Some of my users have started receiving spam emails that look like they are coming from the mail server. They are addressed from [email protected]. Is there anything I can do to stop this?
You could add headers to check where it's sent from... it's probably some PHP script that's getting abused.
Add headers? Do you mean check the headers on the email? This is the email header:
Code:
Return-Path: <[email protected]>
From: <[email protected]>
To: <[email protected]>
Subject: ***SPAM***Tax Refund New Message Alert!
Date: Tue, 2 Jul 2013 03:32:01 +0100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_01BA_01CE773A.83E03300"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFXOcqxYQyb3TjOkfCwYK4CVpWOYQ==
Lol. That's great. For anyone else who checks this thread and wants to know without wondering what Google search string to use (a lot of results are for adding additional headers using the mail() function), it's the following line in your php.ini file:
Code:
;Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
mail.add_x_header = On
Mine is set to "On", so I guess this email is not coming from a script being abused on my server, as it does not contain the "X-PHP-Originating-Script" string in the header. Any other guesses as to where it's coming from and how to stop it?
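A small header check for the X-PHP-Originating-Script stamp discussed above, added here as an example and not code from the thread. Both header samples are constructed (not the real headers from the posts), and the "uid:filename" format of the stamp is what PHP emits when mail.add_x_header is On.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header quoted in the thread: no PHP stamp,
# envelope sender (Return-Path) differs from the displayed From address.
SPOOFED_HEADER = """Return-Path: <bounce@spammer.example.net>
From: <postmaster@mail.example.com>
To: <user@example.com>
Subject: ***SPAM***Tax Refund New Message Alert!
Date: Tue, 2 Jul 2013 03:32:01 +0100
Message-ID: <20130702023201.abc123@mail.example.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0
"""

# Constructed sample of what a local PHP script's mail looks like with
# mail.add_x_header = On: PHP adds "X-PHP-Originating-Script: <uid>:<basename>".
SCRIPT_HEADER = """Return-Path: <www-data@mail.example.com>
From: <postmaster@mail.example.com>
To: <user@example.com>
Subject: hello
X-PHP-Originating-Script: 33:contact-form.php
"""


def classify_origin(raw_headers: str) -> dict:
    """Classify a message from its headers: was it generated by a PHP script on
    this host (stamp present), and does the envelope sender match the From?"""
    msg = message_from_string(raw_headers)
    result = {"local_php_script": False, "uid": None, "script": None}

    stamp = msg.get("X-PHP-Originating-Script")
    if stamp:
        uid, _, script = stamp.partition(":")
        result["local_php_script"] = True
        result["uid"] = int(uid.strip()) if uid.strip().isdigit() else None
        result["script"] = script.strip() or None

    # Compare the SMTP envelope sender with the header From address.
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    result["return_path"] = return_path
    result["from"] = header_from
    result["envelope_mismatch"] = return_path != header_from
    return result


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_HEADER), ("script", SCRIPT_HEADER)):
        print(name, classify_origin(raw))
```

When the stamp is present, the uid maps to the web server user (or the vhost user under suexec/FPM) and the filename tells you which script to look at; when it is absent on a host with the option On, the mail did not go through PHP's mail() there.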
http://serverfault.com/questions/40...which-user-sent-a-specific-email-with-postfix Well, my guess was an outdated Joomla installation... I had one of those being abused a while back.
Good guess. I have no idea how it's happening, but it is getting some users very confused as they think it's coming from me!
Apache mod_security is a good way to protect outdated CMS systems from being abused, as it tests each HTTP request against a set of generic exploit rules.
The only CMS that is running on this server is a WordPress install (all up to date with no funky plugins!), but the email headers show that the emails are not coming from a script on the server. I have run the following postfix config to see if it helps:
Code:
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'
and added:
Code:
b.barracudacentral.org, zen.spamhaus.org
under System >> Config >> Mail >> Real-time Blackhole List