Track Spamming in Postfix

To check for spam on a Postfix server, follow the procedure below:

First check the mail queue.

A high number of mails in the queue is an indication of possible spamming from the server.

1. You can check the mail queue using the command

# mailq | tail -n 1

or

# postqueue -p | egrep "^[A-F0-9]{11}" | awk '{print $1}' | wc -l

messages in queue: 27645

If there is a very large number of mails in the queue, the server is most likely spamming.

2. Check whether the server IP is blocked in RBLs.

http://mxtoolbox.com/blacklists.aspx

If the IP address is blocked in any of the RBLs, then spam has surely occurred on that server. Next, check whether spam is still going out: this is easy to find out by watching the number of mails in the queue. If it keeps increasing, the spam is still ongoing.

3. Now that we have confirmed suspicious activity in the mail server, the next step is to find the source of the spam.

Check the count of emails in the queue:

mailq | tail -n 1

or

postqueue -p | egrep "^[A-F0-9]{11}" | awk '{print $1}' | wc -l

Find the mail account that has sent the most messages (on each queue-ID line the first field is the queue ID, which is unique per message; the sender address is the seventh field):

postqueue -p | egrep "^[A-F0-9]{11}" | awk '{print $7}' | sort | uniq -c | sort -n

Then list the queued messages of the mail account that is sending the most messages:

postqueue -p | grep "mailid"

View a message (headers and body) in the Postfix queue by its queue ID "XXXXXXXXXX":

postcat -vq XXXXXXXXXX
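As an added example (not from the original post), the queue-inspection pipelines above wrapped as small shell functions and run over a constructed `postqueue -p` listing; it also extracts the queue IDs of one sender so they can be passed to `postcat -vq`. The sample queue, hostnames and addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: the step-3 postqueue/awk
# pipelines as reusable functions. SAMPLE_QUEUE is a constructed listing in
# "postqueue -p" format; on a live host feed the real output instead:
#     postqueue -p | top_senders

SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
9C9B6C0A5F1*    3455 Tue Jan  9 10:20:01  www-data@web01.example.net
                                         victim1@example.org
A1B2C3D4E5F      812 Tue Jan  9 10:20:03  www-data@web01.example.net
                                         victim2@example.org
0F1E2D3C4B5!    2211 Tue Jan  9 10:21:10  alice@example.net
                                         bob@example.com
B00B1E5DEAD     1999 Tue Jan  9 10:21:12  www-data@web01.example.net
                                         victim3@example.org

-- 8 Kbytes in 4 Requests.'

# Queue-ID header lines: 11 hex chars, optional "*" (active) or "!" (held), then a space.
QID_LINE='^[A-F0-9]{11}[*!]? '

# Number of messages in the listing (the same figure "mailq | tail -n 1" reports).
queue_count() {
    grep -E -c "$QID_LINE"
}

# "count sender" pairs, busiest sender last. The sender is the 7th field of a
# queue-ID line; the 1st field is the queue ID, which is unique per message.
top_senders() {
    grep -E "$QID_LINE" | awk '{print $7}' | sort | uniq -c | sort -n
}

# Queue IDs of every message from one sender, with the */! status suffix
# stripped so each ID can go straight into "postcat -vq <ID>".
queue_ids_for() {
    grep -E "$QID_LINE" | awk -v s="$1" '$7 == s { sub(/[*!]$/, "", $1); print $1 }'
}

printf '%s\n' "$SAMPLE_QUEUE" | queue_count
printf '%s\n' "$SAMPLE_QUEUE" | top_senders
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for www-data@web01.example.net
```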

How to analyze headers:

Examine the message and find the "Received" lines to find out where it was first sent from. For example, if you find:

Received: (sendmail 19514 invoked by uid 10003);

Received: (sendmail 19514 invoked by uid 48);

Received: (sendmail 19514 invoked from network);

1. invoked by uid 10003

    This means that the message was sent via a CGI by the user with UID 10003. Using this UID, it is possible to find the domain (the UID is the third colon-separated field of /etc/passwd):

# awk -F: '$3 == 10003' /etc/passwd

2. invoked by uid 48

    This means that the spam was sent through a PHP script. In this case, you can try to find the spammer using information from the spam email (the From/To addresses or any other information).

    On most of our servers, we have mail.add_x_header set to On in php.ini.
Otherwise do the following:


-> Add the PHP settings below to php.ini

mail.add_x_header = On
mail.log = /var/log/php-mail.log

Once done, do the below steps:

         1. touch /var/log/php-mail.log

         2. chmod 777 /var/log/php-mail.log

    (Note that a world-writable log lets any local user alter or erase this evidence; owning the file by the web server user with mode 0640 is enough for PHP to write to it.)

    With mail.add_x_header on, PHP adds an X-PHP-Originating-Script header (UID and script name) to each mail, so the origin script can be found from the X- headers in the mail, together with any X- headers the application itself sets.

    e.g.:

    X-Priority: 3

    X-MSMail-Priority: Normal

    X-Mailer: phpBB3

    X-MimeOLE: phpBB3

    X-phpBB-Origin: phpbb://ps3.pponline.ca/forum

    Alternatively, you can find the script that is sending mail by following the Parallels KB article:

     http://kb.sp.parallels.com/en/114845

3. invoked from network

In this case the header will look like this:

Received: (sendmail 13711 invoked from network); 26 Jun 2007 02:55:46 -0000
Received: from abc.com.ar (HELO User) (X.X.X.X)

'invoked from network' means the email was received from an external host (i.e. it was not sent by a program such as Apache on the server itself).

The IP that sent the email was X.X.X.X.
To find the account which sent the mail, grep the IP address in the maillog or messages log:

grep X.X.X.X /var/log/maillog

This will give you the email address that authenticated to send the mail.
