how to identify which mailbox is sending spam - ISPConfig3, Debian 7

Discussion in 'ISPConfig 3 Priority Support' started by inside83, Jun 30, 2015.

  1. inside83

    inside83 Member HowtoForge Supporter

    Hello!
    One of my servers keeps getting listed on SpamHaus XBL list.
    How to know which mailbox is problematic?
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Watch the mail queue, scan for malware (!), check for outdated software (e. g. wordpress, joomla etc.), check mail contents and headers of mails in the queue.
    As this is a continuous job, you may try using a service like http://ispprotect.com
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    And when you find that the mailqueue grows, you can inspect the content of the mails that stick in the queue with the postcat command to find out which account or website has sent them.
     
  4. inside83

    inside83 Member HowtoForge Supporter

    Mail queue is empty.
    Senders get something like this from my server:
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This means that the mailserver of the sender is blacklisted. That's an issue on the sending server and not your server.
     
  6. inside83

    inside83 Member HowtoForge Supporter

    User on my server is the sender.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. Then you should check the link in the message to see when spam has been reported to be sent from your server. Next check the mail.log to see if you find any unusual amount of messages sent at that time in your log.
     
  8. inside83

    inside83 Member HowtoForge Supporter

    This is why I asked HERE if there is some kind of tool that can help me identify the amount of messages per mailbox.
    Is there?
    Because, then I would be able to look at some specific accounts and scan for viruses on the computers on which those accounts are configured.
     
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    You could start by doing a grep, e. g.
    Code:
    grep '[email protected]' /var/log/mail.log | grep 'sasl'
    This should list smtp logins from this login.

    This won't help if the mails are not sent via smtp but via php mail() or something like that.

    This will give you a quick overview of all senders in your mail.log (external and internal):
    Code:
    grep 'from=<' /var/log/mail.log | grep 'qmgr' | awk '{print $7}' | sed -r 's/^.*=<(.*?)>.*$/\1/' | sort | uniq -c | sort -n
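The two greps above answer different questions: the first needs a login you already suspect, and the second only counts envelope senders, which a spammer can forge freely. The script below (an added example, not posted in this thread and not part of ISPConfig) joins the `smtpd` SASL line, the `pickup` line and the `qmgr` line of each message on the Postfix queue ID, so every queued message is attributed to the SASL login that sent it, to the local Unix uid that handed it to `pickup` (the PHP `mail()` case), or to neither (inbound mail). It goes beyond the thread by also summing envelope recipients per login, which is the figure that usually exposes a compromised account. The log lines are constructed in the format Postfix writes to `/var/log/mail.log`.

```python
import re
from collections import Counter

# Constructed sample log lines (not from this thread) in Postfix's mail.log format.
SAMPLE_LOG = """\
Jun 30 10:01:02 mx postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 30 10:01:02 mx postfix/qmgr[1900]: 1A2B3C4D5E: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Jun 30 10:01:05 mx postfix/smtpd[2101]: 6F7A8B9C0D: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 30 10:01:05 mx postfix/qmgr[1900]: 6F7A8B9C0D: from=<random-name@example.com>, size=1300, nrcpt=50 (queue active)
Jun 30 10:02:10 mx postfix/pickup[1800]: AA11BB22CC: uid=5004 from=<web1@example.com>
Jun 30 10:02:10 mx postfix/qmgr[1900]: AA11BB22CC: from=<web1@example.com>, size=900, nrcpt=1 (queue active)
Jun 30 10:03:00 mx postfix/smtpd[2102]: DD33EE44FF: client=mail.example.net[198.51.100.9]
Jun 30 10:03:00 mx postfix/qmgr[1900]: DD33EE44FF: from=<bob@example.net>, size=2000, nrcpt=1 (queue active)
"""

# Default queue IDs are upper-case hex; Postfix "long queue IDs" are mixed-case alphanumeric, so accept both.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S+.*?sasl_username=(?P<user>\S+)")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def summarize(log_text):
    """Attribute every queued message to its origin by joining log lines on the queue ID.

    Returns a dict with:
      messages_by_login   - queued messages per SASL login
      recipients_by_login - envelope recipients per SASL login (one message to 50 recipients counts 50)
      messages_by_uid     - messages submitted locally via pickup(8), keyed by Unix uid (e.g. PHP mail())
      envelope_senders    - messages per envelope From address (forgeable, shown for comparison)
      unattributed        - messages with neither a SASL login nor a local uid (typically inbound mail)
    """
    login_by_qid, uid_by_qid = {}, {}
    messages_by_login, recipients_by_login = Counter(), Counter()
    messages_by_uid, envelope_senders = Counter(), Counter()
    unattributed = 0
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            login_by_qid[m["qid"]] = m["user"]
            continue
        m = PICKUP_RE.search(line)
        if m:
            uid_by_qid[m["qid"]] = int(m["uid"])
            continue
        m = QMGR_RE.search(line)
        if not m:
            continue
        qid, nrcpt = m["qid"], int(m["nrcpt"])
        envelope_senders[m["sender"]] += 1
        # pop() rather than get(): Postfix reuses queue IDs once a message has left the queue,
        # so a stale mapping must not be applied to a later, unrelated message.
        if qid in login_by_qid:
            login = login_by_qid.pop(qid)
            messages_by_login[login] += 1
            recipients_by_login[login] += nrcpt
        elif qid in uid_by_qid:
            messages_by_uid[uid_by_qid.pop(qid)] += 1
        else:
            unattributed += 1
    return {
        "messages_by_login": messages_by_login,
        "recipients_by_login": recipients_by_login,
        "messages_by_uid": messages_by_uid,
        "envelope_senders": envelope_senders,
        "unattributed": unattributed,
    }


def top_logins(log_text, n=10):
    """(login, messages, recipients) rows, most recipients first."""
    s = summarize(log_text)
    rows = [(login, s["messages_by_login"][login], s["recipients_by_login"][login])
            for login in s["messages_by_login"]]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))[:n]


if __name__ == "__main__":
    import sys
    # Usage: python3 mailstats.py /var/log/mail.log   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for login, msgs, rcpts in top_logins(text):
        print(f"{rcpts:6d} rcpts {msgs:5d} msgs  {login}")
    s = summarize(text)
    for uid, msgs in s["messages_by_uid"].most_common():
        print(f"{msgs:6d} msgs via pickup from uid {uid} (check the web site running as that uid)")
```

On the sample, `alice@example.com` sent two messages but 51 recipients, and the second message carries a forged envelope sender, which the `from=<` count alone would have hidden. A uid that shows up under `pickup` maps to a web site's PHP user in ISPConfig, which is where the "not sent via smtp" case from Croydon's post lands.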
     
  10. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    To prevent outgoing connections on port 25 you can add a rule to your firewall to block those connections if the user is not your smtpd.
     
  11. inside83

    inside83 Member HowtoForge Supporter

    @Croydon
    That presumes that I know what logon is sending spam?
    But I do not know that, this is what I'm trying to find out.

    @florian030
    I'm not sure what you mean. Could you, please, explain?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    You can see the sending account in the mail headers. Get a suspicious mail ID from postqueue list and check it with postcat command:

    Example:

    postcat /var/spool/postfix/deferred/A/A4BB562D12DC
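When the queue holds hundreds of messages, reading each `postcat` dump by hand is slow. The following parser is an added example (not from this thread or from ISPConfig) that pulls the envelope sender from the ENVELOPE RECORDS part and the sending account from the headers: Postfix records the SASL login in its own `Received:` header as `(Authenticated sender: ...)` when `smtpd_sasl_authenticated_header = yes` is set, and PHP adds `X-PHP-Originating-Script: uid:script` when `mail.add_x_header = On`. Both samples are constructed and abbreviated; the queue ID is a placeholder. Only the topmost `Received:` header is consulted, because that is the one this server added, while lower ones come from remote hops and can say anything.

```python
import re

# Constructed, abbreviated postcat output for a message sent through SMTP AUTH (not from this thread).
SAMPLE_SMTP = """\
*** ENVELOPE RECORDS deferred/A/QUEUEIDPLACEHOLDER ***
sender: random-name@example.com
*** MESSAGE CONTENTS deferred/A/QUEUEIDPLACEHOLDER ***
Received: from unknown (unknown [203.0.113.7])
\t(Authenticated sender: alice@example.com)
\tby mx.example.com (Postfix) with ESMTPSA id QUEUEIDPLACEHOLDER
From: "Lottery" <random-name@example.com>
To: victim@example.net
Subject: You won

Body text
*** MESSAGE FILE END deferred/A/QUEUEIDPLACEHOLDER ***
"""

# Constructed, abbreviated postcat output for a message submitted by a PHP script via pickup(8).
SAMPLE_PHP = """\
*** ENVELOPE RECORDS deferred/B/QUEUEIDPLACEHOLDER ***
sender: web1@example.com
*** MESSAGE CONTENTS deferred/B/QUEUEIDPLACEHOLDER ***
Received: by mx.example.com (Postfix, from userid 5004)
\tid QUEUEIDPLACEHOLDER; Tue, 30 Jun 2015 10:02:10 +0200
To: victim@example.net
Subject: hi
X-PHP-Originating-Script: 5004:contact.php

Body text
*** MESSAGE FILE END deferred/B/QUEUEIDPLACEHOLDER ***
"""

AUTH_RE = re.compile(r"\(Authenticated sender: ([^)\s]+)\)")


def _headers(postcat_text):
    """Yield (name, value) for each header after the MESSAGE CONTENTS marker, joining folded lines."""
    lines = postcat_text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.startswith("*** MESSAGE CONTENTS")]
    if not starts:
        return
    current = None
    for line in lines[starts[0] + 1:]:
        if line == "" or line.startswith("*** "):   # blank line ends the header block
            break
        if line[:1] in (" ", "\t") and current:      # folded continuation of the previous header
            current[1] += " " + line.strip()
            continue
        if current:
            yield tuple(current)
        name, _, value = line.partition(":")
        current = [name.strip(), value.strip()]
    if current:
        yield tuple(current)


def parse_postcat(postcat_text):
    """Return envelope sender, SASL login (if any) and originating PHP script (if any) of one postcat dump."""
    result = {"envelope_sender": None, "sasl_login": None, "php_script": None}
    for line in postcat_text.splitlines():
        if line.startswith("sender: "):
            result["envelope_sender"] = line[len("sender: "):].strip()
            break
    seen_received = False
    for name, value in _headers(postcat_text):
        lname = name.lower()
        if lname == "received" and not seen_received:
            seen_received = True                     # trust only the header our own server added
            m = AUTH_RE.search(value)
            if m:
                result["sasl_login"] = m.group(1)
        elif lname == "x-php-originating-script":
            result["php_script"] = value
    return result


if __name__ == "__main__":
    import sys
    # Usage: postcat /var/spool/postfix/deferred/A/<id> | python3 whosent.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SMTP
    print(parse_postcat(text))
```

Run it over every deferred queue file in a loop and the login or PHP script that keeps coming back is the account to lock or the web site to clean; a message with neither field came in from outside or from a local process that did not identify itself.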
     
