Discussion in 'Installation/Configuration' started by ZeroEnna, Apr 5, 2016.
This thread can be closed, everything is fixed now
The most likely reason is a hacked website. Check the headers of the emails in the mailqueue with postqueue and postcat commands.
Did that, the site was identified and exterminated
How did you go about doing this? I'm sure lots will find the steps informative and helpful. Did you use maldet? sucuri? maillog, ISPProtect and so on.
I explained that in several posts here in the forum in the past:
1) Run "postqueue -p" to get a list of emails in the queue.
2) Inspect strange emails with "postcat -q QUEID" where QUEID is the ID of the email that you got from the postqueue command.
Emails sent by PHP have a header in most cases that shows the file that has sent the email and which user has sent it, so you can find the website by user as each website in ISPConfig runs under a different web user.
As till has explained:
I picked one queued mail and dumped it via
postcat -q QUEUEID | more
I found the header line "X-PHP-Originating" which pointed to the website ID and a script name. After a "locate script.php", I was able to find and delete that script (a wordpress installation got hacked and was used to inject some code).
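The manual steps above, scripted as an added example (not code from the forum post or from ISPConfig): list the queue IDs from postqueue, dump each mail with postcat and pull out the X-PHP-Originating-Script header, which PHP adds when mail.add_x_header is on and which carries the sending uid and script name. The sample postqueue and postcat outputs are constructed; the uid, account and script path in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes PHP's mail.add_x_header=On, so
# mail() writes "X-PHP-Originating-Script: <uid>:<script>", and that postqueue,
# postcat and getent are available when run with --live as root.
# The two SAMPLE_* strings are constructed stand-ins for real tool output.

SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E*    1452 Tue Apr  5 10:11:12  web1@web1.example.test
                                         victim@example.test
F6E7D8C9B0     1390 Tue Apr  5 10:11:13  web1@web1.example.test
                                         someone@example.test

-- 2 Kbytes in 2 Requests.'

SAMPLE_POSTCAT='*** MESSAGE CONTENTS deferred/1/1A2B3C4D5E ***
Received: by web1.example.test (Postfix, from userid 5004)
        id 1A2B3C4D5E; Tue, 5 Apr 2016 10:11:12 +0200 (CEST)
Subject: Your account
X-PHP-Originating-Script: 5004:wp-content/uploads/tmp/cache.php
From: "Support" <support@example.test>

Click here'

# Queue IDs from `postqueue -p` text; drops the "*" (active) / "!" (on hold) marker.
queue_ids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^[0-9A-Za-z]+[*!]?$/ { sub(/[*!]$/, "", $1); print $1 }'
}

# "<uid> <script>" from `postcat -q` text, or nothing when PHP added no such header.
originating_script() {
    printf '%s\n' "$1" |
        sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):\(.*\)$/\1 \2/p' | head -n 1
}

# Live mode: for every queued mail, report queue ID, uid, account name and script.
scan_queue() {
    for id in $(queue_ids "$(postqueue -p)"); do
        originating_script "$(postcat -q "$id")" | while read -r uid script; do
            printf '%s uid=%s user=%s script=%s\n' "$id" "$uid" "$(getent passwd "$uid" | cut -d: -f1)" "$script"
        done
    done
}

if [ "${1:-}" = "--live" ]; then scan_queue; else
    for id in $(queue_ids "$SAMPLE_QUEUE"); do echo "queued: $id"; done
    echo "1A2B3C4D5E -> $(originating_script "$SAMPLE_POSTCAT")"   # 5004 wp-content/uploads/tmp/cache.php
fi
```

The uid maps to the ISPConfig web user, which tells you the site; the script path is relative to the PHP script's working directory, so locate it with "locate" or "find" under that site's web root.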