How to find the script that is spamming via postfix

If you find that your postfix server keeps sending mail on its own, you have to face the fact that it has been compromised. Pretty disgusting state of affairs.

Usually the spam mailing is launched by some kind of script.

Don't be upset. You can determine which script is initiating the mailing.

To do this, switch to the superuser account:

sudo su

Check the distribution queue:

mailq|less

less lets you page through the entire queue when the output of the command does not fit on the screen. Press q to exit.

The first column will contain the ID of the messages in the queue to be sent.

You can view the contents of the email with:

postcat -q <ID>

Look for a header such as X-PHP-Originating-Script or X-Originating-Script: it names the PHP script that generated the message (PHP adds it when mail.add_x_header is enabled).

All that remains is to remove the scripts and clear the mail queue:

for m in $(/usr/bin/mailq 2>&1 | grep -v postqueue | grep -i "^[1-9]\|^[A-Z]\|^0" | awk '{print $1}' | sed 's/[*!]$//');
do
  # delete only messages generated by eval()'d PHP code, the usual sign of injected malware;
  # the sed above strips the '*' (active) / '!' (on hold) marker mailq appends to some queue IDs
  if (/usr/sbin/postcat -q "$m" | grep X-PHP-Originating-Script | grep -q eval); then
    /usr/sbin/postsuper -d "$m";
  fi;
done

By the way, this loop is a useful stopgap if you schedule it with cron to run every minute: the send queue will then be continuously monitored and cleared.

You can completely clear the queue with the following command:

postsuper -d ALL
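To see at a glance which script is doing the sending, the steps above can be combined into one script that tallies the queued messages by their originating script. This is an added example, not part of the original post; it assumes postfix's mailq and postcat, and the mailq and message texts it is tested against are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): tally the messages in the postfix
# queue by the PHP script named in their X-PHP-Originating-Script header, so
# the spamming script stands out. Assumes mailq and postcat from postfix.

# Extract queue IDs from mailq output on stdin. mailq appends '*' (active)
# or '!' (on hold) to some IDs; strip it so postcat/postsuper accept them.
# Real queue IDs are alphanumeric and at least 8 characters, which skips the
# header line, recipient lines and "Mail queue is empty".
queue_ids() {
  awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && length($1) >= 8 {
         sub(/[*!]$/, "", $1); print $1 }'
}

# Print the value of X-PHP-Originating-Script (or X-Originating-Script)
# for one message on stdin, or "(none)" when the header is absent.
# PHP reports eval()'d code as "script.php(line) : eval()'d code".
originating_script() {
  awk 'tolower($1) ~ /^x-(php-)?originating-script:$/ {
         sub(/^[^:]*: */, ""); print; found = 1; exit }
       END { if (!found) print "(none)" }'
}

# Count messages per originating script, most frequent first.
# Input: one script name per line (as printed by originating_script).
tally_scripts() {
  sort | uniq -c | sort -rn
}

# Live scan of the real queue: one originating script per queued message.
scan_queue() {
  mailq 2>&1 | queue_ids | while read -r id; do
    postcat -q "$id" | originating_script
  done | tally_scripts
}

# Run the live scan only when asked: ./find-spam-script.sh --scan
case "${1:-}" in --scan) scan_queue ;; esac
```

The first column of the output is the message count, the second the script (prefixed by the uid it ran as); the script at the top of the list is the one to remove.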

Unfortunately the troubles don't end there. Now you need to determine how the malware got onto the server. To do this, look at the Apache logs and the system logs, and review scheduled tasks (cron jobs).

The following articles may also be helpful:

  1. Cure an infected site/server
  2. Scanning a Server with Rkhunter
  3. Scanning a Server with Chkrootkit

It is strongly recommended to update everything you can (website engines, PHP, Apache).

It is also worth setting up fail2ban and mod_security.

All the best and successful projects!