How to Determine Which App Is Sending Spam
If you discover your server is sending spam, your primary concern should be determining which of your apps has been compromised and fixing the problem there.
First, look for any unusually large PHP mail logs for your apps.
SSH into your server as each of your system users and run this command, replacing SYSUSER with the user you SSH'd in as:
ls -l /srv/users/SYSUSER/log/*/*.mail.log
Some apps intentionally send large volumes of legitimate mail, but this command lists your mail logs together with their sizes, helping you narrow your search for the offending app.
Once you determine the app you suspect is sending spam, check its PHP mail log, located at the following path:
(SYSUSER is the app's system user, APPNAME is the app's name, and X.Y is the app's PHP version.)
There you will see how many emails your app has sent.
Now, look for entries that will help you track down the malicious code. Each entry in this log file shows which script sent the email, who it was sent to, and the email headers.
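An added shell helper (not part of this page) that does that triage over a PHP mail log: it counts sends per script, flags scripts running from directories a web app normally only writes to, and counts distinct recipients per script. The log sample, user name (alice), app name (shop), paths and addresses are all constructed for the example.

```shell
#!/bin/sh
# PHP writes one mail.log entry per mail() call, in the form:
#   [date] mail() on [/path/to/script.php:LINE]: To: addr -- Headers: ...
# Constructed sample log (user "alice", app "shop"); nothing here is real data.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[05-Feb-2018 10:01:12 UTC] mail() on [/srv/users/alice/apps/shop/public/wp-content/uploads/2018/01/cache.php:7]: To: a@example.net -- Headers: From: noreply@shop.example
[05-Feb-2018 10:01:13 UTC] mail() on [/srv/users/alice/apps/shop/public/wp-content/uploads/2018/01/cache.php:7]: To: b@example.net -- Headers: From: noreply@shop.example
[05-Feb-2018 10:01:13 UTC] mail() on [/srv/users/alice/apps/shop/public/wp-content/uploads/2018/01/cache.php:7]: To: c@example.net -- Headers: From: noreply@shop.example
[05-Feb-2018 10:15:02 UTC] mail() on [/srv/users/alice/apps/shop/public/wp-includes/pluggable.php:524]: To: owner@shop.example -- Headers: From: WordPress <wordpress@shop.example>
[05-Feb-2018 11:20:45 UTC] mail() on [/srv/users/alice/apps/shop/public/wp-includes/pluggable.php:524]: To: owner@shop.example -- Headers: From: WordPress <wordpress@shop.example>
EOF

# Extract the sending script path from each entry.
script_paths() {
    sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\].*/\1/p' "$1"
}

# Print "COUNT PATH" lines, busiest script first.
sends_per_script() {
    script_paths "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Scripts living under uploads/, cache/ or tmp/: a web app writes data there,
# so PHP that sends mail from such a directory deserves a close look.
scripts_in_writable_dirs() {
    script_paths "$1" | sort -u | grep -E '/(uploads|cache|tmp)/'
}

# Distinct recipients per script: a notification script mails a few known
# addresses, whereas a spam script mails many different ones.
recipients_per_script() {
    sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\]: To: \([^ ]*\) .*/\1 \2/p' "$1" \
        | sort -u | awk '{n[$1]++} END {for (s in n) print n[s], s}' | sort -rn
}

# Run against the sample; point at a real mail.log to triage a live app.
sends_per_script "$SAMPLE_LOG"
scripts_in_writable_dirs "$SAMPLE_LOG"
recipients_per_script "$SAMPLE_LOG"
```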
You can also inspect the Postfix mail queue on your server to see the contents of suspicious emails.
To list all emails in the mail queue, run the following command as root:
sudo postqueue -p
Each email listed will have a unique identifier such as BA3DC120D88.
To view the contents of a particular email, use the following command, replacing MESSAGE_ID with the email's identifier as shown in the output of the list command above:
sudo postcat -q MESSAGE_ID
For example, for the identifier shown above:
sudo postcat -q BA3DC120D88
Deleting All Mail from the Mail Queue
If you need to permanently delete all unsent mail from your server's mail queue, SSH into your server as root and run the following command:
sudo postsuper -d ALL
Last updated: February 08, 2018