How to Determine Which App Is Sending Spam

If you discover your server is sending spam, your primary concern should be determining which of your apps has been compromised and fixing the problem there.

Log Files

First, look for any unusually large PHP mail logs for your apps.

SSH into your server as each of your system users and run this command, replacing SYSUSER with the user you have SSH'd in as:

ls -lS /srv/users/SYSUSER/log/*/*.mail.log

Some apps intentionally send large volumes of legitimate mail, but this command will list your mail logs by size, helping you narrow your search for the offending app.

Once you determine the app you suspect is sending spam, check its PHP mail log, located at the following path:

/srv/users/SYSUSER/log/APPNAME/APPNAME_phpX.Y.mail.log

(SYSUSER is the app's system user, APPNAME is the app's name, and X.Y is the app's PHP version.)

There you will see how many emails your app has sent.

Now, look for entries that will help track down the malicious code. Each entry in this log file will show you the details of which script sent the email, who it was sent to, and the email headers.
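As an added example that is not part of the original article, the following POSIX shell script summarises a PHP mail log by the script that called mail(), which is usually the fastest way to spot injected code. It assumes PHP's standard mail.log line format (an assumption, so compare it against a real line from your own log first) and uses constructed sample lines in place of a real log file.

```shell
#!/bin/sh
# Added example, not from the original article. Summarise a PHP mail log by the
# script that called mail(). Assumes PHP's mail.log line format (an assumption;
# compare against a real line from your own log first):
#   [DATE] mail() on [/path/to/script.php:LINE]: To: ADDR -- Headers: ...

# Constructed sample lines standing in for
# /srv/users/SYSUSER/log/APPNAME/APPNAME_phpX.Y.mail.log
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[08-Feb-2018 10:01:02 UTC] mail() on [/srv/users/SYSUSER/apps/APPNAME/public/wp-includes/pluggable.php:453]: To: admin@example.com -- Headers: From: WordPress <wordpress@example.com>
[08-Feb-2018 10:05:17 UTC] mail() on [/srv/users/SYSUSER/apps/APPNAME/public/wp-content/uploads/2018/02/cache.php:3]: To: user1@example.net -- Headers: From: Support <support@example.com>
[08-Feb-2018 10:05:18 UTC] mail() on [/srv/users/SYSUSER/apps/APPNAME/public/wp-content/uploads/2018/02/cache.php:3]: To: user2@example.net -- Headers: From: Support <support@example.com>
[08-Feb-2018 10:05:18 UTC] mail() on [/srv/users/SYSUSER/apps/APPNAME/public/wp-content/uploads/2018/02/cache.php:3]: To: user2@example.net -- Headers: From: Support <support@example.com>
[08-Feb-2018 10:05:19 UTC] mail() on [/srv/users/SYSUSER/apps/APPNAME/public/wp-content/uploads/2018/02/cache.php:3]: To: user3@example.org -- Headers: From: Support <support@example.com>
EOF

# top_senders LOGFILE: one "COUNT SCRIPT" line per sending script, busiest first.
# The script path is the text between "mail() on [" and the ":LINE]" after it.
top_senders() {
    sed -n 's/^.*mail() on \[\(.*\):[0-9][0-9]*]:.*$/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# busiest_script LOGFILE: the path of the script with the most mail() calls.
busiest_script() {
    top_senders "$1" | head -n 1 | cut -d' ' -f2
}

# recipient_count LOGFILE SCRIPT: number of distinct addresses SCRIPT mailed.
# A script sitting in an uploads directory that mails many unrelated addresses
# is a strong sign of injected code rather than normal application mail.
recipient_count() {
    grep -F "mail() on [$2:" "$1" \
        | sed -n 's/^.*: To: \([^ ]*\) --.*$/\1/p' | sort -u | wc -l | tr -d ' '
}

echo "Mail sent per script:"
top_senders "$SAMPLE_LOG"
SUSPECT=$(busiest_script "$SAMPLE_LOG")
echo "Busiest script: $SUSPECT ($(recipient_count "$SAMPLE_LOG" "$SUSPECT") distinct recipients)"
```

Point the functions at a real APPNAME_phpX.Y.mail.log instead of the sample file to get the same summary for one of your apps.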

Mail Queue

You can also inspect the Postfix mail queue on your server to read the contents of suspicious emails that have not yet been delivered.

To list all emails in the mail queue, run the following command as root:

sudo postqueue -p

Each email listed will have a unique identifier such as BA3DC120D88.

To view the contents of a particular email, use the following command. Replace MESSAGE_ID with the email's identifier shown in the output of the above list command.

sudo postcat -q MESSAGE_ID

For example:

sudo postcat -q BA3DC120D88

Deleting All Mail from the Mail Queue

If you need to permanently delete all unsent mail from your server's mail queue, SSH into your server as root and run the following command:

sudo postsuper -d ALL

Last updated: February 08, 2018