How to analyze cause of postfix server sending spam
That's some general outline of approach I usually use in such cases:
- look at "Received:" headers of the spam messages to check where did they come from. These headers can really reveal a lot. Especially you will know whether the messages originated locally or externally. Also if the message was sent by a web script, there may be some specific headers to indicate the source. For example, if a script in PHP sends mail using
mail()
function, a headerX-HTTP-Posting-URI:
orX-PHP-Originating-Script:
is usually added that tells you exactly which script has sent the message. - look at Postfix logs to identify all entries that refer to a sample spam message (identify by timestamp and Message-Id)
- if after steps 1) and 2) it still isn't clear what is the source of spam, try to coordinate timestamps from 2) with web server log, check what URLs were accessed at that exact time when the message originated, and examine all these URLs carefully.