How to analyze cause of postfix server sending spam

Here is a general outline of the approach I usually use in such cases:

  1. Look at the "Received:" headers of the spam messages to check where they came from. These headers can really reveal a lot. In particular, you will know whether the messages originated locally or externally. Also, if the message was sent by a web script, there may be some specific headers to indicate the source. For example, if a PHP script sends mail using the mail() function, an X-HTTP-Posting-URI: or X-PHP-Originating-Script: header is usually added that tells you exactly which script sent the message.
  2. Look at the Postfix logs to identify all entries that refer to a sample spam message (identify them by timestamp and Message-Id).
  3. If after steps 1) and 2) it still isn't clear what the source of the spam is, try to correlate the timestamps from 2) with the web server log, check which URLs were accessed at the exact time the message originated, and examine all these URLs carefully.
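
The three steps above, chained in one script. This is an added example, not part of the original answer: the function name trace, the sample message and both log excerpts are constructed, and it assumes traditional syslog timestamps (no year), a combined-format access log, and both logs written in the same timezone.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string

# All sample data below is constructed for illustration.
SPAM = (
    "Received: by mail.example.com (Postfix, from userid 33)\n"
    "\tid 4F2A81C0D3; Tue, 12 Mar 2024 03:14:07 +0000 (UTC)\n"
    "Message-Id: <20240312031407.4F2A81C0D3@mail.example.com>\n"
    "X-PHP-Originating-Script: 33:contact.php\n"
    "Subject: cheap pills\n\nbody\n")
MAIL_LOG = """\
Mar 12 03:14:07 mail postfix/pickup[2101]: 4F2A81C0D3: uid=33 from=<www-data>
Mar 12 03:14:07 mail postfix/cleanup[2150]: 4F2A81C0D3: message-id=<20240312031407.4F2A81C0D3@mail.example.com>
Mar 12 03:14:07 mail postfix/qmgr[1200]: 4F2A81C0D3: from=<www-data@mail.example.com>, size=812, nrcpt=1 (queue active)
Mar 12 03:14:08 mail postfix/smtp[2160]: 4F2A81C0D3: to=<user@example.net>, relay=mx.example.net[198.51.100.9]:25, status=sent (250 ok)
Mar 12 03:20:00 mail postfix/cleanup[2150]: 9B11C2AA01: message-id=<other@mail.example.com>
"""
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:10:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:03:14:06 +0000] "POST /contact.php HTTP/1.1" 200 312
198.51.100.20 - - [12/Mar/2024:03:30:11 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

def trace(raw_msg, mail_log, access_log, year=2024, window=5):
    msg = message_from_string(raw_msg)
    msgid = (msg["Message-Id"] or "").strip()
    # Step 1: headers that name the sending script, if present.
    hints = {h: msg[h] for h in ("X-PHP-Originating-Script", "X-HTTP-Posting-URI") if msg[h]}
    # Step 2: the cleanup line maps the Message-Id to a Postfix queue ID.
    lines = mail_log.splitlines()
    qid = next((m.group(1) for l in lines
                if (m := re.search(r"cleanup\[\d+\]: (\w+): message-id=(\S+)", l))
                and m.group(2) == msgid), None)
    entries = [l for l in lines if qid and f"]: {qid}: " in l]
    if not entries:
        return {"queue_id": None, "local": None, "hints": hints, "entries": [], "web": []}
    # A pickup line means local submission (sendmail command), not SMTP.
    local = any("postfix/pickup[" in l for l in entries)
    # Step 3: web requests within `window` seconds of the first log entry.
    t0 = datetime.strptime(f"{year} {entries[0][:15]}", "%Y %b %d %H:%M:%S")
    web = []
    for l in access_log.splitlines():
        m = re.search(r'\[(\S+) [^\]]*\] "(\S+) (\S+)', l)
        if m and abs(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") - t0) <= timedelta(seconds=window):
            web.append((m.group(2), m.group(3)))
    return {"queue_id": qid, "local": local, "hints": hints, "entries": entries, "web": web}
```

Calling trace(SPAM, MAIL_LOG, ACCESS_LOG) returns the queue ID, whether the message was submitted locally, any script-identifying headers, the matching Postfix log lines, and the web requests made within the time window.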