How to find out what program is sending emails

Solution 1:

What you're asking how to do:
dpkg -S /path/to/mail

/path/to/mail/ can be found using which mail, provided that mail is in your path.

Minor Note:
Mail may also be sent out using sendmail instead of mail.

What you should do:
Look at your maillog, likely /var/log/maillog or /var/log/mail.log; the daemon name should be there.

Solution 2:

This question is similar to How to find which script on my server is sending spam emails?, but since it doesn't allow answers anymore (marked as a duplicate), I am answering it here to provide some insights.

Short answer:

Change file /etc/php.ini or /etc/php5/apache/php.ini by adding these two lines:

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log

Restart your php5 or php5-fpm service and nginx/apache service, then check the /var/log/phpmail.log file to see which scripts triggered the error, and remove them!

Long Answer:

Here is the very specific scope (my solution doesn't solve other scenarios):

I am running Ubuntu in a VPS and had nginx, php5-fpm, and WordPress installed, and it got hacked; I am pretty sure it was WP that got hacked and spam code was injected.

I tried the following actions to fix it, such as using a Linux malware detector; resetting all database connection credentials; and simply eyeballing files to remove malicious code.

Some actions I took are:

  • reset all database passwords
  • log in to wp-admin, remove unintended admin users
  • install Wordfence for defense

For source code:

  • you can diff the official WordPress code against yours, and see what has changed
  • weird folders in the WP root directory
  • some files ending with *.suspected
  • weird file names like 1346.php, etc.
  • grep for eval in all your files to see anything malicious
  • check any php files that have obfuscated code

After I did those, I also removed the execute permission from all files except directories: chmod -x+X -R * or refer here: remove execute permissions from files without touching folders

However, I still saw many errors in my /var/log/mail.err and /var/log/syslog, because I didn't configure sendmail or postfix (you can stop such services to expose the spam error):

postfix/sendmail[2422]: fatal: open /etc/postfix/main.cf: No such file or directory

However, I still didn't know where the spamming scripts were... stuck here...

After searching for several hours, I found the solution mentioned in the short answer above: configure your mail settings in php.ini to expose the location of the scripts.

After removing those scripts, I found no more spam errors, and so far my server looks clean.

Although, as many suggested, you are supposed to take such a server offline and reimage it or reset it to a previous state, etc.

Reference links:

How do I deal with a compromised server?

https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/
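Once mail.log is enabled as the answer above describes, the remaining work is turning that log into a list of sending scripts. The following Python script is an added example, not code from the answer or from PHP/WordPress: it parses constructed sample lines in the layout PHP 5.x writes to mail.log (`[date] mail() on [script:line]: To: addr -- Headers: ...`, taken here as an assumption), counts sends per script, and flags any script that sends from outside the directories where a stock WordPress install legitimately calls mail() or that exceeds a send threshold.

```python
import re
from collections import Counter

# One line per mail() call, as written to the file named by php.ini's mail.log
# (layout assumed from PHP 5.x; everything after "To: addr" is ignored):
#   [DD-Mon-YYYY HH:MM:SS TZ] mail() on [/path/script.php:LINE]: To: addr -- Headers: ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+)"
)

# Where a stock WordPress install legitimately calls mail(): wp_mail() lives in
# wp-includes, and plugins/themes may send too. A script anywhere else
# (uploads/, the web root, /tmp) is the kind of file the answer above removed.
EXPECTED_DIRS = ("/wp-includes/", "/wp-admin/", "/wp-content/plugins/",
                 "/wp-content/themes/")

def parse_phpmail_log(text):
    """Return one dict per parsed mail() entry; non-matching lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            calls.append({"ts": m["ts"], "script": m["script"],
                          "line": int(m["line"]), "to": m["to"]})
    return calls

def summarize(calls, threshold=50):
    """Count sends per script; flag scripts outside EXPECTED_DIRS or above threshold."""
    counts = Counter(c["script"] for c in calls)
    flagged = {s for s, n in counts.items()
               if n > threshold or not any(d in s for d in EXPECTED_DIRS)}
    return counts, flagged

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
[05-Feb-2017 10:00:01 UTC] mail() on [/var/www/html/wp-includes/pluggable.php:1455]: To: admin@example.com -- Headers: From: wordpress@example.com
[05-Feb-2017 10:00:02 UTC] mail() on [/var/www/html/wp-content/uploads/2017/02/cache.php:3]: To: victim1@example.net -- Headers: From: billing@example.com
[05-Feb-2017 10:00:02 UTC] mail() on [/var/www/html/wp-content/uploads/2017/02/cache.php:3]: To: victim2@example.net -- Headers: From: billing@example.com
[05-Feb-2017 10:00:03 UTC] mail() on [/var/www/html/1346.php:12]: To: victim3@example.org -- Headers: From: billing@example.com
not a mail() entry; ignored by the parser
"""

if __name__ == "__main__":
    counts, flagged = summarize(parse_phpmail_log(SAMPLE_LOG))
    for script, n in counts.most_common():
        print(f"{n:5d}  {'SUSPECT' if script in flagged else 'ok':7s}  {script}")
```

Point the script at the real /var/log/phpmail.log and compare flagged paths against a diff of the official WordPress release before deleting anything.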

Solution 3:

strace will expose the behaviour of your code - whether it is executing a program or making a TCP connection to a mailserver.