postfix sending mails to unknown addresses
I was checking my Munin tables and saw a huge list of deferred mails in Postfix. Looking into /var/log/mail.log gave me an idea: I am sending mails to unknown mail addresses:
Dec 23 08:21:32 h2065299 postfix/pickup[10816]: 63F5811A0384: uid=33 from=<www-data>
Dec 23 08:21:32 h2065299 postfix/cleanup[20915]: 63F5811A0384: message-id=<[email protected]>
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: from=<[email protected]>, size=2254, nrcpt=1 (queue active)
Dec 23 08:21:32 h2065299 postfix/smtp[20917]: 63F5811A0384: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, $
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: removed
This is not really different from a forced "good" email:
Dec 23 09:41:51 h2065299 postfix/pickup[28905]: EE51611A0393: uid=33 from=<www-data>
Dec 23 09:41:51 h2065299 postfix/cleanup[30516]: EE51611A0393: message-id=<[email protected]>
Dec 23 09:41:52 h2065299 postfix/qmgr[28906]: EE51611A0393: from=<[email protected]>, size=977, nrcpt=1 (queue active)
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: connect to gmail-smtp-in.l.google.com[2a00:1450:4008:c01::1b]:25: Connection timed out
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: EE51611A0393: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.69.27]:25, delay=$
Dec 23 09:42:22 h2065299 postfix/qmgr[28906]: EE51611A0393: removed
We are running three WordPress installations and some script folder on the server. The WPs are up to date and I think we have correct file permissions on them.
What can cause www-data to send mails to unknown users?!
If your server is sending lots of mails to unknown users, it's probably spamming. To confirm this, you should check your postfix queue for the IDs of the deferred mails and read what's in them.
If you're using CMS systems like WordPress, there's probably some insecure script that can be used for sending spam. If your WordPress is up to date, you should also check whether any plugins, modules etc. are.
To find out which script is responsible for sending these mails, you can set the directive
mail.add_x_header = On
in your php.ini. This will add an additional mail header
X-PHP-Originating-Script
to your mails that shows the sending script. This directive is available from PHP 5.3 on.
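As an added example (not part of the original answer): once mail.add_x_header is on, the header can be tallied over the queued messages that www-data (uid 33) submitted, which points at the script to inspect. PHP writes the value as uid:filename; the sample log lines, the message dumps shaped like `postcat -q <ID>` output and the script name mailer.php are constructed for illustration.

```python
import re
from collections import Counter

PICKUP = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-Za-z]+): uid=(\d+)\b")
HEADER = re.compile(r"^X-PHP-Originating-Script:\s*(\d+):(.+?)\s*$", re.I)

def queue_ids_for_uid(log_lines, uid):
    """Queue IDs of mail submitted locally (pickup) by the given uid."""
    hits = (PICKUP.search(line) for line in log_lines)
    return [m.group(1) for m in hits if m and int(m.group(2)) == uid]

def originating_script(postcat_text):
    """(uid, script) from the header block only; None if the header is absent."""
    in_headers = False
    for line in postcat_text.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            in_headers = True
        elif in_headers:
            if not line.strip():
                return None  # headers ended; a copy in the body is not trusted
            m = HEADER.match(line)
            if m:
                return int(m.group(1)), m.group(2)
    return None

def tally(log_lines, messages, uid=33):
    """Count queued messages per sending script for one submitting uid."""
    ids = queue_ids_for_uid(log_lines, uid)
    return Counter(originating_script(messages[q]) for q in ids if q in messages)

# Constructed sample data: log lines in the format quoted in the question and
# message dumps shaped like `postcat -q <ID>` output. Script name is made up.
def _dump(qid, headers, body="Hi"):
    return (f"*** ENVELOPE RECORDS deferred/{qid} ***\n"
            f"*** MESSAGE CONTENTS deferred/{qid} ***\n"
            f"{headers}\n\n{body}\n*** MESSAGE FILE END deferred/{qid} ***\n")

SAMPLE_LOG = [
    "Dec 23 09:41:51 host postfix/pickup[28905]: EE51611A0393: uid=33 from=<www-data>",
    "Dec 23 09:50:03 host postfix/pickup[28905]: 0A1B2C3D4E5F: uid=33 from=<www-data>",
    "Dec 23 09:52:40 host postfix/pickup[28905]: 77AA11BB22CC: uid=33 from=<www-data>",
    "Dec 23 09:55:10 host postfix/pickup[28905]: 1122334455AA: uid=0 from=<root>",
]
PHP = "To: a@example.com\nX-PHP-Originating-Script: 33:mailer.php\nSubject: x"
SAMPLE_MESSAGES = {
    "EE51611A0393": _dump("EE51611A0393", PHP),
    "0A1B2C3D4E5F": _dump("0A1B2C3D4E5F", PHP),
    "77AA11BB22CC": _dump("77AA11BB22CC", "Subject: y", "X-PHP-Originating-Script: 0:x.php"),
}
```

A `None` key in the tally means the message carried no header in its header block, for example because it was queued before the directive was enabled.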