postfix sending mails to unknown addresses

ubuntu php spam postfix wordpress

I was checking my munin tables and saw a huge list of deferred mails in postfix and looking into /var/log/mail.log gave me an idea: I am sending mails to unknown mail addresses:

Dec 23 08:21:32 h2065299 postfix/pickup[10816]: 63F5811A0384: uid=33 from=<www-data>
Dec 23 08:21:32 h2065299 postfix/cleanup[20915]: 63F5811A0384: message-id=<[email protected]>
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: from=<[email protected]>, size=2254, nrcpt=1 (queue active)
Dec 23 08:21:32 h2065299 postfix/smtp[20917]: 63F5811A0384: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, $
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: removed

this is not really different to a forced "good" email 

Dec 23 09:41:51 h2065299 postfix/pickup[28905]: EE51611A0393: uid=33 from=<www-data>
Dec 23 09:41:51 h2065299 postfix/cleanup[30516]: EE51611A0393: message-id=<[email protected]>
Dec 23 09:41:52 h2065299 postfix/qmgr[28906]: EE51611A0393: from=<[email protected]>, size=977, nrcpt=1 (queue active)
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: connect to gmail-smtp-in.l.google.com[2a00:1450:4008:c01::1b]:25: Connection timed out
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: EE51611A0393: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.69.27]:25, delay=$
Dec 23 09:42:22 h2065299 postfix/qmgr[28906]: EE51611A0393: removed

We are running three wordpresses and some scipt folder on the server. The WPs are up-to-data and I think we have correct file permissions on them.

What can cause www-data to send mails to unknown users?!


If your server is sending lots of mails to unknown users, it's probably spamming. To confirm this, you should check your postfix queue for the IDs of the deferred mails and read what's in them.

If you're using CMS systems like wordpress, there's probably some insecure script that can be used for sending spam. If your wordpress is up to date, you should also check any plugins, modules etc. if they are.

To find out which script is responsible for sending these mails, you can set the directive

mail.add_x_header = On

in your php.ini. This will add an additional mail header

X-PHP-Originating-Script

to your mails that shows the sending script. This directive is available from PHP 5.3 on.

Related

How to prevent nginx redirecting from HTTPS to HTTP on AWS?
Block interactive SSH sessions while allowing certain commands
KVM virtio disk drivers for Windows SVR 2016?
windows could not start sql server ( error 1067 the process terminated unexpectedly)
Can I Use a Normal SSD disk in HP DL380 G6
ionice without effect
php 7 ignores ini files, but claims to load
periodically overridding NTP for simulation purposes
How to install PHP from source with latest cURL package on Linux?
Azure IO performance
How can I run Startup Repair on a KVM virtualized Windows Server?
How to have my PHP Send mail?