Postfix user is not allowed to submit mail

I am running a webserver on debian wheezy with postfix and about 3 months ago I had a major spam problem with one my domains with web21 id. I made a fresh wordpress install and everything and the problem was gone for about 3 months and this time although I have set !web21 in my main.cf to disallow this user to send mail I still get tones of :

May 8 13:53:05 htz postfix/sendmail[16190]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:06 htz postfix/sendmail[16191]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:07 htz postfix/sendmail[16192]: fatal: User web21(5012) is not allowed to     submit mail
May 8 13:53:07 htz postfix/sendmail[16193]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:08 htz postfix/sendmail[16194]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:09 htz postfix/sendmail[16195]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:26 htz postfix/sendmail[16196]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:27 htz postfix/sendmail[16197]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:28 htz postfix/sendmail[16198]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:29 htz postfix/sendmail[16199]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:29 htz postfix/sendmail[16200]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:31 htz postfix/sendmail[16201]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:31 htz postfix/sendmail[16202]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:32 htz postfix/sendmail[16203]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:32 htz postfix/sendmail[16204]: fatal: User web21(5012) is not allowed to submit mail
May 8 13:53:33 htz postfix/sendmail[16205]: fatal: User web21(5012) is not allowed to submit mail
May 8 14:07:22 htz postfix/sendmail[16468]: fatal: User web21(5012) is not allowed to submit mail
May 8 14:07:23 htz postfix/sendmail[16469]: fatal: User web21(5012) is not allowed to submit mail
May 8 14:07:25 htz postfix/sendmail[16470]: fatal: User web21(5012) is not allowed to submit mail
May 8 14:07:26 htz postfix/sendmail[16471]: fatal: User web21(5012) is not allowed to submit mail
May 8 14:07:27 htz postfix/sendmail[16472]: fatal: User web21(5012) is not allowed to submit mail
May 8 14:07:28 htz postfix/sendmail[16473]: fatal: User web21(5012) is not allowed to submit mail

I have run the antivirus multiple times and there was no infected file found.

I wonder how am I able to understand what these mails are / where are they going / and how can I track down the method they are using to send all these spams ?


First you can list all files owned by web21 user. Try to identify a strange filename, maybe in an strange location too. To do this, you can use this command find / -user web21.

Second try look process with ps to identify process which sending spam. Maybe you can catch it there.

Third, maybe spammer periodically send by crontab, check every crontab in your system to identified the bogus script.

Fourth, the spammer could be send email by send POST/GET request to particular page in your website. Check your web server log, this will point out which page the spammer targeted.