How to find the source of outgoing SPAM emails on my Server [closed]

Hello, this is my first time here.

I do know a little about Linux, but I can't seem to find out the source of the tons of SPAM emails being sent out from my server.

Here is a small portion of the QMAIL queue:


29 May 2014 06:29:00 GMT  #13879694  601  <marina_velazquez@spam_domain1.org>
        remote  [email protected]
29 May 2014 06:35:05 GMT  #13880108  636  <iva_holman@spam_domain1.org>
        remote  [email protected]
29 May 2014 06:38:26 GMT  #13880223  677  <kathryn_spence@spam_domain1.org>
        remote  [email protected]
29 May 2014 06:40:44 GMT  #13879786  620  <marisol_harper@spam_domain1.org>
        remote  [email protected]
29 May 2014 07:20:08 GMT  #13880361  642  <candace_hammond@spam_domain2.com>
        remote  [email protected]
29 May 2014 07:21:44 GMT  #13880407  659  <esperanza_barnett@spam_domain2.com>
        remote  [email protected]

Here is what I find when I look at the last mail with less:


[email protected]^@Received: (qmail 7343 invoked by uid 33); 29 May 2014 07:20:07 -0500
Date: 29 May 2014 07:20:07 -0500
Message-ID: <[email protected]>
To: [email protected]
Subject:  Ha ha
From: "Candace Hammond" <candace_hammond@spam_domain2.com>
Reply-To: "Candace Hammond" <candace_hammond@spam_domain2.com>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit



<!-- Contents of spam message removed--> ^@

I see it says UID 33, but there is no mail log file that I can find. This is an Ubuntu server.

How can I isolate the source of the spam?

Are they from a script on the server? If so, how can I locate it?

Can they be from a remote machine? If so, how do I know?

Thanks for any help, I really need this fixed ASAP.

Paul


On Ubuntu, UID 33 is usually www-data, the httpd user. Most likely, someone found an exploitable web script on your server, which you need to locate and terminate. Read the httpd logs. For now, stop letting uid 33 send mail or make outgoing connections:

iptables -I OUTPUT ! -o lo -m owner --uid-owner 33 -m conntrack --ctstate NEW -j REJECT

(you may need to use -m state --state NEW on older kernels instead of conntrack)

Then disable sendmail access for httpd.

setfacl -m u:www-data:000 `which sendmail`

to revert:

iptables -D OUTPUT ! -o lo -m owner --uid-owner 33 -m conntrack --ctstate NEW -j REJECT
setfacl -x u:www-data `which sendmail`

Now that it's disabled, you can investigate your scripts at leisure.
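As an added example (this is not code from the question or the answer above), the following POSIX shell script does the "read the httpd logs" step mechanically: it takes the qmail `Received:` line of a queued spam, checks whether the message was injected locally and by which uid, converts the qmail timestamp and the Apache access-log timestamps to Unix time, and lists the requests that hit the web server in the seconds around the injection, tallying which path was POSTed to. The `Received:` header is the one quoted in the question; the access-log lines and the path `/images/cache.php` are constructed for the demo and are not real traffic; `uid_name` assumes `getent` is available.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Correlate a queued spam's "Received: (qmail N invoked by uid U); <date>" line
# with the web server's access log to find the script that is being abused.
# All data below is embedded: the header is the one from the question, the
# access-log lines and /images/cache.php are constructed for this demo.

# The header from the question (queue-file NUL prefix stripped).
SPAM_HEADER='Received: (qmail 7343 invoked by uid 33); 29 May 2014 07:20:07 -0500'

# Constructed Apache combined-format lines (not real traffic).
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [29/May/2014:07:19:58 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2014:07:20:06 -0500] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.9 - - [29/May/2014:07:20:07 -0500] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.44 - - [29/May/2014:07:21:40 -0500] "GET /about.html HTTP/1.1" 200 812 "-" "curl/7.35.0"
198.51.100.7 - - [29/May/2014:07:21:43 -0500] "POST /images/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
EOF
}

# qmail stamps "invoked by uid N" when a local process (sendmail/qmail-inject)
# handed the message to qmail-queue, and "invoked from network" when it arrived
# over SMTP, so the former rules out a remote submitter.
is_local_injection() { case "$1" in *"invoked by uid "*) return 0 ;; *) return 1 ;; esac; }

uid_from_received() { printf '%s\n' "$1" | sed -n 's/.*invoked by uid \([0-9][0-9]*\).*/\1/p'; }

# Map a uid to its account name (assumes getent exists; on Ubuntu 33 is www-data).
uid_name() { getent passwd "$1" | cut -d: -f1; }

# Convert "DD Mon YYYY HH MM SS +ZZZZ" fields to Unix time in UTC.  Pure awk
# arithmetic via the Julian day number, so mawk/busybox awk work as well.
to_utc_secs() {
    [ $# -eq 7 ] || return 1
    awk -v d="$1" -v mon="$2" -v y="$3" -v H="$4" -v M="$5" -v S="$6" -v tz="$7" 'BEGIN {
        m   = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        a   = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        jdn = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        t_local = (jdn - 2440588) * 86400 + H * 3600 + M * 60 + S   # 2440588 = JDN of 1970-01-01
        off = (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60) * (substr(tz, 1, 1) == "-" ? -1 : 1)
        print t_local - off
    }'
}

# "...; 29 May 2014 07:20:07 -0500" -> Unix time
received_secs() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*; *\([0-9][0-9]*\) \([A-Za-z]*\) \([0-9]*\) \([0-9]*\):\([0-9]*\):\([0-9]*\) \([-+][0-9]*\).*/\1 \2 \3 \4 \5 \6 \7/p')
    to_utc_secs "$@"
}

# "[29/May/2014:07:20:07 -0500]" inside an access-log line -> Unix time
clf_secs() {
    set -- $(printf '%s\n' "$1" | sed -n 's|.*\[\([0-9]*\)/\([A-Za-z]*\)/\([0-9]*\):\([0-9]*\):\([0-9]*\):\([0-9]*\) \([-+][0-9]*\)\].*|\1 \2 \3 \4 \5 \6 \7|p')
    to_utc_secs "$@"
}

# Print the access-log lines on stdin that fall within $2 seconds of the
# Received time in $1.
requests_near() {
    t=$(received_secs "$1") || return 1
    while IFS= read -r line; do
        s=$(clf_secs "$line") || continue
        d=$((s - t)); [ "$d" -lt 0 ] && d=$((0 - d))
        [ "$d" -le "$2" ] && printf '%s\n' "$line"
    done
    return 0
}

# Tally POSTed paths as "count path", most frequent first; a web mailer driven
# by a bot is usually the path that stands out here.
top_posted_scripts() { awk '$6 == "\"POST" { n[$7]++ } END { for (p in n) print n[p], p }' | sort -rn; }

count_lines() { awk 'END { print NR }'; }

# Demo on the embedded data.  On the real box feed the real log instead of
# sample_access_log, e.g. cat /var/log/apache2/access.log* | requests_near ...
if is_local_injection "$SPAM_HEADER"; then
    echo "local injection by uid $(uid_from_received "$SPAM_HEADER") ($(uid_name 33 2>/dev/null || echo unknown))"
fi
echo "requests within 5 s of the spam:"
sample_access_log | requests_near "$SPAM_HEADER" 5
echo "POST targets in that window:"
sample_access_log | requests_near "$SPAM_HEADER" 5 | top_posted_scripts
```

The `Received:` line already answers the remote-machine question: "invoked by uid 33" means a process running as uid 33 on this box called sendmail or qmail-inject, whereas mail accepted over SMTP is stamped "invoked from network". On Ubuntu the Apache log is `/var/log/apache2/access.log` (nginx: `/var/log/nginx/access.log`); widen the window to a minute or two if the web server's clock and qmail's clock disagree. For PHP, setting `mail.add_x_header = On` and `mail.log = /var/log/php-mail.log` in php.ini (PHP 5.3 and later) makes every subsequent `mail()` call record the originating script path and uid, which points at the file directly once sending is re-enabled.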