A client of mine has a server hosting postfix as well as nginx with several websites, including an nginx installation with several subdomains / websites.
For a couple of days now the /var/spool/postfix directory has been filling up with e-mails recognized as spam.
The task now is to identify the cause of this exploitation. My feeling is that there is a vulnerability on one of the websites that was used for uploading a web shell or something similar in order to send e-mails via Postfix.
I am not experienced with Postfix so my question is how I can identify the source of the sender. In particular, whether it was a local account or an external user sending the e-mails, maybe the process that triggered the sending, etc. in order to create a bullet-proof link between the sent spam and a potential vulnerability in the website(s).
So far I am running Linux Malware Detect against the entire filesystem. Furthermore, I am running webshell-scan.
So, my question is, is there a sequence of (best) practices in order to further analyze the root cause of the sent spam e-mails?
UPDATE:
Here are some details of one of the sent spam emails:
$ postcat -q 27E70B3B1
*** ENVELOPE RECORDS active/27E70B3B1 ***
message_size: 3001 2450 20 0 3001 0
message_arrival_time: Fri Jan 15 10:06:00 2021
create_time: Fri Jan 15 10:06:01 2021
named_attribute: log_ident=27E70B3B1
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=bounce
sender: morrisheldon@mfarms.net
named_attribute: log_client_name=unknown
named_attribute: log_client_address=91.224.92.168
named_attribute: log_client_port=52564
named_attribute: log_message_origin=unknown[91.224.92.168]
named_attribute: log_helo_name=[91.224.92.168]
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=srv-91-224-92-168.serveroffer.net
named_attribute: client_address=91.224.92.168
named_attribute: client_port=52564
named_attribute: server_address=foo.bar.baz.xxx
named_attribute: server_port=25
named_attribute: helo_name=[91.224.92.168]
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;grluhring@yahoo.com
Does it mean that the attacker was able to authenticate via user "bounce" or is the server misconfigured to simply bounce spam mails coming from another server?
Thanks!
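As an added example (not part of the question and not Postfix's own tooling), a small Python parser for the `postcat -q` envelope records shown above that classifies how a queued message entered Postfix: injected by a process on the host (sendmail/pickup or SMTP to loopback), accepted from a network client that authenticated via SASL, or accepted from a network client without authentication. The category names and decision rules are my own assumptions; the sample input is the record from the question, trimmed to the relevant lines.

```python
import re
from ipaddress import ip_address

# Envelope records quoted in the question (postcat -q 27E70B3B1), trimmed
SAMPLE = """\
*** ENVELOPE RECORDS active/27E70B3B1 ***
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=bounce
sender: morrisheldon@mfarms.net
named_attribute: client_address=91.224.92.168
named_attribute: server_port=25
named_attribute: helo_name=[91.224.92.168]
"""

ATTR_RE = re.compile(r"^named_attribute:\s*(\w+)=(.*)$")

def parse_envelope(text):
    """Collect named_attribute key=value pairs and the sender line from postcat -q output."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        m = ATTR_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
        elif line.startswith("sender:"):
            env["sender"] = line.split(":", 1)[1].strip()
    return env

def classify_origin(env):
    """Decide how the message entered the queue (category names are assumptions).
    local_submit : no client_address -> sendmail(1)/pickup, i.e. a process on this host
    local_smtp   : client_address is loopback -> a process on this host speaking SMTP
    sasl_auth    : network client that logged in via SASL -> leaked, guessed or stolen credentials
    open_relay   : network client accepted without SASL -> relay/restriction misconfiguration
    """
    addr = env.get("client_address")
    if not addr:
        return "local_submit"
    if ip_address(addr).is_loopback:
        return "local_smtp"
    if env.get("sasl_username"):
        return "sasl_auth"
    return "open_relay"

def origin_report(text):
    """Summarise the attribution-relevant fields of one queue file."""
    env = parse_envelope(text)
    report = {"origin": classify_origin(env), "sender": env.get("sender")}
    for key in ("client_address", "sasl_username", "sasl_method", "helo_name", "server_port"):
        if key in env:
            report[key] = env[key]
    return report

if __name__ == "__main__":
    print(origin_report(SAMPLE))
```

For the record in the question this yields origin `sasl_auth` with `sasl_username=bounce` from `91.224.92.168`, so the next defensive step is the SASL login history for that account in the mail log (and disabling or rotating its credentials), not the web tier alone.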