
I was checking my munin tables and saw a huge list of deferred mails in postfix and looking into /var/log/mail.log gave me an idea: I am sending mails to unknown mail addresses:

Dec 23 08:21:32 h2065299 postfix/pickup[10816]: 63F5811A0384: uid=33 from=<www-data>
Dec 23 08:21:32 h2065299 postfix/cleanup[20915]: 63F5811A0384: message-id=<301b8e057416d03df3ac7c11f1aa5bda@www.my-server.com>
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: from=<www-data@my-server.com>, size=2254, nrcpt=1 (queue active)
Dec 23 08:21:32 h2065299 postfix/smtp[20917]: 63F5811A0384: to=<underlyingbzvn+zprtra@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, $
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: removed

This is not really different from a forced "good" email:

Dec 23 09:41:51 h2065299 postfix/pickup[28905]: EE51611A0393: uid=33 from=<www-data>
Dec 23 09:41:51 h2065299 postfix/cleanup[30516]: EE51611A0393: message-id=<2736115f98e8293f5e8b657b22e66b4d@www.my-server.com>
Dec 23 09:41:52 h2065299 postfix/qmgr[28906]: EE51611A0393: from=<www-data@my-server.com>, size=977, nrcpt=1 (queue active)
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: connect to gmail-smtp-in.l.google.com[2a00:1450:4008:c01::1b]:25: Connection timed out
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: EE51611A0393: to=<my-name@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.27]:25, delay=$
Dec 23 09:42:22 h2065299 postfix/qmgr[28906]: EE51611A0393: removed

We are running three WordPress installations and some script folders on the server. The WPs are up to date and I think we have correct file permissions on them.

What can cause www-data to send mails to unknown users?!

Riccardo

2 Answers


If your server is sending lots of mails to unknown users, it's probably spamming. To confirm this, you should check your postfix queue for the IDs of the deferred mails and read what's in them.

If you're using CMS systems like WordPress, there's probably some insecure script that can be used for sending spam. If your WordPress is up to date, you should also check whether any plugins, modules etc. are too.

To find out which script is responsible for sending these mails, you can set the directive

mail.add_x_header = On

in your php.ini. This will add an additional mail header

X-PHP-Originating-Script

to your mails that shows the sending script. This directive is available from PHP 5.3 on.

etagenklo
  • That sounds good but I've checked the php.ini in the /etc/php5/apache2 folder and this mail.add_x_header = On was already set. – Riccardo Dec 23 '13 at 10:48
  • Then check the mails in the postfix deferred queue. They should have an X-PHP-Originating-Script header showing you the responsible script. – etagenklo Dec 23 '13 at 11:00
  • I've cleared the queue after the removal of old WordPress versions on unused vservers. Now the queue is only filled sporadically. Nevertheless there are mails going out to unknown gmail users. – Riccardo Dec 23 '13 at 11:22
  • You can use iptables to prevent outgoing TCP connections to port 25 to investigate the problem without spamming. –  Dec 23 '13 at 12:10
  • As I said, read the mails in your queue. The headers will show you the originating script. – etagenklo Dec 23 '13 at 14:52
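The answer's advice is to read the queued messages and look at the X-PHP-Originating-Script header. Here is an added example (not code from the answer) that does that mechanically: it takes the text of a queued message as printed by `postcat -q <queue-id>` (or a plain saved .eml), cuts out postcat's `*** ... ***` marker lines, reads the header, and tallies which scripts produced a batch of messages. It assumes PHP's header format of `<uid>:<script name>`; the queued messages and the script name `comment-notify.php` are constructed, not taken from the poster's server.

```python
"""Identify the PHP script behind a queued Postfix message.

Added example, not code from the answer above: it takes the text of a queued
message as printed by `postcat -q <queue-id>` (or a plain saved .eml), strips
postcat's '*** ... ***' marker lines, reads the X-PHP-Originating-Script
header that PHP adds when mail.add_x_header=On, and tallies which scripts
produced a batch of messages. PHP writes the header as "<uid>:<script name>".
The queued messages below are constructed; the script names are hypothetical.
"""
from collections import Counter
from email import message_from_string

HEADER = "X-PHP-Originating-Script"

# Constructed sample: one message as postcat shows it (envelope block abbreviated,
# marker lines as postcat prints them), plus two plain messages.
SAMPLE_MESSAGES = [
    """\
*** ENVELOPE RECORDS deferred/6/63F5811A0384 ***
sender: www-data@my-server.com
recipient: underlyingbzvn+zprtra@gmail.com
*** MESSAGE CONTENTS deferred/6/63F5811A0384 ***
Received: by www.my-server.com (Postfix, from userid 33)
To: underlyingbzvn+zprtra@gmail.com
Subject: Please confirm your comment
X-PHP-Originating-Script: 33:comment-notify.php
Message-Id: <301b8e057416d03df3ac7c11f1aa5bda@www.my-server.com>
From: www-data@my-server.com

Click the link below to confirm your comment.
*** HEADER EXTRACTED deferred/6/63F5811A0384 ***
*** MESSAGE FILE END deferred/6/63F5811A0384 ***
""",
    """\
To: someone@example.com
Subject: Please confirm your comment
X-PHP-Originating-Script: 33:comment-notify.php
From: www-data@my-server.com

Click the link below to confirm your comment.
""",
    """\
To: root@my-server.com
Subject: Cron <root@h2065299> /usr/bin/some-job
From: root@my-server.com

job output
""",
]


def message_part(postcat_output):
    """Cut the RFC 822 message out of `postcat -q` output.

    postcat wraps the message in '*** ENVELOPE RECORDS', '*** MESSAGE CONTENTS'
    and '*** HEADER EXTRACTED' marker lines; plain .eml text without markers is
    returned unchanged.
    """
    lines = postcat_output.splitlines()
    start = None
    for i, line in enumerate(lines):
        if line.startswith("*** MESSAGE CONTENTS"):
            start = i + 1
        elif start is not None and line.startswith("*** "):
            return "\n".join(lines[start:i])
    return postcat_output if start is None else "\n".join(lines[start:])


def originating_script(text):
    """Return (uid, script) from X-PHP-Originating-Script, or None if absent.

    A missing header means the message did not go through PHP's mail() with
    mail.add_x_header=On (e.g. a cron mail handed to sendmail directly).
    """
    msg = message_from_string(message_part(text))
    value = msg.get(HEADER)
    if value is None:
        return None
    uid, _, script = value.strip().partition(":")
    return (int(uid) if uid.isdigit() else None, script)


def tally_scripts(messages):
    """Count how many queued messages each script produced."""
    counts = Counter()
    for text in messages:
        hit = originating_script(text)
        counts[hit[1] if hit else "<no PHP header>"] += 1
    return counts


if __name__ == "__main__":
    for script, n in tally_scripts(SAMPLE_MESSAGES).most_common():
        print(f"{n:4d}  {script}")
```

In practice you would feed it the output of `postcat -q` for each ID listed by `postqueue -p`; the script with the largest count is the one to inspect (and the `<uid>` part confirms it ran as www-data, matching the `uid=33` in the log).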

Strange signs, simple explanation: we are using a plugin that asks the commenter on a post to verify his comment. This means: each commenter receives an email. After upgrading WordPress to 3.8 some bots are able to post a comment without answering the required captcha in the blog post. That means: a lot of comments, which results in a lot of mails. We are hoping to get an update for the re-captcha plugin soon.

The queue was filled by emails to heavy-usage gmail spam accounts (the receiver gets too many messages in a given time...).

So it is a result of wanted mail-traffic and no "spamming" from our server seems to be involved.

Riccardo