My server yesterday started sending thousands of spam emails. I blocked it by adding default_transport=No transport to the postfix main.cf. But now of course I can't send legitimate emails either.

I have 10+ websites on my CentOS server, using Nginx. I went via FTP to see if there were new strange files or recently edited ones (checking the dates). I couldn't find anything suspicious.

I want to track the source of the script sending emails - they are being sent using the generic email address configured in the server.

In my php.ini I added:

mail.log = /var/log/phpmail.log

And I created the file phpmail.log via touch in /var/log/, and I restarted the server using the command systemctl restart php-fpm.

The file phpmail.log is not populating, still 0KB. Now it has the following rights:

-rwxrwxrwx  1 apache apache       0 Aug 10 12:47 phpmail.log

But I tried to give it nginx.nginx, root.root, web.web, but nothing seems to work. (Of course after each chmod change I restarted php-fpm once again, and tried to send emails using, for example, the mail() contact form on my website.)

And I also tried to make this file populate before adding default_transport=No transport to main.cf.

Not sure if it's useful for you, but mailq is full of mails in the queue.

Do you have any idea what is wrong with the file phpmail.log and why it's not populating, and/or how to find the root cause that is preventing it from populating?


1 Answer

As stated in the PHP manual for the mail.log option, that file only logs messages sent with PHP's mail() function.

If the attacker is directly connecting to your local SMTP service with fsockopen, then anything they send won't be logged.

  • Hi, thanks. Is there any way to capture everything that is being sent via SMTP and at the same time track the script where it originated from (the script that calls the SMTP)? – Pikk Aug 11 '15 at 17:07
  • `at the same time track the script where it originated from (the script that calls the SMTP)`, no, not that I know of. `Is there any way to capture everything that is being sent via SMTP`, you can run an SMTP proxy on the machine to catch the email, or can set up rules with iptables to do it that way, but neither will give you any more information than what you're getting now. – GregL Aug 11 '15 at 18:06
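One way to get the per-script origin the question is after, as an added example and not code from the post or its answer: point php.ini's sendmail_path at a small wrapper that records the calling environment before handing the message to the real sendmail binary. It assumes the wrapper is installed as /usr/local/bin/sendmail-wrapper, that /usr/sbin/sendmail is the MTA's sendmail, and that the php-fpm user can append to the log; as the answer says, it still sees nothing that is sent straight to port 25 with fsockopen.

```shell
#!/bin/sh
# Added example, not code from the post or its answer: a wrapper for php.ini's
# sendmail_path that records which script/directory called mail() and then hands
# the message to the real sendmail binary. Assumptions: php.ini has
# sendmail_path = "/usr/local/bin/sendmail-wrapper -t -i", /usr/sbin/sendmail is
# the MTA's sendmail, and the php-fpm user can append to LOGFILE.
LOGFILE="${PHPMAIL_ORIGIN_LOG:-/var/log/phpmail-origin.log}"
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"

# One log line from the caller's environment. Under mod_php the request variables
# (SCRIPT_FILENAME, HTTP_HOST, REMOTE_ADDR) are usually exported to the child;
# under php-fpm they may be absent, but $PWD is normally the PHP script's
# directory because PHP changes into it before running the script, which is
# enough to identify the site that sent the message.
origin_line() {
    printf '%s pid=%s user=%s pwd=%s script=%s host=%s client=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$(id -un)" "${PWD:-?}" \
        "${SCRIPT_FILENAME:-?}" "${HTTP_HOST:-?}" "${REMOTE_ADDR:-?}"
}

# Append the origin line plus the To/From/Subject headers (so the entry can be
# matched against what mailq shows), then forward the unmodified message.
# Mail sent by talking to port 25 directly (fsockopen) never passes through here.
log_and_forward() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    {
        origin_line
        sed -n '1,/^$/p' "$tmp" | grep -iE '^(to|from|subject):' | sed 's/^/    /'
    } >> "$LOGFILE"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Forward only when running as the installed wrapper; sourcing the file for
# tests defines the functions without touching the MTA.
case "$0" in
    */sendmail-wrapper) log_and_forward "$@" ;;
esac
```

Once the log fills, the pwd= and script= fields point at the directory and file to inspect, and the pid/user fields confirm which pool the mail came from.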