
Postfix analyzing spam sending scripts

Spam is one of the most common problems these days. Many WordPress websites get hacked and used as a spammer's tool. With Postfix you can easily determine which script is being used to send spam when a server is compromised. Let's start analyzing spam-sending scripts in Postfix.

Let’s follow the steps

  1. Log in as the root user and check the mail queue using the mailq command.
    # mailq
  2. In the first column of the mailq output you will find the unique ID of each mail.
  3. Using the unique ID we can gather information about an email. Use postcat -q <ID> to show the email details.
    # postcat -q 128787842abcd
  4. Find the “X-PHP-Originating-Script” header. This is the path or URL of the specific script which is sending emails.
  5. Empty the mail queue using postsuper -d ALL (this deletes every queued message, legitimate mail included).
    # postsuper -d ALL
  6. Watch the mail queue for some time to find out whether other scripts are also sending spam.
    # watch mailq
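
Steps 2 to 4 applied to every queued message at once, as an added example that is not part of the original post; run it before step 5, because `postsuper -d ALL` removes the messages it reads. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: tally X-PHP-Originating-Script values across the Postfix queue.

# Print queue IDs from `mailq` output on stdin. Entry lines start in column 1
# with the ID (optionally flagged * = active, ! = on hold) followed by the size.
queue_ids() {
    awk '/^[0-9A-Za-z]/ && $2 ~ /^[0-9]+$/ { id = $1; sub(/[*!]$/, "", id); print id }'
}

# Print the X-PHP-Originating-Script value from `postcat -q` output on stdin,
# or "(no header)" when the header is absent. PHP writes it as <uid>:<file name>.
originating_script() {
    awk 'tolower($0) ~ /^x-php-originating-script:/ {
             sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
         END { if (!found) print "(no header)" }'
}

# Walk the live queue and count messages per originating script (run as root).
tally_scripts() {
    mailq | queue_ids | while read -r id; do
        postcat -q "$id" 2>/dev/null | originating_script
    done | sort | uniq -c | sort -rn
}

# Constructed sample input, shaped like mailq and postcat -q output.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A91C0E4*    1523 Mon Mar  4 10:12:01  www-data@host.example
                                         user1@example.org

A1B2C3D4E5!    2048 Mon Mar  4 10:12:05  www-data@host.example
   (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         user2@example.net

-- 4 Kbytes in 2 Requests.'

SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/3F2A91C0E4 ***
sender: www-data@host.example
*** MESSAGE CONTENTS deferred/3F2A91C0E4 ***
To: user1@example.org
Subject: constructed sample
X-PHP-Originating-Script: 33:class-mailer.php

body text
*** HEADER EXTRACTED deferred/3F2A91C0E4 ***'

# Run against the real queue only when asked to: sh tally.sh --live
if [ "${1:-}" = "--live" ]; then tally_scripts; fi
```

PHP adds this header only when `mail.add_x_header` is enabled in php.ini, so a large "(no header)" count means the mail came from somewhere else or the setting is off.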

There are some other useful links too:

  • find spam sending PHP scripts
  • Delete all spam emails in Postfix