
Postfix sends a lot of spam

kogh's picture

Hi, I have a TurnkeyLinux server, joomla25 3.2.0-4-amd64. For some time I have had a problem with Postfix on the server: it sends a lot of spam. The cause was probably an infected Joomla page. I removed the infected page and stopped the Apache server, but the problem has not gone away. My question is how to check what is sending so much spam. Maybe Postfix is infected? When I start Postfix (postfix start), I immediately have a lot of processes like:

postfix   5929  0.0  0.1  39964  2404 ?        S    09:34   0:00  \_ pickup -l -t fifo -u -c
postfix   5930  1.4  0.1  40536  3052 ?        D    09:34   0:00  \_ qmgr -l -t fifo -u
postfix   5937  0.2  0.1  39976  2420 ?        S    09:34   0:00  \_ trivial-rewrite -n rewrite -t unix -u -c
postfix   5941  0.0  0.1  44268  2696 ?        S    09:34   0:00  \_ smtp -t unix -u -c
...
postfix   6005  0.0  0.1  44268  2696 ?        S    09:34   0:00  \_ smtp -t unix -u -c
postfix   6006  0.2  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6007  0.2  0.1  44268  2812 ?        S    09:34   0:00  \_ smtp -t unix -u -c
...
postfix   6010  0.0  0.1  44268  2824 ?        S    09:34   0:00  \_ smtp -t unix -u -c
postfix   6011  0.0  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6012  0.0  0.1  44268  2828 ?        S    09:34   0:00  \_ smtp -t unix -u -c
...
postfix   6020  0.0  0.1  44268  2692 ?        S    09:34   0:00  \_ smtp -t unix -u -c
postfix   6021  0.0  0.1  39996  2420 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6022  0.0  0.1  39996  2420 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6023  0.0  0.1  39996  2420 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6024  0.0  0.1  44268  2816 ?        S    09:34   0:00  \_ smtp -t unix -u -c
postfix   6025  0.0  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6026  0.0  0.1  39996  2420 ?        D    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6027  0.0  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6028  0.0  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6029  0.0  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6030  0.0  0.1  39996  2416 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6031  0.0  0.1  39996  2420 ?        S    09:34   0:00  \_ bounce -z -n defer -t unix -u -c
postfix   6032  0.0  0.1  39960  2400 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6033  0.0  0.1  39960  2404 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6034  0.0  0.1  39960  2400 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6035  0.0  0.1  39960  2400 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6036  0.0  0.1  39960  2400 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6037  0.0  0.1  39960  2404 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6038  0.0  0.1  39960  2400 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6039  0.0  0.1  39960  2400 ?        S    09:34   0:00  \_ error -n retry -t unix -u -c
postfix   6040  0.0  0.1  39964  2400 ?        S    09:34   0:00  \_ scache -l -t unix -u -c

 

My main.cf looks like:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localdomain, localhost, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = localhost

 

Jeremy Davis's picture

But I wonder if it is just caused by a backlog of unsent/bounced mail? Looking at the process list, it seems like it's retrying mails that have previously bounced or failed sending for some other reason!?

You can see what is in the mail queue like this:

mailq

That should display a list of all queued mail and each message should have a unique ID. If you wish to read any of the emails (which may assist you to see where they may be coming from) then you can do that like this:

postcat -q <MSG_ID>

If you would like to delete individual messages from the queue, do that like this:

postsuper -d <MSG_ID>

To remove all mail from the queue:

postsuper -d ALL

To remove all mails in the deferred queue:

postsuper -d ALL deferred

To find out more about what postsuper can do:

man postsuper

Beyond that I'm not really sure. I doubt that postfix itself is infected, but you may have some other malware running (e.g. a rogue service that a hacker has installed?) that is sending out emails? Perhaps there is still some infected Joomla page(s)? Or perhaps there is a vulnerability in the version of Joomla you are using which is repeatedly being exploited? E.g. perhaps you have cleared the infection from one page, but another has been reinfected in the meantime?
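
A way to see who is filling the queue before deleting anything, as an added example that is not part of the original thread: it groups `mailq` output by envelope sender and lists one sender's queue IDs, which `postsuper -d -` accepts on standard input as a narrower alternative to `postsuper -d ALL`. The sample queue, its IDs and addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage a Postfix queue from `mailq` output read on stdin.

# Constructed sample in the layout `mailq` prints; IDs and addresses are made up.
sample_mailq() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C4D*    1820 Tue Mar  3 09:34:01  www-data@localhost
                                         user1@example.com

7B9C0D1E2F     1795 Tue Mar  3 09:34:02  www-data@localhost
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         user2@example.net

A1B2C3D4E5     2410 Tue Mar  3 09:34:05  MAILER-DAEMON
(delivery temporarily suspended: connection refused)
                                         www-data@localhost

C4D5E6F7A8!    1801 Tue Mar  3 09:34:07  www-data@localhost
                                         user3@example.org

-- 8 Kbytes in 4 Requests.
EOF
}

# Entry lines start with the queue ID (optionally flagged * active or ! held),
# then size, arrival time (4 fields) and the envelope sender in field 7.
# Header, footer, deferral-reason and recipient lines do not match.
entry_lines() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ && NF >= 7'
}

# Count queued messages per envelope sender, busiest first: "<count> <sender>".
queue_senders() {
    entry_lines | awk '{ print $7 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Print the bare queue IDs of every message from one envelope sender.
queue_ids_from() {
    entry_lines | awk -v s="$1" '$7 == s { sub(/[*!]$/, "", $1); print $1 }'
}

# Runs against the sample here; on a live host use for example:
#   mailq | queue_senders
#   mailq | queue_ids_from www-data@localhost | postsuper -d -
sample_mailq | queue_senders
```

A queue dominated by the web server's account (`www-data` on Debian) points at a web application handing mail to the local `sendmail` interface, which fits `inet_interfaces = localhost` in the posted main.cf.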

kogh's picture

Thanks Jeremy, it helps :-) I removed over 50000 mails from the queue.
