
Finding source of outbound spam

Status
Not open for further replies.

jeremynd01

Technical User
Feb 22, 2004
2
US
I need some serious help here. I set up a postfix server for a friend five years ago, and lately it seems to be sending out a ton of spam. The logs are full of entries like this:

Oct 14 23:05:03 mail postfix/cleanup[30758]: 1BCF12402D: message-id=<20071015030503.1BCF12402D@mail.mungedmydomain.com>
Oct 14 23:05:03 mail postfix/nqmgr[30535]: 1BCF12402D: from=<>, size=3103, nrcpt=1 (queue active)
Oct 14 23:05:04 mail postfix/smtp[30756]: 1BCF12402D: to=<LoriecacophonistSouza@newscientist.com>, relay=my.isps.mailhost.relay.com[207.115.20.115], delay=1, status=sent (250 2.0.0 l9F35DZf011965 Message accepted for delivery)

(I've munged my domain name and relayhost, for privacy).

You can see that this message is bogus and has an empty "from" field, and I don't know of any way to trace its origin. I thought it might be a local PC with a virus, but I disabled the entire LAN interface and the messages keep appearing, so they must be either from the outside or the mail server itself. I double checked, and postfix is set not to relay any message except from local clients, and abuse.net/relay.html confirms I didn't screw up and make an open relay.

So how can I find out where these things are coming from, so I can plug that hole?? Thanks!
 
Chances are that this is going to turn out that either the postfix box was owned (it's been five years since you installed it for your friend. What maintenance has he done in the last half-decade?) or some machine that is authorized to relay through the postfix box was owned.

Finding out which is a fairly trivial task. Anything using postfix as a relay is going to be connecting from somewhere (even if "somewhere" is localhost) and that should generate a message like:

Oct 15 07:51:08 xxxxxxxxxx postfix/smtpd[20977]: connect from unknown[xxx.xxx.xxx.xxx]

If you're not seeing messages like that, turn up the log level.
 
I think there is a high likelihood of an "owned" box, and I regretfully think it may be the server.

Now, to try and find the connection of the offending message, I bumped the log level up by adding a -v to the smtpd line in the master.cf file. Then I browse for an instance like the one in my original post, searching for the email ID that postfix assigns.

The problem is, the first entry of that ID is the "mail postfix/cleanup" line (since, I guess you could connect to port 25 and not actually send a message, so there would be no message ID). I tried visually browsing back to look for a connection just before the spam, but there is so much going on I can't with certainty say which connection belongs to the bogus email. (In fact, I didn't see anything within the minute before the message that seemed suspicious - is it possible that one connection is opened, possibly hours ago, and sends many messages before closing?)

I'm wondering if there is a way for Postfix to refuse to send messages with that bogus "from=<>" field?
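The correlation the replies describe does not need timestamp proximity at all, which is what makes the "connection opened hours ago" worry moot. Postfix logs the origin of every message under the same queue ID it later uses for cleanup and qmgr: a message received over SMTP gets an smtpd line of the form "QUEUEID: client=host[ip]" (with sasl_username appended if the client authenticated), a message handed in locally through sendmail/postdrop gets a pickup line "QUEUEID: uid=N from=<user>", and a bounce that Postfix generates itself gets a bounce line on the *original* message, "ORIGID: sender non-delivery notification: NEWID", after which NEWID shows up in cleanup and qmgr with from=<>. That last case matters for this thread: from=<> is the null envelope sender that Postfix uses for its own bounces, so a from=<> message whose message-id is in the server's own domain is often a bounce of something the server accepted earlier, although a remote client can also say MAIL FROM:<> and the origin line is what settles it. The following script is an added example, not code from the original post; it parses constructed log lines in the format shown above (the queue IDs, hosts and addresses are invented), groups them by queue ID, and for each message reports the line that says where it entered Postfix, following bounces back to the message that triggered them. It assumes the default short hexadecimal queue IDs and that the smtpd, pickup and bounce lines are present, which they are at the normal log level; a message with no such line is reported as unexplained rather than guessed at.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). Five messages:
#   AAAA... received over SMTP from an outside host
#   BBBB... submitted locally by uid 1001 via the sendmail command
#   CCCC... received over SMTP, then bounced by this server as DDDD...
#   DDDD... the bounce itself: from=<>, message-id in the server's own domain
#   EEEE... from=<> with no origin line at all (what the poster is seeing)
SAMPLE_LOG = """\
Oct 15 07:51:08 mail postfix/smtpd[20977]: connect from unknown[192.0.2.10]
Oct 15 07:51:09 mail postfix/smtpd[20977]: AAAA1111AA: client=unknown[192.0.2.10]
Oct 15 07:51:09 mail postfix/cleanup[20980]: AAAA1111AA: message-id=<x@example.org>
Oct 15 07:51:09 mail postfix/qmgr[20535]: AAAA1111AA: from=<spam@example.org>, size=2000, nrcpt=1 (queue active)
Oct 15 07:51:10 mail postfix/smtp[20982]: AAAA1111AA: to=<v@example.net>, relay=relay.example[198.51.100.5]:25, delay=1, status=sent (250 ok)
Oct 15 07:52:00 mail postfix/pickup[20400]: BBBB2222BB: uid=1001 from=<www-data>
Oct 15 07:52:00 mail postfix/cleanup[20980]: BBBB2222BB: message-id=<20071015075200.BBBB2222BB@mail.example.com>
Oct 15 07:52:00 mail postfix/qmgr[20535]: BBBB2222BB: from=<www-data@mail.example.com>, size=3000, nrcpt=1 (queue active)
Oct 15 07:52:59 mail postfix/smtpd[20977]: CCCC3333CC: client=unknown[203.0.113.7]
Oct 15 07:52:59 mail postfix/qmgr[20535]: CCCC3333CC: from=<forged@example.com>, size=2500, nrcpt=1 (queue active)
Oct 15 07:53:00 mail postfix/bounce[20990]: CCCC3333CC: sender non-delivery notification: DDDD4444DD
Oct 15 07:53:00 mail postfix/cleanup[20980]: DDDD4444DD: message-id=<20071015075300.DDDD4444DD@mail.example.com>
Oct 15 07:53:00 mail postfix/qmgr[20535]: DDDD4444DD: from=<>, size=3103, nrcpt=1 (queue active)
Oct 15 07:53:01 mail postfix/smtp[20982]: DDDD4444DD: to=<forged@example.com>, relay=relay.example[198.51.100.5]:25, delay=1, status=sent (250 ok)
Oct 15 07:54:00 mail postfix/cleanup[20980]: EEEE5555EE: message-id=<20071015075400.EEEE5555EE@mail.example.com>
Oct 15 07:54:00 mail postfix/qmgr[20535]: EEEE5555EE: from=<>, size=3103, nrcpt=1 (queue active)
"""

# One syslog line with a queue ID. Lines without one ("connect from",
# "disconnect", warnings) do not match and are skipped. Assumes the
# default short hex queue IDs (at least 6 hex digits).
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<client>\S+?)(?:,|$)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
UID_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
BOUNCE_RE = re.compile(r"non-delivery notification: (?P<child>[0-9A-F]{6,})")
FROM_RE = re.compile(r"from=<(?P<from>[^>]*)>")


def new_record():
    return {"origin": None, "detail": None, "parent": None, "from": None}


def parse(log_text):
    """Group log lines by queue ID and record how each message entered Postfix."""
    msgs = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog"), m.group("qid"), m.group("rest")
        rec = msgs[qid]
        if prog == "smtpd" and CLIENT_RE.search(rest):
            rec["origin"] = "smtp"
            rec["detail"] = CLIENT_RE.search(rest).group("client")
            s = SASL_RE.search(rest)
            if s:
                rec["detail"] += " sasl_username=" + s.group("user")
        elif prog == "pickup" and UID_RE.search(rest):
            u = UID_RE.search(rest)
            rec["origin"] = "local"
            rec["detail"] = "uid=%s from=<%s>" % (u.group("uid"), u.group("from"))
        elif prog == "bounce" and BOUNCE_RE.search(rest):
            # The bounce is logged on the ORIGINAL message; the new queue ID
            # named in the line is the from=<> notification Postfix created.
            child = msgs[BOUNCE_RE.search(rest).group("child")]
            child["origin"] = "bounce"
            child["parent"] = qid
        elif prog in ("qmgr", "nqmgr") and FROM_RE.search(rest):
            rec["from"] = FROM_RE.search(rest).group("from")  # "" means from=<>
    return dict(msgs)


def trace(qid, msgs):
    """Say where a message came from, following bounces back to their trigger."""
    rec = msgs.get(qid)
    if rec is None:
        return "%s: not in log" % qid
    if rec["origin"] == "smtp":
        return "%s: received via SMTP from %s" % (qid, rec["detail"])
    if rec["origin"] == "local":
        return "%s: submitted locally via sendmail/postdrop, %s" % (qid, rec["detail"])
    if rec["origin"] == "bounce":
        return "%s: generated by Postfix as a bounce for %s; %s" % (
            qid, rec["parent"], trace(rec["parent"], msgs))
    return "%s: no smtpd/pickup/bounce line found; origin not logged at this level" % qid


def null_sender_ids(msgs):
    """Queue IDs whose envelope sender was empty (from=<>)."""
    return sorted(q for q, r in msgs.items() if r["from"] == "")


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for q in sorted(parsed):
        print(trace(q, parsed))
    print("null-sender messages:", null_sender_ids(parsed))
```

Run it against a real mail log (for example `python3 trace.py < /var/log/mail.log` after replacing SAMPLE_LOG with stdin) and look at what trace() says for the from=<> queue IDs: "received via SMTP from" with an outside address means the server accepted it, "submitted locally" with a uid points at a process on the box itself, and "generated by Postfix as a bounce" means the message to chase is the parent. Only the last branch, no origin line at all, calls for raising the smtpd log level as the earlier reply suggests. Rejecting every from=<> message outright is not a fix: the null sender is how legitimate bounces to this server's own users arrive.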
 
