How to check my linux server isn't spamming


Solution 1

One of the easiest ways is to check your /var/log/maillog (default location) to see if it's sending out mail that you're not expecting.
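As an added example (not part of this answer): a small shell script that pulls the usual warning signs out of a Postfix-style mail log: who is queueing mail, how much of it bounces, and how much went out in one hour. The log lines are constructed for the demo; on a real host point the functions at /var/log/maillog (or /var/log/mail.log on Debian and Ubuntu). The function names are this example's own.

```shell
# Added example, not code from the original answer. The log below is a
# constructed Postfix-style sample; replace "$SAMPLE_LOG" with the real log.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 17 10:01:02 host postfix/qmgr[1234]: 0A1B2C: from=<www-data@host.example>, size=812, nrcpt=1 (queue active)
Sep 17 10:01:02 host postfix/smtp[1240]: 0A1B2C: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, status=sent (250 OK)
Sep 17 10:01:05 host postfix/qmgr[1234]: 1B2C3D: from=<www-data@host.example>, size=799, nrcpt=1 (queue active)
Sep 17 10:01:05 host postfix/smtp[1241]: 1B2C3D: to=<bob@example.org>, relay=mx.example.org[192.0.2.11]:25, status=bounced (550 no such user)
Sep 17 10:01:09 host postfix/qmgr[1234]: 2C3D4E: from=<www-data@host.example>, size=805, nrcpt=1 (queue active)
Sep 17 10:02:00 host postfix/qmgr[1234]: 3D4E5F: from=<root@host.example>, size=412, nrcpt=1 (queue active)
Sep 17 10:02:00 host postfix/smtp[1242]: 3D4E5F: to=<admin@example.com>, relay=mx.example.com[192.0.2.12]:25, status=sent (250 OK)
EOF

# Queued messages per envelope sender, busiest first, as "<count> <sender>".
# A web-server account (www-data, apache, nobody) at the top of this list
# that you did not expect is the classic sign of a script being abused.
summarize_senders() {
  grep -o 'from=<[^>]*>' "$1" \
    | sed 's/^from=<//; s/>$//' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Delivery attempts the remote side rejected. Spam runs against bought
# address lists bounce far more often than legitimate mail does.
count_bounces() {
  grep -c 'status=bounced' "$1" || true
}

# Messages queued within one clock hour, given the log and a prefix such
# as "Sep 17 10": the simplest form of a per-hour volume check.
count_in_hour() {
  grep "^$2" "$1" | grep -c 'from=<' || true
}

# Run stand-alone to see the summary for the sample log.
summarize_senders "$SAMPLE_LOG"
echo "bounced: $(count_bounces "$SAMPLE_LOG")"
echo "queued in Sep 17 10:xx: $(count_in_hour "$SAMPLE_LOG" 'Sep 17 10')"
```

The sender summary is the first thing to look at: three of the four queued messages in the sample come from the web server's own account, which on a box that only sends the occasional contact-form mail is worth explaining.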

Solution 2

Do you have PHP scripts on your server that make use of email? Make damn sure that those don't allow visitors to specify the address that mail is sent to. That means not having To fields in forms that create email.

That alone is not enough, as spammers can inject mail headers into poorly written mailer scripts. Check out http://www.alt-php-faq.org/local/115/ for a discussion on this.

You may not have control of all the scripts on your server, so you may want to read http://ilia.ws/archives/149-mail-logging-for-PHP.html which gives details of a PHP extension which logs all use of the mail function. That will give you a specific place to look for PHP related mail activity, which may be useful if you also send mail legitimately from this server.
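As an added example (not part of this answer or of the linked articles): a grep-based audit that walks a document root, reports every PHP script calling mail(), and marks for review the ones where a request variable goes straight into the call or where the visitor supplies a field named to/cc/bcc/headers/recipient, which is the pattern the paragraphs above warn about. The two PHP files are constructed fixtures showing the vulnerable form next to the fixed one; audit_php_mail is this example's own helper.

```shell
# Added example, not code from the original answer. The two scripts are
# constructed fixtures; point audit_php_mail at your real document root.

FIXTURE=$(mktemp -d)

cat > "$FIXTURE/contact_bad.php" <<'EOF'
<?php
// Visitor chooses the recipient and the From header: header injection waiting to happen.
$to = $_POST['to'];
$headers = "From: " . $_POST['email'] . "\r\n";
mail($to, $_POST['subject'], $_POST['message'], $headers);
EOF

cat > "$FIXTURE/contact_ok.php" <<'EOF'
<?php
// Fixed recipient; the visitor's address is validated and line breaks are refused.
$to = 'webmaster@example.com';
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($email === false || preg_match('/[\r\n]/', $_POST['subject'])) {
    exit('invalid input');
}
$subject = $_POST['subject'];
$message = $_POST['message'];
mail($to, $subject, $message, "From: $email\r\n");
EOF

# Prints one line per script that calls mail(): "REVIEW <file>" or "ok <file>".
# This is a grep heuristic, not a PHP parser: it catches the obvious cases,
# and anything it marks "ok" still deserves a read.
audit_php_mail() {
  find "$1" -name '*.php' | sort | while read -r f; do
    grep -q 'mail[[:space:]]*(' "$f" || continue
    if grep -E 'mail[[:space:]]*\(.*\$_(POST|GET|REQUEST)' "$f" >/dev/null \
      || grep -E '\$_(POST|GET|REQUEST)\[.(to|cc|bcc|headers|recipient).\]' "$f" >/dev/null; then
      echo "REVIEW $f"
    else
      echo "ok $f"
    fi
  done
}

audit_php_mail "$FIXTURE"
```

The fixed script shows the two checks that matter: the recipient is a constant in the code, and any visitor-supplied value that ends up in a header is rejected if it contains a carriage return or line feed, since that is what lets a spammer append Bcc: lines.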

Solution 3

You need to check your mail logs:

/var/log/exim_mainlog

There are many ways to identify if anyone is spamming. If your IP is blacklisted, most likely your server is sending a lot of spam. And if the mail queue is very large, likewise.

Anyway, here are points to check:

  • Check your mail queue, especially bounces to nobody and emails from nobody.
  • Make sure you have installed the "MailHeaders" extension for PHP, that mail for the
    nobody user is being redirected to some existing account, and that you actually check
    these bounces to identify the source of spam. This PHP extension will add the path to the
    file which generated that mail.
  • Make sure you have some limit on how many emails your users are allowed to send per hour.

These are some points which will periodically notify you if some script is sending too many emails.

If you are unsure about all this, then I can look and fix these things.
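As an added example (not part of this answer): a script that reads a saved `mailq` listing (Postfix/Sendmail layout) and pulls out the three things the bullets above say to check: total queue length, messages whose sender is the web server's nobody account, and bounces addressed back to nobody. The queue listing is constructed; on a real host run `mailq > /tmp/q.txt` and pass that file (Exim's `exim -bp` prints a different layout and would need its own parser). The function names and the alert threshold are this example's own.

```shell
# Added example, not code from the original answer. The queue listing is a
# constructed mailq sample; replace "$SAMPLE_QUEUE" with real mailq output.

SAMPLE_QUEUE=$(mktemp)
cat > "$SAMPLE_QUEUE" <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Mon Sep 17 10:01:02  nobody@host.example
                                          victim1@example.net

B2C3D4E5F6      1231 Mon Sep 17 10:01:03  nobody@host.example
                                          victim2@example.org

C3D4E5F6A7       812 Mon Sep 17 10:02:15  MAILER-DAEMON
(host mx.example.org[192.0.2.11] said: 550 no such user)
                                          nobody@host.example

D4E5F6A7B8       402 Mon Sep 17 10:05:00  root@host.example
                                          admin@example.com

-- 4 Kbytes in 4 Requests.
EOF

# A queue entry starts with the queue ID (optionally marked * for active or
# ! for held) and ends with the envelope sender; recipient lines are indented.
QID='^[0-9A-Za-z]+[*!]?[ ]'

# Total messages waiting.
queue_length() {
  grep -cE "$QID" "$1" || true
}

# Messages whose envelope sender is nobody@..., i.e. sent by a web script
# running as the unprivileged web-server user.
from_nobody() {
  awk -v qid="$QID" '$0 ~ qid && $NF ~ /^nobody@/ { n++ } END { print n+0 }' "$1"
}

# Bounces (sender MAILER-DAEMON) addressed back to nobody: each one is a
# failed send by a local script, and the bounce body shows what it sent.
bounces_to_nobody() {
  awk -v qid="$QID" '
    $0 ~ qid { sender = $NF; next }
    /^ / && sender == "MAILER-DAEMON" && $1 ~ /^nobody@/ { n++ }
    END { print n+0 }' "$1"
}

# "ALERT" when the queue is longer than this host should ever legitimately
# have; pick the threshold from your own normal traffic.
queue_alert() {
  if [ "$(queue_length "$1")" -gt "$2" ]; then echo ALERT; else echo ok; fi
}

echo "queued: $(queue_length "$SAMPLE_QUEUE")"
echo "from nobody: $(from_nobody "$SAMPLE_QUEUE")"
echo "bounces to nobody: $(bounces_to_nobody "$SAMPLE_QUEUE")"
echo "status: $(queue_alert "$SAMPLE_QUEUE" 2)"
```

Run from cron with a threshold that matches your normal volume and it gives the periodic notification the answer describes; the two "from nobody" entries in the sample are the ones to open first.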

Solution 4

I've used abuse.net in the past to check that my server is not an open relay.

Not used it for a while though, but gotta be worth a quick test if you're worried/unsure.

Solution 5

The best way is to monitor traffic generated by the machine. This may show if something suspicious is happening no matter what the source of the spam is (a badly configured mail server, a badly configured proxy or some malicious software). Especially take a look at outgoing connections to port 25. If you can see many more such connections than mails the machine is supposed to send, then the machine is probably being abused. On closer inspection you may also find many 'MX' queries (sent to find victims' name servers) or suspicious incoming connections (used to control a 'trojan horse' software).

The next step is to find the abused service and fix it.
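As an added example (not part of this answer): a script that counts the machine's outgoing SMTP connections from saved `ss -tn` output (`netstat -tn` prints the same columns), lists which remote mail servers they go to, and raises an alert when the count exceeds what the host legitimately needs. The connection table is constructed; on a live host run `ss -tn > /tmp/conns.txt` and pass that file, or watch the wire directly with `tcpdump -ni eth0 'tcp dst port 25'` (eth0 is an assumed interface name). The function names are this example's own.

```shell
# Added example, not code from the original answer. The connection table is
# a constructed "ss -tn" sample; replace "$SAMPLE_SS" with real output.

SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      203.0.113.5:43122    192.0.2.10:25
ESTAB     0      0      203.0.113.5:43123    192.0.2.11:25
SYN-SENT  0      1      203.0.113.5:43124    198.51.100.7:25
ESTAB     0      0      203.0.113.5:22       198.51.100.20:51234
ESTAB     0      0      203.0.113.5:43125    192.0.2.12:25
ESTAB     0      0      203.0.113.5:43126    192.0.2.10:25
EOF

# Connections (established or still being opened) whose peer port is 25.
# Only the local MTA should be making these; a web or proxy process opening
# them is spam being sent without the MTA, which the mail log never sees.
count_outbound_smtp() {
  awk 'NR > 1 && $5 ~ /:25$/ { n++ } END { print n+0 }' "$1"
}

# Distinct remote mail servers being talked to, most connections first,
# as "<count> <peer>". Dozens of different MX hosts at once is a spam run.
smtp_peers() {
  awk 'NR > 1 && $5 ~ /:25$/ { sub(/:25$/, "", $5); print $5 }' "$1" \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "ALERT" when outbound SMTP connections exceed what this host needs; for a
# web server that only sends notifications, one or two is a sane threshold.
smtp_alert() {
  if [ "$(count_outbound_smtp "$1")" -gt "$2" ]; then echo ALERT; else echo ok; fi
}

echo "outbound smtp: $(count_outbound_smtp "$SAMPLE_SS")"
smtp_peers "$SAMPLE_SS"
echo "status: $(smtp_alert "$SAMPLE_SS" 2)"
```

The half-open SYN-SENT entry is counted on purpose: a spam run opens connections faster than remote servers answer, so a pile of SYN-SENT rows to port 25 is itself a tell even before anything is established.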


Author: aidan

Updated on September 17, 2022

Comments

  • aidan almost 2 years

    I'm worried about dodgy PHP scripts or other malicious software on my Linux server sending out spam. Or maybe I left an open relay.

    What are the ways to check I'm not sending any spam out?

  • aidan over 14 years
    That's exactly what I'm looking for, thanks! (Strangely, that file doesn't exist on my server though.)
  • user3601602 over 14 years
    Well, depending on your setup it might be elsewhere (try a search); else, could it be that you haven't sent any mail yet?
  • aidan over 14 years
    Might be mail.log in Ubuntu. Looks clear.
  • aidan over 14 years
    That's a useful link to have. Using it now. Thanks.
  • user3601602 over 14 years
    Looking at help.ubuntu.com/8.04/serverguide/C/postfix.html it does seem that the default mail location is /var/log/mail.log. Might be worth writing a test PHP mail script (or I have one if you want) to check it's logging to this location.
  • Jacek Konieczny over 14 years
    The MTA (mail transfer agent) installed on the server may not be used at all, and the spam may still be sent from the machine by other means: e.g. a misconfigured proxy server or malicious software running on the machine and sending the emails directly (not using the local MTA).
  • aidan over 14 years
    Sounds good. What's a good way of monitoring the traffic on port 25? Wireshark? (I've only got a CLI, no GUI.)
  • Jacek Konieczny over 14 years
    Anything will do. Wireshark (it has a simple text interface too), tcpdump (you can write a dump file and then open it somewhere else with the Wireshark GUI), iptraf (will show what is going on 'on the wire' in quite a visual form, still text console).
  • womble almost 8 years
    Gratuitous use of cat is gratuitous.