How to find out what program is sending emails


Solution 1

What you're asking how to do:
dpkg -S /path/to/mail

/path/to/mail/ can be found using which mail, provided that mail is in your path.

Minor Note:
Mail can also be sent out using sendmail instead of mail.

What you should do:
Look at your mail log, likely /var/log/maillog or /var/log/mail.log; the daemon name should be there.

Solution 2

This question is similar to How to find which script on my server is sending spam emails?, but since it doesn't allow answers anymore (marked as a duplicate), I am answering it here to provide some insights.

Short answer:

Change the file /etc/php.ini or /etc/php5/apache/php.ini by adding these two lines:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

Restart your php5 or php5-fpm service and your nginx/apache service, then check the /var/log/phpmail.log file to see which scripts triggered the error, and remove them!

Long Answer:

Here is the very specific scope (my solution doesn't solve other scenarios):

I am running Ubuntu on a VPS and had nginx, php5-fpm, and WordPress installed, and it got hacked; I am pretty sure it was WP that got hacked and spam code was injected.

I tried the following actions to fix it, such as using a Linux malware detector; resetting all database connection credentials; and simply browsing the files by eye to remove malicious code.

Some actions I took are:

  • reset all database passwords
  • log in to wp-admin, remove unintended admin users
  • install Wordfence for defense

For source code:

  • you can diff the official WordPress code against yours and see what has changed
  • weird folders in the WP root directory
  • some files ending with *.suspected
  • weird file names like 1346.php, etc.
  • grep for eval in all your files to see anything malicious
  • check any php files that have obfuscated code

After I did those, I also removed the execute permission from all files except directories: chmod -x+X -R * or refer here: remove execute permissions from files without touching folders

However, I still saw many errors in my /var/log/mail.err and /var/log/syslog, because I didn't configure sendmail or postfix (you can stop such services to expose the spam error):

postfix/sendmail[2422]: fatal: open /etc/postfix/main.cf: No such file or directory

However, I still didn't know where the spamming scripts were... stuck here...

After searching for several hours, I found the solution mentioned in the short answer above: configure your mail settings in php.ini and expose the location of the scripts.

After removing those scripts, I found no more spam errors, and so far my server looks clean.

Although, as many suggested, you are supposed to take such a server offline and do a reimage or reset to a previous state, etc.

Reference links:

How do I deal with a compromised server?

https://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/
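A small parser for the /var/log/phpmail.log that the php.ini settings in Solution 2 produce, added here as an example (it is not part of the answer): it ranks the scripts that called mail() by call count and distinct recipients, and flags callers living under data directories such as wp-content/uploads. The log layout is the "[date] mail() on [script:line]: To: ... -- Headers: ..." form PHP writes; the paths, addresses and the list of suspicious directories are constructed assumptions for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/phpmail.log, laid out the way PHP's mail.log records
# each mail() call; the paths and addresses are invented for this example.
# The last line is unrelated noise that the parser must skip.
SAMPLE_LOG = """\
[18-Sep-2022 10:01:02 UTC] mail() on [/var/www/wp/wp-includes/pluggable.php:426]: To: admin@example.com -- Headers: From: WordPress <wp@example.com>
[18-Sep-2022 10:01:05 UTC] mail() on [/var/www/wp/wp-content/uploads/1346.php:12]: To: victim1@example.net -- Headers: From: promo@example.com
[18-Sep-2022 10:01:05 UTC] mail() on [/var/www/wp/wp-content/uploads/1346.php:12]: To: victim2@example.net, victim3@example.net -- Headers: From: promo@example.com
[18-Sep-2022 10:01:06 UTC] mail() on [/var/www/wp/wp-content/uploads/1346.php:12]: To: victim1@example.net -- Headers: From: promo@example.com
[18-Sep-2022 10:02:00 UTC] PHP Warning:  mail(): Could not execute mail delivery program
"""

LINE_RE = re.compile(
    r"mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)

def parse_phpmail_log(text):
    """Yield (script, line, recipients, headers) for every mail() call in the log."""
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:  # lines that are not mail() records are ignored
            rcpts = [a for a in re.split(r"[,\s]+", m.group("to")) if a]
            yield m.group("script"), int(m.group("line")), rcpts, m.group("headers")

def summarize(text):
    """Rank scripts by number of mail() calls; also count distinct recipients per script."""
    calls, recipients = Counter(), defaultdict(set)
    for script, _line, rcpts, _headers in parse_phpmail_log(text):
        calls[script] += 1
        recipients[script].update(rcpts)
    return [(script, n, len(recipients[script])) for script, n in calls.most_common()]

# Assumption for this example: these directories hold uploads or cache data and should
# never contain PHP that sends mail, so a sender there deserves a look (cf. "1346.php").
SUSPICIOUS_DIRS = ("/wp-content/uploads/", "/wp-content/cache/", "/tmp/")

def suspicious_senders(text):
    """Scripts that call mail() from a directory where executable PHP is not expected."""
    return sorted({s for s, _l, _r, _h in parse_phpmail_log(text)
                   if any(d in s for d in SUSPICIOUS_DIRS)})

if __name__ == "__main__":
    for script, calls, distinct in summarize(SAMPLE_LOG):
        print(f"{calls:5d} calls {distinct:4d} recipients  {script}")
    print("suspicious:", suspicious_senders(SAMPLE_LOG))
```

Point it at the real log by reading the file into `summarize()` instead of `SAMPLE_LOG`; the X-PHP-Originating-Script header that mail.add_x_header adds gives the same script name inside each queued message.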

Solution 3

strace will expose the behaviour of your code - whether it is executing a program or making a TCP connection to a mailserver.

Author: Sinan, Web Developer

Updated on September 18, 2022

Comments

  • Sinan (almost 2 years ago)

    I have a Linux (Debian) box which is running fine. However, I have a problem: I need to find out what program is sending emails when I use the "mail" command. Or, for that matter, when a PHP script is sending emails with the mail() function, I need to know what program is sending those emails.

    How can I find out?

    PS: To be clear, I'd like to know what program is invoked when I (or a program) use the "mail" command.

    There are 2-3 MTAs installed on my server but I can't find out which one is responsible for sending mail.

  • Sinan (over 11 years ago)
    which mail gives me /usr/bin/mail, and when I do dpkg -S /usr/bin/mail it says not found. However, /var/log/mail.log shows the daemon as postfix, so I am assuming postfix is responsible for sending out emails.