
Issue Spam sent from webmail

SalvadorS

Regular Pleskian
Hello,

First of all thank you for reading this topic.

I have a spammer on one of our servers, sending spam from webmail. So I can find this in mail.info from the info on Spamhaus (Spamhaus doesn't show me the full headers yet...)

Oct 11 08:12:37 xxx postfix/smtpd[11109]: connect from localhost[127.0.0.1]

Oct 11 08:12:37 xxx postfix/smtpd[11109]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <info@traxxus.ch>: Relay access denied; from=<info@kontakt-ch.net> to=<info@traxxus.ch> proto=ESMTP helo=<kontakt-ch.net>

Oct 11 08:12:37 xxx postfix/smtpd[11109]: disconnect from localhost[127.0.0.1]

How can I know which email account the spammer is using?

Thank you
 
It seems the spammer sends a few spam emails and then disappears, so that method is not good for me at this time. Thank you very much for the reply.
 
Hi SalvadorS,

If you can't eliminate the script, pls. consider switching off sendmail usage on your server until you are able to eliminate the script on your server.

Second, pls. post your corresponding Postfix configuration, so that people willing to help you have the chance to investigate possible misconfigurations together with you.
 
Hi!

Thanks again for replying.

I am not sure if there is a script or a spammer sending mail from webmail. I checked all the POSTs in the domains' logs against the hour of the spam mails and there aren't any POSTs in the access_log of the domains on the server. But I also don't see in the logs which email account logged in at that time to send spam. Also, mail is limited on the server, so the spammer sends a few mails.

Spamhaus doesn't send me full headers, so I am lost...
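
The mail.info lines quoted in the first post can be reduced to per-sender time windows, which are then compared against webmail login and access logs. The following Python is an added example, not code from any poster or from Plesk or Postfix; the function names and the sample log (constructed in the format of the quoted lines) are assumptions.

```python
import re

# Constructed sample in the format of the mail.info lines quoted in the thread.
SAMPLE = """\
Oct 11 08:12:37 xxx postfix/smtpd[11109]: connect from localhost[127.0.0.1]
Oct 11 08:12:37 xxx postfix/smtpd[11109]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <a@example.org>: Relay access denied; from=<info@example.net> to=<a@example.org> proto=ESMTP helo=<example.net>
Oct 11 08:12:37 xxx postfix/smtpd[11109]: disconnect from localhost[127.0.0.1]
Oct 11 08:12:41 xxx postfix/smtpd[11109]: connect from localhost[127.0.0.1]
Oct 11 08:12:41 xxx postfix/smtpd[11109]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <b@example.org>: Relay access denied; from=<info@example.net> to=<b@example.org> proto=ESMTP helo=<example.net>
Oct 11 08:12:42 xxx postfix/smtpd[11109]: disconnect from localhost[127.0.0.1]
Oct 11 08:13:05 xxx postfix/smtpd[11120]: connect from unknown[203.0.113.7]
Oct 11 08:13:05 xxx postfix/smtpd[11120]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <c@example.org>: Relay access denied; from=<x@example.com> to=<c@example.org> proto=ESMTP helo=<example.com>
Oct 11 08:13:05 xxx postfix/smtpd[11120]: disconnect from unknown[203.0.113.7]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"^(connect|disconnect) from \S+?\[([^\]]+)\]")
REJECT = re.compile(r"^NOQUEUE: reject: RCPT from .*?from=<([^>]*)> to=<([^>]*)>.*?helo=<([^>]*)>")
LOOPBACK = {"127.0.0.1", "::1"}

def local_sessions(log_text):
    """One record per smtpd session opened from loopback (smtpd PIDs are reused)."""
    open_by_pid, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        c, r = CLIENT.match(msg), REJECT.match(msg)
        if c and c.group(1) == "connect":
            if pid in open_by_pid:  # previous session never logged a disconnect
                done.append(open_by_pid.pop(pid))
            if c.group(2) in LOOPBACK:
                open_by_pid[pid] = {"pid": pid, "start": ts, "end": None, "rejects": []}
        elif c and c.group(1) == "disconnect" and pid in open_by_pid:
            done.append({**open_by_pid.pop(pid), "end": ts})
        elif r and pid in open_by_pid:
            sender, rcpt, helo = r.groups()
            open_by_pid[pid]["rejects"].append({"time": ts, "from": sender, "to": rcpt, "helo": helo})
    return done + list(open_by_pid.values())  # keep sessions with no disconnect line

def by_sender(sessions):
    """Per envelope sender: attempt count and first/last time, for matching webmail logs."""
    out = {}
    for r in (r for s in sessions for r in s["rejects"]):
        e = out.setdefault(r["from"], {"count": 0, "first": r["time"], "last": None})
        e["count"] += 1
        e["last"] = r["time"]
    return out
```

Because the client is 127.0.0.1, the `from=` address is only what the submitting software claimed; the first/last timestamps are the part to match against webmail session records.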
 