I know this is an age-old question but I've not found a satisfactory answer on how to identify a spamming script on postfix.
I know I have to look at the mail logs for postfix, get the message ID and examine the header content, which I've done. I don't seem to see the "X-PHP-Originating-Script" line to locate the exact script. Instead I have the line X-mailer: Mailer v1.0. Is there any other way I can locate a script that's sending out emails from my local machine?
Below is the message ID
*** MESSAGE CONTENTS deferred/1/17A30ED943C ***
Received: from somedomain.com (localhost [127.0.0.1])
by mymail-server.com (Postfix) with ESMTP id 17A30ED943C
for <[email protected]>; Mon, 18 Jul 2016 12:45:54 +0300 (EAT)
Date: Mon, 18 Jul 2016 09:45:54 +0000 (UTC)
From: jms <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
Subject: FW: Hi nolaspud
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_3510964_1152532126.1468835154806"
X-mailer: Mailer v1.0
It would be faster to enable the X-PHP-Originating-Script header by allowing it in the php.ini file with the option
mail.add_x_header = On
Then just check new email in mailq.
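To show what the enabled header buys you, here is an added shell example (not code from the answer above) that pulls X-PHP-Originating-Script out of a message and, with --queue, walks the live Postfix queue using postqueue -p and postcat -q. The sample message, the script name mailer.php, the uid 33 and the log path /var/log/php-mail.log are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original answer): trace a queued message back to the
# PHP script that sent it, using the header PHP adds when php.ini contains
#     mail.add_x_header = On
# The header looks like "X-PHP-Originating-Script: 33:mailer.php", i.e. "uid:script",
# so it names both the script and the account it ran as. Setting
#     mail.log = /var/log/php-mail.log
# in php.ini as well records the full path and line number of every mail() call.
# postqueue/postcat are Postfix tools; the sample message below is constructed.

# Print "uid:script" from the first X-PHP-Originating-Script header of the message
# on stdin. Header names are case-insensitive, and the header block ends at the
# first blank line, so a look-alike line in the body is ignored.
extract_php_origin() {
    awk 'NF == 0 { exit }
         tolower($1) == "x-php-originating-script:" { print $2; exit }'
}

# Split the "uid:script" value into its parts.
origin_uid()    { printf '%s\n' "${1%%:*}"; }
origin_script() { printf '%s\n' "${1#*:}"; }

# Map a uid to a login name via the passwd database; fall back to the uid itself
# (for example when the account has already been deleted).
uid_to_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-$1}"
}

# Walk the live Postfix queue: one line "queue-id  uid:script  user" per message
# that carries the header. Queue IDs are the first column of `postqueue -p` (the
# same output as mailq), with a trailing "*" (active) or "!" (on hold) stripped.
scan_queue() {
    postqueue -p | awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ { sub(/[*!]$/, "", $1); print $1 }' |
    while read -r qid; do
        origin=$(postcat -q "$qid" | extract_php_origin)
        [ -n "$origin" ] || continue
        printf '%s\t%s\t%s\n' "$qid" "$origin" "$(uid_to_name "$(origin_uid "$origin")")"
    done
}

# Constructed sample message: a PHP-sent mail whose body carries a decoy copy of
# the header, which must not be picked up.
SAMPLE_MSG='Received: from somedomain.com (localhost [127.0.0.1])
    by mymail-server.com (Postfix) with ESMTP id 17A30ED943C
Subject: FW: Hi
X-PHP-Originating-Script: 33:mailer.php
X-mailer: Mailer v1.0

body text
X-PHP-Originating-Script: 0:decoy.php'

demo() { printf '%s\n' "$SAMPLE_MSG" | extract_php_origin; }

if [ "${1:-}" = "--queue" ]; then scan_queue; else demo; fi
```

Run it without arguments to see the parser pick "33:mailer.php" out of the sample and ignore the decoy in the body; run it as root with --queue on the mail server to list every queued message that PHP's mail() produced, together with the account that ran the script.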
If you have a machine that is compromised, the first step is to disconnect it from the network. Then you can replace it with a new, secured one.
I know this is not the answer you expect, but it can be very complicated to clean up a compromised machine. The way you ask this question shows your lack of experience in dealing with security issues, and the best answer is to replace the machine with a clean and secure one.
If you want to see which process was sending the email, check the running processes, and check crontab and at. Check loaded modules, and check whether the machine has its network cards in promiscuous mode. Use netstat -anp | grep :25 to see which processes are connecting to SMTP. You can use Rootkit Hunter to search for attack traces.
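The netstat check above matches both ends of every SMTP connection, including Postfix's own listener and smtpd processes, so here is an added shell example (not code from the answer) that keeps only the sockets whose foreign end is port 25, i.e. the clients, and then describes each owning process from /proc and lists the schedulers the answer mentions. It assumes Linux with net-tools netstat; the netstat output, PIDs and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example (not part of the original answer): narrow `netstat -anp | grep :25`
# down to the processes that are *clients* of SMTP, then look them up in /proc.
# `grep :25` also matches the Postfix listener and the server side of every accepted
# connection; what identifies a sending script is a socket whose foreign end is :25.
# Assumes Linux (netstat from net-tools, /proc); the sample netstat output is constructed.

# Read `netstat -anp` output on stdin; print "pid<TAB>program<TAB>peer" for each TCP
# socket connected (or connecting) to a remote port 25. Sockets whose owner netstat
# cannot see show "-" and are skipped; run as root to see every process.
smtp_clients() {
    awk '$1 ~ /^tcp/ && $5 ~ /:25$/ && $7 != "-" {
        rest  = substr($0, index($0, $7))   # "PID/Program name"; the name may contain spaces
        slash = index(rest, "/")
        printf "%s\t%s\t%s\n", substr(rest, 1, slash - 1), substr(rest, slash + 1), $5
    }'
}

# Describe a live process from /proc: binary, working directory, full command line
# and real uid. A web-shell mailer usually shows up as php/php-fpm with a cwd inside
# a web root, or as a perl/python interpreter started from /tmp or /dev/shm.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { printf 'pid %s: already exited\n' "$pid"; return 1; }
    printf 'pid %s\n  exe: %s\n  cwd: %s\n' "$pid" \
        "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
    printf '  cmd: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    awk '/^Uid:/ { print "  uid: " $2 }' "/proc/$pid/status"
}

# Scheduled senders: every user's crontab plus pending at jobs.
list_schedulers() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done
    atq 2>/dev/null
}

# Run against the live system (needs root to see other users' PIDs).
live() {
    netstat -anp 2>/dev/null | smtp_clients |
    while IFS="$(printf '\t')" read -r pid prog peer; do
        printf '%s -> %s\n' "$prog" "$peer"
        inspect_pid "$pid"
    done
    list_schedulers
}

# Constructed sample: the listener, Postfix's side of a local delivery, a perl
# script talking to the local MTA, a php-fpm worker sending straight to a remote
# MX, an orphaned TIME_WAIT socket and an unrelated UDP socket.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/master
tcp        0      0 127.0.0.1:25            127.0.0.1:45678         ESTABLISHED 2345/smtpd
tcp        0      0 127.0.0.1:45678         127.0.0.1:25            ESTABLISHED 7890/perl
tcp        0      0 192.0.2.10:51234        198.51.100.5:25         SYN_SENT    4567/php-fpm: pool www
tcp        0      0 192.0.2.10:51100        198.51.100.7:25         TIME_WAIT   -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -'

demo() { printf '%s\n' "$SAMPLE_NETSTAT" | smtp_clients; }

if [ "${1:-}" = "--live" ]; then live; else demo; fi
```

Without arguments the script prints just the two client sockets from the sample (the perl process and the php-fpm worker), dropping the listener, the smtpd side and the ownerless TIME_WAIT entry; with --live it does the same against the real netstat output and follows each PID into /proc. On newer systems without net-tools, `ss -tnp 'dport = :25'` gives the same client list directly.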