It seems that my server is being used to send out spam mail. I first recognised this as an issue as the memory spiked and the mail.log file is absolutely huge! Looking at the logs there are a lot of errors / email addresses that I don’t recognise. For now I have disabled Postfix and the memory use has dropped considerably (the majority of sites on my server use SMTP mail anyway) but how would I go about debugging this? Would I be able to find the cause?
Ubuntu 16.04.3 x64 - happy with terminal commands
There are two common causes:
Open Relay
Open relay just means that anyone can use your email server to send out emails and pass them along. Obviously this is very bad for spam. A simple way to disable it is to set up Postfix to only accept sending email from localhost, which is explained here:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-16-04#step-2-—-configuring-postfix
Bad Security
The second biggest cause is that you have a webform somewhere that sends out emails and that it wasn’t properly secured or the code itself has a few security issues, in which case people can abuse that web form to send out emails. That takes a bit more work to troubleshoot, but if you check your webserver logs you can see if there are a large number of requests to a contact form that exceed what your expected normal usage is.
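The webserver-log check the answer describes, as an added example that is not part of the original answer: it counts POST requests to a contact-form path in an Apache/nginx combined-format access log per client IP and per hour, and flags clients whose count exceeds a threshold. The path /contact.php, the threshold, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot contact-form abuse in a combined-format access log.
# The path /contact.php, the threshold and the sample lines are assumptions.

# Constructed sample access-log lines (Apache/nginx "combined" format).
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:10:15:40 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:16:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
)

# In combined format: $1 = client IP, $4 = "[dd/Mon/yyyy:HH:MM:SS",
# $6 = "\"POST" (method with leading quote), $7 = request path.

# Print "count ip" for every client that POSTed to path $2 in log $1,
# highest count first.
contact_form_posters() {
    awk -v p="$2" '$6 == "\"POST" && $7 == p { print $1 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print "count dd/Mon/yyyy:HH" so bursts stand out against normal hourly volume.
posts_per_hour() {
    awk -v p="$2" '$6 == "\"POST" && $7 == p { print substr($4, 2, 14) }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the client IPs with more than $3 POSTs to path $2 in log $1.
flag_burst_clients() {
    contact_form_posters "$1" "$2" | awk -v t="$3" '$1 > t { print $2 }'
}

# Stand-alone demo: write the sample to a temp file and run the three views.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$demo_log"
echo "POSTs to /contact.php per client:"; contact_form_posters "$demo_log" /contact.php
echo "POSTs to /contact.php per hour:";   posts_per_hour "$demo_log" /contact.php
echo "clients over 3 POSTs:";             flag_burst_clients "$demo_log" /contact.php 3
rm -f "$demo_log"
```

Run it against the real log with e.g. `contact_form_posters /var/log/nginx/access.log /contact.php`. The path match is exact, so a form submitted with a query string needs the path compared with a prefix match instead; a single script-like User-Agent hitting the form several times a second, as in the sample, is the usual signature of an abused form.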
Heya,
You can start by examining the Postfix logs to identify the source of the spam:
sudo tail -f /var/log/mail.log
Look for patterns such as specific scripts, users, or IP addresses that are sending a high volume of emails.
You can use tools like maldet, rkhunter or chkrootkit to scan for malware. All tools will return a list of potentially compromised files which you can check and then remove if necessary.
Also to prevent unauthorised use of Postfix, configure it to only allow sending emails from authenticated users and authorized IP addresses:
You can edit /etc/postfix/main.cf to enforce stricter access policies:
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unverified_sender
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
A good approach will be to set up monitoring to detect unusual server activity in real-time. Tools like fail2ban can help in blocking malicious IPs.
Hope that this helps!
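The log examination this answer starts with, as an added example that is not part of the original answer: it summarises a Postfix mail.log three ways so the injection path shows itself. The hostnames, queue IDs, addresses and IPs are constructed sample data; uid 33 is www-data on Ubuntu, so a pile of pickup entries with that uid points at a web application calling mail(), while a pile of smtpd connections from one IP points at relay abuse.

```shell
#!/bin/sh
# Added example: summarise a Postfix mail.log to find who is injecting mail.
#   queued_senders : envelope senders of messages the queue manager accepted
#   pickup_uids    : local UIDs handing mail to postfix/pickup (sendmail, PHP mail())
#   smtpd_clients  : remote clients that connected to smtpd
# All log lines below are constructed sample data.

SAMPLE_MAIL_LOG=$(cat <<'EOF'
Mar 10 10:01:02 web1 postfix/pickup[1112]: 4A2B3C4D5E: uid=33 from=<www-data>
Mar 10 10:01:02 web1 postfix/qmgr[1111]: 4A2B3C4D5E: from=<www-data@web1.example.com>, size=1420, nrcpt=1 (queue active)
Mar 10 10:01:03 web1 postfix/pickup[1112]: 5B3C4D5E6F: uid=33 from=<www-data>
Mar 10 10:01:03 web1 postfix/qmgr[1111]: 5B3C4D5E6F: from=<www-data@web1.example.com>, size=1388, nrcpt=1 (queue active)
Mar 10 10:01:04 web1 postfix/pickup[1112]: 6C4D5E6F70: uid=33 from=<www-data>
Mar 10 10:01:04 web1 postfix/qmgr[1111]: 6C4D5E6F70: from=<www-data@web1.example.com>, size=1402, nrcpt=1 (queue active)
Mar 10 10:02:10 web1 postfix/pickup[1112]: 7D5E6F7081: uid=1000 from=<alice>
Mar 10 10:02:10 web1 postfix/qmgr[1111]: 7D5E6F7081: from=<alice@web1.example.com>, size=980, nrcpt=1 (queue active)
Mar 10 10:03:00 web1 postfix/smtpd[1234]: connect from unknown[198.51.100.5]
Mar 10 10:03:01 web1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<bogus>
Mar 10 10:03:02 web1 postfix/smtpd[1234]: disconnect from unknown[198.51.100.5]
Mar 10 10:03:05 web1 postfix/smtpd[1235]: connect from unknown[198.51.100.5]
Mar 10 10:03:09 web1 postfix/smtpd[1236]: connect from mail.example.net[192.0.2.10]
EOF
)

# Shared tail: count identical values, highest first, printed as "count value".
count_sorted() { sort | uniq -c | sort -rn | awk '{ print $1, $2 }'; }

# "count sender" per envelope sender of messages accepted into the active queue.
queued_senders() {
    grep 'postfix/qmgr' "$1" | sed -n 's/.*: from=<\([^>]*\)>,.*/\1/p' | count_sorted
}

# "count uid" per local UID that submitted mail through postfix/pickup.
pickup_uids() {
    grep 'postfix/pickup' "$1" | sed -n 's/.*: uid=\([0-9]*\) .*/\1/p' | count_sorted
}

# "count ip" per remote client connecting to smtpd. The anchored ": connect from"
# keeps "disconnect from" lines from being counted a second time.
smtpd_clients() {
    grep 'postfix/smtpd\[[0-9]*\]: connect from' "$1" \
        | sed -n 's/.*: connect from [^[]*\[\([^]]*\)\].*/\1/p' | count_sorted
}

# Stand-alone demo on the sample data.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_MAIL_LOG" > "$demo_log"
echo "queued messages per envelope sender:"; queued_senders "$demo_log"
echo "pickup submissions per local uid:";    pickup_uids "$demo_log"
echo "smtpd connections per client IP:";     smtpd_clients "$demo_log"
rm -f "$demo_log"
```

On the real host run `pickup_uids /var/log/mail.log` first: if one web-server uid dominates, the spam is coming from a site on the box (matching the webserver log against the same minutes then narrows it to a script), whereas a long list of smtpd clients with "Relay access denied" rejections means outsiders are probing the server as a relay and the main.cf restrictions above are what keep them out.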