How to check whether my server turned into a spamming machine?

tobi85 asked:

I am suspecting something is sending a plenty of mails from my server without my knowledge. I’d like to check whether my machine turned into a spamming server. What is the easiest way to do this?

Related to this, I’d also like to check the CONTENTS of emails sent from my server. Is there such a log and can I turn it on? /var/log/mail.log does not return the content of the emails, and it looks like this:

Oct 23 21:03:26 Ubuntu-1204-precise-64-minimal sendmail[29973]: s9NJ31pS029973: to=root, delay=00:00:19, xdelay=00:00:07, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ37kn029974 Message accepted for delivery)
Oct 23 21:03:38 Ubuntu-1204-precise-64-minimal sm-mta[29977]: s9NJ37kn029974: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:19, xdelay=00:00:07, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
Oct 23 21:06:03 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: from=root, size=343, class=0, nrcpts=1, msgid=<201410231906.s9NJ61xZ030011@Ubuntu-1204-precise-64-minimal>, relay=root@localhost
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rW030014: ruleset=check_rcpt, arg1=<root@Ubuntu-1204-precise-64-minimal>, relay=localhost.localdomain [127.0.0.1], reject=553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender address root@Ubuntu-1204-precise-64-minimal does not exist
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: to=root, ctladdr=root (0/0), delay=00:00:04, xdelay=00:00:00, mailer=relay, pri=30343, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.8, stat=User unknown
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rW030014: from=<root@Ubuntu-1204-precise-64-minimal>, size=343, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:05 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xZ030011: s9NJ61xa030011: DSN: User unknown
Oct 23 21:06:12 Ubuntu-1204-precise-64-minimal sm-mta[30014]: s9NJ65rY030014: from=<>, size=2623, class=0, nrcpts=1, msgid=<201410231906.s9NJ61xa030011@Ubuntu-1204-precise-64-minimal>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Oct 23 21:06:13 Ubuntu-1204-precise-64-minimal sendmail[30011]: s9NJ61xa030011: to=root, delay=00:00:08, xdelay=00:00:02, mailer=relay, pri=31367, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s9NJ65rY030014 Message accepted for delivery)
Oct 23 21:06:17 Ubuntu-1204-precise-64-minimal sm-mta[30024]: s9NJ65rY030014: to=<root@Ubuntu-1204-precise-64-minimal>, delay=00:00:06, xdelay=00:00:01, mailer=local, pri=32861, dsn=2.0.0, stat=Sent
You have new mail in /var/mail/root

As you can see, some strange messages occur from time to time.

Edit: I got 200 000 unread emails. Here is the newest email I received:

Return-Path: <MAILER-DAEMON>
Received: from Ubuntu-1204-precise-64-minimal (localhost.localdomain [127.0.0.1]
)
        by fares (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s9NAp3iX021790
        for <root@Ubuntu-1204-precise-64-minimal>; Thu, 23 Oct 2014 12:51:03 +02
00
Received: from localhost (localhost)
        by Ubuntu-1204-precise-64-minimal (8.14.4/8.14.4/Submit) id s9NAp1Xu0217
89;
        Thu, 23 Oct 2014 12:51:03 +0200
Date: Thu, 23 Oct 2014 12:51:03 +0200
From: Mail Delivery Subsystem <MAILER-DAEMON@static.***.clients.***>
Message-Id: <201410231051.s9NAp1Xu021789@Ubuntu-1204-precise-64-minimal>
To: root@Ubuntu-1204-precise-64-minimal
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Status: O
X-UID: 210004

This is a MIME-encapsulated message

--s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal

The original message was received at Thu, 23 Oct 2014 12:51:01 +0200
from root@localhost

   ----- The following addresses had permanent fatal errors -----
root
    (reason: 553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender
 address root@Ubuntu-1204-precise-64-minimal does not exist)
    (expanded from: root)

   ----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 553 5.1.8 <root@Ubuntu-1204-precise-64-minimal>... Domain of sender address
root@Ubuntu-1204-precise-64-minimal does not exist
550 5.1.1 root... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

--s9NAp1Xu021789.1414061463/Ubuntu-1204-precise-64-minimal
Content-Type: message/delivery-status

My answer:


This is just local mail, probably from one of your running services or cron jobs. It’s addressed to root, but the mail server can’t figure out that it’s intended to be local mail, because the hostname Ubuntu-1204-precise-64-minimal can’t be resolved to an address.

To fix this, rename the host to a hostname which resolves to the server’s IP address, or add the IP address and hostname to /etc/hosts.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.