Last night my postfix mail server (Debian Squeeze with dovecot, roundcube, opendkim and spamassassin enabled) started sending out spam from a single domain of mine, like these:
$ cat mail.log | grep D6930B76EA9
Jul 31 23:50:09 myserver postfix/pickup[28675]: D6930B76EA9: uid=65534 from=<[email protected]>
Jul 31 23:50:09 myserver postfix/cleanup[27889]: D6930B76EA9: message-id=<[email protected]>
Jul 31 23:50:09 myserver postfix/qmgr[7018]: D6930B76EA9: from=<[email protected]>, size=957, nrcpt=1 (queue active)
Jul 31 23:50:09 myserver postfix/error[7819]: D6930B76EA9: to=<[email protected]>, relay=none, delay=0.03, delays=0.02/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[66.196.118.33] while sending RCPT TO)
The domain in question did not have any accounts enabled, only a catchall alias set through postfixadmin - most emails were sent from a specific address I use frequently, but some were also sent from bogus addresses. None of the other virtual domains handled by postfix were affected.
How can I find out what process was feeding postfix/sendmail, or get more info on where they originated? As far as I can tell php mail() wasn't used, and I've run several open relay tests. I did a little tinkering (removed winbind from the server and ipv6 addresses from main.cf) after the attack and it seems to have subsided, but I still have no idea how my server was suddenly sending out spam. Maybe I fixed it - maybe I didn't. Can anyone help me figure out how I was compromised? Anywhere else I should look?
I've run Linux Malware Detect on recently changed files but nothing found.
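The postfix/pickup line in the log above is the useful clue: pickup handles mail dropped into the maildrop queue by the local sendmail(1) command, not mail received over SMTP (that would be postfix/smtpd), and its uid= field records which Unix account ran sendmail; uid 65534 is "nobody" on Debian. The script below is an added example, not from the original post, that parses pickup lines from a constructed mail.log sample (placeholder addresses, since the real ones were redacted) and tallies local submissions per uid so that an unexpected account stands out and can be matched against the processes running under that uid.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the postfix/pickup entries in the question.
# Addresses and queue ids other than the first are placeholders.
SAMPLE_LOG = """\
Jul 31 23:50:09 myserver postfix/pickup[28675]: D6930B76EA9: uid=65534 from=<user@example.org>
Jul 31 23:50:09 myserver postfix/cleanup[27889]: D6930B76EA9: message-id=<x@example.org>
Jul 31 23:50:11 myserver postfix/pickup[28675]: A1B2C3D4E5F: uid=65534 from=<bogus@example.org>
Jul 31 23:51:02 myserver postfix/pickup[28675]: F00BA4F00BA: uid=1000 from=<me@example.org>
Jul 31 23:52:40 myserver postfix/pickup[28675]: 0123456789A: uid=65534 from=<other@example.org>
"""

# Matches the pickup log format: "<timestamp> <host> postfix/pickup[<pid>]: <qid>: uid=<n> from=<addr>"
PICKUP_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: '
    r'(?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>'
)

def parse_pickup(log_text):
    """Return one dict per postfix/pickup line, i.e. per local sendmail(1) submission."""
    rows = []
    for line in log_text.splitlines():
        m = PICKUP_RE.match(line)
        if m:
            rows.append({'ts': m['ts'], 'qid': m['qid'],
                         'uid': int(m['uid']), 'sender': m['sender']})
    return rows

def submissions_by_uid(rows):
    """Count local submissions per Unix uid; a web-server or 'nobody' uid stands out."""
    return Counter(r['uid'] for r in rows)

def senders_by_uid(rows):
    """Envelope senders used by each uid (bogus senders hint at a script, not a user)."""
    out = defaultdict(set)
    for r in rows:
        out[r['uid']].add(r['sender'])
    return dict(out)

def suspicious_uids(rows, allowed_uids):
    """Uids that submitted mail locally but are not on the operator's allow-list."""
    return sorted(uid for uid in submissions_by_uid(rows) if uid not in allowed_uids)

if __name__ == '__main__':
    rows = parse_pickup(SAMPLE_LOG)
    for uid, n in submissions_by_uid(rows).most_common():
        print(f'uid={uid}: {n} submissions, senders={sorted(senders_by_uid(rows)[uid])}')
    print('suspicious uids:', suspicious_uids(rows, allowed_uids={0, 1000}))
```

Run it against the real log with `parse_pickup(open('/var/log/mail.log').read())`; a uid that should never send mail is the one whose running processes (for example via `ps -u <uid>`) to look at next.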