Find the heaviest e-mail users of your Postfix MTA's deferred spool

This article shows how to determine which local users are responsible for the most messages sitting in your Postfix deferred queue. It is useful when investigating a compromised Linux mail server (assuming it runs the Postfix MTA) to narrow down which user account(s) have been compromised. Typically, the higher the number of outgoing messages attributed to a user, the more likely a contact form or other software component running under that account has been compromised. Treat this article as a tool rather than a foolproof way to diagnose Postfix email issues.

First, find which users are sending the most e-mails in the deferred queue on the Linux server.

Run these commands via SSH to get started:

cd /var/spool/postfix

vi findUsers.sh

Enter the code below into the file findUsers.sh. Change the paths in the file to those relevant to your Postfix installation.

#!/bin/bash
# Collect the sending UID of every message in the Postfix deferred queue.
# Adjust this path to match your installation (see "postconf queue_directory").
path="/var/spool/postfix/deferred"

# Start with an empty list so that re-running the script does not double count.
> suspects

# Postfix spreads the deferred queue over the hashed subdirectories 0-9 and A-F
# (the default hash_queue_depth of 1).
for i in {0..9} {A..F}
do
    for filepath in "$path/$i"/*
    do
        # An empty subdirectory leaves the glob unexpanded; skip it.
        [ -f "$filepath" ] || continue
        # Queue files are binary. Locally submitted mail carries a line of the form
        # "Received: by host (Postfix, from userid NNN)", so field 7 is "NNN)"
        # and the cut strips the closing parenthesis.
        strings "$filepath" | grep userid | awk '{print $7}' | cut -d")" -f1 >> suspects
    done
done

# Count how often each UID appears, heaviest sender first.
sort suspects | uniq -c | sort -nr > suspects-real
rm suspects

Make the file executable by running the following command:

chmod +x findUsers.sh

Lastly, execute the file:

./findUsers.sh

Viewing the suspects-real file then shows a list of users such as the following:

[root@server postfix]# cat suspects-real
     22 228757
     13 228975
      9 229920
      8 228820
      6 228426
      3 228452
      1 228388
      1 228102
      1 228023

The first column is the number of deferred messages attributed to the user/site and the second column is the UID of that user, which can be cross-referenced with /etc/passwd.
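As an added example (not part of the original article), the same idea as two shell functions: the first walks the deferred spool at any hash_queue_depth and counts each queue file once, so a message relayed through several local Postfix hops is not counted several times; the second performs the /etc/passwd cross-reference for you. It assumes the queue files carry the "Received: by host (Postfix, from userid NNN)" line the article's pipeline also relies on; the function names and the optional passwd-file argument are this example's own.

```shell
#!/bin/bash
# Added example, not the article's findUsers.sh. Assumes queue files contain
# "Received: by host (Postfix, from userid NNN)" lines.

# count_deferred_uids [SPOOL_DIR]
# Prints "count uid" lines, heaviest sender first. Each queue file contributes
# at most one UID (its first "from userid" line).
count_deferred_uids() {
    local spool="${1:-/var/spool/postfix/deferred}"
    # -a: queue files are binary; -m1: first match per file; -o: print the match only.
    find "$spool" -type f -exec grep -a -h -m1 -o 'from userid [0-9][0-9]*' {} + \
        | awk '{ print $3 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# resolve_uids [PASSWD_FILE]
# Reads "count uid" lines on stdin and appends the login name taken from the
# passwd file (default /etc/passwd), or "?" when the UID is not listed there.
resolve_uids() {
    local passwd="${1:-/etc/passwd}"
    awk 'NR == FNR { split($0, p, ":"); name[p[3]] = p[1]; next }
         { n = ($2 in name) ? name[$2] : "?"; print $1, $2, n }' "$passwd" -
}

# Typical use on a live server (reading the spool requires root):
#   count_deferred_uids | resolve_uids
```

Unlike the article's script, a queue file with several local Received lines is counted once, so the totals may be lower but correspond to distinct messages.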