Is your Postfix mail server suddenly sending masses of spam? This guide shows how to narrow down where the spam is coming from by inspecting the messages that are sitting in the mail queue.
To use the postcat command to find out who sent an email that is currently in the Postfix mail queue, follow these steps:
Identify the Mail in the Queue
First, you need to identify the specific mail in the queue. Run the postqueue -p command to list all emails in the Postfix queue. This command provides a list of queued mails along with their queue IDs.
The output will show several details per queued mail, including the queue ID, size, arrival time, sender, and recipients.
Use Postcat to View the Email
Once you have identified the queue ID of the email you're interested in, use postcat to view the details of that email. Replace <queue_id> with the actual queue ID of the email. A queue ID looks like "485413EA36" and is shown in the first column of the postqueue -p output from the first step.
postcat -q <queue_id>
The postcat command displays the contents of the specified mail file in a human-readable format.
Find the Sender Information
The output of the postcat command includes the full details of the email: the envelope records (including a "sender:" line with the envelope sender), followed by the message headers and body. Look for headers like "From:", which indicate the sender's email address, but keep in mind that the From header is set by the sending program and is easily forged, so compare it with the envelope sender. You may also find other relevant information, such as the time the email was sent, the subject, and the body of the email.
Email sent by websites
Identifying which website has sent an email using PHP's mail() function by analyzing the mail header can be challenging, especially if the email does not include explicit references to the sending website. However, there are a few headers and details that you can look for in the email to make an educated guess:
X-PHP-Originating-Script Header
PHP adds this header when mail.add_x_header is enabled in php.ini. It contains the user ID under which the script ran and the path of the PHP script that sent the email, so if it is present it points directly to the PHP file on the server that sent the email.
X-PHP-Originating-Script: 1001:sendmail.php
In this example, 1001 might be the user ID, and sendmail.php is the script.
Similar to "X-PHP-Originating-Script", this header can show the URL of the script that sent the email. It is more common in shared hosting environments.
Received Headers
The Received headers trace the path that the email took through different servers (SMTP relays). Sometimes the domain name or IP address of the website's server is listed here. Interpret Received headers with caution, however: the topmost ones were added by your own server and can be trusted, while the ones below came with the message and can be forged.
Return-Path or From Header
These headers usually contain the email address of the sender. If the email address is domain-specific, it can give you clues about the sending website.
Subject Line or Email Content
Sometimes, the subject line or the body of the email itself might contain references to the website.
Check the Web Server Logs
If you have access to the web server logs, you can look for entries that correspond to the time the email was sent. This might help you correlate the sending of the email with specific PHP script executions.
It's important to note that if the sender has taken steps to hide their identity or the origin of the script, it might be difficult or impossible to determine the exact source of the email.
If you want to see more detailed information, postcat has several options that can be useful. For example, the -h option shows only the header records, the -b option shows only the body of the message, and the -v option provides more verbose output.
postcat -v -q <queue_id>
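The steps above (list the queue, postcat each message, read the envelope sender, From and X-PHP-Originating-Script headers) become tedious when the queue holds thousands of spam messages. The following shell helper, an added example and not part of the original guide, reads the output of postcat -q for one or more queue IDs on stdin and summarises per message which script and sender produced it; the embedded postcat output and all addresses, user IDs and script names in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original guide. summarize reads the output
# of "postcat -q ID ..." on stdin and prints one line per queued message:
# queue ID|envelope sender|From: header|X-PHP-Originating-Script header.
# Only the header section is parsed, so a forged "From:" in the body is ignored.
summarize() {
    awk '
        function emit() { if (id != "") printf "%s|%s|%s|%s\n", id, env, from, script }
        /^\*\*\* ENVELOPE RECORDS / { emit(); id = $4; sub(/.*\//, "", id)
                                      env = from = script = ""; inhdr = 0; next }
        /^\*\*\* MESSAGE CONTENTS /  { inhdr = 1; next }
        inhdr && /^$/                { inhdr = 0; next }
        /^sender: /                  { sub(/^sender: /, ""); env = $0; next }
        inhdr && /^From: /           { sub(/^From: /, ""); from = $0; next }
        inhdr && /^X-PHP-Originating-Script: / { sub(/^[^:]*: /, ""); script = $0 }
        END { emit() }
    '
}

# Count queued messages per originating script, most frequent first.
top_scripts() {
    summarize | awk -F'|' '$4 != "" { n[$4]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample in the layout postcat -q produces; every value is invented.
SAMPLE='*** ENVELOPE RECORDS deferred/4/485413EA36 ***
sender: www-data@example.invalid
*** MESSAGE CONTENTS deferred/4/485413EA36 ***
Received: by mail.example.invalid (Postfix, from userid 33)
To: victim@example.invalid
X-PHP-Originating-Script: 1001:sendmail.php
From: promo@example.invalid
Subject: Special offer

From: nobody@example.invalid (forged line inside the body, must be ignored)
*** MESSAGE FILE END deferred/4/485413EA36 ***
*** ENVELOPE RECORDS deferred/5/5A1B2C3D4E ***
sender: www-data@example.invalid
*** MESSAGE CONTENTS deferred/5/5A1B2C3D4E ***
X-PHP-Originating-Script: 1001:sendmail.php
From: promo@example.invalid

Another body.
*** MESSAGE FILE END deferred/5/5A1B2C3D4E ***'

printf '%s\n' "$SAMPLE" | summarize
printf '%s\n' "$SAMPLE" | top_scripts
# Live use: postcat -q $(postqueue -p | awk '/^[0-9A-Za-z]+[*!]?[[:space:]]/ { sub(/[*!]$/, "", $1); print $1 }') | top_scripts
```

The envelope sender is usually the local account the PHP script ran under (www-data, or the customer account on shared hosting), which by itself already narrows the search to one user or site.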
Remember, accessing and reading emails from the mail queue should be done in compliance with privacy policies and regulations applicable in your environment. The postcat command is a powerful tool for administrators to manage and troubleshoot the mail system, but it should be used responsibly.
To delete messages selectively from the mail queue, take a look here: https://www.faqforge.com/linux/server/manage-the-postfix-mail-queue-with-postsuper-postqueue-und-mailq/