How to track down spam mails?

Postfix sends spam mail, and i cannot track down, where they come from. There was an infected CMS installation, which i repaired; the infection came with an existing Joomla a client brought from another hoster; so i fixed that, but i keep getting abuse mails, mainly from

So , how can i track down, who sends this emails?

My postfix config:

non-default parameters alias_maps hash:/etc/aliases append_dot_mydomain no biff no broken_sasl_auth_clients yes default_destination_concurrency_limit 5 default_destination_recipient_limit 5 home_mailbox Maildir/ mailbox_command /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME mailbox_size_limit 0 mynetworks [::ffff:]/104 [::1]/128 readme_directory no recipient_delimiter + smtp_tls_session_cache_database btree:${data_directory}/smtp_scache smtpd_banner $myhostname ESMTP $mail_name (Ubuntu) smtpd_client_restrictions permit_mynetworks permit_inet_interfaces reject_unknown_reverse_client_hostname smtpd_recipient_limit 5 smtpd_recipient_restrictions permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_sasl_auth_enable yes smtpd_sasl_authenticated_header yes smtpd_sender_restrictions hash:/etc/postfix/access smtpd_tls_cert_file /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_session_cache_database btree:${data_directory}/smtpd_scache smtpd_use_tls yes virtual_alias_maps hash:/etc/postfix/virtual

parameters defined as per defaults alias_database hash:/etc/aliases config_directory /etc/postfix inet_interfaces all mydestination $myhostname, localhost.$mydomain, localhost smtpd_sasl_security_options noanonymous



Your system doesn’t appear to be an open relay.

Chances are that if remote systems are seeing spam originating from your server, that it’s either from a compromised web app, or an email user’s password was compromised.

Have you received any information about the spam emails that people received, including any headers?

Also, what output do you receive if you run this command:

mailq | tail -1

You can also look in /var/log/maillog to see what mail is getting processed through your server and where its from.

Also check in your stats folders of where your server app was compromised. You might still have some shells on your server. Check to see if your mail queue is backed up with a few thousand emails also.