Look at the logs around the time the mails in the postfix queue are dated; you should see the login and the attempted send. Without that information no one, including yourself, can help or fix the issue.
But believe me, the emails left the server even if I suspended the box; otherwise why would the VPS provider send me an email that I have an anomaly with my server and that it will suspend port 25 for one day? By this I mean that the spammer has access to send emails even if the account shown in the photo is suspended.
The logs will tell you how the mail is sent and who by; then you can take action to fix the problem. Just saying the mail left the server won’t help … the who and how will help a great amount.
There is no guarantee that these emails are even going through postfix.
lsof -nPi tcp:25
Hmmm… After looking I’m not 100% sure this will show the destination port, which is what we need.
True, so it’s then looking at the auth log to see if this shows a login at the time in question on any service, for example ssh.
Mail rate limits don’t address the root problem. If someone is sending mail from the server, the server is compromised in some way, and that needs to be addressed.
It could be a compromised web app, a compromised user, or one of your users is a spammer, and they should be killed (I mean the account, not the actual user, though I think spammers should go to jail).
I was awarded some kind of points, maybe fictitious, on the cPanel forum decades ago because my sig was “kill more spammers”.
This might be useful. It uses the destination port and that’s what we are looking for. Not what is coming in on port 25 but what is going out:
watch -n .1 ss -te 'dport == :25'
The -n .1 is the time basis on which watch renews. You can lengthen this time to try and get more stable output.
Is there a solution to limit the traffic for each email, for example giving 100 MB of data for each email, or something to specify the quota for each email?
Why not fix the problem rather than mask it? If someone has got into your server you won’t fix it without taking positive steps … what software are your web sites running?
100MB is a friggin huge email. Spam Assassin defaults to not checking incoming messages of 512K because spammers work on numbers of emails, not size. Get lots out as quick as they can before they are discovered. You can set limits but that in no way helps here.
Again, run this command from a terminal window. If you have spams going out, you should see them:
I don’t understand why you keep repeating the wrong question instead of trying to learn how to identify and correct the problem.
If your server is sending spam, it will get blocked whether it is thousands or just dozens. There is no rate limit you can put on spam to make it acceptable.
And, even if there were, most of the ways people spam from a system do not go through the mail server. If you configure rate limits in Postfix, you probably won’t actually slow the spam.
SpamAssassin does not scan any outgoing mail, so size is irrelevant to that question. There is no spam scanning happening for outgoing mail in any circumstance in a Virtualmin system, by default.
Thank you Mr Joe, you are always there to really help me. I appreciate your effort. I am completely convinced of your analysis, but the question is what I must do exactly, or what I must protect exactly. Thank you for briefing me.
You have a user or web application that is compromised. Or you have a customer that is a spammer.
You need to figure out which.
From the queue, looks like azzedine.moufaddal@atlanticfoods.ma
, though it’s very hard for me to read screenshots; I’d much prefer you post the actual text, wrapped in triple backticks (```).
I assume that’s a legitimate user on your system (one you created for a human to use).
You say you disabled the user but it continued to send mail… but the postfix log you show doesn’t show any mail being sent by that user. The queue holds mail until it gets a permanent failure trying to deliver it. So, it’s possible (but not at all guaranteed) that disabling the user has stopped the problem and you just need to delete the queued spam so it stops trying to send them.
If that user has a web app on the system, they may have other ways to send spam, though.
I do see another user in that domain successfully logging in, though. So, if it’s a company that sends spam, I guess other users in the domain could be sending spam. You’d need to look through the logs (not just a few lines, and don’t ask us to read the whole log… you can search logs for usernames and domain names, etc., you have lots of information about the situation we don’t have, and don’t want to have).
And, if it’s a company that sends spam, you need to send them packing. You can’t host spammers. You’ll lose the ability to send any mail rather quickly, because hosts known for tolerating spam get blocked by everybody eventually.
Well understood Mr Joe, your hypothesis is logical, but what I confirm to you is that I have an idea of the company’s work and most of its staff; I have access to their PCs except the commercial ones, and this is the case for the man that you saw clearly on the capture, because the commercial people rarely come to the office and most of the time they use their smartphones.
What I propose: is there a way by which I can know exactly which email consumed all the traffic? Something that I just remembered is that I entered postfix once I saw the mail displayed on the capture in the waiting list with a bunch of emails; of course I went directly to modify the password and I still saw it on the waiting list, and after I suspended the email there were still emails on the waiting list.
Well, there is pflogsumm.
Read this, it will help you use pflogsumm and also query logs to identify users who send a large volume of messages:
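The two things the thread keeps asking for are the same thing the pflogsumm post points at: read the mail log around the queue timestamps, tie each queued message back to the login that submitted it, and count who is addressing the most recipients. Below is an added example that does that over a few constructed Postfix log lines; it is not part of the thread, not pflogsumm, and not a Virtualmin tool. It assumes the default Postfix syslog format (smtpd `sasl_username=` lines for authenticated submissions, `pickup` `uid=` lines for mail injected locally by a web app or cron job, and `qmgr` lines carrying `nrcpt=`), and the log path on the usage line is an assumption you replace with your own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample maillog lines (not from the thread). The shape follows
# Postfix's usual smtpd/pickup/qmgr syslog lines; hosts, users and IPs are
# made up, using documentation address ranges.
SAMPLE_LOG = """\
Mar  3 09:01:10 mail postfix/smtpd[2201]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=sales@example.test
Mar  3 09:01:10 mail postfix/qmgr[1100]: 1A2B3C4D5E: from=<sales@example.test>, size=2140, nrcpt=40 (queue active)
Mar  3 09:01:25 mail postfix/smtpd[2201]: 2B3C4D5E6F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=sales@example.test
Mar  3 09:01:25 mail postfix/qmgr[1100]: 2B3C4D5E6F: from=<sales@example.test>, size=2133, nrcpt=45 (queue active)
Mar  3 09:02:02 mail postfix/smtpd[2203]: 3C4D5E6F7A: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=sales@example.test
Mar  3 09:02:02 mail postfix/qmgr[1100]: 3C4D5E6F7A: from=<sales@example.test>, size=2150, nrcpt=50 (queue active)
Mar  3 09:05:40 mail postfix/smtpd[2204]: 4D5E6F7A8B: client=office.example.test[192.0.2.10], sasl_method=PLAIN, sasl_username=admin@example.test
Mar  3 09:05:40 mail postfix/qmgr[1100]: 4D5E6F7A8B: from=<admin@example.test>, size=5120, nrcpt=1 (queue active)
Mar  3 09:07:15 mail postfix/pickup[1099]: 5E6F7A8B9C: uid=1003 from=<www-data>
Mar  3 09:07:15 mail postfix/qmgr[1100]: 5E6F7A8B9C: from=<www-data@mail.example.test>, size=980, nrcpt=30 (queue active)
Mar  3 09:07:30 mail postfix/smtpd[2205]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# smtpd line for an authenticated submission: ties a queue id to a SASL user and the client that logged in.
SMTPD_AUTH = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,]+), sasl_method=\S+, sasl_username=(?P<user>\S+)")
# pickup line: mail injected locally through the sendmail binary (typical of web apps and cron), keyed by uid.
PICKUP = re.compile(TS + r" \S+ postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# qmgr line: recipient count once the message is accepted into the queue.
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
AUTH_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: (?P<client>\S+): SASL \w+ authentication failed")


def summarize(log_text):
    """Return (per-sender stats, failed SASL logins per client) for one log text."""
    origin = {}  # queue id -> (sender key, kind, client, timestamp of submission)
    stats = {}
    failed = defaultdict(int)
    for line in log_text.splitlines():
        m = SMTPD_AUTH.search(line)
        if m:
            origin[m["qid"]] = (m["user"], "sasl", m["client"], m["ts"])
            continue
        m = PICKUP.search(line)
        if m:
            origin[m["qid"]] = ("uid=%s (%s)" % (m["uid"], m["from"]), "local", "localhost", m["ts"])
            continue
        m = QMGR.search(line)
        if m and m["qid"] in origin:
            key, kind, client, ts = origin[m["qid"]]
            s = stats.setdefault(key, {"kind": kind, "messages": 0, "recipients": 0,
                                       "clients": set(), "first": ts, "last": ts})
            s["messages"] += 1
            s["recipients"] += int(m["nrcpt"])
            s["clients"].add(client)
            s["last"] = ts
            continue
        m = AUTH_FAIL.search(line)
        if m:
            failed[m["client"]] += 1
    return stats, failed


def rank_senders(stats):
    """Senders ordered by recipients addressed, most first: bulk senders float to the top."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["recipients"], kv[0]))


def report(log_text):
    stats, failed = summarize(log_text)
    for key, s in rank_senders(stats):
        print("%-28s %-5s msgs=%-3d rcpts=%-4d clients=%d  %s .. %s" % (
            key, s["kind"], s["messages"], s["recipients"], len(s["clients"]), s["first"], s["last"]))
    for client, n in sorted(failed.items()):
        print("failed SASL logins from %s: %d" % (client, n))


if __name__ == "__main__":
    # Usage: python3 mailstats.py /var/log/maillog  (path is an assumption; use your system's mail log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(text)
```

Two columns matter when reading the output against the thread's advice: `clients` greater than one for a single account means the credential is being used from more than one place, which is what a leaked password looks like, and a `local` row keyed by a uid means mail is leaving through a web app or script rather than through a mailbox login, so disabling the mailbox would not stop it.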
Nobody is sure that postfix is sending the message though
Obviously the ones in the queue were sent via Postfix. But, the logs shown later don’t show that user sending any new mail (but we only see a tiny snippet). OP needs to look at the danged logs and actually read them to figure out what’s going on.
But there are many ways to send spam if a user has a shell or has the ability to install a web application.