outgoing spam

Kod

I've noticed a lot of spam going out of my server; lots of frozen e-mails show up in the queue:

2h 2.8K 1S2joq-0007uR-Tu <>
[email protected]

74m 2.8K 1S2kSm-0001V3-Mz <>
[email protected]

70m 2.8K 1S2kXQ-0001kg-9n <>
[email protected]

64m 2.8K 1S2kd5-000213-CI <>
[email protected]

64m 2.8K 1S2kd5-000214-Cd <>
[email protected]

61m 2.7K 1S2kfx-0002C6-HT <>
[email protected]

61m 2.8K 1S2kgC-0002Cb-7C <>
[email protected]

When checking the header, it shows the mail is being sent from localhost:

Received: from localhost ([127.0.0.1] helo=next.mydomain.tld)
by next.mydomain.tld with smtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1S2fpB-0004SJ-7Z
for [email protected]; Wed, 29 Feb 2012 10:27:53 +0100
Date: Wed, 29 Feb 2012 10:27:53 +0000 (UTC)
From: Mandy Taylor via LinkedIn <[email protected]>
Reply-To: Mandy Taylor <[email protected]>
To: a0063109 At adlog.com via LinkedIn <[email protected]>

Any ideas what's wrong, knowing that the server is NOT an open relay?
 
Maybe removing 127.0.0.1 from relay_hosts would be an idea. Is this safe? Thanks for your feedback.
 
Show results for

Code:
exigrep 1S2TMz-00015B-4v /var/log/exim/mainlog

Does

Code:
ps aux | egrep "php|perl"

show anything unusual?

p.s. Feel free to contact me if you want me to find a spammer on your server. You can hire me for that, or anybody else here.
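
The frozen `<>` messages in the queue are bounces, and Exim logs the ID of the message each bounce was generated for as `R=` on the bounce's `<=` line. The script below is an added example, not part of the thread: it follows that reference back to the original arrival and reports whether it came in over SMTP from 127.0.0.1 or from a local user. The log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Log lines below are constructed samples in Exim mainlog format.
sample_mainlog() {
cat <<'EOF'
2012-02-29 10:27:53 1AAAAA-000001-AA <= news@site.example H=localhost (next.mydomain.tld) [127.0.0.1] P=smtp S=2812
2012-02-29 10:27:55 1BBBBB-000002-BB <= <> R=1AAAAA-000001-AA U=mail P=local S=2866
2012-02-29 10:30:10 1CCCCC-000003-CC <= www@next.mydomain.tld U=apache P=local S=1900
2012-02-29 10:30:12 1DDDDD-000004-DD <= <> R=1CCCCC-000003-CC U=mail P=local S=2100
2012-02-29 10:31:00 1EEEEE-000005-EE <= bob@client.example H=mail.client.example [192.0.2.10] P=esmtp S=4000
EOF
}

# trace_bounces (hypothetical name): reads a mainlog on stdin and prints
#   <bounce id> <original id> <how the original message was submitted>
trace_bounces() {
  awk '
    $4 != "<=" { next }                 # only message-arrival lines
    {
      ref = ""; user = ""; proto = ""; ip = ""
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^R=/)      ref   = substr($i, 3)   # bounce: id of failed message
        else if ($i ~ /^U=/) user  = substr($i, 3)   # local user or ident
        else if ($i ~ /^P=/) proto = substr($i, 3)   # smtp, esmtp, local, ...
        else if (substr($i, 1, 1) == "[")            # [ip] or [ip]:port
          ip = substr($i, 2, index($i, "]") - 2)
      }
      if ($5 == "<>" && ref != "") {    # locally generated bounce
        bounce_of[$3] = ref; order[++n] = $3; next
      }
      if (ip == "127.0.0.1" || ip == "::1") how = "loopback-smtp"
      else if (proto == "local")            how = "local-user:" user
      else                                  how = "remote:" ip
      origin[$3] = how " sender=" $5
    }
    END {
      for (k = 1; k <= n; k++) {
        b = order[k]; o = bounce_of[b]
        print b, o, ((o in origin) ? origin[o] : "origin-not-in-log")
      }
    }'
}

# On a server: trace_bounces < /var/log/exim/mainlog
sample_mainlog | trace_bounces
```

A `loopback-smtp` origin means a process on the server itself handed the message to Exim over 127.0.0.1, while `local-user:` names the account that submitted it locally.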
 