Postfix Sending Spam From User www-data
Recently I discovered that Postfix had been busy sending spam emails to people all over the web. Several entries like this started showing up in my /var/log/mail.log:
Jan 24 09:05:50 li51-89 postfix/qmgr[2971]: 278C6C499: from=<www-data@####.members.linode.com>, size=600, nrcpt=1 (queue active)
278C6C499: to=<luke.debett####@law.com>, relay=none, delay=185184, delays=185184/0/0.05/0, dsn=4.4.1, status=deferred (connect to law.com[12.170.132.211]:25: Connection refused)
I also found many rejected emails that had bounced back to my server in the /var/mail/www-data file. These gave me an idea of what kind of emails my server was busy sending out.
Here’s an example. I removed the link address from the email, parts of my server’s domain name, and the recipient’s email address.
--3432BC4CA.1262789678/####.members.linode.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: by ####.members.linode.com (Postfix, from userid 33)
        id 3432BC4CA; Wed, 6 Jan 2010 08:54:36 -0600 (CST)
To: runner####@hotmail.com
Subject: Biggest result ever
MIME-Version: 1.0 ^M
Content-type: text/html; charset="utf-8" ^M
X-Mailer: eComm Php^M
From: mail@shop.subdomain.org ^M
Message-Id: <20100106145437.3432BC4CA@####.members.linode.com>
Date: Wed, 6 Jan 2010 08:54:36 -0600 (CST)

Only here you can get it. <a href="CENSORED"><font size=3 color="orange">Get now</font></a><style>}3;m@7~w(;9j]8T_3FB|}IP9b5X][H;Np5nlEn</style>

--3432BC4CA.1262789678/####.members.linode.com--
From the “From” line in the above returned email, I could find the source of the problem. My website located at shop.subdomain.org was being hijacked to send spam. This particular website was running osCommerce v2.2 Rc 2a, last released in 2008. There were no updates available to osCommerce that fixed this problem.
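The same triage can be run over every bounce in the mailbox instead of reading one by hand. This is an added example, not code from the original post: it tallies the From and X-Mailer headers of returned messages that were submitted locally by uid 33 (the userid in the Received line above). The function name, the sample bounce and its example.org/example.com hostnames are constructed for illustration.

```python
import email
import re
from collections import Counter

USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")

def bounce_origins(messages, uid="33"):
    """Count (From, X-Mailer) of returned mail that `uid` submitted locally.

    `messages` is any iterable of email.message.Message objects, for
    example mailbox.mbox("/var/mail/www-data").
    """
    tally = Counter()
    for msg in messages:
        for part in msg.walk():
            ctype = part.get_content_type()
            if ctype == "message/rfc822" and part.is_multipart():
                inner = part.get_payload(0)        # whole message returned
            elif ctype == "text/rfc822-headers":   # only headers returned
                inner = email.message_from_string(part.get_payload())
            else:
                continue
            received = " ".join(str(r) for r in inner.get_all("Received", []))
            m = USERID_RE.search(received)
            if m and m.group(1) == uid:
                # strip() drops the stray CR/space the script left behind
                tally[(str(inner.get("From", "")).strip(),
                       str(inner.get("X-Mailer", "")).strip())] += 1
    return tally

# Constructed sample bounce (hostnames and recipient are placeholders).
SAMPLE_BOUNCE = (
    'From: MAILER-DAEMON@host.example.com\n'
    'Content-Type: multipart/report; boundary="B1"\n'
    '\n--B1\n'
    'Content-Description: Undelivered Message\n'
    'Content-Type: message/rfc822\n\n'
    'Received: by host.example.com (Postfix, from userid 33)\n'
    '\tid 3432BC4CA; Wed, 6 Jan 2010 08:54:36 -0600 (CST)\n'
    'To: someone@example.net\n'
    'Subject: Biggest result ever\n'
    'X-Mailer: eComm Php\r\n'
    'From: mail@shop.example.org \r\n'
    '\nOnly here you can get it.\n'
    '--B1--\n'
)

if __name__ == "__main__":
    sample = [email.message_from_string(SAMPLE_BOUNCE)]
    for (sender, mailer), n in bounce_origins(sample).most_common():
        print(f"{n:5d}  From: {sender}  X-Mailer: {mailer}")
```

On a host with several virtual hosts, the most frequent From/X-Mailer pair points at the site whose script is handing mail to Postfix.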
I suppose at this point I could have tried to find the component at fault and bugfix it myself, but I took the lazy way out, and completely shut down the site.
Result: problem fixed.
Hope this helps someone with a similar problem. For those that must know, I started using Joomla 1.5 and Virtuemart for the same website. Haven’t had any problems yet… fingers still crossed.
This entry was posted on Monday, February 22nd, 2010 at 6:00 am and is filed under linux.
2 Responses to “Postfix Sending Spam From User www-data”
Hi, I have the same problem. Can you help me?
I may be able to, but not likely. I couldn’t fix my own problem, and migrated to a different software package for my e-commerce. If osCommerce is the source of your problems, you should try to get in touch with one of the developers to have them incorporate a fix into the next version of the software. A contact list for the development team can be found here.