I have a web server running Ubuntu 18.04 with Apache. I have three sites running. Looking in the mail logs, I can see there are many attempts to send email, however I cannot determine the source (e.g. which page of the website is generating the message). A lot of the messages look like spam based on the subject line I can see in the mail.log file.
My question is, how do I work out where this is coming from?
- Having multiple sites makes it more complicated.
- I would like to know in the logs how to identify the source. If I can find the particular web page would be even better. This is not currently configured correctly from a reverse DNS standpoint but I will worry about that another time.
- I just want to find where the emails are coming from.
I've checked the server access logs and nobody is logging in to the server so it must be coming through one of the websites. The server firewall blocks incoming connections to the mail server.
Copy of mail.log file showing emails. I've changed some of the names.
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1t001734: <-- EHLO localhost.localdomain
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to meet you
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-ENHANCEDSTATUSCODES
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-PIPELINING
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-EXPN
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-VERB
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-8BITMIME
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-SIZE
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-DSN
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-ETRN
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-AUTH PLAIN
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250-DELIVERBY
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250 HELP
Jun 1 14:34:45 localhost sm-mta[1734]: STARTTLS=read, info: fds=8/4, err=2
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: <-- MAIL From:<admin@example.com> SIZE=10825
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250 2.1.0 <admin@example.com>... Sender ok
Jun 1 14:34:45 localhost sm-mta[1734]: STARTTLS=read, info: fds=8/4, err=2
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: <-- RCPT To:<abdukarimovubaydulla@gmail.com>
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250 2.1.5 <abdukarimovubaydulla@gmail.com>... Recipient ok
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: <-- DATA
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 354 Enter mail, end with "." on a line by itself
Jun 1 14:34:45 localhost sm-mta[1734]: STARTTLS=read, info: fds=8/4, err=2
Jun 1 14:34:45 localhost sm-mta[1734]: STARTTLS=read, info: fds=8/4, err=2
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: from=<admin@example.com>, size=11136, class=0, nrcpts=1, msgid=<202206010504.25154jKf001733@localhost.localdomain>, proto=ESMTPS, daemon=MTA-v4, relay=localhost.localdo$
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1u001734: --- 250 2.0.0 25154j1u001734 Message accepted for delivery
Jun 1 14:34:45 localhost sm-mta[1736]: 25154j1u001734: makeconnection (gmail-smtp-in.l.google.com. [IPv6:2404:6800:4003:c06:0:0:0:1b]) failed: Network is unreachable
Jun 1 14:34:45 localhost sm-mta[1734]: STARTTLS=read, info: fds=8/4, err=2
Jun 1 14:34:45 localhost sendmail[1733]: 25154jKf001733: to=abdukarimovubaydulla@gmail.com, ctladdr=admin@example.com (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=40825, relay=[127.0.0.1] [127.0.0.1], dsn=2.0$
Jun 1 14:34:45 localhost sm-mta[1734]: 25154j1v001734: <-- QUIT
