5B4B2255C565 759 Wed Jan 7 00:33:40 firstname.lastname@example.org
(host mx-eu.mail.am0.yahoodns.net[188.125.69.xx] said: 421 4.7.1 [TS03] All messages from 85.214.246.xx will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
-- 221201 Kbytes in 211122 Requests.
There are a lot of spam mails in the queue (requests: 211122) that haven't been delivered yet. Based on the feedback in some of those mails I learned that my server had been blacklisted for sending spam. You can check whether your server is blacklisted at mxtoolbox.com.
In my case, a lot of mails had been sent from three different domains that I am hosting.
To get more information from those mails, you can display them by their queue ID with postcat, as shown below:
user@server:/var# sudo postcat -q 5B4B2255C565
*** ENVELOPE RECORDS deferred/5/5B4B2255C565 ***
message_size: 759 195 1 0 759
message_arrival_time: Wed Jan 7 00:33:40 2015
create_time: Wed Jan 7 00:33:40 2015
*** MESSAGE CONTENTS deferred/5/5B4B2255C565 ***
Received: by matrix.internet-reloaded.de (Postfix, from userid 10x01)
id 5B4B2255C565; Wed, 7 Jan 2015 00:33:40 +0100 (CET)
Subject: RE: Hi
From: "Cheryl Rose" <email@example.com>
Reply-To:"Cheryl Rose" <firstname.lastname@example.org>
X-Priority: 3 (Normal)
Content-Type: text/html; charset="iso-8859-1"
Date: Wed, 7 Jan 2015 00:33:40 +0100 (CET)
*** MESSAGE FILE END deferred/5/5B4B2255C565 ***
Taking a closer look at line 14, where the header "X-PHP-Originating-Script" is stated, you get the information where this mail originated from.
In this case, a script named stats.php belonging to the user with ID 10001 was used to send this mail. You might have to check several of your mails to find all spam-sending scripts on your server. If this header is not shown in your mails, you can check another article about the necessary changes to your PHP configuration.
First we check which username is hidden behind that user ID.
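Reading queue files one at a time gets slow with a queue of this size. The script below is an added example and not part of the original post: it dumps the whole deferred queue with postcat and tallies the X-PHP-Originating-Script headers, so every spam-sending script and its owning uid appears in one listing. It assumes the header has PHP's standard "uid:script" format, which PHP only emits when mail.add_x_header is enabled in php.ini; the queue directory path is the default Postfix location and the sample postcat output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: dump every message in the deferred
# queue with postcat and count the X-PHP-Originating-Script headers, so all
# spam-sending scripts show up in one listing instead of one queue file at a time.
#
# Assumption (not stated on the page): PHP writes the header as
#   X-PHP-Originating-Script: <uid>:<script basename>
# which it does only when mail.add_x_header = On is set in php.ini.

# Read postcat output on stdin; print "uid script count", most frequent first.
tally_originating_scripts() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):\(.*\)$/\1 \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $3, $1 }'
}

# Dump the whole deferred queue (needs root, like "postcat -q" in the post).
# postcat also accepts queue file paths directly, so no queue ID parsing is needed.
dump_deferred_queue() {
    find "${1:-/var/spool/postfix/deferred}" -type f -exec postcat '{}' +
}

# Constructed sample: three abbreviated postcat dumps (not real queue data).
SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/A/AAAAAAAAAAAA ***
Received: by mail.example.invalid (Postfix, from userid 10001)
X-PHP-Originating-Script: 10001:stats.php
Subject: RE: Hi
*** MESSAGE FILE END deferred/A/AAAAAAAAAAAA ***
*** ENVELOPE RECORDS deferred/B/BBBBBBBBBBBB ***
X-PHP-Originating-Script: 10001:stats.php
Subject: RE: Hello
*** MESSAGE FILE END deferred/B/BBBBBBBBBBBB ***
*** ENVELOPE RECORDS deferred/C/CCCCCCCCCCCC ***
X-PHP-Originating-Script: 10002:cache.php
Subject: Invoice
*** MESSAGE FILE END deferred/C/CCCCCCCCCCCC ***'

# Run the tally over the constructed sample.
tally_sample() {
    printf '%s\n' "$SAMPLE_POSTCAT" | tally_originating_scripts
}

if [ "${1:-}" = "--queue" ]; then
    # Real run on the local Postfix deferred queue.
    dump_deferred_queue | tally_originating_scripts
else
    # Offline demonstration on the constructed sample.
    tally_sample
fi
```

Run it without arguments to see the sample tally; run it as root with --queue to tally your own deferred queue. Each output line names a uid and script to follow up on with the steps below.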
user@server:/var# sudo cat /etc/passwd | grep 10001
In this case, a user called "USERNAME" owns the spam-sending script. In the next step we check whether there is a script called stats.php that belongs to that user.
user@server:/var# sudo find / -name 'stats.php' | grep USERNAME
This works for me because I name the virtual host web directories after the username. Otherwise, you can simply search for the script without that filter:
user@server:/var# sudo find / -name 'stats.php'
You should now take a look at all of these scripts and check whether they contain suspicious code.
If a script consists of nothing but a preg_replace statement, it is very likely malicious.
You can move the scripts to a directory that is not reachable through your web server, or delete them.
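The three manual steps above (uid to login name, locate the script, inspect it) are collected below as reusable shell functions. This is an added example, not the original post's commands: the script name stats.php and uid 10001 come from the post, while the passwd-file parameter, the search-root parameter, the marker list in flag_suspicious_php and the constructed sample tree are this example's own choices. Matching the uid field exactly instead of grepping for the number avoids false hits on gids or home paths that happen to contain 10001, and restricting find to the owner separates the script from unrelated copies of a common filename on a shared host.

```shell
#!/bin/sh
# Added example, not the original post's commands: the three manual steps
# (uid -> login name, locate the script, inspect it) as reusable functions.
# "stats.php" and uid 10001 come from the post; the passwd-file parameter, the
# search-root parameter and the marker list are this example's own choices.

# Resolve a numeric uid to a login name. $2 is the passwd file (default
# /etc/passwd). Matching the third field exactly avoids the false hits that a
# plain "grep 10001" gives on gids, home directories or uids like 110001.
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "${2:-/etc/passwd}"
}

# List regular files named $1 under $2 (default /) that are owned by uid $3.
find_owned_scripts() {
    find "${2:-/}" -xdev -type f -name "$1" -user "$3" 2>/dev/null
}

# Count lines in PHP file $1 carrying typical mailer/webshell markers, built
# around the post's preg_replace hint (the /e modifier runs the replacement as
# PHP code). Exit status 0 means at least one marker was found.
flag_suspicious_php() {
    grep -E -c \
        -e 'preg_replace[[:space:]]*\(.*/e' \
        -e 'eval[[:space:]]*\(' \
        -e 'base64_decode[[:space:]]*\(' \
        -e 'str_rot13[[:space:]]*\(' \
        -e 'mail[[:space:]]*\(' \
        "$1"
}

# The complete check for one (uid, script) pair taken from the mail headers.
# $3 is the search root and $4 the passwd file, both optional.
scan_uid_script() {
    uid=$1; script=$2
    name=$(uid_to_name "$uid" "${4:-/etc/passwd}")
    echo "uid $uid -> user ${name:-<unknown>}"
    find_owned_scripts "$script" "${3:-/}" "$uid" | while read -r f; do
        if n=$(flag_suspicious_php "$f"); then
            echo "SUSPICIOUS ($n marker lines): $f"
        else
            echo "no markers: $f"
        fi
    done
}

# Constructed sample tree (not real data): a passwd file giving uid 10001 to
# USERNAME (and gid 10001 to a second user, to show the grep false hit), one
# stats.php matching the post's description and one harmless script. The
# placeholder string is deliberately not executable PHP.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'USERNAME:x:10001:10001::/var/www/USERNAME:/bin/false' \
                  'other:x:10002:10001::/var/www/other:/bin/false' > "$dir/passwd"
    printf '%s\n' '<?php' '@preg_replace("/.*/e", "CONSTRUCTED_PLACEHOLDER", "");' > "$dir/stats.php"
    printf '%s\n' '<?php' 'echo "hello";' > "$dir/index.php"
    echo "$dir"
}

case "${1:-}" in
    --demo)
        d=$(make_samples)
        echo "uid 10001 -> user $(uid_to_name 10001 "$d/passwd")"
        for f in "$d"/*.php; do
            if n=$(flag_suspicious_php "$f"); then echo "SUSPICIOUS ($n marker lines): $f"
            else echo "no markers: $f"; fi
        done
        rm -rf "$d" ;;
    "") echo "usage: $0 <uid> <script name> | --demo" >&2 ;;
    *)  scan_uid_script "$1" "${2:-}" ;;
esac
```

Run it with --demo to see the functions work on the constructed sample, or as root with the uid and script name from the header (for the post's case: 10001 stats.php) to scan the real host. The marker list is a heuristic; a hit means "read this file", not proof of compromise, and a clean result for a file that still consists only of preg_replace should still be treated as the post describes.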
Just a final hint:
If you really have a lot of mails in your queue, you can delete all mails in the Postfix mail queue with the following command. But keep in mind that this will also delete legitimate ones!
sudo postsuper -d ALL
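A more selective alternative, added here as an example and not part of the original post: remove only the queued messages from one envelope sender and leave the rest of the queue alone. The function parses the mailq listing (the same layout as the excerpt at the top of this post) and feeds the matching queue IDs to postsuper -d -, which reads queue IDs from standard input. The sender addresses and the mailq listing below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: delete only the queued mail whose
# envelope sender is the abused address, instead of "postsuper -d ALL".
# The mailq sample and the addresses are constructed; real queue IDs and
# senders come from your own "mailq" output.

# Read a mailq listing on stdin and print the queue IDs of messages sent by $1.
# mailq prints one record per message: "<ID>[*|!] <size> <day> <mon> <date>
# <time> <sender>", followed by indented reason and recipient lines. The
# trailing "*" (active) or "!" (on hold) must be stripped before postsuper sees it.
queue_ids_from_sender() {
    awk -v sender="$1" '
        /^-Queue ID-/ || /^--/ || /^Mail queue is empty/ { next }
        /^[0-9A-Za-z]+[*!]?[ \t]/ {
            id = $1
            sub(/[*!]$/, "", id)
            if ($NF == sender) print id
        }'
}

# Delete the queued messages from sender $1 (needs root).
delete_from_sender() {
    mailq | queue_ids_from_sender "$1" | postsuper -d -
}

# Constructed sample in the mailq layout shown at the top of the post.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
AAAAAAAAAAAA      759 Wed Jan  7 00:33:40  spammer@example.invalid
(host mx.example.invalid[192.0.2.1] said: 421 4.7.1 deferred (in reply to MAIL FROM command))
                                         victim@example.invalid

BBBBBBBBBBBB*     759 Wed Jan  7 00:33:41  spammer@example.invalid
                                         victim2@example.invalid

CCCCCCCCCCCC     1024 Wed Jan  7 00:35:00  legit@example.invalid
(connect to mx.example.invalid[192.0.2.1]:25: Connection timed out)
                                         friend@example.invalid

-- 3 Kbytes in 3 Requests.'

# IDs the spam sender would lose from the constructed sample.
sample_spam_ids() {
    printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_from_sender spammer@example.invalid
}

# IDs of the legitimate sender, which "postsuper -d ALL" would destroy as well.
sample_legit_ids() {
    printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_from_sender legit@example.invalid
}

if [ "${1:-}" = "--delete" ] && [ -n "${2:-}" ]; then
    delete_from_sender "$2"
else
    echo "spam:  $(sample_spam_ids | tr '\n' ' ')"
    echo "legit: $(sample_legit_ids | tr '\n' ' ')"
fi
```

Without arguments the script only shows which sample IDs each sender would lose; as root, --delete <sender> performs the deletion on the live queue. Check the ID list with mailq | queue_ids_from_sender <sender> before adding postsuper, since a wrong sender string silently matches nothing or the wrong messages.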