postfix sending email every minute

More this problem now.
I recently noticed that postfix issues this log every minute, but I can't find these emails sent or the email account used for sending and receiving.

Code: [Select]

May 27 08:11:02 server postfix/pickup[575682]: F2E74412187D: uid=1010 from=<agendada>
May 27 08:11:02 server postfix/cleanup[571398]: F2E74412187D: message-id=<20230527121102.F2E74412187D@server.xxxxxxx.xxx.xx>
May 27 08:11:03 server opendkim[1093]: F2E74412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:11:03 server postfix/local[548309]: F2E74412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.55, delays=0.37/0.03/0/0.15, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: removed
May 27 08:12:02 server postfix/pickup[575682]: 6FDB5412187D: uid=1010 from=<agendada>
May 27 08:12:02 server postfix/cleanup[571398]: 6FDB5412187D: message-id=<20230527121202.6FDB5412187D@server.xxxxxxx.xxx.xx>
May 27 08:12:02 server opendkim[1093]: 6FDB5412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:12:02 server postfix/qmgr[371490]: 6FDB5412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:12:03 server postfix/local[548309]: 6FDB5412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.68, delays=0.49/0.05/0/0.14, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:12:03 server postfix/qmgr[371490]: 6FDB5412187D: removed
May 27 08:13:03 server postfix/pickup[575682]: 097FC412187D: uid=1010 from=<agendada>
May 27 08:13:03 server postfix/cleanup[571398]: 097FC412187D: message-id=<20230527121303.097FC412187D@server.xxxxxxx.xxx.xx>
May 27 08:13:03 server opendkim[1093]: 097FC412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:13:03 server postfix/qmgr[371490]: 097FC412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:13:03 server postfix/local[548309]: 097FC412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.76, delays=0.62/0.07/0/0.07, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:13:03 server postfix/qmgr[371490]: 097FC412187D: removed
May 27 08:13:09 server clamd[923]: SelfCheck: Database status OK.
May 27 08:14:02 server postfix/pickup[575682]: 74670412187D: uid=1010 from=<agendada>
May 27 08:14:02 server postfix/cleanup[571398]: 74670412187D: message-id=<20230527121402.74670412187D@server.xxxxxxx.xxx.xx>
May 27 08:14:02 server opendkim[1093]: 74670412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:14:02 server postfix/qmgr[371490]: 74670412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:14:02 server postfix/local[548309]: 74670412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.52, delays=0.43/0/0/0.09, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:14:02 server postfix/qmgr[371490]: 74670412187D: removed


By your log, it looks to be agendada, UID 1010
Try running:

Code: [Select]

id 1010to find the associated account. Then go into your admin panel and rate limit the amount of mail messages the account can send in an hour, to contain collateral damage while you investigate.

I would seriously consider enacting some Postfix rate limiting restrictions as well in /etc/postfix/main.cf:

Code: [Select]

##//delivery rate controls/restrictions
# Parrallel delivery force (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 6
default_destination_concurrency_limit = 30
# Max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
in_flow_delay = 1s
# Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10s 
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# limit max sends per minute
anvil_rate_time_unit = 60s
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 30
smtpd_client_message_rate_limit = 30


Check HTTP/HTTPS access logs of the websites associated with the user "agendada". I assume some website hosted in the account of the user "agendada" could contain some unprotected mail form or vulnerable mail script. It could be bombarded by spam bots. That is why you could get a lot of mail delivery failures. To solve the problem with the form, protect the form using Google reCaptcha or similar method. In case the bounces are caused by the vulnerable mail script then to avoid the spam submission the script must check the referrer, verify some hidden data from the form, etc.

By your log, it looks to be agendada, UID 1010
Try running:

Code: [Select]

id 1010to find the associated account. Then go into your admin panel and rate limit the amount of mail messages the account can send in an hour, to contain collateral damage while you investigate.

I would seriously consider enacting some Postfix rate limiting restrictions as well in /etc/postfix/main.cf:

Code: [Select]

##//delivery rate controls/restrictions
# Parrallel delivery force (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 6
default_destination_concurrency_limit = 30
# Max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
in_flow_delay = 1s
# Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10s 
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# limit max sends per minute
anvil_rate_time_unit = 60s
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 30
smtpd_client_message_rate_limit = 30


Hello, overseer

In fact there is the scheduled user, there just aren't those email accounts agendada@server.xxxxxxx.xxx.xx
I'll make the settings you gave me.

Thanks

Check HTTP/HTTPS access logs of the websites associated with the user "agendada". I assume some website hosted in the account of the user "agendada" could contain some unprotected mail form or vulnerable mail script. It could be bombarded by spam bots. That is why you could get a lot of mail delivery failures. To solve the problem with the form, protect the form using Google reCaptcha or similar method. In case the bounces are caused by the vulnerable mail script then to avoid the spam submission the script must check the referrer, verify some hidden data from the form, etc.

hello cyberspace

I hadn't thought of that possibility, I'll check the logs

Thanks

Yes, cyberspace mentioned the most common vector for spam sending on servers -- an insecure php script that gets exploited/abused to send bulk UCE (unsolicited commercial e-mail). I'm sorry I neglected to mention the possibility in my response, because that's the most common vector these days. In fact, that's the only mail abuse I've seen on my servers is via a malicous php script implanted via a WordPress vulnerability. You may want to consider closing off the php mailer vector altogether and require ONLY authenticated SMTP on the server for mail sending. It depends on your situation, but really I would say generally that using the php mailer functionality is "lazy coding" and you should only use SMTP AUTH for accounting purposes -- it's clear who is sending what and everything is logged.

Yes, cyberspace mentioned the most common vector for spam sending on servers -- an insecure php script that gets exploited/abused to send bulk UCE (unsolicited commercial e-mail). I'm sorry I neglected to mention the possibility in my response, because that's the most common vector these days. In fact, that's the only mail abuse I've seen on my servers is via a malicous php script implanted via a WordPress vulnerability. You may want to consider closing off the php mailer vector altogether and require ONLY authenticated SMTP on the server for mail sending. It depends on your situation, but really I would say generally that using the php mailer functionality is "lazy coding" and you should only use SMTP AUTH for accounting purposes -- it's clear who is sending what and everything is logged.

hello overseer

I disabled the sending of direct email through php, now for sending only smtp auth.

After these suggestions I was able to stop those submissions.

Thank you all for your help.