We currently have a larger spam issue on one of our servers. I think, that some customer hosted CMS is compromised and is sending spam e-mails out.
Unlike any other spam issue, i've ever seen, this time it is NOT sent via php's mail() feature. (I log that and there's nothing there).
In the postfix log, I can see, the mails are delivered by the server's own ip address (and, of course allowing it, since the local ip is in mynetworks).
The header's of the spam examples, that got reported to me, gives absolutely no hint on the root cause. (e.g. which customer etc). Envelope data, from fields, recipients
are all unknown (not from our customers) and seem to be fake.
Does anyone got an idea, on how to track this further ? Could it be a php script, delivering the mails via localhost:25 by having some smtp client implemented in php ? How would it
be possible to monitor that ?
I would be very happy for any hint, that could help me to get more insight and solve that problem.