I have an email server, but the las 1rst and 6th of september some spammer is sending spam from my server.
My problem is that I can't detect how is doing this, apparently they hijacked a website in my server and put there a cgi or php script, cause the maillog show this kind or registry:
Sep 6 16:44:20 sm3 sendmail: s86LTIdQ027961: from=<email@example.com>, size=1653, class=0, nrcpts=1, msgid=<201409061259.s86CxFP8005548@my.server.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 6 16:44:20 sm3 sm-msp-queue: s86CxFP8005548: firstname.lastname@example.org, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep 6 16:48:20 sm3 sendmail: s86LTIdQ027961: to=<email@example.com>, ctladdr=<firstname.lastname@example.org> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [220.127.116.11], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.
There are not ip that I can't block, because the ip is the localhost, so they are using apache user to send.
I look for the spammer in the access_log to check if there a webpage that is sending the spam, but access_log don't show any activity suspect.
Any idea that you can share to know how I can't find the spammers' tools in my server?