How do I find a spam sender when Akamai reports spam?
Akamai sent an email claiming there is spam coming from our server. They do provide the email of the spammer or even the domain name. How do I even begin to locate this spam sender? They say we have to resolve it in 24 hours or they will block our server.
Roger
1 Reply
Hey Roger! Right up front, we can generally delay our original timeline to resolve a ToS Violation ticket as long as you respond to that ticket asking for some extra time and remain in consistent communication throughout the process. This can allow you to more thoroughly investigate your server without the looming fear of having your services disrupted before you are able to fully resolve the reported issue(s).
From what I found in this StackOverflow post, the following command will return the destination of all mail sent out of your mail server:
grep -o 'to=<[a-z0-9_\.-]\+@[\da-z\.-]\+\.[a-z\.]\{2,6\}>' /var/log/maillog
That may be too broad of a grep search, so instead you could try:
grep -i "$REPORTED_DOMAIN" /var/log/maillog
That should instead return only the outbound mail sent by the spammer, or more specifically, the mail sent to or from the reported domain.
Longer term, security is important for all systems, so I would recommend reviewing not only the underlying server security measures, but also improving mail settings to prevent the sending of spam. The following guides should help you do this:
Mail Server Security:
- Running a Mail Server | Spam and Virus Protection
- How to Check if Your Server is Sending Spam - Abusix
- Create DNS Records to prevent spoofing: SPF, PTR/rDNS, DKIM, and DMARC
System Security:
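The two grep commands in the reply above show which addresses mail went to, but not who on the server injected it. The following POSIX shell script is an added example, not code from the original reply or from the linked guides: it parses a Postfix-style maillog, ranks envelope senders and recipient domains, and then joins the queue ID of every message addressed to the reported domain back to the SASL login (or the local envelope sender, for mail injected by a web application) that submitted it. It assumes the Postfix log format (smtpd, qmgr and smtp lines sharing a queue ID), a log written by the script itself as a constructed sample, and a hypothetical reported domain of reported.example; point it at /var/log/maillog and the real reported domain to use it on a live server.

```shell
#!/bin/sh
# Added example: triage a Postfix maillog to find who is injecting spam.
# The log written by write_sample_log is constructed; it is not real traffic.

# Write a small constructed Postfix-style log to the file named in $1.
write_sample_log() {
  cat > "$1" <<'EOF'
Jan 10 10:00:01 mail postfix/smtpd[1201]: 4F1A2B: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 10 10:00:01 mail postfix/qmgr[900]: 4F1A2B: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Jan 10 10:00:02 mail postfix/smtp[1300]: 4F1A2B: to=<victim1@reported.example>, relay=mx.reported.example[198.51.100.2]:25, delay=0.4, status=sent (250 OK)
Jan 10 10:00:05 mail postfix/smtpd[1201]: 4F1A2C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 10 10:00:05 mail postfix/qmgr[900]: 4F1A2C: from=<bob@example.com>, size=2048, nrcpt=2 (queue active)
Jan 10 10:00:06 mail postfix/smtp[1300]: 4F1A2C: to=<victim2@reported.example>, relay=mx.reported.example[198.51.100.2]:25, delay=0.4, status=sent (250 OK)
Jan 10 10:00:06 mail postfix/smtp[1300]: 4F1A2C: to=<victim3@other.example>, relay=mx.other.example[198.51.100.9]:25, delay=0.5, status=sent (250 OK)
Jan 10 10:01:00 mail postfix/pickup[800]: 4F1A2D: uid=33 from=<www-data>
Jan 10 10:01:00 mail postfix/qmgr[900]: 4F1A2D: from=<www-data@mail.example.org>, size=512, nrcpt=1 (queue active)
Jan 10 10:01:01 mail postfix/smtp[1300]: 4F1A2D: to=<admin@other.example>, relay=mx.other.example[198.51.100.9]:25, delay=0.3, status=sent (250 OK)
Jan 10 10:02:00 mail postfix/smtpd[1201]: 4F1A2E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 10 10:02:00 mail postfix/qmgr[900]: 4F1A2E: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Jan 10 10:02:01 mail postfix/smtp[1300]: 4F1A2E: to=<victim4@reported.example>, relay=mx.reported.example[198.51.100.2]:25, delay=0.4, status=bounced (550 spam)
EOF
}

# Envelope senders ranked by message count. qmgr logs one from=<...> per
# message, so counting there avoids over-counting multi-recipient mail.
# Output lines look like: "3 <bob@example.com>"
top_senders() {
  grep -o 'postfix/qmgr\[[0-9]*\]: [A-Z0-9]*: from=<[^>]*>' "$1" \
    | sed 's/.*from=//' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Recipient domains ranked by delivery attempts (to=<...> in smtp lines).
# Output lines look like: "3 reported.example"
top_recipient_domains() {
  grep -o 'to=<[^>]*@[^>]*>' "$1" \
    | sed 's/.*@//; s/>$//' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Queue IDs of messages addressed to the domain in $2 (case-insensitive).
# Dots in the domain are escaped so they match literally in the regex.
queue_ids_for_domain() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -i "to=<[^>]*@$esc>" "$1" \
    | sed 's/.*postfix\/[a-z]*\[[0-9]*\]: \([A-Z0-9]*\): .*/\1/' | sort -u
}

# For every such queue ID, report who injected the message: the SASL login
# (a compromised mailbox password) or "none" (locally injected, e.g. by a
# web application or cron job), plus the envelope sender qmgr recorded.
# Output lines look like: "4F1A2B sasl=bob@example.com from=bob@example.com"
injectors_for_domain() {
  queue_ids_for_domain "$1" "$2" | while read -r qid; do
    user=$(grep ": $qid: " "$1" | sed -n 's/.*sasl_username=\([^,]*\).*/\1/p' | head -n 1)
    from=$(grep ": $qid: " "$1" | sed -n 's/.*postfix\/qmgr.*from=<\([^>]*\)>.*/\1/p' | head -n 1)
    printf '%s sasl=%s from=%s\n' "$qid" "${user:-none}" "$from"
  done
}

# Same data, summarised: how many messages to the reported domain each
# SASL login submitted. Output lines look like: "3 sasl=bob@example.com"
top_injectors_for_domain() {
  injectors_for_domain "$1" "$2" | awk '{print $2}' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Usage: ./find_spam_sender.sh /var/log/maillog reported.example
# With no arguments it runs against the constructed sample log.
main() {
  log=${1:-}
  domain=${2:-reported.example}
  cleanup=
  if [ -z "$log" ]; then
    log=$(mktemp); write_sample_log "$log"; cleanup=$log
  fi
  echo "== envelope senders by message count =="; top_senders "$log"
  echo "== recipient domains by delivery attempts =="; top_recipient_domains "$log"
  echo "== messages to $domain and who injected them =="; injectors_for_domain "$log" "$domain"
  echo "== injectors of mail to $domain =="; top_injectors_for_domain "$log" "$domain"
  if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
}

if [ $# -eq 0 ]; then main; fi
```

On the sample, every message to reported.example traces back to the SASL login bob@example.com from a single client IP, which points at a stolen mailbox password rather than a compromised web application; a run where the injector is "none" and the sender is a web server user such as www-data points the other way. In either case the fix starts with that account or process, not with the recipient list.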