Find Spammer on Plesk Server

If you are using POSTFIX follow these steps

To check if emails are being send from a compromised account please follow this step. If there are too many emails send from an email account its compromised

zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 [email protected]

Here [email protected] is compromised so change its password immediately and clear queue using the below command

postsuper -d ALL

To view mail ids of email.

postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'

Find total no of emails in queue when using qmail

mailq | tail -n 1

Find total no of emails in queue when using Postfix

postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'|wc -l

List all message in queue for Postfix mail server

postqueue -p

To flush the mail queue:

postfix -f

If the email are being send from php script you need to get the script from its ID using the command

postcat -q 679E745AC97E

From that you can find the script.

X-PHP-Originating-Script: 33:spam.php

Here the script is spam.php you can verify it by accessing access log


Need our help to fix the issue ? Submit Support Ticket Now