Finding a Spammer in Plesk with qmail

To provide a mail service, Plesk supports two mail transfer agents: Postfix and qmail.

Plesk uses only one mail transfer agent at a time. You can check which of them is currently enabled on the following page: Server Administration Panel > Tools & Settings > Services Management

By default, Plesk for Linux uses Postfix for sending and receiving mail over the SMTP and SMTPS protocols.

You can switch to qmail by running the following command:

# /usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component qmail

With qmail in use, the following steps show which account the spam is coming from:

1) Take a look at the mail queue; each entry lists the date, the queue ID, the size in bytes, the envelope sender and then the recipients. Pick one of the obvious spam entries:

# /var/qmail/bin/qmail-qread

6 Jan 2012 09:14:53 GMT  #34012584  2987  <anonymous@server.bashexperts.com>
        remote  admin@yahoo.com

2) Now that we have a queue ID, locate the files qmail keeps for that message (the body lives under mess/, the envelope under info/ and remote/):

# find /var/qmail/queue/ -name 34012584

/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584

3) Now look at the message itself. The first Received header is written by qmail-queue and records the UID that injected the message locally:

# cat /var/qmail/queue/mess/0/34012584

Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.bashexperts.com>
To: admin@recdsa.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>

4) Map the UID to a system user and, through its home directory, to the subscription on the Plesk server. Look the UID up by field rather than grepping for the number, which would also match it anywhere else in the line:

# getent passwd 10820

admin947932:x:10820:2523::/var/www/vhosts/spammer.com:/bin/false

The home directory /var/www/vhosts/spammer.com names the subscription. Spammer caught.
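Steps 1 to 4 above are easy to do by hand for one message, but on a busy queue you want the whole queue tallied by injecting UID. The script below is an added example, not part of the original page or of Plesk: it walks mess/, pulls the UID out of the first "Received: (qmail N invoked by uid U)" header of each message, counts messages per UID and resolves each UID through a passwd file. Messages that arrived over SMTP carry "invoked from network" instead and are skipped. The queue and passwd paths are parameters so the script can run against the constructed sample it builds in a temporary directory; on a real host call spam_report with /var/qmail/queue and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original page): tally the qmail queue by the
# UID that injected each message, then map UIDs to passwd entries, whose home
# directory on Plesk points at the subscription (/var/www/vhosts/<domain>).

# Print the injecting UID of one queued message file (mess/<n>/<id>), or
# nothing if the first Received header does not say "invoked by uid" (for
# example a message that came in over SMTP: "invoked from network").
injecting_uid() {
    awk '
        /^$/ { exit }    # blank line ends the headers
        /^Received: \(qmail [0-9]+ invoked by uid [0-9]+\)/ {
            sub(/.*invoked by uid /, ""); sub(/\).*/, ""); print; exit
        }' "$1"
}

# Print "count uid" lines for every message under <queue>/mess, busiest first.
count_by_uid() {
    find "$1/mess" -type f | while read -r f; do
        injecting_uid "$f"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Resolve a UID to "user:home" using a passwd-format file (default /etc/passwd).
uid_to_account() {
    awk -F: -v u="$1" '$3 == u { print $1 ":" $6; exit }' "${2:-/etc/passwd}"
}

# Full report, one line per UID: count, uid, account (or "unknown").
spam_report() {
    count_by_uid "$1" | while read -r n uid; do
        acct=$(uid_to_account "$uid" "${2:-/etc/passwd}")
        printf '%s %s %s\n' "$n" "$uid" "${acct:-unknown}"
    done
}

# Constructed sample queue and passwd file (hypothetical data) so the script
# runs stand-alone; prints the directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/mess/0" "$d/mess/1"
    for id in 34012584 34012585; do
        printf 'Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000\nSubject: Urgent Reply\n\nbody\n' \
            > "$d/mess/0/$id"
    done
    printf 'Received: (qmail 11795 invoked by uid 48); 8 Mar 2013 08:22:19 -0800\n\nbody\n' \
        > "$d/mess/1/34012586"
    printf 'Received: (qmail 120 invoked from network); 6 Jan 2012 09:20:00 +0000\n\nbody\n' \
        > "$d/mess/1/34012587"
    printf 'admin947932:x:10820:2523::/var/www/vhosts/spammer.com:/bin/false\napache:x:48:48:Apache:/var/www:/sbin/nologin\n' \
        > "$d/passwd"
    echo "$d"
}

# Stand-alone run against the constructed sample. On a real server:
#   spam_report /var/qmail/queue /etc/passwd
SAMPLE=$(make_sample)
spam_report "$SAMPLE" "$SAMPLE/passwd"
```

The top line of the report is the account to look at first. A high count for the apache user (uid 48 on RHEL/CentOS-based systems) means the mail is being injected by PHP under mod_php, which is the case handled in the next section.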

Or, if the Received line looks like this instead:

Received: (qmail 11795 invoked by uid 48); 8 Mar 2013 08:22:19 -0800


If the Received line names the web server's own UID (uid 48 is the apache user on RHEL/CentOS-based systems), the mail was injected by a PHP script running under mod_php, and the UID alone does not tell you which subscription it belongs to. Under Plesk's FastCGI or PHP-FPM handlers PHP runs as the subscription's system user, so the UID maps to a vhost exactly as in step 4. For the apache case, start from whatever the message itself gives you (From and To addresses, Subject, Message-ID). If PHP's mail.add_x_header option is enabled, the message also carries an X-PHP-Originating-Script header with the UID and file name of the script that called mail(), which settles the question directly. Without that, finding the source is often hard. If you are sure a script is sending right now (the queue grows rapidly for no apparent reason), the following one-liner lists the PHP files under /var/www/vhosts that the web server processes currently have open, refreshing every second (the process is named apache2 rather than httpd on Debian-based Plesk):


# lsof +r 1 -p "$(pgrep -d, httpd)" | grep vhosts | grep php

To remove the spam from the queue, see the following doc: