Finding Spammer in Plesk or Qmail
To provide a mail service, Plesk supports two mail transfer agents: Postfix and qmail.
Plesk uses only one mail transfer agent at a time. You can check which of them is currently enabled on the following page: Server Administration Panel > Tools & Settings > Services Management
By default, Plesk for Linux uses Postfix for sending and receiving mail over SMTP and SMTPS.
You can switch to qmail by running the following command:
# /usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component qmail
With qmail in use, we can find out which account is sending the spam using the following steps:
1) Let's take a look at the mail queue and read one of the spam entries. Each entry shows the queue time, the message ID (the number after #), the size in bytes and the envelope sender, followed by one line per recipient:
# /var/qmail/bin/qmail-qread
6 Jan 2012 09:14:53 GMT  #34012584  2987  <anonymous@server.bashexperts.com>
        remote  admin@yahoo.com
2) Now that we have a message ID, let's locate the queue files for it. The copy under mess/ holds the headers and body:
# find /var/qmail/queue/ -name 34012584
/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584
3) Now let's look at the message itself to get the telling UID. The first Received header is written by qmail-queue when the message is injected and records the local UID that handed it over; unlike the From and To headers, which the spammer controls, this value is trustworthy:
# cat /var/qmail/queue/mess/0/34012584
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.bashexperts.com>
To: admin@recdsa.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>
4) Let's map the UID to an account and domain on the Plesk server. Look the UID up by the UID field rather than with "grep 10820", which also matches GIDs, longer UIDs such as 110820 and any path containing those digits:
# getent passwd 10820
admin947932:x:10820:2523::/var/www/vhosts/spammer.com:/bin/false
The home directory under /var/www/vhosts/ names the subscription (here spammer.com) whose system user injected the mail.
Spammer caught
Or, if the header is something like:
Received: (qmail 11795 invoked by uid 48); 8 Mar 2013 08:22:19 -0800
If the Received line shows the UID of the web server user 'apache' (uid 48 on RHEL/CentOS-based systems; confirm the mapping with "getent passwd 48"), the spam was sent by a PHP script running under the web server rather than by an authenticated mail account. In that case the only leads are the message contents (From and To addresses, Subject, Message-ID), and it is usually difficult to trace the originating script. If you are sure a script is sending spam right now (the queue grows rapidly for no apparent reason), list the PHP files the running web server processes currently have open under the vhosts directory:
# lsof +r 1 -p "$(pgrep -d, httpd)" | grep vhosts | grep php
"lsof +r 1" repeats the listing every second until you press Ctrl-C, so leave it running while the queue is growing. On Debian/Ubuntu-based Plesk servers the Apache processes are named apache2, so adjust the pgrep pattern accordingly.
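The following POSIX shell script is an added example (not code from the article or from Plesk) that automates steps 1 to 4 above and also flags the web server UID case from the PHP script section: it walks the qmail queue, pulls "invoked by uid N" out of the first Received header of every queued message, counts messages per UID and maps each UID to its account by matching the UID field of a passwd file. The queue layout assumed is the stock qmail one (mess/<split>/<id>); the sample queue, the passwd entries and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: correlate queued qmail
# messages with the local uid that injected them, then map uid -> account.
# Assumes the stock queue layout /var/qmail/queue/mess/<split>/<id>.
# All sample messages and passwd entries below are constructed for the demo.

set -e

# Print "uid count" for every injecting uid found under $1/mess.
count_uids() {
    find "$1/mess" -type f | while IFS= read -r f; do
        # qmail-queue prepends this line at injection time, so the first
        # Received: header names the local uid that handed the mail over.
        grep -m1 '^Received: (qmail [0-9]* invoked by uid [0-9]*)' "$f" \
            | sed 's/.*invoked by uid \([0-9]*\)).*/\1/'
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Resolve a numeric uid to "user:home" from a passwd-style file ($2, default
# /etc/passwd). Matching on field 3 avoids the pitfall of `grep 10820`, which
# also hits gids, longer uids such as 110820 and paths containing the digits.
uid_to_account() {
    awk -F: -v uid="$1" '
        $3 == uid { print $1 ":" $6; found = 1 }
        END { if (!found) exit 1 }' "${2:-/etc/passwd}"
}

# One line per uid: "<uid> <count> <user:home>", or "unknown" when the uid has
# no passwd entry. A web server user (apache, uid 48 on RHEL-style systems)
# means the mail came from a PHP script, not from a mailbox login.
report() {
    passwd="${2:-/etc/passwd}"
    count_uids "$1" | while read -r uid n; do
        acct=$(uid_to_account "$uid" "$passwd" || echo unknown)
        printf '%s %s %s\n' "$uid" "$n" "$acct"
    done
}

# Build a throw-away queue and passwd file (constructed data) so the script
# runs offline: three messages from uid 10820 and one from the apache uid.
make_sample() {
    mkdir -p "$1/mess/0" "$1/mess/1"
    for id in 34012584 34012585 34012590; do
        printf 'Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000\nTo: admin@example.com\nSubject: Urgent Reply\n\nbody\n' \
            > "$1/mess/0/$id"
    done
    printf 'Received: (qmail 11795 invoked by uid 48); 8 Mar 2013 08:22:19 -0800\nTo: admin@example.net\nSubject: hi\n\nbody\n' \
        > "$1/mess/1/34012600"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'apache:x:48:48:Apache:/var/www:/sbin/nologin' \
        'admin947932:x:10820:2523::/var/www/vhosts/spammer.com:/bin/false' \
        'other:x:110820:100::/home/other:/bin/sh' > "$1/passwd"
}

# Stand-alone run against the constructed sample. On a real server, as root:
#   report /var/qmail/queue
tmp=$(mktemp -d)
make_sample "$tmp"
report "$tmp" "$tmp/passwd"
rm -rf "$tmp"
```

On a live server run "report /var/qmail/queue" as root (the queue is not world-readable). The uid with by far the largest count is the one to look at: if its home directory is under /var/www/vhosts/, that subscription's mail password or site has been compromised; if the account is the web server user, continue with the lsof check above to find the script. The script only inspects the first Received header, so it reports the local injector, not whatever the spammer put in From.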
To remove mails from the queue, please check the following doc: