Finding Spammer in Plesk or Qmail

1) Let’s take a look at the mail queue and pick one of the queued spam messages:

# /var/qmail/bin/qmail-qread

remote [email protected]
6 Jan 2012 09:14:53 GMT #34012584 2987 <[email protected]>

2) Now that we have a message ID, let’s find the actual message file:

# find /var/qmail/queue/ -name 34012584

/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584

3) Great! Now let’s look at the message headers to get the all-telling UID:

# cat /var/qmail/queue/mess/0/34012584

Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <[email protected]>
To: [email protected]
Subject: Urgent Reply
From: Mrs.Farida Waziri <[email protected]>

4) Let’s map the UID to a domain name on the Plesk server:

# awk -F: '$3 == 10820' /etc/passwd

admin947932:x:10820:2523::/var/www/vhosts/spammer.com:/bin/false

Spammer caught
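Steps 1 to 4 above can be done for the whole queue at once. The following script is an added example, not part of the original post: it walks /var/qmail/queue/mess, pulls the "invoked by uid" value from each message, counts messages per UID and maps each UID to its account and home directory with an exact match on the UID field. The demo at the bottom builds a constructed queue in a temporary directory so it runs on any machine.

```shell
#!/bin/sh
# Added example (not from the original post): count queued qmail messages
# per injecting UID and map each UID to its Plesk account, so the busiest
# account stands out instead of reading mess files one at a time.

# Usage: count_queue_by_uid [queue_dir] [passwd_file]
# Defaults are the real Plesk/qmail locations; the demo below passes a
# constructed queue instead.
count_queue_by_uid() {
    queue=${1:-/var/qmail/queue}
    passwd=${2:-/etc/passwd}
    find "$queue/mess" -type f 2>/dev/null | while read -r f; do
        # The first Received: header is qmail's injection line "invoked by uid N"
        grep -m1 -o 'invoked by uid [0-9]*' "$f" | awk '{print $4}'
    done | sort | uniq -c | sort -rn | while read -r count uid; do
        # Exact match on the UID field, unlike "grep 10820 /etc/passwd",
        # which would also hit a GID or a UID such as 110820
        acct=$(awk -F: -v u="$uid" '$3 == u {print $1 ":" $6; exit}' "$passwd")
        printf '%s %s %s\n' "$count" "$uid" "${acct:-unknown}"
    done
}

# Constructed demo queue: three messages injected by UID 10820, one by
# the web server user (uid 48), plus a two-line passwd file.
build_demo_queue() {
    d=$(mktemp -d)
    mkdir -p "$d/mess/0"
    for n in 1 2 3; do
        printf 'Received: (qmail 993%s invoked by uid 10820); 6 Jan 2012 09:14:50 +0000\nSubject: Urgent Reply\n' "$n" > "$d/mess/0/3401258$n"
    done
    printf 'Received: (qmail 11795 invoked by uid 48); 8 Mar 2013 08:22:19 -0800\n' > "$d/mess/0/34012590"
    printf 'admin947932:x:10820:2523::/var/www/vhosts/spammer.com:/bin/false\napache:x:48:48:Apache:/var/www:/sbin/nologin\n' > "$d/passwd"
    echo "$d"
}

demo=$(build_demo_queue)
count_queue_by_uid "$demo" "$demo/passwd"
rm -rf "$demo"
```

On a live server run it with no arguments; the top line is the account to inspect first.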

Or if it’s something like:

Received: (qmail 11795 invoked by uid 48); 8 Mar 2013 08:22:19 -0800

If the ‘Received’ line contains the UID of the ‘apache’ user (for example ‘invoked by uid 48’), the spam was sent through a PHP script. In this case you can try to find the spammer using information from the spam email itself (the From/To addresses or any other details), but it is usually very difficult to discover the source of spam this way. If you are sure that a script is sending spam right now (the mail queue grows rapidly for no apparent reason), you can use the following command to see which PHP scripts the web server processes are running at this moment:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php


To remove mails in the queue

http://wiki.iserversupport.com/remove-spam-in-plesk-or-qmail/
