Find Spam Source On Plesk/Qmail:
1- Check how many emails in the queue:
/var/qmail/bin/qmail-qstat
2- Check for a large number of authentications to a particular mailbox (note: grep -i, lower case, is the case-insensitive match; -I only skips binary files):
grep -i "LOGIN" /usr/local/psa/var/log/maillog | awk '{print $12}' | sort | uniq -c | sort -n
3- Look at the log to see if a particular domain is sending emails and suspend it
tail -500 /usr/local/psa/var/log/maillog
Entries will be like:
Dec 7 10:51:01 server qmail-local-handlers[29265]: from=info@spammerdomain.com
If you see the above for a particular mailbox from a domain, then no further work is required and the domain can be suspended to see if this helps.
However, if the entries look like this:
Dec 7 10:50:17 server qmail-queue-handlers[29080]: from=anonymous@server.hostname.com
or
Dec 7 10:50:17 server qmail: 1323255017.404624 info msg 47220220: bytes 501 from <anonymous@server.hostname
In this case it's not possible to determine the spammer from the mail log; usually these emails are being sent by a PHP mail handler, a Perl script, or a form processor.
4- Now we need to look at the queue entry for one of the messages using the following command:
/var/qmail/bin/qmail-qread
6 Jan 2012 09:14:53 GMT  #32423402  2987  <anonymous@server.microlite8.com>
	remote	ankush_krishna2137@yahoo.com
Where '32423402' is the message ID.
5- Finding the actual message using the ID
find /var/qmail/queue/ -name 32423402
/var/qmail/queue/info/0/32423402
/var/qmail/queue/remote/0/32423402
/var/qmail/queue/mess/0/32423402
6- Now we can look at the message itself; its Received header records the UID of the process that injected it:
cat /var/qmail/queue/mess/0/32423402
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mr Example <mrexample@hotmail.com>
7- Now we have the UID in the above email as ‘UID 10820’ which we can use to identify the domain sending spam:
awk -F: '$3 == 10820' /etc/passwd
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false
The domain in the home directory of the resulting account is the one sending out the spam.
But if the Received line shows the web server user instead, for example 'invoked by uid 48' (the 'apache' user), then a PHP script is being used to send out the spam emails.
We can find out which domains are sending out spam using a wrapper script around sendmail:
1- Create a file '/var/qmail/bin/sendmail-wrapper' with the following two lines:
#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"
2- Create a log file 'mail.send' in the /var/tmp/ directory and grant the relevant permissions as follows:
touch /var/tmp/mail.send
chmod a+rw /var/tmp/mail.send
chmod a+x /var/qmail/bin/sendmail-wrapper
mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
In the commands above we have also made the wrapper executable, renamed the original sendmail to sendmail-qmail, and pointed the sendmail name at the new wrapper.
Now we can wait for some time while mail.send in the tmp directory grows. After an hour or so we remove the sendmail symlink and move sendmail-qmail back to sendmail.
(Before performing this step, check that mail.send has enough information to identify the script sending the spam.)
rm -f /var/qmail/bin/sendmail
mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
Now look in the /var/tmp/mail.send file for "X-Additional-Header" lines pointing to the domain folders where the scripts are located.
We can list all the directories the scripts are running from with this command (HTTPD_VHOSTS_D in psa.conf holds the virtual hosts directory):
grep X-Additional /var/tmp/mail.send | grep "$(awk '/^HTTPD_VHOSTS_D/ {print $2}' /etc/psa/psa.conf)"
If there is no output, no email was sent using the php mail() function from the virtual hosts directory.
If the /var/tmp/mail.send contains only:
X-Additional-Header: /var/www
without pointing to a particular domain, then we need to change the permissions of the Perl binary:
chmod 700 /usr/bin/perl
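The mail.send summary above can be automated. The following script is an added example, not part of the original procedure: it groups the X-Additional-Header lines written by the wrapper by virtual host (assuming the HTTPD_VHOSTS_D value /var/www/vhosts) and reports separately any caller that is not under the vhosts directory, such as the bare /var/www case. The sample log embedded at the bottom is constructed.

```sh
#!/bin/sh
# Summarise the sendmail-wrapper log (/var/tmp/mail.send) per virtual host.
# Assumes the wrapper from the page, which prefixes every message with
# "X-Additional-Header: <working directory of the calling script>".

# summarise_senders FILE VHOSTS_DIR
# Prints "<count> <domain>" for callers under VHOSTS_DIR and
# "<count> OUTSIDE_VHOSTS <path>" for any other caller (e.g. "/var/www").
summarise_senders() {
    awk -v vh="$2" '
    BEGIN { hdr = "X-Additional-Header: " }
    index($0, hdr) == 1 {
        path = substr($0, length(hdr) + 1)
        if (index(path, vh "/") == 1) {
            rest = substr(path, length(vh) + 2)   # strip "<vh>/"
            split(rest, parts, "/")               # first component = domain
            dom[parts[1]]++
        } else {
            other[path]++
        }
    }
    END {
        for (d in dom)   printf "%d %s\n", dom[d], d
        for (p in other) printf "%d OUTSIDE_VHOSTS %s\n", other[p], p
    }' "$1" | sort -rn
}

# Constructed sample of what mail.send looks like after a few wrapper calls
# (headers of the piped messages are interleaved with the marker lines).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim@example.net
Subject: Urgent Reply
X-Additional-Header: /var/www/vhosts/example.com/httpdocs
To: someone@example.org
X-Additional-Header: /var/www/vhosts/other.example/cgi-bin
X-Additional-Header: /var/www
EOF

summarise_senders "$SAMPLE_LOG" /var/www/vhosts
rm -f "$SAMPLE_LOG"
```

Run it against the real file with `summarise_senders /var/tmp/mail.send "$(awk '/^HTTPD_VHOSTS_D/ {print $2}' /etc/psa/psa.conf)"`; a domain with a high count is the one to inspect, and any OUTSIDE_VHOSTS line is the bare-path case described above.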