Category: ASP General

Find Spam Source On Plesk/Qmail:

1- Check how many emails in the queue:

/var/qmail/bin/qmail-qstat

2- Check for a large number of authentications to a particular mailbox:

grep -i "LOGIN" /usr/local/psa/var/log/maillog | awk '{print $12}' | sort | uniq -c | sort -n
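As an added example (not part of the original article), the same login count done as a small script with a threshold, so that a mailbox authenticating far more often than its neighbours stands out. The maillog lines are constructed here, and the "user=" key is assumed to be how the courier-imap/pop3 daemons on the box write them; the mailbox is read from that key rather than from a fixed field position, which is less fragile than counting fields.

```shell
#!/bin/sh
# Added example, not from the original article: count successful
# IMAP/POP3 LOGIN events per mailbox in a Plesk maillog and flag
# mailboxes above a threshold. The log lines are constructed here and
# the "user=" key is an assumption about the courier log format.

# make_sample_maillog: write a constructed maillog to a temp file, print its path.
make_sample_maillog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Dec  7 10:50:01 server courier-pop3d: LOGIN, user=info@example.com, ip=[::ffff:198.51.100.10]
Dec  7 10:50:02 server courier-pop3d: LOGIN, user=info@example.com, ip=[::ffff:198.51.100.11]
Dec  7 10:50:03 server courier-imapd: LOGIN, user=sales@example.net, ip=[::ffff:203.0.113.5]
Dec  7 10:50:04 server courier-pop3d: LOGIN, user=info@example.com, ip=[::ffff:198.51.100.12]
Dec  7 10:50:05 server courier-pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:198.51.100.13]
Dec  7 10:50:06 server courier-imapd: LOGOUT, user=sales@example.net, ip=[::ffff:203.0.113.5]
EOF
    echo "$f"
}

# login_counts LOGFILE: print "<count> <mailbox>" per mailbox, busiest first.
# Only successful "LOGIN," lines count ("LOGIN FAILED" is excluded) and the
# mailbox comes from the user= key, not from a positional awk field.
login_counts() {
    grep 'LOGIN,' "$1" \
        | sed -n 's/.*user=\([^,]*\),.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# flag_busy_mailboxes LOGFILE THRESHOLD: mailboxes with at least THRESHOLD logins.
flag_busy_mailboxes() {
    login_counts "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Example run against the constructed log with a threshold of 3:
#   flag_busy_mailboxes "$(make_sample_maillog)" 3   -> info@example.com
```

On a real server point login_counts at /usr/local/psa/var/log/maillog and pick the threshold from what a normal hour looks like for that box; one mailbox logging in hundreds of times from many addresses is the usual sign of a stolen password being used for relaying.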

3- Look at the log to see if a particular domain is sending the emails, and suspend it:

tail -500 /usr/local/psa/var/log/maillog
Entries will look like:
Dec  7 10:51:01 server qmail-local-handlers[29265]: from=info@spammerdomain.com

If you see the above for a particular mailbox from a domain, then no further work is required and the domain can be suspended to see if this helps.

However, if the entries look like this:

Dec  7 10:50:17 server qmail-queue-handlers[29080]: from=anonymous@server.hostname.com
or
Dec  7 10:50:17 server qmail: 1323255017.404624 info msg 47220220: bytes 501 from <anonymous@server.hostname

In this case it is not possible to identify the spammer from the mail log alone; messages like these are usually injected locally through the PHP mail() handler, a Perl script or a form processor, so the sender address is just the server's own.

4- Now we need to list the queued messages with the following command:

/var/qmail/bin/qmail-qread
remote ankush_krishna2137@yahoo.com 
6 Jan 2012 09:14:53 GMT #32423402 2987 <anonymous@server.microlite8.com>

Where ‘32423402’ (the number after the ‘#’) is the message ID.

5- Find the actual message files using the ID:

find /var/qmail/queue/ -name 32423402
/var/qmail/queue/info/0/32423402
/var/qmail/queue/remote/0/32423402
/var/qmail/queue/mess/0/32423402

6- Now we can read the message itself; its first Received: header identifies the UID of the process that injected it:

cat /var/qmail/queue/mess/0/32423402
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mr Example <mrexample@hotmail.com>

7- Now we have the UID from the Received: header above (‘uid 10820’), which we can use to identify the domain sending the spam:

awk -F: '$3 == 10820' /etc/passwd
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false

The home directory of the resulting account (/var/www/vhosts/thisisthespammer.com here) is the domain sending out the spam.

But if the Received: line says the message was invoked by the ‘apache’ user (uid 48, for example), then a PHP script running under the web server is being used to send the spam, and the passwd lookup only points at the shared /var/www directory rather than at a domain.

We can find out which domains are sending out spam through the web server using the following wrapper script:

1- Create a file ‘/var/qmail/bin/sendmail-wrapper’ with the following code:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

(The code should be on two different lines)

2- Create the log file ‘mail.send’ in the /var/tmp/ directory, grant the relevant permissions and put the wrapper in place as follows:

touch /var/tmp/mail.send
chmod a+rw /var/tmp/mail.send
chmod a+x /var/qmail/bin/sendmail-wrapper
mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

We have also made the wrapper executable, renamed the old sendmail and linked it to the new wrapper in the above commands.

Now we can wait for some time while mail.send in the tmp directory grows. After an hour or so we can remove the sendmail symlink and move sendmail-qmail back to sendmail.

(Before performing this step, check that mail.send has enough information to identify the script sending the spam.)

rm -f /var/qmail/bin/sendmail
mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Now look in the /var/tmp/mail.send file for the “X-Additional-Header” lines; each one holds the working directory of the script that called sendmail, which points to the domain folder where the script is located.

We can list all the directories from which scripts are sending mail, restricted to the Plesk virtual hosts root, using this command:

grep X-Additional /var/tmp/mail.send | grep "$(awk '$1 == "HTTPD_VHOSTS_D" {print $2}' /etc/psa/psa.conf)"

If there is no output, no email was sent via the PHP mail() function from a directory under the virtual hosts root.

If the /var/tmp/mail.send file contains only:
X-Additional-Header: /var/www

without pointing to a particular domain, the sender is not a PHP script in a vhost but most likely a Perl script, and we need to change the permissions of the Perl binary so that only root can run it:

chmod 700 /usr/bin/perl

(Note that this stops every non-root user on the server from running Perl, including legitimate site scripts, so it is a stop-gap while the offending script is found, not a permanent setting.)
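To make sense of a mail.send capture once it has grown, here is an added example (not part of the original article) that summarises it: it counts messages per X-Additional-Header working directory, reads HTTPD_VHOSTS_D from psa.conf the way the grep above does, and reduces the paths under that root to the domain folder so the busiest domain is listed first. The capture contents, the psa.conf line and the vhosts path are all constructed.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the
# /var/tmp/mail.send capture written by the sendmail wrapper. The
# capture, the psa.conf line and the vhosts root below are constructed.

# make_sample_capture: write a constructed mail.send and psa.conf into a
# temp directory and print that directory.
make_sample_capture() {
    d=$(mktemp -d)
    cat > "$d/mail.send" <<'EOF'
X-Additional-Header: /var/www/vhosts/thisisthespammer.example/httpdocs/wp-content/uploads
To: victim1@example.net
Subject: Urgent Reply

X-Additional-Header: /var/www/vhosts/thisisthespammer.example/httpdocs/wp-content/uploads
To: victim2@example.net
Subject: Urgent Reply

X-Additional-Header: /var/www/vhosts/legit.example/httpdocs
To: customer@example.org
Subject: Your order

X-Additional-Header: /var/www
To: someone@example.org
Subject: cron report
EOF
    printf 'HTTPD_VHOSTS_D /var/www/vhosts\n' > "$d/psa.conf"
    echo "$d"
}

# vhosts_root PSACONF: value of HTTPD_VHOSTS_D (what the article's sed pipeline yields).
vhosts_root() {
    awk '$1 == "HTTPD_VHOSTS_D" {print $2}' "$1"
}

# sending_dirs CAPTURE: "<count> <dir>" per working directory, busiest first.
sending_dirs() {
    sed -n 's/^X-Additional-Header: //p' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# vhost_senders CAPTURE PSACONF: only directories under the vhosts root,
# collapsed to the domain folder, with message counts. Empty output is the
# "X-Additional-Header: /var/www only" case described in the article.
vhost_senders() {
    root=$(vhosts_root "$2")
    sending_dirs "$1" | awk -v r="$root/" '
        index($2, r) == 1 {
            rest = substr($2, length(r) + 1)
            sub(/\/.*/, "", rest)
            n[rest] += $1
        }
        END { for (d in n) print n[d], d }' | sort -rn
}
```

On a real server call `vhost_senders /var/tmp/mail.send /etc/psa/psa.conf`; the full path from sending_dirs is what you then inspect, since a directory such as wp-content/uploads sending mail is itself the tell-tale of an uploaded script.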
