Find Spam Source On Plesk/Qmail

1- Check how many emails are in the queue:

/var/qmail/bin/qmail-qstat

2- Check for a large number of authentications to a particular mailbox (a single mailbox with far more LOGIN entries than the rest usually means its password has been guessed or stolen and is being used to relay):

grep -i "LOGIN" /usr/local/psa/var/log/maillog | awk '{print $12}' | sort | uniq -c | sort -n

(Field 12 is the mailbox in the LOGIN lines of this log format; adjust the field number if the lines on your server place the user name elsewhere.)

3- Look at the log to see if a particular domain is sending emails and suspend it

tail -500 /usr/local/psa/var/log/maillog

Entries will be like:

Dec  7 10:51:01 server qmail-local-handlers[29265]: from=info@spammerdomain.com

If you see the above for a particular mailbox from a domain, no further work is required: suspend the domain and check whether the queue stops growing.

But if the entries look like this:

Dec  7 10:50:17 server qmail-queue-handlers[29080]: from=anonymous@server.hostname.com

or

Dec  7 10:50:17 server qmail: 1323255017.404624 info msg 47220220: bytes 501 from <anonymous@server.hostname

then the spammer cannot be identified from the mail log alone. Mail with an anonymous@ sender like this is usually injected locally by a PHP mail() handler, a Perl script or a form processor.

4- Now look at the queue entries themselves with qmail-qread:

/var/qmail/bin/qmail-qread
6 Jan 2012 09:14:53 GMT #32423402 2987 <anonymous@server.microlite8.com>
        remote ankush_krishna2137@yahoo.com

Where '32423402' is the message ID.

5- Finding the actual message using the ID

find /var/qmail/queue/ -name 32423402
/var/qmail/queue/info/0/32423402
/var/qmail/queue/remote/0/32423402
/var/qmail/queue/mess/0/32423402

6- Now look at the message itself; its first Received line identifies the UID of the process that injected it:

cat /var/qmail/queue/mess/0/32423402
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mr Example <mrexample@hotmail.com>

7- The Received line above gives 'uid 10820'; map it to the system account, and so to the domain, that owns it. Match on the numeric UID field rather than grepping the whole line, so that a GID or a longer number containing 10820 cannot produce a false hit:

awk -F: '$3 == 10820' /etc/passwd
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false

The resulting domain is sending out the spam!!!

But if the Received line says the message was invoked by uid 48, the 'apache' user, then the mail was sent by a PHP script running under the web server. That user is shared by every virtual host, so the UID alone cannot tell you which domain is responsible.
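Steps 4 to 7 above, automated as a shell script. This is an added example, not part of the original page: the queue directory, the mess file and the passwd file are constructed in a temporary directory so it runs offline, and the function names are hypothetical. On a live server set QUEUE_DIR=/var/qmail/queue and PASSWD_FILE=/etc/passwd before calling spam_origin with a message ID taken from qmail-qread.

```shell
#!/bin/sh
# Added example: resolve a queued qmail message ID to the local UID that
# injected it, and that UID to the Plesk vhost that owns it.
# Everything under SAMPLE_DIR is constructed test data, not real queue content.

SAMPLE_DIR=$(mktemp -d)
QUEUE_DIR="${QUEUE_DIR:-$SAMPLE_DIR/queue}"      # real server: /var/qmail/queue
PASSWD_FILE="${PASSWD_FILE:-$SAMPLE_DIR/passwd}" # real server: /etc/passwd
VHOSTS_D="${VHOSTS_D:-/var/www/vhosts}"          # HTTPD_VHOSTS_D from psa.conf

# Constructed queue layout: mess/0/<msgid> holds the message headers and body.
setup_sample() {
    mkdir -p "$SAMPLE_DIR/queue/mess/0"
    cat > "$SAMPLE_DIR/queue/mess/0/32423402" <<'EOF'
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
To: victim@example.net
Subject: Urgent Reply
From: Mr Example <mrexample@example.org>

constructed body
EOF
    cat > "$SAMPLE_DIR/queue/mess/0/32423403" <<'EOF'
Received: (qmail 9940 invoked by uid 48); 6 Jan 2012 09:15:02 +0000
To: someone@example.net
Subject: sent by a PHP script under the web server

constructed body
EOF
    cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false
EOF
}

# Step 5: locate the mess file for a message ID.
mess_file_for() {
    find "$QUEUE_DIR/mess" -type f -name "$1" | head -n 1
}

# Step 6: pull the injecting UID out of the first "invoked by uid N" line.
# Prints nothing for mail that arrived over SMTP rather than being injected locally.
injecting_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\));.*/\1/p' "$1" | head -n 1
}

# Step 7: resolve a UID to its home directory by the numeric field, not a substring grep.
home_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $6; exit }' "$PASSWD_FILE"
}

# Whole chain: message ID -> owning vhost, or a note when the sender is a shared user.
spam_origin() {
    f=$(mess_file_for "$1") || return 1
    [ -n "$f" ] || return 1
    uid=$(injecting_uid "$f")
    [ -n "$uid" ] || { echo "$1: not locally injected"; return 0; }
    home=$(home_for_uid "$uid")
    case "$home" in
        "$VHOSTS_D"/*) echo "$1: uid $uid vhost ${home#"$VHOSTS_D"/}" ;;
        *) echo "$1: uid $uid home ${home:-unknown} (shared web-server or system user; use the sendmail wrapper method)" ;;
    esac
}

setup_sample
spam_origin 32423402
spam_origin 32423403
```

The second message resolves to uid 48 with home /var/www, which is exactly the case where this chain stops being useful and the sendmail wrapper below is needed.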

We can find out which domains are sending spam through the web server by wrapping the sendmail binary so that every message handed to it is logged together with the working directory of the calling script:
1- Create a file '/var/qmail/bin/sendmail-wrapper' with the following code:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

(The shebang and the pipeline are two separate lines. $PWD is the working directory of the process calling sendmail, which for PHP mail() is normally the directory of the script.)

2- Create a log file 'mail.send' in the /var/tmp/ directory and grant the relevant permissions as follows:

touch /var/tmp/mail.send
chmod a+rw /var/tmp/mail.send
chmod a+x /var/qmail/bin/sendmail-wrapper
mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail


We have also made the wrapper executable, renamed the old sendmail and linked it to the new wrapper in the above commands.

Now wait while mail.send in /var/tmp grows. After an hour or so, remove the sendmail symlink and move sendmail-qmail back to sendmail.
(Before doing so, check that mail.send holds enough information to identify the script sending the spam; if not, leave the wrapper in place a little longer.)

rm -f /var/qmail/bin/sendmail
mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Now look in /var/tmp/mail.send for the "X-Additional-Header" lines, which point to the domain folders the sending scripts live in.

We can list every send that came from a directory under the virtual hosts root with this command (the root is read from HTTPD_VHOSTS_D in psa.conf):

grep X-Additional-Header /var/tmp/mail.send | grep "$(awk '$1 == "HTTPD_VHOSTS_D" {print $2}' /etc/psa/psa.conf)"

If there is no output, no email was sent through sendmail by a script under the virtual hosts directory. Note that the wrapper only sees mail handed to /var/qmail/bin/sendmail; a script that opens an SMTP connection to localhost itself never passes through it and must be found via the authentication counts in step 2 instead.

If /var/tmp/mail.send contains only:

X-Additional-Header: /var/www

without pointing to a particular domain, the mail is not coming from PHP under a vhost directory, and a Perl script is the usual culprit. A blunt containment step is to take Perl away from non-root users:

chmod 700 /usr/bin/perl

This stops every non-root Perl script on the server, legitimate ones included, so use it only as a temporary measure while the script is located, and restore the normal mode (chmod 755 /usr/bin/perl) afterwards.
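An added example (not from the original page) that reads a mail.send log produced by the wrapper and counts sends per directory and per vhost, resolving HTTPD_VHOSTS_D from psa.conf by key. The log and the psa.conf fragment are constructed inline, and the function names are hypothetical. On a live server run summarise_senders /var/tmp/mail.send "$(vhosts_dir /etc/psa/psa.conf)".

```shell
#!/bin/sh
# Added example: summarise a sendmail-wrapper log by the directory recorded in
# X-Additional-Header, so the vhost and script directory sending the most mail
# stand out, and sends from outside the vhosts root (domain "-") are visible too.

LOG="${LOG:-$(mktemp)}"           # real server: /var/tmp/mail.send
PSA_CONF="${PSA_CONF:-$(mktemp)}" # real server: /etc/psa/psa.conf

# Constructed sample data: a psa.conf fragment and four logged sends.
setup_sample() {
    cat > "$PSA_CONF" <<'EOF'
# constructed fragment of /etc/psa/psa.conf
PRODUCT_ROOT_D /usr/local/psa
HTTPD_VHOSTS_D /var/www/vhosts
EOF
    cat > "$LOG" <<'EOF'
X-Additional-Header: /var/www/vhosts/thisisthespammer.com/httpdocs/wp-content/uploads
To: victim1@example.net
Subject: Urgent Reply

X-Additional-Header: /var/www/vhosts/thisisthespammer.com/httpdocs/wp-content/uploads
To: victim2@example.net
Subject: Urgent Reply

X-Additional-Header: /var/www/vhosts/goodsite.example/httpdocs
To: customer@example.org
Subject: Your order

X-Additional-Header: /var/www
To: someone@example.org
Subject: sent from a cron job or Perl script
EOF
}

# Read HTTPD_VHOSTS_D from psa.conf by key instead of grep|sed over the whole line.
vhosts_dir() {
    awk '$1 == "HTTPD_VHOSTS_D" { print $2; exit }' "$1"
}

# Output one line per sending directory, most frequent first: "<count> <domain> <dir>".
# The domain is the first path component under the vhosts root, or "-" outside it.
summarise_senders() {
    log=$1
    root=$2
    awk -v root="$root/" '
        index($0, "X-Additional-Header: ") == 1 {
            dir = substr($0, length("X-Additional-Header: ") + 1)
            if (index(dir, root) == 1) {
                rel = substr(dir, length(root) + 1)
                split(rel, parts, "/")
                domain = parts[1]
            } else {
                domain = "-"
            }
            count[domain " " dir]++
        }
        END { for (k in count) print count[k], k }
    ' "$log" | sort -rn
}

setup_sample
summarise_senders "$LOG" "$(vhosts_dir "$PSA_CONF")"
```

The top line names the directory to inspect first; a writable uploads directory with a mailer script in it is the classic picture, and a "-" entry with /var/www is the Perl-script case described above.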

« This page (revision-6) was last changed on 24-May-2017 15:30 by Hyve Support