How to find/locate a Spammer on a Linux Plesk server?
November 15, 2012 | Posted byIf you feel emails are saturated in the Plesk Qmail mail queue, there is a possibility that your Plesk server is been used for sending spam emails.
On a Plesk server relaying is not allowed by default so following are the ways spamming is mostly done. They are explained below point wise.
1) Using CGI by a user
2) PHP scripts. Also refer the article to locate the directories of the PHP scripts that are sending emails.
3) By a compromised email account
First, lets look at the the mail queue
# /var/qmail/bin/qmail-qstat messages in queue: 22507 messages in queue but not yet preprocessed: 0
As you can see above, there are a large amount of emails in the mail queue. The source of these emails could either be a PHP/CGI script OR an authorized email account on the server.
Let’s start with reading the message headers with ‘qmail-qread’
# /var/qmail/bin/qmail-qread 5 Nov 2012 11:50:17 GMT #768752 1231 remote user1@domain1.com remote user2@domain1.com remote user1@domain2.com
This will list the sender and recipient of all the emails in the mail queue.
In the above example #768752 is the message ID, now find out the location of this email to read the complete header
# find /var/qmail/queue/mess/ -name 768752 /var/qmail/queue/mess/0/768752
Above is the complete path to the mail file, now open the file and look for the “Received” line.
# cat /var/qmail/queue/mess/0/768752 | more
The “Received” line indicates from where the message was received OR invoked.
1) If the message is sent via CGI by a user, it will display the UID of the user as below:
Received: (qmail 26193 invoked by uid 10001); 5 Nov 2012 11:50:17
Now, search the UID 10001 in the passwd file to find the domain name
# grep 10001 /etc/passwd
This will display the domain name the UID 10001 belongs to.
2) The “Received” line indicates the UID of user Apache (i.e. 48) if email is sent via a PHP script
Received: (qmail 26193 invoked by uid 48); 5 Nov 2012 11:50:17 +000
In such a case, you have to monitor the PHP scripts in real-time i.e. scripts that are running when emails are been sent.
Execute the below command as it is when the mail queue is growing rapidly
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | \ awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` \ | grep vhosts | grep php
The above command won’t display the location of the php scripts, so please refer the article to locate the folders of the PHP scripts that are sending emails.
3) Many a time email accounts are compromised and used for sending bulk/spam emails from other locations. In such a case, “Received” line contains “invoked from network”
Received: (qmail 26193 invoked from network); 5 Nov 2012 11:50:17
Refer the article to find the compromised email accounts on a Plesk server.