{"id":1991,"date":"2012-11-15T10:44:15","date_gmt":"2012-11-15T14:44:15","guid":{"rendered":"http:\/\/linuxhostingsupport.net\/blog\/?p=1991"},"modified":"2013-03-20T08:38:22","modified_gmt":"2013-03-20T12:38:22","slug":"how-to-findlocate-a-spammer-on-a-linux-plesk-server","status":"publish","type":"post","link":"https:\/\/linuxhostingsupport.net\/blog\/how-to-findlocate-a-spammer-on-a-linux-plesk-server","title":{"rendered":"How to find\/locate a Spammer on a Linux Plesk server?"},"content":{"rendered":"

If you feel emails are saturated in the Plesk Qmail mail queue, there is a possibility that your Plesk server is been used for sending spam emails.<\/p>\n

On a Plesk server relaying is not allowed by default<\/strong> so following are the ways spamming is mostly done. They are explained below point wise.<\/p>\n

1)<\/strong> Using CGI by a user
\n2)<\/strong> PHP scripts. Also refer the article to locate the directories of the PHP scripts that are sending emails<\/a>.
\n3)<\/strong> By a compromised email account<\/p>\n

First, lets look at the the mail queue<\/p>\n

\n
# \/var\/qmail\/bin\/qmail-qstat<\/strong>\r\nmessages in queue: 22507\r\nmessages in queue but not yet preprocessed: 0<\/pre>\n<\/blockquote>\n
As you can see above, there are a large amount of emails in the mail queue. The source of these emails could either be a PHP\/CGI script OR an authorized email account on the server.<\/p>\n
Let’s start with reading the message headers with ‘qmail-qread’<\/strong><\/p>\n
\n
# \/var\/qmail\/bin\/qmail-qread<\/strong>\r\n5 Nov 2012 11:50:17 GMT #768752 1231 \r\nremote user1@domain1.com\r\nremote user2@domain1.com\r\nremote user1@domain2.com<\/pre>\n<\/blockquote>\n
This will list the sender and recipient of all the emails in the mail queue.<\/p>\n
In the above example #768752 is the message ID, now find out the location of this email to read the complete header<\/p>\n
\n
# find \/var\/qmail\/queue\/mess\/ -name 768752<\/strong>\r\n\/var\/qmail\/queue\/mess\/0\/768752<\/pre>\n<\/blockquote>\n
Above is the complete path to the mail file, now open the file and look for the “Received” line. 
\n<\/strong><\/p>\n
\n
# cat \/var\/qmail\/queue\/mess\/0\/768752 | more<\/strong><\/pre>\n<\/blockquote>\n
The “Received” line indicates from where the message was received OR invoked.<\/p>\n
1)<\/strong> If the message is sent via CGI by a user<\/strong>, it will display the UID of the user<\/strong> as below:<\/p>\n
\n
Received: (qmail 26193 invoked by uid 10001<\/strong>); 5 Nov 2012 11:50:17<\/pre>\n<\/blockquote>\n
Now, search the UID 10001 in the passwd file<\/strong> to find the domain name<\/p>\n
\n
# grep 10001 \/etc\/passwd<\/strong><\/pre>\n<\/blockquote>\n
This will display the domain name the UID 10001 belongs to.<\/p>\n
2)<\/strong> The “Received” line indicates the UID of user Apache<\/strong> (i.e. 48)\u00a0 if email is sent via a PHP script<\/strong><\/p>\n
\n
Received: (qmail 26193 invoked by uid 48<\/strong>); 5 Nov 2012 11:50:17 +000<\/pre>\n<\/blockquote>\n
In such a case, you have to monitor the PHP scripts in real-time<\/strong> i.e. scripts that are running when emails are been sent.<\/p>\n
Execute the below command as it is when the mail queue is growing rapidly<\/p>\n
\n
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | \\\r\nawk ' { if(!str) { str=$1 } else { str=str\",\"$1}}END{print str}'` \\\r\n| grep vhosts | grep php<\/pre>\n<\/blockquote>\n
The above command won’t display the location of the php scripts, so please refer the article<\/strong> to locate the folders of the PHP scripts that are sending emails<\/a>.<\/p>\n
3)<\/strong> Many a time email accounts are compromised<\/strong> and used for sending bulk\/spam emails from other locations. In such a case, “Received” line contains “invoked from network”<\/strong><\/p>\n
\n
Received: (qmail 26193 invoked from network<\/strong>); 5 Nov 2012 11:50:17<\/pre>\n<\/blockquote>\n
Refer the article<\/strong> to find the compromised email accounts on a Plesk server.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you feel emails are saturated in the Plesk Qmail mail queue, there is a possibility that your Plesk server is been used for sending spam emails.
\nOn a Plesk server relaying is not allowed by default so following are the ways spamming is mostly done. They are explained below point wise.
\n1) Using CGI by a user
\n2) PHP scripts. Also refer the article to locate the directories of the PHP scripts that are sending emails.
\n3) By a compromised email account
\nFirst, lets look at the the mail queue<\/p>\n
# \/var\/qmail\/bin\/qmail-qstat
\nmessages in […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[1443,1439,1440,1442,1441,1444],"_links":{"self":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/1991"}],"collection":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/comments?post=1991"}],"version-history":[{"count":16,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/1991\/revisions"}],"predecessor-version":[{"id":2002,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/1991\/revisions\/2002"}],"wp:attachment":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/media?parent=1991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/categories?post=1991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/tags?post=1991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}