
Author Topic: Few useful scripts to find spammer in plesk linux server  (Read 2626 times)


Leo.Prince

  • Guest
Few useful scripts to find spammer in plesk linux server
« on: November 01, 2013, 12:10:51 pm »
Hi,

Bash scripts are very useful in executing multiple commands using a single finger touch. Here I am listing such a script to locate a spammer from a qmail mail server.

1. First we need to locate and store the mail IDs of all the mails in the current qmail queue.

Code:
[root@vps-test /]# for i in $(/var/qmail/bin/qmail-qread | awk '{print $6}' | cut -d# -f2); do find /var/qmail/queue/ -iname "$i"; done > test.txt

2. Now we have all the unique mail IDs in the file test.txt. We can grep for any suspicious spammy word, say "spam" :)

Code:
[root@vps-test /]# for i in $(cat test.txt); do grep -irl "spam" "$i"; done
/var/qmail/queue/mess/1/40697903
/var/qmail/queue/mess/2/156009370
/var/qmail/queue/mess/3/40697928
/var/qmail/queue/mess/5/156008499
/var/qmail/queue/mess/5/156016434
/var/qmail/queue/mess/6/40697931
/var/qmail/queue/mess/7/156016551
/var/qmail/queue/mess/7/156016850
/var/qmail/queue/mess/8/40697933
/var/qmail/queue/mess/9/156016576
/var/qmail/queue/mess/9/40697911
/var/qmail/queue/mess/10/40697958
/var/qmail/queue/mess/11/40697913
/var/qmail/queue/mess/12/156016832
/var/qmail/queue/mess/13/156016488
/var/qmail/queue/mess/15/156009843
/var/qmail/queue/mess/15/40697940
/var/qmail/queue/mess/17/40697896
/var/qmail/queue/mess/19/156009916
/var/qmail/queue/mess/19/156016563
/var/qmail/queue/mess/20/156016587
/var/qmail/queue/mess/21/40697900
/var/qmail/queue/mess/21/156016519
/var/qmail/queue/mess/21/156016841

3. So we have isolated the mails with the spammy word. The next step is to find out the user who is causing the spam. We can check the UID of the user from any of the mails we have thus isolated.

Code:
[root@vps-test /]# grep uid /var/qmail/queue/mess/1/40697903
Received: (qmail 3234 invoked by uid 10022); 16 Oct 2013 14:57:55 -0400

Code:
[root@vps-test /]# grep 10022 /etc/passwd
iamaspammer:x:10022:506::/var/www/vhosts/iamaspammer.com:/bin/false
[root@vps-test /]#

You have caught the spammer and can notify him. :o

If the number of spam mails is high and they are being sent by an authenticated e-mail ID (not via a PHP script), then we can sort out the domain name that sent the highest amount of spam.

Code:
[root@vps-test /]# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I iamaspammer |awk '{print $12}'
iamaspammer.com
iamaspammer.com
iamaspammer.com
iamaspammer.com
iamaspammer.com
iamaspammer.com
iamaspammer.com
iamaspammer.com
spammer2.com
spammer3.com
[root@vps-test /]#

Now we can sort out the domain which sent the highest amount of spam:

Code:
[root@vps-test /]# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I iamaspammer |awk '{print $12}' | sort | uniq -c | sort -n
      8 iamaspammer.com

In this testing environment, the domain "iamaspammer.com" is causing the highest number of spam mails, with a count of 8.

Please note that all the parameters used here are for testing purposes. To make the most of the scripts, you need to use them in a real-time spamming environment.

I referred to the following Parallels guide:

http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.3-unix-advanced-administration-guide/index.htm?fileName=61674.htm

That is it from my end 8)
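
The per-message UID lookup from steps 1 to 3 above, extended to tally every queued message by the local UID that injected it and to resolve each UID with an exact passwd match. This is an added example, not part of the original post; the function names and the sample queue and passwd data are constructed for illustration.

```bash
# Added example, not from the original post. Names and sample data are constructed.

# awk program: print the UID from the first "invoked by uid N" Received
# header; stops at the blank line ending the headers, so body text is ignored.
UID_AWK='
/^$/ { exit }
/^Received: \(qmail [0-9]+ invoked by uid [0-9]+\)/ {
    sub(/.*invoked by uid /, ""); sub(/\).*/, ""); print; exit
}'

# UID that injected one queued message file (empty if none is recorded).
msg_uid() { awk "$UID_AWK" "$1"; }

# "<count> <uid>" for every UID under a queue/mess directory, busiest first.
count_uids() {
    find "$1" -type f -exec awk "$UID_AWK" {} \; |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Exact match on the passwd UID field; a plain grep for the number would
# also hit GIDs and longer UIDs that merely contain it.
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "${2:-/etc/passwd}"
}

# Constructed sample: three queued messages and a two-line passwd file.
make_sample() {
    mkdir -p "$1/mess/1" "$1/mess/2"
    n=0
    for u in 10022 10022 10031; do
        n=$((n + 1))
        printf 'Received: (qmail %s invoked by uid %s); 16 Oct 2013 14:57:55 -0400\nSubject: test\n\nbody\n' \
            "$((3000 + n))" "$u" > "$1/mess/$((n % 2 + 1))/$((40697900 + n))"
    done
    printf '%s\n' 'iamaspammer:x:10022:506::/var/www/vhosts/iamaspammer.com:/bin/false' \
        'other:x:10031:10022::/var/www/vhosts/other.example:/bin/false' > "$1/passwd"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
count_uids "$demo_dir/mess" | while read -r count uid; do
    echo "$count message(s) from uid $uid ($(uid_to_user "$uid" "$demo_dir/passwd"))"
done
rm -rf "$demo_dir"
```

On a live server, point `count_uids` at `/var/qmail/queue/mess` and call `uid_to_user` without its second argument so it reads `/etc/passwd`.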