
Author Topic: Finding Spam source in Plesk- Postfix servers  (Read 2299 times)


aneeshs

Finding Spam source in Plesk- Postfix servers
« on: December 16, 2017, 03:02:46 pm »
Identifying the PHP scripts that are being used for spamming is a vital part of mitigating spam issues. In this article, I will guide you through the steps for easy spam troubleshooting. The paths mentioned in this article may differ according to the OS and Plesk version.

Determining the directory of the spamming PHP script is the first step.

1. Create a wrapper script for sendmail and paste the following contents:
Code: [Select]
# vim /usr/sbin/sendmail.postfix-wrapper

#!/bin/sh
# Prepend the caller's working directory ($PWD) as an extra header, append a copy
# of the whole message to /var/tmp/mail.send, then hand it to the real sendmail binary.
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"

2. Create a log file for logging purposes and assign the correct access rights. Note that this file will receive the full content of every message passed through sendmail, so delete it once the investigation is finished.
Code: [Select]
# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send

3. Make the wrapper executable, rename the old sendmail.postfix file, and link it to the new wrapper:
Code: [Select]
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

4. Wait a while so that the spamming script runs again, then rename sendmail.postfix-bin back to /usr/sbin/sendmail.postfix:
Code: [Select]
# rm -f /usr/sbin/sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

5. Check /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header" pointing to the domain folders where the scripts that sent the mail are located.

6. The directories, from which mail PHP scripts are run, can be seen using the following command:
Code: [Select]
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

7. If no script directories show up in that output, the spam is not being sent from a PHP script but through authenticated SMTP, which means one of the mail accounts has been compromised. Check the login attempt count:
Code: [Select]
# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*

Sample results may be like:
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

8. If an unusually high number of login attempts is shown, it is very likely that accounts were compromised. Try identifying these accounts in the following way (the awk field number depends on the log format; adjust it if column 9 does not hold sasl_username on your server):
Code: [Select]
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=user@example.com
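As an added example, not part of the original post, the script below automates the two checks from steps 5-6 and 7-8: it counts how many messages each web directory sent according to the X-Additional-Header lines in mail.send, and counts SASL logins per username from the Plesk maillog. Both inputs are constructed samples written to temporary files; on a real server you would point the functions at /var/tmp/mail.send and /usr/local/psa/var/log/maillog*, and the vhosts root (assumed here to be /var/www/vhosts) comes from HTTPD_VHOSTS_D in /etc/psa/psa.conf as in step 6. The username is extracted by name rather than by field position, so it does not depend on the log column layout.

```shell
#!/bin/sh
# Added example (not from the original post). Summarises the log files the
# procedure above produces. All sample data below is constructed.

# Constructed sample of /var/tmp/mail.send: each X-Additional-Header line is
# the working directory of the process that invoked the sendmail wrapper.
SAMPLE_MAILSEND=$(mktemp)
cat > "$SAMPLE_MAILSEND" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
From: noreply@example.com
Subject: hello
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
Subject: hello again
X-Additional-Header: /var/www/vhosts/shop.example.net/httpdocs
Subject: order
X-Additional-Header: /root
Subject: nightly cron report
EOF

# Constructed sample of Plesk's maillog: Postfix smtpd SASL login lines.
SAMPLE_MAILLOG=$(mktemp)
cat > "$SAMPLE_MAILLOG" <<'EOF'
Dec 16 03:00:01 host postfix/smtpd[1234]: ABCDEF: client=unknown[198.51.100.10], sasl_method=LOGIN, sasl_username=user@example.com
Dec 16 03:00:02 host postfix/smtpd[1234]: ABCDF0: client=unknown[198.51.100.11], sasl_method=LOGIN, sasl_username=user@example.com
Dec 16 03:00:03 host postfix/smtpd[1235]: ABCDF1: client=unknown[198.51.100.12], sasl_method=LOGIN, sasl_username=user@example.com
Dec 16 03:00:04 host postfix/smtpd[1236]: ABCDF2: client=laptop[192.0.2.5], sasl_method=LOGIN, sasl_username=alice@example.com
EOF
trap 'rm -f "$SAMPLE_MAILSEND" "$SAMPLE_MAILLOG"' EXIT

# Messages sent per directory under the vhosts root (step 6), most active first.
# Directories outside the vhosts root (e.g. /root) are system mail and are dropped.
# Usage: spam_script_dirs MAIL_SEND_FILE VHOSTS_ROOT
spam_script_dirs() {
    grep '^X-Additional-Header: ' "$1" \
        | sed 's/^X-Additional-Header: //' \
        | grep "^$2" \
        | sort | uniq -c | sort -rn
}

# SASL logins per username (step 8), extracted by name so the column layout
# of the log line does not matter.
# Usage: top_sasl_users MAILLOG_FILE
top_sasl_users() {
    grep 'sasl_method=LOGIN' "$1" \
        | sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Number of messages logged for one specific directory (handy for checks).
# Usage: count_for_dir MAIL_SEND_FILE VHOSTS_ROOT DIRECTORY
count_for_dir() {
    spam_script_dirs "$1" "$2" | awk -v d="$3" '$2 == d {print $1}'
}

echo "Messages per web directory:"
spam_script_dirs "$SAMPLE_MAILSEND" /var/www/vhosts
echo "SASL logins per user:"
top_sasl_users "$SAMPLE_MAILLOG"
```

Run it with sh; the directory with the highest count is the one to inspect for a dropped or modified PHP file, and a single username with a login count far above the others is the account whose password should be reset.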

Thanks for reading :)