First, check that all domains have the option "Mail to non-existing user" set to "reject" and not to "forward." You can change this setting for all domains using "Group Operations" in the "Domains" tab in Parallels Plesk Control Panel. The option "Reject mail to nonexistent user" has been available since Parallels Plesk Panel 7.5.3.
Also check that all the IPs and networks in the white lists are reliable and familiar to you.
Check how many messages are in the queue with Qmail:
# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82
If the queue has too many messages, try to discover the source of the spam. If mail is being sent by an authorized user but not from a PHP script, you can run the command below to find the user that has sent the most messages (available since Plesk 8.x). Note that you must have "SMTP authorization" activated on the server to see these records:
# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n
The path to "maillog" may differ depending on the OS you are using.
The next step is to use "qmail-qread," which can be used to read the message headers:
# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT #2996948 9073 <user@domain.com> bouncing
done remote user1@domain1.com
done remote user2@domain2.com
done remote user3@domain3.com
....
This shows the senders and recipients of messages. If a message contains many recipients, it is probably spam.
Now try to find this message in the queue by its ID (#2996948 in our example):
# find /var/qmail/queue/mess/ -name 2996948
Examine the message and find the line "Received" to determine from where it was sent for the first time. For example, if you find the following ...
Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
... it means that this message was sent via a CGI by user with the UID 10003. Using this UID, it is possible to find the domain:
# grep 10003 /etc/passwd
If the "Received" line contains a UID of the user "apache" (for example. invoked by UID 48), it means that spam was sent through a PHP script. In this case, you can try to find the spammer using information from spam email (from/to address or any other information). It is usually very difficult to discover the source of spam. If you are absolutely sure that a script is sending the spam (because the tail grows rapidly for no apparent reason), you can use the following script to determine which PHP scripts are currently running:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
Lines in the "Received" section like below ...
Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)
... mean that the message has been accepted and delivered via SMTP, and that the sender is an authorized mail user.
