Firstly we should look at the server’s queue:

# /var/qmail/bin/qmail-qstat
messages in queue: 758
messages in queue but not yet preprocessed: 0
There are 758 messages in the queue. Let's examine the queue with qmail-qread; a list of unfamiliar email addresses in the recipient list usually means spam.

You can examine the content of a queued email through the Plesk interface or simply with the less command. First find the message id with qmail-qread, then locate the file holding the message under /var/qmail/queue with find.

# /var/qmail/bin/qmail-qread
18 Jul 2008 02:01:11 GMT #22094026 1552 <>
remote user@yahoo.com

# find /var/qmail/queue/ -name 22094026
/var/qmail/queue/mess/19/22094026
/var/qmail/queue/remote/19/22094026
/var/qmail/queue/info/19/22094026

# less /var/qmail/queue/mess/19/22094026
Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300
Received: from unknown (HELO User) (86.107.221.138)
by domain.com with SMTP; 22 Jul 2008 19:40:46 +0300
Reply-To: <support@PayPal.Inc.com>
From: "PayPal"<support@PayPal.Inc.com>
Subject: Dispute Transaction
Date: Tue, 22 Jul 2008 19:40:52 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
[...]


Oops, we do have spam in the queue that was received from the network (IP: 86.107.221.138). It has to be removed from the queue or the server's IP address will end up listed in RBLs; qmail-remove is the right tool for this job.

Check the number of spam messages matching the spam pattern ("PayPal.Inc.com" in this case):

# qmail-remove -p 'PayPal.Inc.com'

Now remove the spam (note the '-r' switch); all matching messages end up in the /var/qmail/queue/yanked directory. Don't forget to stop the qmail daemon first (/etc/init.d/qmail stop):

# qmail-remove -r -p 'PayPal.Inc.com'

Within a few minutes there are more emails with the same pattern from the same IP address. That's great: it gives us the opportunity to examine the SMTP traffic from the spammer's IP address. Run tcpdump and wait a few minutes.

# tcpdump -i eth0 -n src 86.107.221.138 or dst 86.107.221.138 -w smtp.tcpdump -s 2048

Examining the capture file with less or vi, we found that the spammer is sending spam using LOGIN authentication:
220 ulise.domain.com ESMTP
ehlo User
250-ulise.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead

Interesting. Let's decode the username and password to see which account is being used:

# perl -MMIME::Base64 -e 'print decode_base64("dGVzdA==")'
test

# perl -MMIME::Base64 -e 'print decode_base64("MTIzNDU=")'
12345

So someone created a 'test' account with a weak password, someone else guessed it, and is now sending spam through the server.
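The decoding step above can be done for a whole captured session instead of one token at a time. The following is an added example (not part of the original post): it takes the reassembled application data of an SMTP session, as shown above, finds the AUTH command and returns the mechanism, the decoded username and password, and whether the server accepted them (235). It goes slightly beyond the page's case by also handling the inline initial-response form ("AUTH LOGIN <base64>") and AUTH PLAIN, which this server also advertises. The SMTP_SESSION constant is a constructed copy of the exchange shown above; everything else is assumed.

```python
import base64
import re

# Constructed sample: the AUTH LOGIN exchange from the tcpdump capture above,
# reassembled as plain application data (server replies and client lines).
SMTP_SESSION = """\
220 ulise.domain.com ESMTP
ehlo User
250-ulise.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead
"""

SERVER_REPLY = re.compile(r"^\d{3}[ -]")          # "250-..." / "334 ..." / "235 ..."
AUTH_CMD = re.compile(r"(?i)^AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$")


def _b64(token):
    """Decode one base64 token, tolerating stripped '=' padding."""
    token = token.strip()
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token).decode("utf-8", "replace")


def _decode_plain(token):
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password)."""
    parts = _b64(token).split("\0")
    if len(parts) != 3:
        return None
    return parts[1], parts[2]


def extract_credentials(session):
    """Return (mechanism, username, password, accepted) for the first AUTH
    command in a captured SMTP session, or None when there is none."""
    lines = [l.rstrip("\r") for l in session.splitlines()]
    for i, line in enumerate(lines):
        m = AUTH_CMD.match(line)
        if not m:
            continue
        mech = m.group(1).upper()
        # Client data after the AUTH command: every line that is not a server reply.
        client = [l for l in lines[i + 1:] if not SERVER_REPLY.match(l)]
        tokens = ([m.group(2)] if m.group(2) else []) + client
        accepted = any(l.startswith("235") for l in lines[i + 1:])
        if mech == "LOGIN":
            if len(tokens) < 2:
                return None
            return mech, _b64(tokens[0]), _b64(tokens[1]), accepted
        if not tokens:
            return None
        creds = _decode_plain(tokens[0])
        if creds is None:
            return None
        return mech, creds[0], creds[1], accepted
    return None


if __name__ == "__main__":
    print(extract_credentials(SMTP_SESSION))   # ('LOGIN', 'test', '12345', True)
```

The username is what matters for the response (which mailbox to lock and whose password to reset); the decoded password is only useful to confirm, as the post does, that it was weak enough to be guessed.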

Let's find the domain that owns the mailbox:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' AND a.password='12345';

+-----------+-------------+----------+
| mail_name | name        | password |
+-----------+-------------+----------+
| test      | example.com | 12345    |
+-----------+-------------+----------+
1 row in set (0.01 sec)

The next step is to delete the test mailbox and send a warning to the client.

To improve your server's security, enable:

Server -> Mail -> Check the passwords for mailboxes in the dictionary

Find and Stop the Spamming in Qmail


Check how many messages are in the queue with qmail-qstat:

# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82

If the queue holds too many messages, try to discover the source of the spam.

If mail is being sent by an authenticated user rather than by a PHP script, you can run the command below to find the user who has sent the most messages (available since Plesk 8.x). Note that 'SMTP authorization' must be enabled on the server for these records to appear:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n
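The awk/sort/uniq pipeline above only counts sessions per login. As an added example (not from the original page), the script below does the same aggregation in Python over a constructed maillog excerpt and adds the second signal a stolen password usually shows: one login authenticating from several unrelated IP addresses. The log line layout is an assumption modelled on the "smtp_auth: SMTP user <login> : ... logged in from <host> [<ip>]" form; check one real line from your maillog and adjust AUTH_RE if the format differs.

```python
import re
from collections import Counter

# Constructed maillog excerpt (hostnames, logins and addresses are made up).
MAILLOG = """\
Jul 22 19:40:46 ulise smtp_auth: SMTP user test@example.com : /var/qmail/mailnames/example.com/test/ logged in from unknown [86.107.221.138]
Jul 22 19:40:51 ulise smtp_auth: SMTP user test@example.com : /var/qmail/mailnames/example.com/test/ logged in from unknown [86.107.221.138]
Jul 22 19:41:02 ulise smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice/ logged in from unknown [192.168.1.10]
Jul 22 19:41:07 ulise smtp_auth: SMTP user test@example.com : /var/qmail/mailnames/example.com/test/ logged in from unknown [86.107.221.138]
Jul 22 19:41:30 ulise qmail: 1216744890.123456 new msg 22094026
Jul 22 19:42:15 ulise smtp_auth: SMTP user test@example.com : /var/qmail/mailnames/example.com/test/ logged in from unknown [10.0.0.5]
"""

# Assumed line format; the login is the token after "SMTP user", the peer
# address is the bracketed IP at the end of the line.
AUTH_RE = re.compile(r"smtp_auth: SMTP user (\S+) .*?\[([\d.]+)\]")


def parse_auth_logins(log):
    """Yield (login, ip) for every successful SMTP AUTH line in the log text."""
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def top_senders(log, n=5):
    """Logins ranked by number of authenticated sessions, most active first
    (the Python equivalent of the sort | uniq -c | sort -n pipeline)."""
    return Counter(login for login, _ in parse_auth_logins(log)).most_common(n)


def source_ips(log, login):
    """Distinct source addresses that authenticated as `login`, with counts."""
    return Counter(ip for l, ip in parse_auth_logins(log) if l == login)


def flag_suspicious(log, threshold=3, max_ips=1):
    """Logins with more than `threshold` sessions or more than `max_ips`
    distinct source addresses in the window: candidates for a guessed password."""
    sessions = Counter()
    ips = {}
    for login, ip in parse_auth_logins(log):
        sessions[login] += 1
        ips.setdefault(login, set()).add(ip)
    return {
        login: {"sessions": count, "ips": sorted(ips[login])}
        for login, count in sessions.items()
        if count > threshold or len(ips[login]) > max_ips
    }


if __name__ == "__main__":
    for login, count in top_senders(MAILLOG):
        print(f"{count:6d} {login}")
    print(flag_suspicious(MAILLOG))
```

The thresholds are deliberately low for the six-line sample; on a busy server set them from a day of normal traffic, and treat "same login, several unrelated networks within minutes" as the stronger signal of the two.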

The path to 'maillog' may differ depending on the OS you are using. The next step is qmail-qread, which reads the headers of the queued messages:

# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT  #2996948  9073  bouncing
        done    remote  user1@domain1.com
        done    remote  user2@domain2.com
        done    remote  user3@domain3.com
        ....

This shows the senders and recipients of the queued messages. If a message has too many recipients, it is probably spam. Now find this message in the queue by its id (#2996948 in our example):

# find /var/qmail/queue/mess/ -name 2996948

Examine the message and look for the "Received" line to find out where it was first sent from. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

it means that this message was sent via a CGI by the user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

If the 'Received' line contains the UID of the 'apache' user (for example "invoked by uid 48"), it means that the spam was sent through a PHP script. In this case, try to find the spammer using the information in the spam email (From/To addresses or anything else).

It is usually very difficult to discover the source of spam. If you are absolutely sure that a script is sending spam right now (the queue grows rapidly for no apparent reason), you can use the following command to determine which PHP scripts are running at the moment:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

You can also apply the procedure below, which describes how to discover which domains are sending mail through PHP scripts. Lines in the Received section like

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

mean that the message was accepted and delivered via SMTP, and that the sender is an authorized mail user.
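The three Received forms discussed above (a CGI under a customer UID, a PHP script under the apache UID, and a message accepted over SMTP) can be told apart automatically. The following is an added example, not code from the original page: it unfolds the header block of a queued message file, reads qmail's own topmost Received header, and returns where the message entered. The UID lookup matches the UID field of a passwd-format text exactly, which avoids the false hits of grepping the number anywhere in /etc/passwd. The sample messages reuse the page's own Received lines; the passwd excerpt, the To: lines and the WEB_USERS set are assumptions.

```python
import re

# Constructed sample messages built around the Received lines quoted in the
# text; the To: headers and the second SMTP hop are made up.
SAMPLES = {
    "cgi": (
        "Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700\n"
        "To: user1@domain1.com\n"
        "\n"
        "body\n"
    ),
    "php": (
        "Received: (qmail 20011 invoked by uid 48); 13 Sep 2005 17:50:01 +0700\n"
        "To: user2@domain2.com\n"
        "\n"
    ),
    "smtp": (
        "Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700\n"
        "Received: from external_domain.com (192.168.0.1)\n"
        "  by mail.example.com with SMTP; 13 Sep 2005 17:52:36 +0700\n"
        "To: user3@domain3.com\n"
        "\n"
    ),
    "smtp_helo": (
        "Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300\n"
        "Received: from unknown (HELO User) (86.107.221.138)\n"
        "  by domain.com with SMTP; 22 Jul 2008 19:40:46 +0300\n"
        "Reply-To: <support@PayPal.Inc.com>\n"
        "\n"
    ),
}

# Hypothetical passwd excerpt standing in for /etc/passwd.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
example:x:10003:2524::/var/www/vhosts/example.com:/bin/false
"""

# Accounts the web server runs scripts under (assumed list; adjust per OS).
WEB_USERS = {"apache", "httpd", "www-data", "nobody"}

IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def uid_to_user(uid, passwd=PASSWD):
    """Map a numeric uid to (login, home) by matching the uid field only."""
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 6 and f[2] == str(uid):
            return f[0], f[5]
    return None


def header_block(msg):
    """Unfold the header block of a message into (name, value) pairs."""
    fields = []
    for line in msg.splitlines():
        if line == "":
            break                                   # end of headers
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]               # folded continuation line
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def classify_source(msg, passwd=PASSWD):
    """Tell where a queued message entered qmail. qmail prepends its own
    Received header, so received[0] is the entry point; for network mail the
    peer's name and address are in the next Received header."""
    received = [v for n, v in header_block(msg) if n == "received"]
    if not received:
        return {"kind": "unknown"}
    m = re.search(r"invoked by uid (\d+)", received[0])
    if m:
        uid = int(m.group(1))
        login, home = uid_to_user(uid, passwd) or (None, None)
        kind = "web-script" if login in WEB_USERS else "local-user"
        return {"kind": kind, "uid": uid, "user": login, "home": home}
    if "invoked from network" in received[0] and len(received) > 1:
        hop = received[1]
        helo = re.match(r"from (\S+)", hop)
        ip = IP_RE.search(hop)
        return {"kind": "smtp",
                "helo": helo.group(1) if helo else None,
                "ip": ip.group(1) if ip else None}
    return {"kind": "unknown", "received": received[0]}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify_source(msg))
```

A "local-user" result points at the customer's home directory (then the wrapper procedure below finds the script); "web-script" means the sender is whatever runs under the web server's account, so the folder rather than the UID identifies the culprit; "smtp" gives the address to watch and, together with the smtp_auth log, the login to disable.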

Many email messages are sent from PHP scripts on the server. How can we find the domains on which these scripts are running? There is a way to determine the folder from which the PHP script that sends mail was run. Note: depending on your OS and Plesk version, the paths may differ slightly from those listed below.

1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"

Note, it should be two lines including '#!/bin/sh'.

2) Create the log file /var/tmp/mail.send and give it "a+rw" permissions; make the wrapper executable; rename the old sendmail; and link it to the new wrapper:

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

3) Wait for an hour and then put the original sendmail back:

# rm -f /var/qmail/bin/sendmail
# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. It should contain lines starting with "X-Additional-Header:" pointing to the domain folders where the scripts that sent the mail are located. You can list all the folders from which mail-sending PHP scripts were run with the following command:

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If the command above produces no output, no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.
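The grep above lists every folder line; when a script is firing hundreds of times, the useful view is a count per domain and per folder, with the Subject and From of what each folder sent. The following is an added example, not part of the original procedure: it parses a constructed /var/tmp/mail.send in the layout the wrapper produces (an X-Additional-Header line with the caller's working directory, followed by the piped message), reads HTTPD_VHOSTS_D from a constructed psa.conf fragment, and aggregates submissions under the vhosts tree. Domains, paths and messages are all made up.

```python
from collections import Counter

# Constructed /var/tmp/mail.send: each submission is "X-Additional-Header: <cwd>"
# followed by the message the script piped into sendmail.
MAIL_SEND = """\
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/contact
To: someone@example.net
Subject: Contact form
From: www@example.com

Hello
X-Additional-Header: /var/www/vhosts/example.org/httpdocs/wp-content/uploads
To: user1@domain1.com
Subject: Dispute Transaction
From: "PayPal" <support@PayPal.Inc.com>

...
X-Additional-Header: /var/www/vhosts/example.org/httpdocs/wp-content/uploads
To: user2@domain2.com
Subject: Dispute Transaction
From: "PayPal" <support@PayPal.Inc.com>

...
X-Additional-Header: /root
To: root@localhost
Subject: cron job output

done
"""

# Constructed psa.conf fragment; the real file defines the same key.
PSA_CONF = """\
# Plesk tree
PRODUCT_ROOT_D /usr/local/psa
HTTPD_VHOSTS_D /var/www/vhosts
"""


def vhosts_dir(conf=PSA_CONF):
    """Return the HTTPD_VHOSTS_D value from psa.conf-style text."""
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "HTTPD_VHOSTS_D":
            return parts[1].strip()
    raise KeyError("HTTPD_VHOSTS_D not found")


def submissions(log):
    """Yield (folder, subject, sender) for each wrapper-logged submission;
    only the first Subject/From after each marker line are taken."""
    folder = subject = sender = None
    for line in log.splitlines():
        if line.startswith("X-Additional-Header: "):
            if folder is not None:
                yield folder, subject, sender
            folder = line.split(": ", 1)[1].strip()
            subject = sender = None
        elif folder is not None:
            low = line.lower()
            if low.startswith("subject:") and subject is None:
                subject = line.split(":", 1)[1].strip()
            elif low.startswith("from:") and sender is None:
                sender = line.split(":", 1)[1].strip()
    if folder is not None:
        yield folder, subject, sender


def per_domain(log, vhosts):
    """Submissions per Plesk domain (first path element under the vhosts
    tree); folders outside the tree are skipped, like the grep in the text."""
    prefix = vhosts.rstrip("/") + "/"
    counts = Counter()
    for folder, _, _ in submissions(log):
        if folder.startswith(prefix):
            counts[folder[len(prefix):].split("/", 1)[0]] += 1
    return counts


def folders_for(log, domain, vhosts):
    """Distinct sending folders inside one domain, with counts."""
    prefix = vhosts.rstrip("/") + "/" + domain + "/"
    return Counter(f for f, _, _ in submissions(log) if f.startswith(prefix))


if __name__ == "__main__":
    root = vhosts_dir()
    for domain, n in per_domain(MAIL_SEND, root).most_common():
        print(n, domain, dict(folders_for(MAIL_SEND, domain, root)))
```

A folder under wp-content/uploads or any other world-writable upload directory that is sending mail is the usual finding; the From/Subject pairs from submissions() tell you at a glance whether it is the site's own contact form or an injected mailer.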
SPAM CHECK
An easy way to empty your qmail mail queues.

Before attempting this, don't forget to stop the qmail service.

  #qmailctl stop

find /var/qmail/queue/mess -type f -exec rm {} \;
find /var/qmail/queue/info -type f -exec rm {} \;
find /var/qmail/queue/local -type f -exec rm {} \;
find /var/qmail/queue/intd -type f -exec rm {} \;
find /var/qmail/queue/todo -type f -exec rm {} \;
find /var/qmail/queue/remote -type f -exec rm {} \;

#qmailctl start


Thank you,

'Virtual' means that it is not real. Basically, it is still a shared hosting account, but unlike a normal shared hosting account, each VPS has its own dedicated slice of the CPU, RAM and disk space. So what you do will not affect the other VPSes on the machine. You can reboot your VPS any time you want and you will have root access.

Think of it this way. A Dedicated Server is like owning and living in your own mansion; you can share it or use it completely yourself, it is up to you.

A Virtual Private Server is like living in an apartment or a hotel room. You have your own doors, walls and private bathroom. You have the privacy of your own room and you can more or less do anything you want. Of course, you will share the infrastructure with the other residents in the apartment building.

A Virtual Hosting/Shared Account is like having a bed in a dormitory. You basically share a bathroom, common area and so on. 

Of course, in a virtual hosting account, if you are the only customer on the machine, you can more or less use all the resources there are. If you share, as long as all the customers together do not use more than what the server can handle, it does not matter.

A VPS on the other hand has a strictly defined slice of the CPU, RAM and disk space, and most of the time, unless permitted, you cannot go beyond that allocation. The good news is that no matter how crowded the server is, you still have your minimum allocation. The bad news is that if your site requires more than what the VPS slice can handle, you will have to bear with it even if there are unused resources on the server. Of course some VPS platforms allow bursting to a reasonable limit, but some don't.

*) What happens while a mail is sent, as seen from its mail header.

Return-path: <georgek@admin-ahead.com>
Envelope-to: shijuc@admin-ahead.com
Delivery-date: Fri, 07 Jun 2013 16:49:32 +0530
Received: from t1.admin-ahead.com ([14.140.176.234]:13182 helo=w10.office.admin-ahead.com)
	by cpanel.admin-ahead.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80.1)
	(envelope-from <georgek@admin-ahead.com>)
	id 1Ukuhb-00062Y-Eu; Fri, 07 Jun 2013 16:49:28 +0530
Message-ID: <51B1C1B5.2060807@admin-ahead.com>
Date: Fri, 07 Jun 2013 16:49:17 +0530
From: George Koshy <georgek@admin-ahead.com>
Organization: Admin-Ahead Server Technologies
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130330 Thunderbird/17.0.5
MIME-Version: 1.0
To: shijuc@admin-ahead.com, nijina@admin-ahead.com,
	rintus@admin-ahead.com, ashleyj@admin-ahead.com, giving@admin-ahead.com,
	tensinj@admin-ahead.com, nikhiln@admin-ahead.com,
	rahuln@admin-ahead.com
CC: trainers@admin-ahead.com
Subject: MailEnable assignment
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms030101050807050906030809"


Every mail header carries the information about what happened while the mail was transferred from one user to another, or more precisely from one server to another. It shows the destination address, where the message was processed, and the message ID. The message ID is unique for every mail, so it is very handy when troubleshooting. It also shows which organization sent it, which mail client was used, the operating system, etc.


Mail Forwarders, Mail Group, Aliasing


*) How to create mail forwarders, mail groups and aliases in Sendmail?
    Mail forwarding in sendmail can be done in two ways, locally and remotely. To redirect mail within the local domain use /etc/aliases; for remote domains set an entry in the virtusertable.

    Mail group and aliasing
    ftp-group: root,user1,user2
    The above is an entry in the /etc/aliases file, where ftp-group is your mail group and root, user1 and user2 are the aliases you set, which means mail sent to ftp-group will be received by all three.


*) What is spamming? Type of spamming and spamming prevention methods?

    Spamming is the sending of unwanted electronic communication, commonly called junk e-mail. Spammers lure people into reading their e-mails with enticing subject lines. The majority of spam is commercial advertising promoting questionable products or services. Often, sending spam is an attempt to commit identity theft or other types of fraud over the Internet.

    Types of Spamming

    However, when averaged out over the course of the year, 50% of spam falls into the following categories:
    Being spammed not only consumes your mail space; it also creates traffic that can bring your server down at times because of low bandwidth.

    Prevention Methods
  • Spam Assassin
  • SPF record
  • DNS Blacklist
  • Disable open relay
  • Anti-Spamware