Find and Stop the Spamming in Qmail


Check how many messages are in the queue with qmail-qstat:

# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82

If the queue has too many messages, try to discover the source of the spam.

If mail is being sent by an authorized user rather than by a PHP script, you can run the command below to find the user that has sent the most messages (available since Plesk 8.x). Note that 'SMTP authorization' must be activated on the server for these records to appear in the log:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n
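The one-liner above depends on the user address landing in awk field 11, which varies between Plesk versions. The following added example (not from the original post) does the same counting but keys on the "SMTP user <address>" text instead of a field number; the maillog lines it reads are constructed for the demonstration and only assume that format, so adjust the sed pattern if your maillog differs.

```shell
#!/bin/sh
# Added example, not part of the original post: count authenticated SMTP logins
# per user from Plesk-style smtp_auth log lines. The lines below are constructed
# and the "SMTP user <address>" layout is an assumption about the log format.

SAMPLE_MAILLOG=$(cat <<'EOF'
Sep 13 17:40:01 host smtp_auth: SMTP user alice@example.com : / logged in from 203.0.113.5
Sep 13 17:40:02 host smtp_auth: SMTP user bob@example.com : / logged in from 198.51.100.7
Sep 13 17:40:03 host qmail: 1126633203.1 new msg 2996948
Sep 13 17:40:04 host smtp_auth: SMTP user bob@example.com : / logged in from 198.51.100.7
Sep 13 17:40:05 host smtp_auth: SMTP user bob@example.com : / logged in from 198.51.100.9
Sep 13 17:40:06 host smtp_auth: SMTP user carol@example.com : / logged in from 192.0.2.4
EOF
)

# smtp_auth_counts: read maillog text on stdin, print "<count> <user>" in ascending
# order, so the heaviest sender is the last line (same shape as the post's command).
smtp_auth_counts() {
    grep -i 'smtp_auth' \
      | sed -n 's/.*SMTP user \([^ ]*\) .*/\1/p' \
      | sort | uniq -c | sort -n \
      | awk '{print $1, $2}'
}

# top_smtp_auth_user: the single user with the most authenticated logins.
top_smtp_auth_user() {
    smtp_auth_counts | tail -n 1 | awk '{print $2}'
}

# logins_for_user <user>: number of logins recorded for one user (empty if none).
logins_for_user() {
    smtp_auth_counts | awk -v u="$1" '$2 == u {print $1}'
}

# Demo run over the constructed sample: on a real server replace the printf with
# "cat /usr/local/psa/var/log/maillog" (path differs between OS releases).
printf '%s\n' "$SAMPLE_MAILLOG" | smtp_auth_counts
printf 'Top sender: %s\n' "$(printf '%s\n' "$SAMPLE_MAILLOG" | top_smtp_auth_user)"
```

A single account with a login count far above the rest, especially from several source addresses within minutes, is the pattern that points at a stolen mailbox password rather than a script.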

The path to 'maillog' may differ depending on the OS you are using. The next step is to use "qmail-qread", which lists the sender and recipients of every message in the queue:

# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT #2996948 9073 bouncing
    done remote user1@domain1.com
    done remote user2@domain2.com
    done remote user3@domain3.com
....

This shows the senders and recipients of the queued messages. If a message has too many recipients, it is probably spam. Now find this message in the queue by its ID (#2996948 in our example):

# find /var/qmail/queue/mess/ -name 2996948

Examine the message and look at the "Received" line to find out from where it was first injected. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

it means that this message was sent via a CGI by the user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

If the 'Received' line contains the UID of the 'apache' user (for example "invoked by uid 48"), it means that the spam was sent through a PHP script. In this case, you can try to find the spammer using information from the spam email (From/To addresses or any other detail).

It is usually very difficult to discover the source of spam. If you are absolutely sure that a script is sending spam right now (the mail queue is growing rapidly for no apparent reason), you can use the following command to see which PHP scripts the web server processes are running at this moment:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

You can also apply the procedure below, which describes how to discover which domains are sending mail through PHP scripts. Lines in the Received section like

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

mean that the message was accepted and delivered via SMTP, and that the sender is an authorized mail user.
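The header reading described in the last few paragraphs (local "invoked by uid N" versus "invoked from network", then mapping the UID through /etc/passwd) can be scripted so that every queued message is classified the same way. The following is an added example, not the post's own code: the message files, the passwd excerpt and the work directory are constructed for the demonstration, and the set of web-server account names it treats as "PHP script" is an assumption you should match to your server.

```shell
#!/bin/sh
# Added example, not part of the original post: classify where a queued message
# entered qmail from its Received: headers and map a local UID to an account name.
# All files below are constructed; on a real server pass a file from
# /var/qmail/queue/mess/ and /etc/passwd instead.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed passwd excerpt: the page's example UID 10003 and the Apache user 48.
cat > "$WORKDIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
user1:x:10003:2524::/var/www/vhosts/domain1.com:/bin/false
EOF

# Constructed message injected locally by a hosting account's CGI (uid 10003).
cat > "$WORKDIR/msg_cgi" <<'EOF'
Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
From: promo@domain1.com
To: someone@domain2.com
Subject: constructed sample

body
EOF

# Constructed message injected locally by the web server user (uid 48).
cat > "$WORKDIR/msg_php" <<'EOF'
Received: (qmail 20001 invoked by uid 48); 13 Sep 2005 17:50:10 +0700
From: www@domain1.com
To: someone@domain2.com
Subject: constructed sample

body
EOF

# Constructed message accepted over SMTP from a remote host.
cat > "$WORKDIR/msg_smtp" <<'EOF'
Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)
From: someone@external_domain.com
To: user@domain1.com
Subject: constructed sample

body
EOF

# queue_entry_received <file>: the topmost "Received: (qmail ..." line is the one this
# server's qmail-queue wrote when the message entered the local queue. Headers below
# it were written by other systems (or by the sender) and cannot be trusted.
queue_entry_received() {
    sed '/^$/q' "$1" | grep -i '^Received: (qmail' | head -n 1
}

# uid_to_name <uid> <passwd_file>: exact match on the numeric UID field, which avoids
# the false hits a bare "grep 10003 /etc/passwd" can produce on other fields.
uid_to_name() {
    awk -F: -v u="$1" '$3 == u {print $1; exit}' "$2"
}

# message_origin <file> <passwd_file>: prints one of
#   "php-script <name>"  injected locally by the web server user
#   "local-user <name>"  injected locally by a hosting account (CGI, cron, shell)
#   "smtp-network"       accepted over SMTP; check the smtp_auth log for the sender
#   "unknown"            no qmail injection header found
message_origin() {
    line=$(queue_entry_received "$1")
    case "$line" in
        *"invoked by uid "*)
            uid=$(printf '%s\n' "$line" | sed -n 's/.*invoked by uid \([0-9]*\).*/\1/p')
            name=$(uid_to_name "$uid" "$2")
            case "$name" in
                apache|www-data|httpd) printf 'php-script %s\n' "$name" ;;   # assumed web-server account names
                "")                    printf 'local-user uid:%s\n' "$uid" ;;
                *)                     printf 'local-user %s\n' "$name" ;;
            esac ;;
        *"invoked from network"*) echo smtp-network ;;
        *) echo unknown ;;
    esac
}

for m in msg_cgi msg_php msg_smtp; do
    printf '%s: %s\n' "$m" "$(message_origin "$WORKDIR/$m" "$WORKDIR/passwd")"
done
```

Run over the whole spool with a loop such as `for f in /var/qmail/queue/mess/*/*; do message_origin "$f" /etc/passwd; done | sort | uniq -c` to see at a glance whether the bulk of the queue came from a web-server UID, one hosting account, or authenticated SMTP.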

Many email messages are sent from PHP scripts on the server. How can we find the domains on which these scripts run? There is a way to determine from which folder the PHP script that sends mail was run. Note: depending on your OS and Plesk version, the paths can differ slightly from those listed below.

1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Note, it should be two lines including '#!/bin/sh'. The subshell prepends the calling script's working directory as an extra header, records the whole message in /var/tmp/mail.send, and then hands it to the real sendmail.

2) Create the log file /var/tmp/mail.send and grant it "a+rw" rights, make the wrapper executable, rename the old sendmail, and link it to the new wrapper:

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

3) Wait for an hour and change sendmail back:

# rm -f /var/qmail/bin/sendmail
# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to the domain folders where the scripts which sent the mail are located. You can see all the folders from which mail-sending PHP scripts were run with the following command:

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.
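The grep above lists every matching line; on a busy server it is more useful to count messages per folder and per vhost so the offending script stands out. The following added example (not the post's own code) does that over constructed mail.send content; the vhosts directory is hard-coded as an assumption, whereas on a real server you would read HTTPD_VHOSTS_D from /etc/psa/psa.conf as the post does.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the X-Additional-Header
# lines the sendmail-wrapper appends to /var/tmp/mail.send into per-folder and
# per-vhost message counts. The log content and VHOSTS_DIR below are constructed.

VHOSTS_DIR=/var/www/vhosts   # assumed; take HTTPD_VHOSTS_D from /etc/psa/psa.conf in practice

# Constructed mail.send content: each injected message starts with the header the
# wrapper prepends ($PWD of the calling script) followed by the message itself.
SAMPLE_MAIL_SEND=$(cat <<'EOF'
X-Additional-Header: /var/www/vhosts/domain1.com/httpdocs/contact
To: a@example.net
Subject: contact form

hello
X-Additional-Header: /var/www/vhosts/shop.example.org/httpdocs/uploads/tmp
To: b@example.net
Subject: earn money

spam
X-Additional-Header: /var/www/vhosts/shop.example.org/httpdocs/uploads/tmp
To: c@example.net
Subject: earn money

spam
X-Additional-Header: /usr/local/psa/admin
To: root
Subject: cron

report
EOF
)

# sending_folders [vhosts_dir]: read mail.send on stdin, print "<count> <folder>" for
# every folder under vhosts_dir, heaviest sender first. Folders outside the vhosts
# tree (system cron jobs, Plesk itself) are dropped, as in the post's grep.
sending_folders() {
    dir=${1:-$VHOSTS_DIR}
    grep '^X-Additional-Header:' \
      | awk '{print $2}' \
      | grep "^$dir/" \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# sending_domains [vhosts_dir]: collapse the folder counts to the vhost directory
# name (the domain), so one number per hosting account.
sending_domains() {
    dir=${1:-$VHOSTS_DIR}
    sending_folders "$dir" \
      | awk -v d="$dir/" '{ sub("^" d, "", $2); split($2, p, "/"); c[p[1]] += $1 }
                          END { for (k in c) print c[k], k }' \
      | sort -rn
}

# Demo over the constructed sample; on a real server use: sending_folders < /var/tmp/mail.send
printf '%s\n' "$SAMPLE_MAIL_SEND" | sending_folders
printf '%s\n' "$SAMPLE_MAIL_SEND" | sending_domains
```

A writable upload or temp directory at the top of the folder list, as in the sample, is the usual sign of an uploaded mailer script rather than the site's own contact form.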

Comments (3)

On 16 February 2021 at 01:54 , ESTNOC said...

Here we come up with the new solution EstNOC, which offers webhosting, virtual servers, dedicated servers, SSL certificates, domains and co-location hosted in Singapore with green energy at great prices. For more details please visit https://www.estnoc.ee

On 3 January 2022 at 03:14 , Anonymous said...

Awesome, this is very important to know for all of us about this information. I really like this blog and surely suggest it to my friends. Thanks keep it up. If you want to grow your business website you should choose Cheap Linux VPS Hosting. It gives the best quality of services at the most reasonable rates.

On 1 February 2024 at 04:19 , Anonymous said...

This blog post is really very informative. Where you are providing the information about “ Spamming Troubleshotting - Qmail ” That is really such nice information for those who need it. Here in this post, you are providing one of the most important things that is “ If mail is being sent by an authorized user but not from the PHP script, you can run the command below to find the user that has sent the most messages (available since Plesk 8.x). ”. But here my opinion is that you should make a website for this as well as you need to promote also. So that you can choose Ritz Media World.