Identifying spam sources under Parallels Plesk (Postfix)

Expertise level: Medium

Identifying the php scripts that are sending mail is the first step to protecting yourself against would-be spammers. Follow these steps to find the domains on which these scripts are running using Postfix:

Determine from which folder the PHP script that sends mail was run.

Note: Depending on your operating system and Parallels Plesk version, the paths can differ slightly from those listed below.

  1. Create a /usr/sbin/sendmail.postfix-wrapper script with the following content:

    Create a file and open it for editing:

    #touch /usr/sbin/sendmail.postfix-wrapper
    #vi /usr/sbin/sendmail.postfix-wrapper
    

    Add the following content:

    #!/bin/sh
    (echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"
    

    Note: this should be two lines, including #!/bin/sh.

  2. Create a log file, /var/tmp/mail.send, and grant it a+rw rights. Make the wrapper executable, rename the old sendmail, and link it to the new wrapper. Run these commands:

    ~# touch /var/tmp/mail.send
    ~# chmod a+rw /var/tmp/mail.send
    ~# chmod a+x /usr/sbin/sendmail.postfix-wrapper
    ~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    ~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
    
  3. Wait 60 minutes and change the sendmail back:

    ~# rm -f /usr/sbin/sendmail.postfix
    ~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
    

Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.

You can see all the folders from which mail PHP scripts were run with the following command:

    ~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

NOTE: If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Parallels Plesk virtual hosts directory.

That may indicate one of the mail accounts has been compromised. Check the login attempt count:

# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

An unusually high number of login attempts indicates it is very likely that accounts have been compromised. You can identify these accounts with the following:

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com

To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

 

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk