Identifying spam sources under Parallels Plesk (Qmail)

Expertise level: Medium

Identifying the php scripts that are sending mail is the first step to protecting yourself against would-be spammers. Follow these steps to find the domains on which these scripts are running using Postfix:

Warning: this method may increase server load due to the additional steps of processing for each message submitted to the local mail server. If you experience problems with high server load after applying the instructions in step 2, revert them using the instructions in step 3.

There is a way to determine from which folder the PHP script that sends mail was run.

Note: Depending on your Operating System and Plesk version, the paths may differ from those listed below.

1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:

(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Note: this script should be on two lines including #!/bin/sh

2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights. Make the wrapper executable, rename the old sendmail, and link it to the new wrapper:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

3) Wait for two hours and change sendmail back:

~# rm -f /var/qmail/bin/sendmail
~# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:", pointing to the domain folders where the scripts which sent the mail are located.

You can see all the folders from where mail PHP scripts were run with the following command:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If you dont't see output from the above command, no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.

If the /var/tmp/mail.send file only contains:

X-Additional-Header: /var/www

without pointing to a particular domains folder, change permissions for the Perl binary:

~# chmod 700 /usr/bin/perl


Article is closed for comments.
Powered by Zendesk