Plesk – check where spam is coming from

Lots of e-mails are sitting in the mail queue. The question is where they are coming from: am I the source of the spam, or just the victim of it? Maybe one of the Plesk users has a badly written PHP script that lets anyone relay mail through the server. First, list the queue:

/var/qmail/bin/qmail-qread

The output will be hundreds of lines; one entry is given here as an example:

28 Jan 2012 01:54:29 GMT #64329783 368 <anonymous@some.domain.dom>
 remote 2343696059@some.domain.dom

Record the number after # (the queue id) and locate the message file with it:

find /var/qmail/queue/mess/ -name 64329783

/var/qmail/queue/mess/2/64329783

cat /var/qmail/queue/mess/2/64329783

Received: (qmail 10770 invoked by uid 48); 28 Jan 2012 01:53:58 -0500
 Date: 28 Jan 2012 01:53:58 -0500
 Message-ID: <20120128065358.10768.qmail@some.domain.dom>
 X-Additional-Header: /var/tmp/send
 To: 2343696059@some.domain.dom
 Subject: pls.call
 From: qhsc <wnagtq@some.domain.dom>
 Content-Type: text/html
Body intentionally removed.

What we are looking for here is the uid in the first Received: header. In this case it is 48, the apache user: the message was handed to qmail-queue by a process running under the web server, i.e. by a web script on this box, not by an outside host talking SMTP to us. The X-Additional-Header line is worth a look too: if the Plesk sendmail wrapper is installed, it prepends the working directory of whatever called sendmail, so here the sending script was running from /var/tmp/send, a world-writable scratch location rather than a vhost's document root. Confirm which account uid 48 is. Look it up by uid rather than grepping /etc/passwd for 48, which would also match uid 148 or a gid of 48:

getent passwd 48

apache:x:48:48:Apache:/var/www:/sbin/nologin

So the mail originates on our server, not from outside. Next, find which domain it comes from. The command below lists the PHP files under /var/www/vhosts that the running httpd processes have open, refreshing every second (lsof +r 1), so run it while the spam is still going out and the offending vhost's script will show up. The ps/grep/awk pipeline only builds the comma-separated PID list for -p; pgrep -d, httpd gives the same thing. One caveat: this step is for mod_php, where every vhost shares the apache user. If PHP runs as FastCGI or php-fpm under each subscription's own system user, the uid in the Received: header already names the subscription.

lsof +r 1 -p "$(ps axww | grep httpd | grep -v grep | awk '{ if (!str) { str = $1 } else { str = str "," $1 } } END { print str }')" | grep vhosts | grep php
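The whole procedure above, as an added example that is not from the original post: a small POSIX shell script with the parsing steps as functions (queue ids from qmail-qread output, the injecting uid from the first Received: header, an exact uid-to-name lookup, and a per-sender count of the queue). The qmail-qread listing, Received: line and passwd excerpt embedded in it are constructed sample data modelled on the output shown above, not captured from a real server; live_uid_for_queue_id assumes the standard /var/qmail/queue/mess layout and is the only part that touches the real box.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for tracing queued
# spam back to the local uid that injected it. All sample data below is
# constructed to look like the qmail-qread output and headers shown above.

# Constructed qmail-qread listing: three queued messages, two of them from
# the same anonymous sender.
SAMPLE_QREAD='28 Jan 2012 01:54:29 GMT #64329783 368 <anonymous@some.domain.dom>
  remote 2343696059@some.domain.dom
28 Jan 2012 01:54:31 GMT #64329790 412 <anonymous@some.domain.dom>
  remote 5551234567@some.domain.dom
28 Jan 2012 01:55:02 GMT #64329801 1209 <alice@example.com>
  local bob@example.com'

# Constructed /etc/passwd excerpt. user148 is there to show why a plain
# "grep 48" is the wrong lookup: it matches uid 148 as well as uid 48.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
popuser:x:110:31:Plesk mail user:/var/qmail/mailnames:/bin/false
user148:x:148:148:Not apache:/home/user148:/bin/bash'

# Constructed first Received: header of a locally injected message.
SAMPLE_RECEIVED='Received: (qmail 10770 invoked by uid 48); 28 Jan 2012 01:53:58 -0500'

# queue_ids: print the queue id (the number after '#') of every message in
# qmail-qread output read from stdin, one per line.
queue_ids() {
    sed -n 's/^.*#\([0-9][0-9]*\) .*$/\1/p'
}

# injecting_uid: given a message (or just its Received: line) on stdin, print
# the uid that handed it to qmail-queue. Only the local-injection form
# "(qmail N invoked by uid U)" matches; mail that arrived over SMTP has a
# different Received: line and prints nothing.
injecting_uid() {
    sed -n 's/^Received: (qmail [0-9][0-9]* invoked by uid \([0-9][0-9]*\)).*$/\1/p' | head -n 1
}

# uid_to_name: exact match on the uid field of passwd-format data on stdin.
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# senders_by_count: envelope senders in qmail-qread output on stdin, most
# frequent first, to see at a glance whether one address dominates the queue.
senders_by_count() {
    sed -n 's/^.*<\([^>]*\)>$/\1/p' | sort | uniq -c | sort -rn
}

# live_uid_for_queue_id: the real thing, for use on a Plesk box. Assumes the
# standard /var/qmail/queue/mess layout shown in the post; not exercised by
# the sample data.
live_uid_for_queue_id() {
    f=$(find /var/qmail/queue/mess/ -name "$1" | head -n 1)
    [ -n "$f" ] || return 1
    injecting_uid < "$f"
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_QREAD" | queue_ids
printf '%s\n' "$SAMPLE_QREAD" | senders_by_count
uid=$(printf '%s\n' "$SAMPLE_RECEIVED" | injecting_uid)
printf 'injected by uid %s (%s)\n' "$uid" "$(printf '%s\n' "$SAMPLE_PASSWD" | uid_to_name "$uid")"
```

On a live server the same functions take real input: /var/qmail/bin/qmail-qread | queue_ids gives the ids, live_uid_for_queue_id 64329783 gives the injecting uid, and getent passwd or uid_to_name < /etc/passwd resolves it. The uid parse deliberately matches only the "invoked by uid" form, so a queue full of relayed-in mail (empty output) is distinguishable from a queue fed by a local script.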

Comments are welcome.
