Find the source of Spamming – Plesk !!

Check how many messages are in the Qmail queue:

# /var/qmail/bin/qmail-qstat

If mail is being sent by an authenticated user rather than by a PHP script, you can run the command below to find which user has sent the most messages:

// Note that you must have 'SMTP authorization' activated on the server to see these records //

# cat /usr/local/psa/var/log/maillog |grep -i smtp_auth |grep -i user |awk '{print $11}' |sort |uniq -c |sort -n

The next step is to use “qmail-qread,” which can be used to read the message headers:

# /var/qmail/bin/qmail-qread

This shows the senders and recipients of the queued messages. A message with an unusually large number of recipients is probably spam. Now locate that message in the queue by its ID:

# find /var/qmail/queue/mess/ -name 2996948   ( <- 2996948 is the message ID shown by qmail-qread )

Examine the message and find the "Received" line to see where it was first injected into the mail system. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

This means the message was submitted by a CGI (or PHP) script running as the user with UID 10003. Using this UID, it is possible to find the corresponding system user, and so the domain:

# grep 10003 /etc/passwd

Now, to determine which folder the PHP script that sends mail was run from:

Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
# Prepend a header carrying the caller's working directory, keep a copy of every
# message in /var/tmp/mail.send, then hand the message to the real sendmail.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"

Create the log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename the old sendmail; and link it to the new wrapper:
~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

Now wait for some time for logs to be generated, then restore the original sendmail:

~# rm -f /var/qmail/bin/sendmail
~# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to the domain folders where the scripts that sent the mail are located.

You can list all the folders from which mail-sending PHP scripts were run with the following command (it filters on the vhosts directory configured in psa.conf):

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

# Another case of spamming

When checking the qmail maillog (/usr/local/psa/var/log/maillog), if we find something similar to this:

Oct 8 00:17:00 xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
Oct 8 00:17:00 xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

We can confirm that the spamming is being done by brute-forcing Plesk email passwords and then authenticating with a base64-encoded username.

The built-in qmail logging cannot handle this encoding, and as a result the logs will just show (null) instead of the username used.
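The per-user login count from the grep/awk pipeline earlier and the (null)@(null) symptom above can both be pulled from the maillog with one small parser. This is an added example, not code from the original post or from Plesk; the log lines are constructed to match the smtp_auth format quoted above, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the smtp_auth format quoted above; not from a real server.
SAMPLE_MAILLOG = """\
Oct  8 00:17:00 mx1 smtp_auth: SMTP connect from (null)@(null) [203.0.113.5]
Oct  8 00:17:00 mx1 smtp_auth: smtp_auth: SMTP user bob@example.com: logged in from (null)@(null) [203.0.113.5]
Oct  8 00:17:03 mx1 smtp_auth: smtp_auth: SMTP user alice@example.com: logged in from client.example.net [198.51.100.7]
Oct  8 00:17:09 mx1 smtp_auth: smtp_auth: SMTP user bob@example.com: logged in from (null)@(null) [203.0.113.5]
Oct  8 00:17:12 mx1 smtp_auth: smtp_auth: SMTP user bob@example.com: logged in from (null)@(null) [203.0.113.9]
"""

# Anchor on the "SMTP user ... logged in from" tokens rather than on an awk field number,
# so a padded day ("Oct  8") or an extra token in the line does not shift the column.
LOGIN_RE = re.compile(
    r"smtp_auth: SMTP user (?P<user>.+?): logged in from (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)


def parse_logins(log_text):
    """Return one dict (user, host, ip) per successful smtp_auth login line."""
    logins = []
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if match:  # "SMTP connect from" lines and other records are skipped
            logins.append(match.groupdict())
    return logins


def logins_per_user(log_text):
    """Equivalent of grep smtp_auth | grep user | awk | sort | uniq -c: logins per account."""
    return Counter(entry["user"] for entry in parse_logins(log_text))


def null_host_logins(log_text):
    """Logins whose client was logged as (null)@(null), the symptom the page ties to
    base64-encoded usernames that qmail's logging cannot decode.
    Returns {user: Counter(ip -> count)} so the source addresses can be reviewed."""
    result = {}
    for entry in parse_logins(log_text):
        if entry["host"] == "(null)@(null)":
            result.setdefault(entry["user"], Counter())[entry["ip"]] += 1
    return result


if __name__ == "__main__":
    for user, count in logins_per_user(SAMPLE_MAILLOG).most_common():
        print(f"{count:6d} {user}")
    for user, ips in null_host_logins(SAMPLE_MAILLOG).items():
        print(f"(null) host logins for {user}: {dict(ips)}")
```

To run it against a real server, read /usr/local/psa/var/log/maillog into `log_text` instead of SAMPLE_MAILLOG.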

From the Parallels forums:
http://forum.parallels.com/showthread.p ... il-logging
http://forum.parallels.com/pda/index.php/t-82043.html

The only solution would be to upgrade Plesk to a more stable version.