How to identify spam source on Plesk for Linux Server

Applicable to:

  • Plesk for Linux

Question

Many email messages are being sent from PHP scripts on a server. How can the domains on which these scripts are running be found if Postfix is used as the mail server?

Answer


Warning: If you do not have SSH access, contact your service provider or server administrator.

Note: This article is applicable to the Postfix mail server only.

Note: Enabling the mail.add_x_header directive adds an X-PHP-Originating-Script header to each message sent via PHP's mail(); the header contains the UID under which the script ran followed by the script filename, which further facilitates the search for spamming PHP scripts. The directive can be set in php.ini, .htaccess, httpd.conf or .user.ini. More details on this option: https://www.php.net/manual/en/mail.configuration.php

Note: Starting from Plesk Obsidian 18.0.76, the Plesk sendmail wrapper prints more information to the maillog, including the calling script/application, its working directory, and the vhost where possible (provided `mail.add_x_header` is `on` in the PHP settings).

There is a way to determine from which directory the PHP script sending mail is run.

  1. Connect to the server via SSH.
  2. Create a /usr/local/bin/sendmail-trace script with the following content:

    #!/bin/sh
    # Log the working directory of the calling process (the directory of the
    # PHP script that invoked sendmail) to stderr, which ends up in the maillog
    echo "PWD=$PWD" >&2
    # Prepend a header carrying the same directory to the outgoing message
    echo "X-Additional-Header: $PWD"
    # Pass the original message body through unchanged
    cat
    echo PASS >&2

  3. Make this newly created script executable:

    # chmod +x /usr/local/bin/sendmail-trace

  4. Execute the command below to register the newly created script as a global mail handler. From now on, the PWD value will be printed in the maillog and added as a header to the messages:

    # /usr/local/psa/admin/sbin/mail_handlers_control --add --priority=5 --name=trace --queue=before-sendmail --type=global --executable=/usr/local/bin/sendmail-trace --enabled

  5. Check /var/log/maillog. There should be lines starting with "PWD=" pointing to the domain folders where the scripts that sent the mail are located.

    The directories from which mail PHP scripts are run can be checked using the following command:

    # grep "PWD=" /var/log/maillog

    Note: If no output is shown from the command above, it means no mail was sent using the PHP mail function from the Plesk virtual host's directory.

    Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

    # zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
    /var/log/maillog:221000
    /var/log/maillog.processed:362327
    /var/log/maillog.processed.1.gz:308956

    If an unusually high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:

    # zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
    891574 sasl_username=admin@example.com

  6. To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

    Also, check the Administrator's Guide
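The checks in steps 5 and 6 depend on `grep` and a positional `cut -f9`, which breaks as soon as the `client=` part of a Postfix log line has a different width. The following Python script is an added example, not part of the original article or of Plesk: it runs the same two checks over a constructed maillog sample, grouping the PWD= entries written by the trace handler by vhost domain (assuming the default /var/www/vhosts/<domain>/ layout) and counting SASL logins per username by matching the sasl_username key rather than a fixed field. The log-line prefix in front of the handler's stderr output and the sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines. The prefix that Plesk's
# handler framework puts in front of the sendmail-trace stderr output is an
# assumption; only the "PWD=<dir>" part comes from the trace script itself.
SAMPLE_MAILLOG = """\
Mar  3 10:01:12 host plesk sendmail[21544]: handlers_stderr: PWD=/var/www/vhosts/example.com/httpdocs/wp-content/uploads
Mar  3 10:01:12 host plesk sendmail[21544]: handlers_stderr: PASS
Mar  3 10:01:15 host plesk sendmail[21560]: handlers_stderr: PWD=/var/www/vhosts/example.com/httpdocs/wp-content/uploads
Mar  3 10:01:20 host plesk sendmail[21571]: handlers_stderr: PWD=/var/www/vhosts/shop.example.net/httpdocs
Mar  3 10:02:01 host postfix/smtpd[21600]: 1F3A2B: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=admin@example.com
Mar  3 10:02:02 host postfix/smtpd[21600]: 1F3A2C: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=admin@example.com
Mar  3 10:02:03 host postfix/smtpd[21601]: 1F3A2D: client=unknown[203.0.113.11], sasl_method=LOGIN, sasl_username=admin@example.com
Mar  3 10:02:05 host postfix/smtpd[21602]: 1F3A2E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Mar  3 10:02:09 host postfix/smtpd[21603]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: authentication failure
"""

# Default Plesk vhost layout: /var/www/vhosts/<domain>/...
VHOST_ROOT = "/var/www/vhosts/"
PWD_RE = re.compile(r"PWD=(\S+)")
SASL_RE = re.compile(r"sasl_method=(\w+), sasl_username=(\S+)")


def script_dirs_by_domain(log_text):
    """Count PWD= entries from the trace handler, grouped by vhost domain.

    Returns {domain: Counter({directory: count})}. A directory outside the
    vhost root is reported under the key "(outside vhosts)".
    """
    result = {}
    for line in log_text.splitlines():
        m = PWD_RE.search(line)
        if not m:
            continue
        directory = m.group(1)
        if directory.startswith(VHOST_ROOT):
            domain = directory[len(VHOST_ROOT):].split("/", 1)[0]
        else:
            domain = "(outside vhosts)"
        result.setdefault(domain, Counter())[directory] += 1
    return result


def sasl_logins(log_text):
    """Count successful SASL authentications per username, any mechanism.

    Failed attempts ("SASL LOGIN authentication failed") carry no
    sasl_username key and are therefore not counted here.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def suspicious_accounts(log_text, threshold):
    """Usernames whose login count reaches the threshold, most active first."""
    counts = sasl_logins(log_text)
    return [(user, n) for user, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print("Sending-script directories per vhost:")
    for domain, dirs in script_dirs_by_domain(SAMPLE_MAILLOG).items():
        print(domain)
        for directory, n in dirs.most_common():
            print(f"  {n:6d}  {directory}")
    print("Accounts at or above the login threshold:")
    for user, n in suspicious_accounts(SAMPLE_MAILLOG, threshold=3):
        print(f"{n:6d} {user}")
```

On a real server, read the files matched by /var/log/maillog* (decompressing the .gz ones) into `log_text` instead of the constructed sample, and pick the threshold from the normal daily login volume of the server rather than a fixed number.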
