Applicable to:
- Plesk for Linux
Question
Many email messages are being sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?
Answer
Warning: if you do not have SSH access contact your service provider or server administrator.
Note: this article is for Postfix only. If qmail is used as a mail server, use the following article: Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Qmail is used?
There is a way to determine from which directory the PHP script sending mail is run.
Note: depending on the operating system and Plesk version, paths can slightly differ. For example: for Debian and Ubuntu use /usr/sbin/sendmail
instead of /usr/sbin/sendmail.postfix
in the commands below.
-
Connect to the server via SSH.
-
Create a
/usr/sbin/sendmail.postfix-wrapper
script with the following content:CONFIG_TEXT: #!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@" -
Create
/var/tmp/mail.send
log file and seta+rw
permissions. Make the wrapper executable, rename the oldsendmail.postfix
file, and link it to the new wrapper:# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix -
Wait for a while to collect data: 30 -60 min.
-
Rename
sendmail.postfix-bin
back to/usr/sbin/sendmail.postfix
:# mv /usr/sbin/sendmail.postfix /root/backup__sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfixNote: File
/var/tmp/mail.send
is not rotated automatically and it is not recommended to leave it for a long period of time as it could consume a server disk space. Delete and create a new file/var/tmp/mail.send
after every check up. -
Check
/var/tmp/mail.send
file. There should be lines starting with "X-Additional-Header" pointing to the domain folders where the scripts that sent the mail are located.The directories, from which mail PHP scripts are run, can be seen using the following command:
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
Note: If no output is shown from the command above, it means no mail was sent using the PHP mail function from the Plesk virtual host's directory.
Usually, that means one of the mail accounts has been compromised. Check the login attempt count:
# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956If an unusually high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com -
To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.
Also, check Administrator's Guide
Comments
5 comments
i not see data in mail.send
Hello @Witawat,
In case the provided steps were done correctly, the cause of such behavior is that there were no messages sent by a script.
Followed steps 1-4, send multiple mails through phpmailer, mail.send stays empty.
Need a solution to monitor ALL outgoing mail..
Plesk 17.8.11 Update #38
Postfix 2.10.1
@Bjorn, the method from this article works in case mail sent through mail() function which uses /usr/bin/sendmail binary (on Plesk it is link to Postfix). phpmailer has own SMTP server implementation by PHP code, it does not use mail server installed on OS, thus it is not possible to track such messages.
The only way is to block all mail that goes not through Postfix by iptables (see additional information section).
@Anton, Thanks for your quick reply, I opened a forum post: https://talk.plesk.com/threads/microsoft-mail-servers-keep-blacklisting-server-ip.351225/
Please sign in to leave a comment.