Many email messages are sent from PHP scripts on a Plesk server. How to find domains on which these scripts are running if Postfix is used?

Updated August 09, 2022 10:16

Plesk for Linux FR:PPM-2148 kb: how-to ABT: Group A

Applicable to:

Plesk for Linux

Question

Many email messages are being sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?

Answer

Warning: if you do not have SSH access contact your service provider or server administrator.

Note: This article is applicable to the Postfix mail server only.
If the Qmail mail server is used, see Many email messages are sent from PHP scripts on Plesk server. How to find domains on which these scripts are running if Qmail is used?

There is a way to determine from which directory the PHP script sending mail is run.

Note: depending on the operating system and Plesk version, paths can slightly differ. For example: for Debian and Ubuntu use /usr/sbin/sendmail instead of /usr/sbin/sendmail.postfix in the commands below.

Click on a section to expand

RHEL/CentOS

Connect to the server via SSH.
Create a /usr/sbin/sendmail.postfix-wrapper script with the following content:

CONFIG_TEXT: #!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"
Create /var/tmp/mail.send log file and set a+rw permissions. Make the wrapper executable, rename the old sendmail.postfix file, and link it to the new wrapper:

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
Wait for a while to collect data: 30 -60 min.
Rename sendmail.postfix-bin back to /usr/sbin/sendmail.postfix:

# mv /usr/sbin/sendmail.postfix /root/backup__sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

Note: File /var/tmp/mail.send is not rotated automatically and it is not recommended to leave it for a long period of time as it could consume a server disk space. Delete and create a new file /var/tmp/mail.send after every check up.
Check /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header" pointing to the domain folders where the scripts that sent the mail are located.

The directories, from which mail PHP scripts are run, can be seen using the following command:

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

Note: If no output is shown from the command above, it means no mail was sent using the PHP mail function from the Plesk virtual host's directory.

Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

# zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
/var/log/maillog:221000
/var/log/maillog.processed:362327
/var/log/maillog.processed.1.gz:308956

If an unusually high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:

# zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
891574 sasl_username=admin@example.com
To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

Also, check Administrator's Guide

Click on a section to expand

Debian/Ubuntu

Connect to the server via SSH.
Create a /usr/sbin/sendmail-wrapper script with the following content:

CONFIG_TEXT: #!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail-bin "$@"
Create /var/tmp/mail.send log file and set a+rw permissions. Make the wrapper executable, rename the old sendmail file, and link it to the new wrapper:

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /usr/sbin/sendmail-wrapper
# mv /usr/sbin/sendmail /usr/sbin/sendmail-bin
# ln -s /usr/sbin/sendmail-wrapper /usr/sbin/sendmail
Wait for a while to collect data: 30-60 min.
Rename sendmail-bin back to /usr/sbin/sendmail:

# mv /usr/sbin/sendmail /root/backup__sendmail
# mv /usr/sbin/sendmail-bin /usr/sbin/sendmail

Note: File /var/tmp/mail.send is not rotated automatically and it is not recommended to leave it for a long period of time as it could consume a server disk space. Delete and create a new file /var/tmp/mail.send after every check up.
Check /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header" pointing to the domain folders where the scripts that sent the mail are located.

The directories, from which mail PHP scripts are run, can be seen using the following command:

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

Note: If no output is shown from the command above, it means no mail was sent using the PHP mail function from the Plesk virtual host's directory.

Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

# zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
/var/log/maillog:221000
/var/log/maillog.processed:362327
/var/log/maillog.processed.1.gz:308956

If an unusually high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:

# zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
891574 sasl_username=admin@example.com
To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

Also, check Administrator's Guide

Comments

10 comments

Witawat Piyarattanavong August 19, 2018 08:42 (Edited August 19, 2018 08:42)

i not see data in mail.send

0

Comment actions Permalink
Ivan Postnikov August 20, 2018 08:00

Hello @Witawat,

In case the provided steps were done correctly, the cause of such behavior is that there were no messages sent by a script.

0

Comment actions Permalink
Bjorn Joosen February 06, 2019 23:24 (Edited February 06, 2019 23:30)

Followed steps 1-4, send multiple mails through phpmailer, mail.send stays empty.
Need a solution to monitor ALL outgoing mail..

Plesk 17.8.11 Update #38
Postfix 2.10.1

0

Comment actions Permalink
Anton Maslov February 06, 2019 23:38

@Bjorn, the method from this article works in case mail sent through mail() function which uses /usr/bin/sendmail binary (on Plesk it is link to Postfix). phpmailer has own SMTP server implementation by PHP code, it does not use mail server installed on OS, thus it is not possible to track such messages.

The only way is to block all mail that goes not through Postfix by iptables (see additional information section).

0

Comment actions Permalink
Bjorn Joosen February 07, 2019 00:40

@Anton, Thanks for your quick reply, I opened a forum post: https://talk.plesk.com/threads/microsoft-mail-servers-keep-blacklisting-server-ip.351225/

0

Comment actions Permalink
Justin Lnch May 16, 2020 06:30 (Edited May 16, 2020 06:31)

I set this up but when I do a test from Joomla on Centos to use Sendmail as the mailer nothing shows in the log and I receive the email.

My sendmail points here
/usr/sbin/sendmail -> /etc/alternatives/mta

But I do see this
/usr/sbin/sendmail.postfix -> /usr/sbin/sendmail.postfix-wrapper
/usr/sbin/sendmail.postfix-bin -> /usr/lib64/plesk-9.0/sendmail/sendmail.postfix

I get this when checking alternatives
# alternatives --display mta |grep sendmail
link currently points to /usr/lib64/plesk-9.0/postfix-sendmail-wrapper
/usr/sbin/sendmail.postfix - priority 30
slave mta-sendmail: /usr/lib/sendmail.postfix
slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
/usr/lib64/plesk-9.0/postfix-sendmail-wrapper - priority 90
slave mta-sendmail: /usr/lib64/plesk-9.0/postfix-sendmail-wrapper
slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
Current `best' version is /usr/lib64/plesk-9.0/postfix-sendmail-wrapper.

Any ideas?

1

Comment actions Permalink
Anton Maslov June 03, 2020 20:49

Justin if message goes using Plesk server you should see entries in /var/log/maillog. I suggest to do this:

1. Monitor log in real time:

tail -fn0 /var/log/maillog

2. Send message, you should see entries in maillog for any possible errors in attempt to save to /var/tmp/mail.send

0

Comment actions Permalink
Fouad Ahmed Fouad June 30, 2022 11:18

I think there should be a more easier way to fix this! there is no script or command to find out directly what mailbox sent many mails outgoing?

0

Comment actions Permalink
Mikhail Shport July 01, 2022 07:11

Hello Fouad Ahmed Fouad,

Such scripts usually do not use the domain straightforwardly. Once a malicious script gets to a server it might send messages based on its own logic, besides the location. So, it is needed to perform the described operations to catch the events properly.

0

Comment actions Permalink
Emmanuel Delgado July 07, 2022 18:04

Hello everyone.

I manage a server with Plesk 18.0.44 Update 3 on
Ubuntu 20.04.4 LTS
Intel(R) Xeon(R) E-2356G CPU @ 3.20GHz (12 core(s)) and 32 GB RAM

There are 33 domains and 300 email accounts registered on the server.

I have made the solution to check the SPAM because our IP is blocked at least once a week and this is the result:

---------------------
root@server2:~# zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
3798 DIGEST-MD5,
740CRAM-MD5,
233 PLAIN,
51 login,

root@server2:~# zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
/var/log/maillog:0
/var/log/maillog.processed:0
/var/log/maillog.processed.1.gz:0
/var/log/maillog.processed.2.gz:0
/var/log/maillog.processed.3.gz:0
--------------------------

I was wondering if this is normal?

Best Regards

Emmanuel D

0

Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Articles in this section

Applicable to:

Question

Answer

Related articles