Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?

Created:

2016-11-16 12:49:00 UTC

Modified:

2017-08-17 20:55:00 UTC

Applicable to:

  • Plesk for Linux

Question

Many email messages are being sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?

Answer

Note: this article is for Postfix only. If qmail is used as a mail server, use the following article: Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Qmail is used?

PHP's mail() function does not speak SMTP itself: it runs the sendmail binary named by the sendmail_path directive (on Plesk with Postfix, /usr/sbin/sendmail.postfix), and for web requests PHP switches to the executed script's directory before running it, so the binary inherits that directory as its working directory. Wrapping the binary in a script that records $PWD therefore reveals the directory of every PHP script that sends mail.

Note: depending on the operating system and Plesk version, paths can slightly differ. PHP 5.3 and later can also record the origin on its own (mail.add_x_header = On adds an X-PHP-Originating-Script header with the script's uid and file name, and mail.log = <file> logs every mail() call), but the wrapper below works regardless of the PHP configuration.

  1. Create a /usr/sbin/sendmail.postfix-wrapper script with the following content. It prepends a header naming the working directory, appends a copy of the whole message to /var/tmp/mail.send, and hands the message on to the real binary, which is renamed in the next step:

    #!/bin/sh
    (echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"
  2. Create the /var/tmp/mail.send log file and set a+rw permissions (the wrapper runs as whichever user calls sendmail, typically the web server or a subscription's system user, so all of them must be able to append to it). Make the wrapper executable, rename the original sendmail.postfix binary, and link its name to the wrapper:

    # touch /var/tmp/mail.send
    # chmod a+rw /var/tmp/mail.send
    # chmod a+x /usr/sbin/sendmail.postfix-wrapper
    # mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    # ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
  3. Wait for a while (long enough for the spam run to send some messages), then put the original binary back. mv replaces the symlink in a single rename, so the name never goes missing; the separate rm of the link is not needed:

    # mv -f /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
    # rm /usr/sbin/sendmail.postfix-wrapper

Note: while the wrapper is in place, the full content of every message handed to sendmail, legitimate mail included, is copied into a world-readable file, and the added header exposing the server's directory layout is delivered to recipients. Keep the capture window short and delete /var/tmp/mail.send once the analysis is done.
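The following is an added example, not part of this article and not Plesk's own code: it exercises the wrapper mechanism in a scratch directory, with a stub standing in for the real /usr/sbin/sendmail.postfix-bin, so the behaviour can be checked before touching a production MTA. It differs from the article's wrapper in three assumed details: $PWD is quoted, the caller's uid and a timestamp are logged, and the directory marker goes to the log only, so the outbound message reaches recipients unchanged. All paths under $WORK are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Plesk article). Simulates: PHP mail() ->
# sendmail.postfix (symlink) -> wrapper -> real MTA binary (stubbed here).
set -u
WORK=$(mktemp -d)
LOG="$WORK/mail.send"                               # stands in for /var/tmp/mail.send
SCRIPT_DIR="$WORK/vhosts/example.com/httpdocs"      # constructed vhost directory
mkdir -p "$SCRIPT_DIR"
: > "$LOG"

# Stub for the real MTA binary: records exactly what Postfix would receive.
cat > "$WORK/sendmail.postfix-bin" <<'EOF'
#!/bin/sh
cat >> "$(dirname "$0")/delivered"
EOF

# Wrapper variant: marker lines go to the log only, then the message is
# copied to the log and passed on unmodified (the article's version also
# prepends X-Additional-Header to the mail itself).
cat > "$WORK/sendmail.postfix-wrapper" <<EOF
#!/bin/sh
LOG="$LOG"
BIN="$WORK/sendmail.postfix-bin"
{ echo "X-Additional-Header: \$PWD"
  echo "X-Additional-Info: uid=\$(id -u) time=\$(date -u +%Y-%m-%dT%H:%M:%SZ) args=\$*"
} >> "\$LOG"
tee -a "\$LOG" | "\$BIN" "\$@"
EOF
chmod +x "$WORK/sendmail.postfix-bin" "$WORK/sendmail.postfix-wrapper"
ln -s "$WORK/sendmail.postfix-wrapper" "$WORK/sendmail.postfix"

# Simulate PHP's mail(): sendmail is started with the script's directory
# as working directory, which is what the wrapper records.
send_from_dir() {
    ( cd "$1" && printf 'To: victim@example.net\nSubject: test\n\nhello\n' \
        | "$WORK/sendmail.postfix" -t -i )
}

send_from_dir "$SCRIPT_DIR"
echo "== captured log =="; cat "$LOG"
echo "== what the MTA received =="; cat "$WORK/delivered"
```

The first log line names the constructed vhost directory, the message copy follows it, and the stub's "delivered" file contains the message without any added header.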

Check the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header" naming the domain directories where the scripts that sent the mail are located.

The directories from which PHP mail scripts are run, together with the number of messages sent from each, can be listed with the following command (HTTPD_VHOSTS_D in /etc/psa/psa.conf holds the virtual hosts root, usually /var/www/vhosts):

# grep X-Additional-Header /var/tmp/mail.send | grep "$(awk '/^HTTPD_VHOSTS_D/ {print $2}' /etc/psa/psa.conf)" | sort | uniq -c | sort -rn

Note: if the command above shows no output, no mail was sent through the PHP mail function from a Plesk virtual host directory during the capture window.

In that case the spam is usually being submitted over authenticated SMTP with a stolen password, i.e. one of the mail accounts has been compromised. Count the authenticated submissions recorded in the mail log. Postfix writes sasl_method= and sasl_username= only after a client has authenticated successfully (failed attempts appear as "SASL ... authentication failed" warnings and are not counted here); matching on sasl_method= rather than sasl_method=LOGIN also covers clients using PLAIN:

# zgrep -c 'sasl_method=' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

If the number is far above what the server's users normally send, it is very likely that accounts were compromised. Identify them by counting submissions per account, extracting the field by name rather than by position so the command does not depend on the exact log line layout:

# zgrep -oh 'sasl_username=[^, ]*' /usr/local/psa/var/log/maillog* | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com
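The two checks described above (script directories from the wrapper log, and authenticated submissions from the Postfix log), as an added example that is not part of the article: the log excerpts are constructed inline so the commands can be tried offline, and the real files they stand in for are /var/tmp/mail.send and /usr/local/psa/var/log/maillog*. The third function, which lists the client IPs that authenticated as one account, goes beyond the article; it is the check that usually separates a stolen password (many unrelated addresses) from a busy but legitimate mailbox.

```shell
#!/bin/sh
# Added example (not from the Plesk article): the article's log checks as
# functions, run over constructed samples. Use zgrep on real rotated logs.
set -u
SAMPLE=$(mktemp -d)

# Constructed excerpt of what the wrapper appends to /var/tmp/mail.send.
cat > "$SAMPLE/mail.send" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: a@example.net
Subject: offer

body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: b@example.net
Subject: offer

body
X-Additional-Header: /var/www/vhosts/example.org/httpdocs
To: c@example.net
Subject: contact form

body
X-Additional-Header: /root
To: root@localhost
Subject: cron

body
EOF

# Constructed Postfix smtpd lines. sasl_username= appears only after a
# successful authentication; a failure is logged as a warning without it.
cat > "$SAMPLE/maillog" <<'EOF'
Nov 16 12:49:01 mail postfix/smtpd[1201]: 1A2B3C: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=admin@example.com
Nov 16 12:49:02 mail postfix/smtpd[1201]: 1A2B3D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=admin@example.com
Nov 16 12:49:03 mail postfix/smtpd[1205]: 1A2B3E: client=unknown[203.0.113.4], sasl_method=LOGIN, sasl_username=admin@example.com
Nov 16 12:50:00 mail postfix/smtpd[1209]: 1A2B3F: client=home[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 16 12:50:05 mail postfix/smtpd[1209]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
EOF

# Messages per script directory under the Plesk vhosts root ($2, the
# HTTPD_VHOSTS_D value). Directories outside it, e.g. a cron job in /root,
# are dropped, which is what the article's grep against psa.conf does.
script_dirs() {
    grep '^X-Additional-Header: ' "$1" \
      | sed 's/^X-Additional-Header: //' \
      | grep "^$2/" \
      | sort | uniq -c | sort -rn
}

# Authenticated submissions per account, any SASL mechanism.
auth_by_user() {
    grep -oh 'sasl_username=[^, ]*' "$@" | sort | uniq -c | sort -rn
}

# Distinct client IPs that authenticated as the given account.
client_ips_for_user() {
    user=$1; shift
    grep -h "sasl_username=$user\$" "$@" \
      | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p' | sort -u
}

echo "== script directories =="; script_dirs "$SAMPLE/mail.send" /var/www/vhosts
echo "== authenticated submissions =="; auth_by_user "$SAMPLE/maillog"
echo "== client IPs for admin@example.com =="; client_ips_for_user admin@example.com "$SAMPLE/maillog"
```

On the sample, the uploads directory of example.com accounts for two messages, /root is excluded, admin@example.com has three authenticated submissions from two different addresses, and the failed LOGIN attempt is not counted.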

To stop the spam, change the passwords of the compromised accounts and restart the Postfix service: a password change does not end sessions that are already authenticated, so the restart is what disconnects the sender. Messages the spammer has already handed to Postfix are still in the queue; inspect it with postqueue -p and delete the unwanted ones (postsuper -d <queue id>, or postsuper -d ALL if the queue holds nothing worth keeping), otherwise the backlog goes out after the cleanup. If the wrapper log instead pointed to a directory under a virtual host, remove or disable the script found there; changing mailbox passwords does not stop mail sent by a script.

Also visit Administrator's Guide.
