SPAM email PHP Plesk
The original post is from http://www.uk-cheapest.co.uk/blog/2012/01/how-to-find-an-anonymous-spammer-on-a-plesk-server/
1) List the mail queue to get the message ID:
# /var/qmail/bin/qmail-qread
6 Jan 2012 09:14:53 GMT #34012584 2987 <anonymous@server.microlite8.com>
    remote ankush_krishna2137@yahoo.com
2) Now we have a message ID, let's search for the actual message:
# find /var/qmail/queue/ -name 34012584
/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584
3) Great! Now let's see what's in the message to get out that all-telling UID:
# cat /var/qmail/queue/mess/0/34012584
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>
4) Let's map the UID to a domain name on the Plesk server:
# grep ':10820:' /etc/passwd
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false
5) Spammer caught
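The same trace, as an added Python helper that is not part of either original post: it parses qmail-qread output, pulls the "invoked by uid" Received header of each queued message and maps that UID through /etc/passwd to the Plesk vhost directory, so a queue full of messages can be attributed in one pass instead of one cat and grep at a time. The queue listing, header blocks and passwd lines below are constructed samples; `read_queue_headers` is the only function that touches a real queue, and the paths it assumes (`/var/qmail/queue/mess/<hash>/<msgid>`, `/var/www/vhosts`) are the ones shown in the post above.

```python
import glob
import os
import re
from collections import defaultdict

# Constructed sample data (not captured from a real server).
# qmail-qread prints one "date #msgid size <sender>" line per queued message,
# followed by one indented "remote"/"local" line per recipient.
QREAD_SAMPLE = (
    "6 Jan 2012 09:14:53 GMT  #34012584  2987  <anonymous@server.example.com>\n"
    "\tremote\trecipient1@example.org\n"
    "\tremote\trecipient2@example.net\n"
    "6 Jan 2012 09:15:10 GMT  #34012590  1120  <orders@shop.example.com>\n"
    "\tremote\tcustomer@example.org\n"
)
# Header blocks as they would be read from /var/qmail/queue/mess/<hash>/<msgid>.
HEADERS_SAMPLE = {
    "34012584": (
        "Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000\n"
        "Subject: Urgent Reply\n"
        "From: Someone <someone@example.com>\n"
    ),
    "34012590": (
        "Received: (qmail 10101 invoked from network); 6 Jan 2012 09:15:09 +0000\n"
        "Subject: Your order\n"
    ),
}
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "popuser:x:110:31::/var/qmail/popuser:/bin/false\n"
    "admin947932:x:10820:2523::/var/www/vhosts/spamming-site.example:/bin/false\n"
)

QREAD_HEADER = re.compile(r"^(?P<date>.+?)\s+#(?P<msgid>\d+)\s+(?P<size>\d+)\s+<(?P<sender>[^>]*)>")
QREAD_RCPT = re.compile(r"^\s+(remote|local)\s+(\S+)")
INVOKED_BY_UID = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)", re.M)

def parse_qread(text):
    """qmail-qread output -> list of {msgid, sender, size, recipients}."""
    entries = []
    for line in text.splitlines():
        m = QREAD_HEADER.match(line)
        if m:
            entries.append({"msgid": m["msgid"], "sender": m["sender"],
                            "size": int(m["size"]), "recipients": []})
            continue
        r = QREAD_RCPT.match(line)
        if r and entries:
            entries[-1]["recipients"].append(r.group(2))
    return entries

def invoking_uid(headers):
    """UID from the 'invoked by uid N' Received header; None when the message
    arrived over SMTP ('invoked from network') rather than from a local process."""
    m = INVOKED_BY_UID.search(headers)
    return int(m.group(1)) if m else None

def parse_passwd(text):
    """uid -> (username, home directory) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            users[int(f[2])] = (f[0], f[5])
    return users

def vhost_domain(home, vhosts_dir="/var/www/vhosts"):
    """Plesk domain owning the account, if its home lies under the vhosts dir."""
    prefix = vhosts_dir.rstrip("/") + "/"
    return home[len(prefix):].split("/", 1)[0] if home.startswith(prefix) else None

def read_queue_headers(msgid, queue_dir="/var/qmail/queue"):
    """Header block of a queued message on a live server (replaces the find + cat step).
    Returns "" when no file for that message ID exists under mess/."""
    for path in glob.glob(os.path.join(queue_dir, "mess", "*", msgid)):
        with open(path, "rb") as fh:
            return fh.read().split(b"\n\n", 1)[0].decode("utf-8", "replace")
    return ""

def triage(qread_text, headers_by_msgid, passwd_text, vhosts_dir="/var/www/vhosts"):
    """Attribute each queued message to a local UID, username and Plesk domain."""
    users = parse_passwd(passwd_text)
    rows = []
    for e in parse_qread(qread_text):
        uid = invoking_uid(headers_by_msgid.get(e["msgid"], ""))
        user, home = users.get(uid, (None, None))
        rows.append({"msgid": e["msgid"], "sender": e["sender"],
                     "recipients": len(e["recipients"]), "uid": uid, "user": user,
                     "domain": vhost_domain(home, vhosts_dir) if home else None})
    return rows

def by_domain(rows):
    """Queued-message count per attributed domain (None = not sent by a local process)."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["domain"]] += 1
    return dict(counts)
```

On a live server the header map is built from the real queue, `{e["msgid"]: read_queue_headers(e["msgid"]) for e in parse_qread(qread_output)}`, and `by_domain` then shows which vhost is responsible for most of the backlog. Messages whose first Received header says "invoked from network" came in over SMTP and get `uid = None`; they need a different investigation (SMTP auth logs), which this helper deliberately does not guess at.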
The original post is from http://kb.parallels.com/en/1711
Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?
Article ID: 1711
Created On: Feb 20, 2007
Last Review: Apr 7, 2013
APPLIES TO:
- Parallels Plesk Panel
Resolution
Note: This article is for Qmail; if you are using the Postfix mail server, see this article instead:
114845 Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?
Warning: using this method may increase server load, because each message submitted to the local mail server goes through additional processing steps. If you experience problems with high server load after applying the instructions in step #2, revert them using the instructions in step #3.
There is a way to determine from which folder the PHP script that sends mail was run. Note: depending on your OS and Plesk version, the paths can differ slightly from those listed below.
1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:
#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"
Note: the file should be exactly two lines, including the '#!/bin/sh' line.
2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename old sendmail; and link it to the new wrapper:
~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
3) Wait for an hour and change back sendmail:
~# rm -f /var/qmail/bin/sendmail
~# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to domain folders where the scripts which sent the mail are located.
You can see all the folders from where mail PHP scripts were run with the following command:
~# grep X-Additional /var/tmp/mail.send | grep "$(awk '/^HTTPD_VHOSTS_D/ {print $2}' /etc/psa/psa.conf)"
If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.
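An added Python script (not from the KB article) that does the analysis the grep command above does, and goes a step further: it reads HTTPD_VHOSTS_D from psa.conf, splits /var/tmp/mail.send at each X-Additional-Header line the wrapper prepends, and reports messages per domain together with the exact directory the script ran from and the subject lines, which is usually enough to tell a compromised upload folder from a legitimate shop mailer. The log excerpt and the psa.conf excerpt are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of /var/tmp/mail.send (not captured from a real server).
# Each sendmail invocation starts with the "X-Additional-Header: <cwd>" line that the
# wrapper prepends, followed by the message headers, a blank line and the body.
MAIL_SEND_SAMPLE = (
    "X-Additional-Header: /var/www/vhosts/shop.example/httpdocs\n"
    "To: customer@example.org\n"
    "Subject: Your order has shipped\n"
    "From: orders@shop.example\n"
    "\n"
    "Thanks for your order.\n"
    "X-Additional-Header: /var/www/vhosts/hacked.example/httpdocs/wp-content/uploads\n"
    "To: recipient1@example.net\n"
    "Subject: Urgent Reply\n"
    "From: Someone <someone@example.com>\n"
    "\n"
    "Dear friend,\n"
    "X-Additional-Header: /var/www/vhosts/hacked.example/httpdocs/wp-content/uploads\n"
    "To: recipient2@example.net\n"
    "Subject: Urgent Reply\n"
    "From: Someone <someone@example.com>\n"
    "\n"
    "Dear friend,\n"
    "X-Additional-Header: /usr/local/psa/admin\n"
    "To: admin@example.org\n"
    "Subject: Plesk daily report\n"
    "\n"
    "ok\n"
)
# Constructed excerpt of /etc/psa/psa.conf ("KEY value" lines).
PSA_CONF_SAMPLE = (
    "# Plesk configuration\n"
    "PRODUCT_ROOT_D /usr/local/psa\n"
    "HTTPD_VHOSTS_D /var/www/vhosts\n"
)

MARKER = "X-Additional-Header: "

def read_vhosts_dir(psa_conf_text, default="/var/www/vhosts"):
    """HTTPD_VHOSTS_D from psa.conf (what the grep | sed pipeline in the KB extracts)."""
    for line in psa_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "HTTPD_VHOSTS_D":
            return parts[1]
    return default

def parse_mail_send(text):
    """Split the wrapper log into one {cwd, headers} entry per sendmail invocation."""
    entries, current, in_headers = [], None, False
    for line in text.splitlines():
        if line.startswith(MARKER):
            current = {"cwd": line[len(MARKER):].strip(), "headers": {}}
            entries.append(current)
            in_headers = True
        elif current is None or not in_headers:
            continue  # message body, or text before the first marker
        elif line == "":
            in_headers = False  # blank line ends the header block
        elif not line[0].isspace() and ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return entries

def vhost_of(cwd, vhosts_dir):
    """Domain whose vhost directory contains cwd, or None for paths outside it."""
    prefix = vhosts_dir.rstrip("/") + "/"
    return cwd[len(prefix):].split("/", 1)[0] if cwd.startswith(prefix) else None

def summarize(text, vhosts_dir="/var/www/vhosts"):
    """Per-domain message count, sending directories and subject lines."""
    summary = {}
    for e in parse_mail_send(text):
        s = summary.setdefault(vhost_of(e["cwd"], vhosts_dir),
                               {"messages": 0, "dirs": Counter(), "subjects": Counter()})
        s["messages"] += 1
        s["dirs"][e["cwd"]] += 1
        s["subjects"][e["headers"].get("subject", "")] += 1
    return summary

def top_senders(summary, limit=5):
    """Domains ordered by message volume, excluding paths outside the vhosts dir."""
    ranked = sorted(((d, s["messages"]) for d, s in summary.items() if d is not None),
                    key=lambda pair: pair[1], reverse=True)
    return ranked[:limit]

if __name__ == "__main__":
    vhosts = read_vhosts_dir(PSA_CONF_SAMPLE)
    summary = summarize(MAIL_SEND_SAMPLE, vhosts)
    for domain, count in top_senders(summary):
        print(domain, count, dict(summary[domain]["dirs"]))
```

Against the real files, call `summarize(open('/var/tmp/mail.send').read(), read_vhosts_dir(open('/etc/psa/psa.conf').read()))`. Entries under the `None` key are mail sent from outside the vhosts directory (Plesk's own reports, cron jobs), which the KB's grep filters out; they are kept here so that a spam script running from /tmp is not silently dropped from the picture. Since the wrapper copies every message in full into a file that step 2 made world-readable, remove /var/tmp/mail.send once the hour is over and the analysis is done.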
Script to clean up the SPAM (copy and paste in the command line). Note that qmail-qread lists every queued message, so this removes the whole queue, legitimate mail included:
# collect the queue file paths for every message ID qmail-qread reports
for i in `/var/qmail/bin/qmail-qread | awk -F"#" '{print $2}' | awk '{print $1}' | sort | grep '[0-9]'`; do find /var/qmail/queue/ -name "$i" >> /tmp/SPAM01; done
# delete them; the qmail queue should not be modified while qmail-send is running
for j in `cat /tmp/SPAM01`; do rm -rf "$j"; done