Detecting Spam Sending Domains On Plesk Server Using Postfix

By default, newer versions of Plesk use Postfix as the MTA. If your Plesk server sends many spam messages and you are not able to find the culprit, this article will help to find domains that contain spamming scripts.

Use ‘mailmang’ utility

First, use the ‘mailmang’ utility to confirm the current MTA.

#plesk sbin mailmng-server –features | grep SMTP_Server

The result will be like the following if it uses Postfix.

$features[‘SMTP_Server’] = “Postfix”;

Find Directory

Now we need to find the directory from which the PHP spam script is executed. For this, we need to create a postfix wrapper script.

Create a file named /usr/sbin/sendmail.postfix-wrapper with the following content.
#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"

Create An Additional Logfile

Create an additional log file /var/tmp/mail.send with a+rw permissions, make the wrapper script executable and follow steps below:

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

It may take around 30 to 60 minutes for the script to collect data. Hence, wait for some time.

Rename The Sendmail

Rename the Sendmail postfix-bin back to /usr/sbin/sendmail.postfix

# mv /usr/sbin/sendmail.postfix /root/backup__sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

Note: The file /var/tmp/mail.send will not be rotated automatically. So keeping this file for a longer time could consume large disk space.

Verify Log File

Check the /var/tmp/mail.send log file and find the lines starting with “X-Additional-Header” which will be pointing to the domain directories from which the scripts are being executed.

#grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

This command will show you directories from which spam or bulk emails are being sent. If the output is empty, it means there were no scripts with PHP mail function was executed from the ‘vhosts’ directory. Verify scripts under this directory and remove if you find any scripts with injected content. You can scan the web directory of this domain to check whether there is any other malware exists and change the account’s password if you suspect its password is compromised.

If the above command didn’t show any directories, we can use the following script to find the email account which has an unusual number of login attempts.

#zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

The result will be like:

32436 sasl_username=user@domain.tld

Change Password Of Mail

Change the password of this email account to stop spamming.

This will help to stop spamming in Postfix. Note that it is very important to stop malicious activities and spamming on servers to keep a good reputation of IP addresses for enhanced Plesk support.