Check Mail logs

hugemonkey

Guest
Hi,

I have recently had a problem with someone sending loads of spam through my server.

Is there a way to look at a log to show me details of all the messages sent via my server?

Thanks in advance.
 
The mail log is normally in /usr/local/psa/var/log/maillog

It can be confusing but give it a little time and you'll get to grips with it.

The problem is that if the emails are being generated by a script on one of your customer's sites then you will be unable to tell which site it is from the maillog alone.

Search for "nobody spammer" on the forum for a topic that gives you some possible ways to trace them.

Faris.
 
Thanks a lot for your help...you're right about it being difficult to interpret!!!

At least I have something to try and read now.
 
Your better bet to determine how and what outbound spam was sent from your host is to go to /var/qmail/queue/messages. Run find ./ and see how many files there are -- if a spammer had a recent outbound attack from your host, within the last few days, there are hundreds to tens of thousands of emails sitting here, the ones that were undeliverable.

If you find messages, view them and see if they are spam. Look closely at the first line of each message. Here is an example of one:

Received: (qmail 23269 invoked by uid 48); 7 Jul 2007 17:31:34 -0700

If the uid listed above ("invoked by uid 48") is the uid of the apache user (which is either nobody, www, apache or www-'something', depending on your OS), it means the spam was sent from apache and most likely means a contact form or similar was compromised. You can then take the date and time listed (7 Jul 2007 17:31:34) and look through the apache access logs (for each domain, it's easy if you script this) for hits that occurred at that time. Most likely you'll find the hit that caused the mail and can remove the script from your server.

This method works about 60% of the time. Some spammers are trickier and install processes used to send spam. To find them, do 'ps -ef | grep $APACHE_USER' and ignore the valid ones showing your webserver, like /usr/sbin/httpd. If you see something like /tmp/a or /usr/sbin/httdp it's 99% sure a hacker script. Finding out how they installed it is a bit tougher.
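The steps in this post (count the queued messages per injecting uid, take the timestamp from the qmail Received header, grep the Apache access logs for the same second, and look for web-user processes that are not the web server) can be scripted. The following POSIX shell script is an added example, not code from the thread or from Plesk. It assumes the header format quoted above, `Received: (qmail N invoked by uid U); D Mon YYYY HH:MM:SS +ZZZZ`; the uid 48, the `/var/qmail/queue/messages` path and the access-log paths are placeholders to replace with your host's values, and the sample queue and log it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a qmail queue directory for
# messages injected by the web-server uid and line them up with Apache access
# logs. Assumes the "Received: (qmail N invoked by uid U); D Mon YYYY HH:MM:SS
# +ZZZZ" header quoted in the post; uid 48 and all paths are placeholders.

# Print "uid DD/Mon/YYYY:HH:MM:SS" from the first qmail Received header of $1,
# or nothing if the file has none. The time is emitted in Apache's log format.
triage_message() {
    sed -n '/^Received: (qmail [0-9]* invoked by uid [0-9]*); /{
s/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)); \([0-9]*\) \([A-Za-z]*\) \([0-9]*\) \([0-9:]*\) .*/\1 \2 \3 \4 \5/p
q
}' "$1" | while read -r uid day mon year hms; do
        printf '%s %02d/%s/%s:%s\n' "$uid" "$day" "$mon" "$year" "$hms"
    done
}

# Walk a queue directory ($1) and print "uid timestamp path" per message.
triage_queue() {
    find "$1" -type f | while read -r f; do
        line=$(triage_message "$f")
        if [ -n "$line" ]; then printf '%s %s\n' "$line" "$f"; fi
    done
}

# Tally messages per injecting uid, most prolific first: "uid count".
# A large count for the Apache uid points at a compromised script.
count_by_uid() {
    triage_queue "$1" | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort -k2,2nr
}

# For every second at which uid $2 injected a message into queue $1, print the
# matching lines from the access logs $3..., prefixed with the log file name.
correlate_hits() {
    qdir=$1; uid=$2; shift 2
    triage_queue "$qdir" | awk -v u="$uid" '$1 == u { print $2 }' | sort -u |
        while read -r ts; do
            grep -F "[$ts" "$@" /dev/null || true
        done
}

# Processes running as the web user ($1) whose executable is not in the
# space-separated allow list $2 (e.g. '/usr/sbin/httpd'); anything else, such
# as a binary in /tmp, deserves a closer look. Runs against the live host only.
unexpected_procs() {
    ps -u "$1" -o pid= -o args= 2>/dev/null |
        awk -v allow="$2" 'BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
                           !($2 in ok) { print }'
}

# Constructed sample data (not real traffic) so the functions can be tried
# offline under $1: two web-injected messages, one from a shell user, and one
# vhost access log with hits in the same seconds as the web-injected mail.
make_sample() {
    mkdir -p "$1/queue/mess" "$1/logs"
    printf 'Received: (qmail 23269 invoked by uid 48); 7 Jul 2007 17:31:34 -0700\nTo: victim@example.test\n\nBuy now\n' > "$1/queue/mess/1"
    printf 'Received: (qmail 23301 invoked by uid 48); 7 Jul 2007 17:31:35 -0700\nTo: other@example.test\n\nBuy now\n' > "$1/queue/mess/2"
    printf 'Received: (qmail 23350 invoked by uid 1001); 7 Jul 2007 17:40:02 -0700\nTo: friend@example.test\n\nHello\n' > "$1/queue/mess/3"
    {
        printf '198.51.100.7 - - [07/Jul/2007:17:30:58 -0700] "GET /index.html HTTP/1.1" 200 1043\n'
        printf '203.0.113.5 - - [07/Jul/2007:17:31:34 -0700] "POST /contact.php HTTP/1.1" 200 512\n'
        printf '203.0.113.5 - - [07/Jul/2007:17:31:35 -0700] "POST /contact.php HTTP/1.1" 200 512\n'
    } > "$1/logs/example.test-access_log"
}

# Offline walkthrough on the constructed data; on a live host call the functions
# directly, e.g.  count_by_uid /var/qmail/queue/messages  (placeholder path) and
# correlate_hits /var/qmail/queue/messages 48 /path/to/vhost/access_log...
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "messages per uid:";      count_by_uid "$tmp/queue"
    echo "hits for uid 48:";       correlate_hits "$tmp/queue" 48 "$tmp/logs/example.test-access_log"
    rm -rf "$tmp"
}
```

Matching on the exact second is what the post describes; on a busy vhost it is often worth trimming the seconds off the grep pattern to look at the whole minute, since the web hit and the queue injection can straddle a second boundary.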
 