
How to block sending spam

musictus

I run Plesk 10.1.1 on CentOS 5.

Somebody is sending spam, probably with an SMTP or IMAP connection, using a stolen account. I cannot find a way to find which user has been corrupted.

This is the info I found.

In /usr/local/psa/var/log/maillog:

Apr 8 10:53:08 aresca6 qmail-queue-handlers[27599]: [email protected]
Apr 8 10:53:08 aresca6 qmail-queue-handlers[27599]: [email protected]
Apr 8 10:53:08 aresca6 qmail-queue-handlers[27599]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 8 10:53:08 aresca6 qmail-queue-handlers[27599]: recipient[3] = '[email protected]'
Apr 8 10:53:08 aresca6 qmail-queue-handlers[27599]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/[email protected]'
Apr 8 10:53:08 aresca6 qmail-queue-handlers[27599]: starter: submitter[27601] exited normally
Apr 8 10:53:08 aresca6 qmail: 1302252788.841893 new msg 10846538
Apr 8 10:53:08 aresca6 qmail: 1302252788.841966 info msg 10846538: bytes 2696 from <[email protected]> qp 27601 uid 2020
Apr 8 10:53:08 aresca6 qmail: 1302252788.866258 starting delivery 9007: msg 10846538 to remote [email protected]
Apr 8 10:53:08 aresca6 qmail: 1302252788.866366 status: local 0/10 remote 1/20

and in /var/log/messages:

Apr 8 10:53:07 aresca6 kernel: qmail-smtpd[27596]: segfault at 0000000000000000 rip 000000370289abc2 rsp 00007fffdeacfac0 error 4

and it's probably this one:

# lsof -p 27580
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
qmail-smt 27580 qmaild cwd DIR 9,1 4096 3276805 /var/qmail
qmail-smt 27580 qmaild rtd DIR 9,1 4096 2 /
qmail-smt 27580 qmaild txt REG 9,1 57976 3310024 /var/qmail/bin/qmail-smtpd
qmail-smt 27580 qmaild mem REG 9,1 10000 16187432 /lib64/libcom_err.so.2.1
qmail-smt 27580 qmaild mem REG 9,1 613896 39696305 /usr/lib64/libkrb5.so.3.3
qmail-smt 27580 qmaild mem REG 9,1 35728 39692742 /usr/lib64/libkrb5support.so.0.1
qmail-smt 27580 qmaild mem REG 9,1 153720 39696304 /usr/lib64/libk5crypto.so.3.1
qmail-smt 27580 qmaild mem REG 9,1 190976 39696306 /usr/lib64/libgssapi_krb5.so.2.2
qmail-smt 27580 qmaild mem REG 9,1 1366272 46202889 /lib64/libcrypto.so.0.9.8e
qmail-smt 27580 qmaild mem REG 9,1 315032 46333956 /lib64/libssl.so.0.9.8e
qmail-smt 27580 qmaild mem REG 9,1 139416 16187400 /lib64/ld-2.5.so
qmail-smt 27580 qmaild mem REG 9,1 1718120 16187429 /lib64/libc-2.5.so
qmail-smt 27580 qmaild mem REG 9,1 23360 16187452 /lib64/libdl-2.5.so
qmail-smt 27580 qmaild mem REG 9,1 85608 39696882 /usr/lib64/libz.so.1.2.3
qmail-smt 27580 qmaild mem REG 9,1 247496 16187617 /lib64/libsepol.so.1
qmail-smt 27580 qmaild mem REG 9,1 95464 16187623 /lib64/libselinux.so.1
qmail-smt 27580 qmaild mem REG 9,1 92736 16187696 /lib64/libresolv-2.5.so
qmail-smt 27580 qmaild mem REG 9,1 9472 16187693 /lib64/libkeyutils-1.2.so
qmail-smt 27580 qmaild 0u IPv4 984815553 TCP aresca6.teknosurf.it:smtp->host-92-15-182-248.as43234.net:55919 (ESTABLISHED)
qmail-smt 27580 qmaild 1u IPv4 984815553 TCP aresca6.teknosurf.it:smtp->host-92-15-182-248.as43234.net:55919 (ESTABLISHED)
qmail-smt 27580 qmaild 2u IPv4 984815553 TCP aresca6.teknosurf.it:smtp->host-92-15-182-248.as43234.net:55919 (ESTABLISHED)
qmail-smt 27580 qmaild 4u unknown /proc/27580/fd/4 (readlink: No such file or directory)
qmail-smt 27580 qmaild 6u unknown /proc/27580/fd/6 (readlink: No such file or directory)

Any idea of where to search or how to find which username it's using?
 
musictus: Take a look at atomicturtle's distributions. He has 'qmail-scanner' which scans both incoming and outgoing spam. This solution has been a core part of my anti-spam strategy since PLESK 7 -- and I've had the same problems that you have had.

View your mail queue and look carefully through all of the headers -- you might find some clues as to what site is sending it. Additionally, if there are services like Python and Perl that you don't need enabled on accounts, you might try closing those off in case the script that is sending spam uses them.

Another tip - atomicorp.com offers 'Atomic Secured Linux' that will set you back $200/yr, but if your server is turning a profit for you and your clients depend on you, it's a very solid investment.

http://www.atomicorp.com/products/asl.html

Lastly, all of Atomicorp.com's products have their own issues -- especially when you are having them play with new versions of PLESK. Qmail-Scanner and PLESK have historically battled each other over permissions, and ASL will by default stop HORDE from sending mail as well as cause PLESK 10's License Manager to return an Internal Server error (caused by PLESK using ptrace)... All of the known issues with ASL can be read about on the ASL Wiki (although they are not really addressed as being issues, but the solutions are all there).

I really feel for you as these sorts of problems are extremely frustrating. Hiring someone to look for the problem can be costly too... I've yet to find someone who can immediately know how to track these things down -- which is why a good defense that stops BAD behavior is smart.
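
An added example, not part of either post above: one way to narrow down the sending account from the maillog lines quoted in the question is to join each qmail "info msg" line (envelope sender and queueing uid) to its "starting delivery" lines and count remote deliveries per sender. The function names, the threshold of 3 and the sample log are assumptions made for this illustration.

```python
import re
from collections import Counter

# Line shapes copied from the maillog excerpt in the question (qmail-send).
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY = re.compile(r"starting delivery \d+: msg (\d+) to (remote|local) ")

def tally_deliveries(lines):
    """Count deliveries per (envelope sender, queueing uid, 'remote'|'local')."""
    current = {}  # msg number -> (sender, uid); qmail reuses msg numbers
    counts = Counter()
    for line in lines:
        m = INFO.search(line)
        if m:
            msg, sender, uid = m.groups()
            current[msg] = (sender or "<bounce>", int(uid))  # <> is a bounce
            continue
        m = DELIVERY.search(line)
        if m and m.group(1) in current:
            sender, uid = current[m.group(1)]
            counts[(sender, uid, m.group(2))] += 1
    return counts

def noisy_senders(lines, min_remote=3):
    """(sender, uid, remote deliveries) at or above min_remote, busiest first."""
    hits = [(s, u, n) for (s, u, kind), n in tally_deliveries(lines).items()
            if kind == "remote" and n >= min_remote]
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample: addresses, host name, msg numbers and uid 2522 are made up.
SAMPLE_LOG = """\
Apr 8 10:53:08 host qmail: 1302252788.841966 info msg 100: bytes 2696 from <alice@example.com> qp 27601 uid 2020
Apr 8 10:53:08 host qmail: 1302252788.866258 starting delivery 1: msg 100 to remote a@example.net
Apr 8 10:53:08 host qmail: 1302252788.866300 starting delivery 2: msg 100 to remote b@example.net
Apr 8 10:53:09 host qmail: 1302252789.100000 end msg 100
Apr 8 10:53:10 host qmail: 1302252790.000000 info msg 100: bytes 900 from <bob@example.org> qp 27650 uid 2020
Apr 8 10:53:10 host qmail: 1302252790.100000 starting delivery 3: msg 100 to remote c@example.net
Apr 8 10:53:11 host qmail: 1302252791.000000 info msg 101: bytes 2700 from <alice@example.com> qp 27660 uid 2020
Apr 8 10:53:11 host qmail: 1302252791.100000 starting delivery 4: msg 101 to remote d@example.net
Apr 8 10:53:11 host qmail: 1302252791.200000 starting delivery 5: msg 101 to remote e@example.net
Apr 8 10:53:12 host qmail: 1302252792.000000 info msg 102: bytes 500 from <> qp 27670 uid 2522
Apr 8 10:53:12 host qmail: 1302252792.100000 starting delivery 6: msg 102 to local f@example.com
""".splitlines()

if __name__ == "__main__":
    for sender, uid, n in noisy_senders(SAMPLE_LOG):
        print(f"{n:5d} remote deliveries  uid={uid}  from=<{sender}>")
```

The envelope sender can be forged, so a hit is a lead rather than proof; the uid is the local user whose process queued the message, which helps separate mail accepted over SMTP from mail injected by a script running under a site's account.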
 