
How to Track Down the Source of Spam on a Linux Plesk Server

Discussion in 'Plesk 11.x for Linux' started by bradz, Dec 14, 2012.

  1. bradz, Regular Pleskian
    From time to time I run into this issue, and I often feel that I do not have a step-by-step approach.
    I am hoping I can get some help.

    These are some of the steps I presently use.

    1. Log into Plesk and check the mail queue; look at the volume and the sender.

    Question: if it states
    Subject: Undelivered Mail Returned to Sender
    Sender: MAILER-DAEMON@..... (Mail Delivery System)
    does this mean it is a script on the server that a spammer is using?

    2. Look at the log files:
        # tail -n 1100 /var/log/messages
        # tail -f /usr/local/psa/var/log/maillog   (use Ctrl-C to exit)

    3. If the client states they have tons of junk mail and a slow-running computer, look for an infection.

    4. Look for scripts, but this is hard. (Question: does Plesk have a way to help?)

    5. Look for email accounts that are getting a large volume of emails (very time-consuming).

    What do you do?
    Thanks for any help.
    Brad
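Steps 1 and 2 above both come down to reading the mail queue and the maillog, so here is an added example (not part of bradz's post) of doing that with a script instead of by eye. It summarises a Postfix-format maillog by where each message entered the system, which also answers the MAILER-DAEMON question: a non-delivery report has an empty envelope sender (from=<>), mail relayed through a compromised mailbox carries a sasl_username on its smtpd line, and mail injected by a local PHP script shows up on a pickup line with the uid of the vhost's system user. The log lines below are constructed for the example (queue IDs, addresses and the uid are made up); the log path and line format assume Plesk running Postfix, and qmail logs look different.

```shell
#!/bin/bash
# Added example, not from the forum post: classify outgoing mail in a
# Postfix-style maillog (what Plesk writes to /usr/local/psa/var/log/maillog
# when Postfix is the MTA) by how each message entered the queue:
#   sasl:<login>   relayed through an authenticated mailbox (stolen password)
#   uid:<n>        injected locally via sendmail, i.e. a script on the server
#   bounce:        from=<> non-delivery reports, i.e. backscatter
#   smtp:<sender>  everything else (inbound or unauthenticated SMTP)
# Assumes standard Postfix smtpd/pickup/qmgr log lines.

# Constructed sample log (not a real capture): one mailbox relaying ~40
# recipients per message, one local uid sending from a vhost, two bounces.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 14 10:01:02 srv postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Dec 14 10:01:02 srv postfix/qmgr[2002]: 1A2B3C4D5E: from=<info@example.com>, size=2311, nrcpt=40 (queue active)
Dec 14 10:01:05 srv postfix/smtpd[2101]: 6F7A8B9C0D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Dec 14 10:01:05 srv postfix/qmgr[2002]: 6F7A8B9C0D: from=<info@example.com>, size=2290, nrcpt=38 (queue active)
Dec 14 10:02:11 srv postfix/pickup[2003]: AB12CD34EF: uid=10001 from=<webmaster@shop.example.org>
Dec 14 10:02:11 srv postfix/qmgr[2002]: AB12CD34EF: from=<webmaster@shop.example.org>, size=1540, nrcpt=1 (queue active)
Dec 14 10:02:12 srv postfix/pickup[2003]: BC23DE45F0: uid=10001 from=<webmaster@shop.example.org>
Dec 14 10:02:12 srv postfix/qmgr[2002]: BC23DE45F0: from=<webmaster@shop.example.org>, size=1542, nrcpt=1 (queue active)
Dec 14 10:02:13 srv postfix/pickup[2003]: CD34EF5601: uid=10001 from=<webmaster@shop.example.org>
Dec 14 10:02:13 srv postfix/qmgr[2002]: CD34EF5601: from=<webmaster@shop.example.org>, size=1539, nrcpt=1 (queue active)
Dec 14 10:03:00 srv postfix/qmgr[2002]: DE45F06712: from=<>, size=3100, nrcpt=1 (queue active)
Dec 14 10:03:00 srv postfix/qmgr[2002]: EF56071823: from=<>, size=3080, nrcpt=1 (queue active)
Dec 14 10:05:30 srv postfix/smtpd[2101]: F067182934: client=mail.partner.example[198.51.100.9]
Dec 14 10:05:30 srv postfix/qmgr[2002]: F067182934: from=<alice@partner.example>, size=800, nrcpt=1 (queue active)
EOF

# Join smtpd/pickup lines to qmgr lines on the queue ID (field 6) and sum the
# recipient counts per source. Output: "<recipients> <messages> <source>",
# noisiest source first.
mail_sources() {
  awk '
    { qid = $6; sub(/:$/, "", qid) }
    $5 ~ /^postfix\/smtpd/ && match($0, /sasl_username=[^ ,]+/) {
      login[qid] = substr($0, RSTART + 14, RLENGTH - 14)
    }
    $5 ~ /^postfix\/pickup/ && match($0, /uid=[0-9]+/) {
      pickup[qid] = substr($0, RSTART + 4, RLENGTH - 4)
    }
    $5 ~ /^postfix\/qmgr/ && match($0, /nrcpt=[0-9]+/) {
      n = substr($0, RSTART + 6, RLENGTH - 6) + 0
      match($0, /from=<[^>]*>/)
      from = substr($0, RSTART + 6, RLENGTH - 7)
      if (qid in login)       src = "sasl:" login[qid]
      else if (qid in pickup) src = "uid:" pickup[qid]
      else if (from == "")    src = "bounce:MAILER-DAEMON"
      else                    src = "smtp:" from
      rcpts[src] += n; msgs[src]++
    }
    END { for (s in rcpts) printf "%d %d %s\n", rcpts[s], msgs[s], s }
  ' "$1" | sort -rn
}

# The single worst offender, for quick checks.
top_source() { mail_sources "$1" | head -n 1; }

printf 'RCPTS MSGS SOURCE\n'
mail_sources "$SAMPLE_LOG"
```

On a real server run `mail_sources /usr/local/psa/var/log/maillog`. A `sasl:` entry at the top is a mailbox whose password has leaked (change it and look at the client IPs on the smtpd lines); a `uid:` entry is a script, and `getent passwd 10001` maps the uid to the subscription's system user, whose home directory under /var/www/vhosts names the domain to inspect; a large `bounce:` share is the backscatter problem discussed in the replies below.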
     
  2. DaveKay, Regular Pleskian
    One thing that helped me when I initially transferred a number of domains to Plesk Panel was to ensure that, in the subscription mail settings, I had selected "reject" under what to do with mail sent to non-existent recipients.

    To help me further, I installed Webmin, which enabled me to easily read the mails that were stuck in the mail queue. It helped me work out where these non-delivery reports were coming from, i.e. which domains were causing them.

    Spammers quite often send emails to random@domain.com. If your mail server cannot find a mailbox for the user, it tries to send a non-delivery report to the sender. If the sender's address doesn't exist, it will sit in the mail queue until the server gives up.

    When I initially transferred around 50 domains to a Plesk server, I often had hundreds of non-delivery report emails in the mail queue until I changed the option to reject unknown addresses server-wide.

    EDIT TO ADD: Also, by having the server attempt to send non-delivery emails (bounces), your server IP can end up blacklisted for BACKSCATTER!
     
    Last edited: Dec 14, 2012
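DaveKay's backscatter point is easy to quantify from the command line without Webmin. As an added example (not from the post), this script reads a Postfix queue listing, the output of `mailq` or `postqueue -p`, and reports how much of the queue is non-delivery reports and which domains they are addressed to; those are the forged sender domains of the original spam, which is why the NDRs can never be delivered. The listing below is constructed for the example (queue IDs, addresses and sizes are made up), and Postfix is assumed as the MTA.

```shell
#!/bin/bash
# Added example, not from the forum post: measure the backscatter share of a
# Postfix queue from a `mailq` / `postqueue -p` listing. Assumes Postfix.

# Constructed mailq output (not a real queue): two queued bounces that can
# never be delivered, plus one deferred message from a real mailbox.
SAMPLE_QUEUE=$(mktemp)
trap 'rm -f "$SAMPLE_QUEUE"' EXIT
cat > "$SAMPLE_QUEUE" <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E     3100 Fri Dec 14 10:03:00  MAILER-DAEMON
     (connect to mx.random-sender.example[203.0.113.77]:25: Connection timed out)
                                         bogus12345@random-sender.example

6F7A8B9C0D     3080 Fri Dec 14 10:03:00  MAILER-DAEMON
     (Host or domain name not found. Name service error for name=nowhere.invalid type=MX: Host not found)
                                         zxq99@nowhere.invalid

AB12CD34EF*    2290 Fri Dec 14 10:01:05  info@example.com
                                         victim1@example.net
                                         victim2@example.net

-- 8 Kbytes in 3 Requests.
EOF

# Queued messages per envelope sender. A queue-ID line is "<id>[*!] <size>
# <day> <mon> <date> <time> <sender>", so the sender is field 7; "*" marks
# an active entry and "!" one on hold. MAILER-DAEMON at the top means the
# queue is mostly bounces, not customer mail.
queued_by_sender() {
  awk '$1 ~ /^[0-9A-F]+[*!]?$/ { n[$7]++ }
       END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Domains the bounces are addressed to. Header and summary lines start with
# "-", deferral reasons are the indented "(...)" lines, and every remaining
# single-field line under a MAILER-DAEMON entry is a recipient. These sit in
# the queue until maximal_queue_lifetime (5 days by default) expires.
bounce_targets() {
  awk '/^-/ { next }
       $1 ~ /^[0-9A-F]+[*!]?$/ { bounce = ($7 == "MAILER-DAEMON"); next }
       /^[[:space:]]*\(/ { next }
       bounce && NF == 1 { split($1, p, "@"); d[p[2]]++ }
       END { for (x in d) print d[x], x }' "$1" | sort -rn
}

# Percentage of queued messages that are bounces (integer).
bounce_share() {
  queued_by_sender "$1" | awk '{ t += $1; if ($2 == "MAILER-DAEMON") b += $1 }
                                END { printf "%d\n", (t ? 100 * b / t : 0) }'
}

printf 'queued by sender:\n'; queued_by_sender "$SAMPLE_QUEUE"
printf 'bounce targets:\n';   bounce_targets "$SAMPLE_QUEUE"
printf 'bounce share: %s%%\n' "$(bounce_share "$SAMPLE_QUEUE")"
```

To see which hosted domain a queued bounce belongs to, `postcat -q <queue-id>` prints the message, and the original headers quoted inside the NDR show which address the spam was sent to. Once non-existent recipients are rejected, Postfix refuses the unknown address during the SMTP dialogue (a 550 reply at RCPT TO), so no message is accepted and nothing is left to bounce; `postsuper -d ALL deferred` then clears the existing backlog.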
  3. bradz, Regular Pleskian
    Thanks!

    Very good points, Dave. I am taking notes and I am going to research Webmin.
    Brad
     
  4. bradz, Regular Pleskian
    Web apps view

    Finding which domains have web apps may also help:
    go to Tools & Settings ---> Summary Report ---> change it to Full Report and then look at Domains.
     
  5. DaveKay, Regular Pleskian
    Another thing to check is that any contact forms on hosted websites are using up-to-date script versions, and that any CMS software is updated to the latest release, etc. All general good security practice. Not always the easiest thing to stay on top of if you are providing hosting to customers.
     
  6. bradz, Regular Pleskian
    Scripts

    They are one of my problems. I normally do not install large CMS systems, but I do use scripts for forms and a mini CMS I have developed. The problem is that over time I make them more secure, but I worry about domains where I may have forgotten to update the scripts, or I worry about whether a client has installed one.
    Question: does anyone have a way to determine if a script is involved (I use PHP) and which domain to inspect?
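One answer to the question of which PHP script on which domain is sending the mail, added here as an example and not from the thread: put a wrapper in front of sendmail and point PHP's `sendmail_path` at it. PHP's mail() runs that command with the environment it inherited from the web server, and under CGI/FastCGI/FPM (FastCGI being the Plesk 11 default) that environment includes SCRIPT_FILENAME, HTTP_HOST and REMOTE_ADDR, so the wrapper can log the script, the vhost and the visitor IP for every message before passing it on. The wrapper install name, the Postfix sendmail path and the /var/www/vhosts/<domain>/ layout are assumptions, and the maillog excerpt at the end is constructed for the example. (Under mod_php those variables are not in the environment and only the user and working directory are logged.)

```shell
#!/bin/bash
# Added example, not from the forum thread: a sendmail wrapper that logs which
# PHP script and Plesk vhost handed a message to sendmail.
# Assumptions (not from the page): Postfix's sendmail binary path below, the
# /var/www/vhosts/<domain>/ layout, and the install name "sendmail-wrapper".

REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail.postfix}

# One log line built from what PHP passed down. Unset variables are reported
# explicitly so a caller without them (mod_php, cron) is still recognisable.
origin_line() {
  printf 'script=%s host=%s client=%s cwd=%s user=%s\n' \
    "${SCRIPT_FILENAME:-unknown}" "${HTTP_HOST:-unknown}" \
    "${REMOTE_ADDR:-local}" "$PWD" "$(id -un)"
}

# Map a script path to the subscription it lives in:
# /var/www/vhosts/shop.example.org/httpdocs/form.php -> shop.example.org
vhost_of() {
  local rest
  case "$1" in
    /var/www/vhosts/*) rest=${1#/var/www/vhosts/}; printf '%s\n' "${rest%%/*}" ;;
    *)                 printf 'unknown\n' ;;
  esac
}

# Tally the wrapper's lines in a maillog per vhost, busiest domain first.
# Output: "<count> <vhost>".
count_by_vhost() {
  grep 'sendmail-wrapper' "$1" | grep -o 'vhost=[^ ]*' | sed 's/^vhost=//' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# The wrapper proper: record the origin through syslog (mail facility, so it
# lands next to Postfix's own lines and needs no world-writable log file),
# then hand the message and the original arguments (-t -i ...) to sendmail.
wrap_sendmail() {
  logger -i -p mail.info -t sendmail-wrapper \
    "vhost=$(vhost_of "${SCRIPT_FILENAME:-}") $(origin_line)"
  exec "$REAL_SENDMAIL" "$@"
}

# Act as the wrapper only when installed under that name, i.e. with
#   sendmail_path = "/usr/local/bin/sendmail-wrapper -t -i"
# in php.ini; otherwise the functions above can be used against a saved log.
case "$(basename "$0")" in
  sendmail-wrapper) wrap_sendmail "$@" ;;
esac

# Constructed maillog excerpt (not a real capture) of what the wrapper writes.
SAMPLE_WRAPPER_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_WRAPPER_LOG"' EXIT
cat > "$SAMPLE_WRAPPER_LOG" <<'EOF'
Dec 14 10:02:11 srv sendmail-wrapper[4411]: vhost=shop.example.org script=/var/www/vhosts/shop.example.org/httpdocs/contact.php host=shop.example.org client=203.0.113.5 cwd=/var/www/vhosts/shop.example.org/httpdocs user=shopuser
Dec 14 10:02:12 srv sendmail-wrapper[4412]: vhost=shop.example.org script=/var/www/vhosts/shop.example.org/httpdocs/contact.php host=shop.example.org client=203.0.113.5 cwd=/var/www/vhosts/shop.example.org/httpdocs user=shopuser
Dec 14 10:04:40 srv sendmail-wrapper[4470]: vhost=blog.example.net script=/var/www/vhosts/blog.example.net/httpdocs/wp-comments-post.php host=blog.example.net client=198.51.100.9 cwd=/var/www/vhosts/blog.example.net/httpdocs user=bloguser
EOF
count_by_vhost "$SAMPLE_WRAPPER_LOG"
```

Install it with `chmod 755`, since Plesk runs each subscription's PHP as that subscription's own user, and then `count_by_vhost /usr/local/psa/var/log/maillog` tells you which domain to inspect and the script= field which file. If changing `sendmail_path` is not an option, PHP 5.3 and later offer `mail.add_x_header = On`, which stamps each message with an `X-PHP-Originating-Script` header naming the uid and script, and `mail.log = <file>`, which records every mail() call with the script path and line; both are php.ini directives and can be set per domain in Plesk's PHP settings.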
     