
How to Track Down the Source of Spam on a Linux Plesk Server

bradz

Regular Pleskian
From time to time, I run into this issue and I often feel that I do not have a step-by-step approach.
I am hoping I can get some help.

These are some of the steps I presently use.

1. Log into Plesk and check the mail queue ... look at volume and sender.

Question: if it states
Subject Undelivered Mail Returned to Sender
Sender MAILER-DAEMON@..... (Mail Delivery System)
Does this mean it is a Script on the server, that a spammer is using?

2. Look at log files
    # tail -n 1100 /var/log/messages
    # tail -f /usr/local/psa/var/log/maillog      (use Ctrl-C to exit)

3. If client states they have tons of junk mail and a slow running computer, look for infection.

4. Look for scripts, but this is hard (Question: does Plesk have a way to help?)

5. Look for email accounts that are getting a large volume of emails (very timely)

What do you do?
Thanks for any help.
Brad
 
One thing that helped me when I initially transferred a number of domains to Plesk Panel was to ensure that in the subscription mail settings I had selected "reject" under "what to do with mail sent to non-existent recipients".

To help me further, I installed Webmin, which enabled me to easily read the mails that were stuck in the mail queue. It helped me work out where these non-delivery reports were coming from, i.e. which domains were causing them.

Spammers quite often send emails to [email protected]. If your mail server cannot find a mailbox for the user, it tries to send a non-delivery report to the sender. If the sender's address doesn't exist, it will sit in the mail queue until the server gives up.

When I initially transferred around 50 domains to a Plesk server, I often had hundreds of non-delivery report emails in the mail-queue until I changed the option to reject unknown addresses server-wide.

EDIT TO ADD: Also, by having the server attempt to send non-delivery emails (bounce) your server IP can end up black-listed for BACKSCATTER!
 
Thanks!

Very good points Dave, I am taking notes and I am going to research Webmin.
Brad
 
Webapps view

Finding which domains have webapps may also help:
go to Tools & Settings ---> Summary Report ---> change it to Full Report and then look at Domains.
 
Another thing to check is that any contact forms on hosted websites are using up-to-date script versions, and that any CMS software is updated to the latest releases, etc. All general good security practices. Not always the easiest to stay on top of if you are providing hosting to customers.
 
scripts

They are one of my problems. I normally do not install large CMS systems, but I do use scripts for forms and a mini CMS I have developed. The problem is that over time I make them more secure, but I worry about domains where I may have forgotten to update the scripts. Or I worry about whether a client has installed one.
Question: does anyone have a way to determine if a script is involved (I use PHP) and which domain to inspect?
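Two defender-side ways to answer that question, as an added example written for this thread (not code from the original post or from Plesk). PHP itself can record which script sent each message: the `mail.log` php.ini directive writes a line of the form `mail() on [/path/script.php:LINE]: To: ...` for every `mail()` call (and `mail.add_x_header = On` adds an `X-PHP-Originating-Script` header to the message), so aggregating that log by script path names the offending file and, through its path, the domain. Independently, a sweep of the web roots lists every PHP file that calls `mail()` or shells out to sendmail, grouped by domain directory. The script assumes `/var/www/vhosts` as the vhost root and builds a constructed sample tree and constructed log lines for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): tie outgoing mail back to a PHP script
# and therefore to a domain.
#  1) mail_log_by_script: count entries of PHP's own mail.log per script path
#     (format: "mail() on [/path/to/script.php:LINE]: To: ... -- Headers: ...").
#  2) find_mailing_scripts / domains_with_mailing_scripts: static sweep of the
#     web roots for PHP files that call mail() or reference sendmail.
# /var/www/vhosts is assumed to be the Plesk vhost root; the log lines and the
# sample tree below are constructed for the demo.

SAMPLE_PHP_MAIL_LOG='[01-Jun-2024 10:00:00 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: [email protected] -- Headers: From: [email protected]
[01-Jun-2024 10:00:01 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: [email protected] -- Headers: From: [email protected]
[01-Jun-2024 10:00:02 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: [email protected] -- Headers: From: [email protected]
[01-Jun-2024 10:05:00 UTC] mail() on [/var/www/vhosts/other.net/httpdocs/order.php:17]: To: [email protected] -- Headers: From: [email protected]'

# "count script" per calling script, busiest first.
mail_log_by_script() {
  sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\].*/\1/p' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# List PHP files under $1 that call mail() or reference sendmail.
find_mailing_scripts() {
  find "$1" -type f -name '*.php' -exec grep -l -E 'mail\(|sendmail' {} + 2>/dev/null | sort
}

# Reduce that list to the domain directories (first path component under $1).
domains_with_mailing_scripts() {
  find_mailing_scripts "$1" | sed "s#^$1/##" | cut -d/ -f1 | sort -u
}

# Build a small constructed vhost tree for the demo and print its path.
make_sample_vhosts() {
  d=$(mktemp -d)
  mkdir -p "$d/example.com/httpdocs" "$d/other.net/httpdocs" "$d/static.org/httpdocs"
  printf '<?php mail($to, $subject, $body);\n' > "$d/example.com/httpdocs/contact.php"
  printf '<?php $p = popen("/usr/sbin/sendmail -t", "w");\n' > "$d/other.net/httpdocs/order.php"
  printf '<?php echo "hello";\n' > "$d/static.org/httpdocs/index.php"
  echo "$d"
}

# Usage: ./findmailers.sh [vhost-root]   (falls back to the constructed sample)
VHOSTS=${1:-/var/www/vhosts}
if [ -d "$VHOSTS" ]; then
  domains_with_mailing_scripts "$VHOSTS"
else
  SAMPLE=$(make_sample_vhosts)
  printf '%s\n' "$SAMPLE_PHP_MAIL_LOG" | mail_log_by_script
  domains_with_mailing_scripts "$SAMPLE"
  rm -rf "$SAMPLE"
fi
```

The mail.log route is the precise one, because it names the exact file and line for each message actually sent; the sweep is the coarse one for finding forgotten form scripts or ones a client installed before any mail has gone out.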
 