• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

How-to-Track Down Source of Spam on Linux-Plesk Server

bradz

Regular Pleskian
From time to time, I run into this issue and I often feel that I do not have a step by step approach.
I am hoping can get some help.

This is some of my present steps I use.

1. Log into Plesk and check the mail queue ...look at volume and sender.

Question: if it states
Subject Undelivered Mail Returned to Sender
Sender MAILER-DAEMON@..... (Mail Delivery System)
Does this mean it is a Script on the server, that a spammer is using?

2. Look log files
....# tail -n 1100 /var/log/messages
....# tail -f /usr/local/psa/var/log/maillog ------ use ctrl c to exit

3. If client states they have tons of junk mail and a slow running computer, look for infection.

4. Look for Scripts, but this is hard (Question: does plesk have a way to help?)

5. Look for email accounts that are getting large volume of emails (very timely)

What do you do?
Thanks for any help.
Brad
 
One thing that helped me when I initially transferred a number of domains to Plesk Panel, was to ensure that in the subscription mail settings, I had selected "reject" under the what to do with mail sent to non-existent recipients.

To help me further, I installed Webmin, which enabled me to easily read the mails that were stuck in the mail-queue. It helped me work out where these non-delivery reports were coming from ie which domains were causing them.

Spammers quite often send emails to [email protected]. If your mail server can not find a mailbox for the user, it tries to send a non-delivery report to the sender. If the senders address doesn't exist, it will sit in the mail-queue until the server gives up.

When I initially transferred around 50 domains to a Plesk server, I often had hundreds of non-delivery report emails in the mail-queue until I changed the option to reject unknown addresses server-wide.

EDIT TO ADD: Also, by having the server attempt to send non-delivery emails (bounce) your server IP can end up black-listed for BACKSCATTER!
 
Last edited:
Thanks!

Very good points Dave, I am taking notes and I am going to research Webmin.
Brad
 
Webapps view

Finding which domains have webapps may also help
go to Tools & Setting ---> Summary Report ---> change it for Full Report and then look at Domains
 
Another thing to check is that any contact forms on hosted websites are using up-to-date script versions. Any CMS software updated to latest releases etc. All general good security practices. Not always the easiest to stay on top of if your are providing hosting to customers.
 
scripts

They are one of my problems, I normally do not install large cms systems, but I do use scripts for forms and a mini CMS I have developed. The problem is that over time, I make them more secure but I worry about domains I may have forgotten to update the scripts in. Or I worry about if client has installed one.
Question, does anyone have a way to determine if a script is involved (I use php) and which domain to inspect?
 
Back
Top