
[QMAIL] Find source of spam

vincenzot

Regular Pleskian
Hello,

I have a problem: my server sends a lot of spam email, but I have trouble finding the source of the spam. The source is not a PHP script; in the header of the email I see this:

Received: (qmail 4181 invoked from network); 1 Oct 2010 22:35:23 +0200
Received: from localhost (HELO www.DOMAINS.it) (127.0.0.1)
by localhost with SMTP; 1 Oct 2010 22:35:23 +0200
Received: (qmail 47240 invoked by uid 33); 01 Oct 2010 20:35:23 +0000
Date: 01 Oct 2010 20:35:23 +0000
Message-ID: <[email protected]>
Subject: ALL PILLS IN BEST ONLINE DRUGSTORE !!!!
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
From: <[email protected]>
To: [email protected]
X-Priority: 3

But "network" means SMTP auth users, so how can I find it if the IP is localhost (127.0.0.1)? On domain.it I have an address of one of my hosted internet sites, but without changing the password the problem is not resolved. How can I block this problem? I use CentOS + qmail.

I hope for your answer.

Regards
 
Did you try to check your server with chkrootkit or with rkhunter at least?

Also you can try to investigate Plesk maillog /usr/local/psa/var/logs/maillog
 
Hello,

I have already checked with chkrootkit; no worms or other suspicious files were found. I have read the maillog, I saw the spam message start, and I see:

Oct 4 09:22:04 web qmail: 1286176924.169129 starting delivery 996: msg 35128411 to remote [email protected]
Oct 4 09:22:04 web qmail: 1286176924.169192 status: local 0/10 remote 1/100
Oct 4 09:22:04 web qmail-remote-handlers[22575]: Handlers Filter before-remote for qmail started ...
Oct 4 09:22:04 web qmail-remote-handlers[22575]: [email protected]
Oct 4 09:22:04 web qmail-remote-handlers[22575]: [email protected]
Oct 4 09:22:04 web qmail-remote-handlers[22575]: hook_dir = '/usr/local/psa/handlers/before-remote'
Oct 4 09:22:04 web qmail-remote-handlers[22575]: recipient[3] = [email protected]'
Oct 4 09:22:04 web qmail-remote-handlers[22575]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/[email protected]'

I have many emails sent from rx_canadanline. How can I find the username that sends them?

For example I see this:

Oct 4 09:22:07 web imapd: IMAP connect from @ [Server_IP_Address]INFO: LOGIN, [email protected], ip=[Server_IP_Address], protocol=IMAP

Is it possible that this email account has the same IP as the server in both logins?
 
Hello

this is the result:

mysql> select * from mail where mail_name='rx_canadanline24117';
Empty set (0.00 sec)

But the email is not always the same; the number 24117 changes for every sent email... Is it possible to find the domain, or is there another solution? My mail server is on a blacklist today :(

Thanks for your time
 
Well, it looks like you have a spam-sender script installed somewhere in your system. I think it would be better to contact the support team if you can't find it yourself. Check all temp directories like /tmp and /var/tmp for files and directories with suspicious names or with names beginning with a dot. Check all processes with 'ps aux' and try to find suspicious processes at least.
 
Try to use mod_security, and also check which UID is sending out and which PHP files are requested too many times with a contact form (or send email).
 
Hello

No suspicious files in tmp; anyway, I have deleted all data in /tmp and /var/tmp.

The email is not sent from a PHP script but from an account, because qmail is "invoked by network". Another question: how can I see in /var/log/messages the username that does the login? I see only the IP address, but how can I see the username?

I see many of these accesses:

Oct 4 21:29:49 web xinetd[2378]: START: smtp pid=26568 from=127.0.0.1
Oct 4 21:30:34 web xinetd[2378]: START: smtp pid=27030 from=127.0.0.1
Oct 4 21:31:06 web xinetd[2378]: START: smtp pid=27264 from=127.0.0.1
Oct 4 21:32:31 web xinetd[2378]: START: smtp pid=28301 from=127.0.0.1
Oct 4 21:32:33 web xinetd[2378]: START: smtp pid=28333 from=127.0.0.1
Oct 4 21:33:41 web xinetd[2378]: START: smtp pid=28897 from=127.0.0.1
Oct 4 21:34:05 web xinetd[2378]: START: smtp pid=29126 from=127.0.0.1
Oct 4 21:34:10 web xinetd[2378]: START: smtp pid=29162 from=127.0.0.1
Oct 4 21:34:57 web xinetd[2378]: START: smtp pid=29524 from=127.0.0.1
Oct 4 21:36:44 web xinetd[2378]: START: smtp pid=30459 from=127.0.0.1
Oct 4 21:37:05 web xinetd[2378]: START: smtp pid=30656 from=127.0.0.1
Oct 4 21:37:07 web xinetd[2378]: START: smtp pid=30682 from=127.0.0.1
Oct 4 21:37:48 web xinetd[2378]: START: smtp pid=30934 from=127.0.0.1
Oct 4 21:38:34 web xinetd[2378]: START: smtp pid=31315 from=127.0.0.1
Oct 4 21:39:32 web xinetd[2378]: START: smtp pid=32049 from=127.0.0.1
Oct 4 21:40:04 web xinetd[2378]: START: smtp pid=32346 from=127.0.0.1
Oct 4 21:40:27 web xinetd[2378]: START: smtp pid=32547 from=127.0.0.1
Oct 4 21:40:44 web xinetd[2378]: START: smtp pid=32659 from=127.0.0.1
Oct 4 21:41:54 web xinetd[2378]: START: smtp pid=726 from=127.0.0.1
Oct 4 21:42:48 web xinetd[2378]: START: smtp pid=1211 from=127.0.0.1
Oct 4 21:44:26 web xinetd[2378]: START: smtp pid=1989 from=127.0.0.1
Oct 4 21:47:28 web xinetd[2378]: START: smtp pid=3494 from=127.0.0.1
Oct 4 21:47:33 web xinetd[2378]: START: smtp pid=3537 from=127.0.0.1

The emails are sent from 127.0.0.1, but how can I see the email account that does this access? The SMTP is only for authenticated users.
 
Received: (qmail 47240 invoked by uid 33); 01 Oct 2010 20:35:23 +0000
uid 33 = User ID 33 should give you a clue as to who is sending out spam on your system.
 
I would double-check your /etc/passwd; otherwise your system has been seriously hacked. On my system, uid 33 is www-data aka apache, which means you most likely have a PHP script that is being abused and used to send spam. Check your site directories for 777 permissions, and make sure your PHP applications are all the latest versions.
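A way to read the header chain the last two replies point at, as an added example that is not from this thread or from Plesk: it walks the Received: hops the original poster pasted (a constructed copy with addresses redacted) from newest to oldest and reports whether qmail stamped the oldest hop as "invoked by uid N" (a local process, resolved against a constructed /etc/passwd excerpt in which uid 33 = apache is an assumption) or "invoked from network" (an SMTP client such as an authenticated mailbox).

```python
import re

# Constructed sample: the Received: chain the poster quoted (addresses redacted),
# with the folded continuation line indented as in a raw message.
SAMPLE_HEADERS = (
    "Received: (qmail 4181 invoked from network); 1 Oct 2010 22:35:23 +0200\n"
    "Received: from localhost (HELO www.DOMAINS.it) (127.0.0.1)\n"
    "  by localhost with SMTP; 1 Oct 2010 22:35:23 +0200\n"
    "Received: (qmail 47240 invoked by uid 33); 01 Oct 2010 20:35:23 +0000\n"
    "Subject: ALL PILLS IN BEST ONLINE DRUGSTORE !!!!\n"
)
# Constructed /etc/passwd excerpt; uid 33 = apache is an assumption here, the real
# mapping must be read from the affected server's own /etc/passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "apache:x:33:33:Apache:/var/www:/sbin/nologin\n"
    "popuser:x:110:31:Plesk mailbox user:/var/qmail/popuser:/bin/false\n"
)
UID_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
NET_RE = re.compile(r"\(qmail \d+ invoked from network\)")

def received_headers(raw):
    """Return the Received: values, unfolded, in the order they appear (newest first)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines() if line.startswith("Received:")]

def classify_injection(raw):
    """Classify the oldest hop: qmail-queue stamps 'invoked by uid N' when a local
    process injected the message and 'invoked from network' for an SMTP client."""
    hops = received_headers(raw)
    oldest = hops[-1] if hops else ""
    m = UID_RE.search(oldest)
    if m:
        return {"origin": "local-process", "uid": int(m.group(1))}
    if NET_RE.search(oldest):
        return {"origin": "network", "uid": None}
    return {"origin": "unknown", "uid": None}

def resolve_uid(uid, passwd_text):
    """Map a numeric uid to its account name using /etc/passwd-style lines."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None

def triage(raw, passwd_text):
    """(origin, account): 'network' points at a mailbox password, 'local-process'
    at whatever runs as that account, e.g. a web script under the web server's uid."""
    info = classify_injection(raw)
    account = resolve_uid(info["uid"], passwd_text) if info["uid"] is not None else None
    return info["origin"], account
```

On the poster's headers the oldest hop is the uid 33 injection, so the topmost "invoked from network" line only records the loopback SMTP hop and is not evidence of an authenticated mailbox.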
 