Unable to trace Spam

[Byron R]

Hi there, I am wondering if anyone can help me with an issue I am currently having.

My server is saturated in SPAM e-mails being sent from it, however I am struggling in tracing the root of this problem. I have now exhausted 4 IP addresses and our provider is blocking port 25 automatically on a number of occasions now.

I have used the KB article: http://kb.odin.com/en/114845 to help trace the highest senders of e-mail, however this has proved to be unsuccessful in finding "all" of the offending domains.

I have suspended e-mail and domains on a number of subscriptions due to the high number of e-mails being sent from the system. I have also enabled outbound mail control and set limits to 10/hr however there are domains attempting to exceed this on an hourly basis. I have investigated these subscriptions but am not able to find anything offending. Is there any feature within plesk that can show me exactly where the spam is coming from or a command or program I can install to help with this?

 

[Tsi-Shawn]

Open your php.ini

nano /etc/php.ini

and look for these

; Add X-PHP-Originaiting-Script: that will include uid of the script followed by the filename
mail.add_x_header = On

; Log all mail() calls including the full path of the script, line #, to address and headers
mail.log = /var/log/phpmail.log

Set them as they are above. Once this is done then you can go to:

Tools & Settings -> Mail Server Settings -> Mail Queue.

If you look in the email header of each email you will see the script that it is running from in the filed mail.add_x_header

 

[Byron R]

I've tried using the above solution, however when editing the php.ini I restart the httpd instance to reload the configuration and it doesn't seem to be loading the new php.ini instance.

The Outgoing mail limit program within Plesk is set to 10 e-mails per second however does the limit include mail sent with sendmail feature.

 

[Tsi-Shawn]

Does it error out? If you run a phpinfo() you can see where the php.ini is loading from.

 

[Byron R]

There appeared to be an issue with the php version as it didn't want to load in php 5.3.3 so I upgraded php to 5.4 and the logging works, however it doesn't log all mail sent with PHP which is kind of weird.

 

[Tsi-Shawn]

Another way (and this can suck) is to pull up your mail queue with mailq you should see something like this:

3048FA88A 1422 Tue Aug 27 09:38:04 [email protected] (host 206.247.145.161[206.247.145.161] said: 452 Too many recipients received this hour.

You then have to dig down: nano /var/spool/postfix/deferred/3048FA88A

In that you should see something of value. nano spreads it out in one line so it can be hard to read. I think vim processes it so you can see it better.


I also wrote this to find who is sending the most emails (email addresses login in the most) in an attempt to locate high volume senders;

# Runs a search and looks for the most used email accounts. These could be suspect spammers/hacked accounts
#
zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

 

[Byron R]

I believe I've found the offender and none of the suggestions made by forums here or across the Internet have really helped. Your recommendation I've used to try and find the culprit however it doesn't show all mail sent. In the end I disabled a subscription and watched the FAILURE notices come in to the server manually. Have made a suggestion that plesk introduce a more comprehensive addon for the panel to monitor this. Seeing how much e-mail domains are sending helps but it doesn't allow full diagnosis of the problem