{"id":493,"date":"2014-07-31T23:36:41","date_gmt":"2014-07-31T23:36:41","guid":{"rendered":"https:\/\/qbytes.cloud\/?p=493"},"modified":"2014-07-31T23:36:41","modified_gmt":"2014-07-31T23:36:41","slug":"troubleshoot-qmail-spam-2","status":"publish","type":"post","link":"https:\/\/www.qbytes.cloud\/index.php\/2014\/07\/31\/troubleshoot-qmail-spam-2\/","title":{"rendered":"Troubleshoot Postfix Spam"},"content":{"rendered":"

RE:\u00a0http:\/\/kb.parallels.com\/en\/114845<\/a><\/p>\n

[stextbox id=”info”]Symptoms: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?[\/stextbox]<\/p>\n

[stextbox id=”warning”]Note: \u00a0This article is for Postfix. \u00a0If you are using the Qmail mail server, see this:\u00a0https:\/\/qbytes.cloud\/troubleshoot-qmail-spam\/<\/a>[\/stextbox]<\/p>\n

Resolution<\/strong><\/p>\n

Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?<\/p>\n

There is a way to determine from which folder the PHP script that sends mail was run.<\/p>\n

Note: Depending on your OS and Parallels Plesk Panel (Plesk) version, the paths can slightly differ from those listed below.<\/p>\n

Create a \/usr\/sbin\/sendmail.postfix-wrapper script with the following content:<\/p>\n

Create a file and open it for editing:<\/p>\n

#touch \/usr\/sbin\/sendmail.postfix-wrapper\n#vi \/usr\/sbin\/sendmail.postfix-wrapper\n\n<\/pre>\n
Add the following content:<\/p>\n
#!\/bin\/sh\n(echo X-Additional-Header: $PWD ;cat) | tee -a \/var\/tmp\/mail.send|\/usr\/sbin\/sendmail.postfix-bin "$@"\n\n<\/pre>\n
Note that this should be two lines, including #!\/bin\/sh.<\/p>\n
Create a log file, \/var\/tmp\/mail.send, and grant it a+rw rights. Make the wrapper executable, rename the old sendmail, and link it to the new wrapper. Then run the commands below:<\/p>\n
~# touch \/var\/tmp\/mail.send\n~# chmod a+rw \/var\/tmp\/mail.send\n~# chmod a+x \/usr\/sbin\/sendmail.postfix-wrapper\n~# mv \/usr\/sbin\/sendmail.postfix \/usr\/sbin\/sendmail.postfix-bin\n~# ln -s \/usr\/sbin\/sendmail.postfix-wrapper \/usr\/sbin\/sendmail.postfix\n\n<\/pre>\n
Wait for an hour and change the sendmail back:<\/p>\n
~# rm -f \/usr\/sbin\/sendmail.postfix\n~# mv \/usr\/sbin\/sendmail.postfix-bin \/usr\/sbin\/sendmail.postfix\n\n<\/pre>\n
Check the \/var\/tmp\/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.<\/p>\n
You can see all the folders from which mail PHP scripts were run with the following command:<\/p>\n
~# grep X-Additional \/var\/tmp\/mail.send | grep `cat \/etc\/psa\/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's\/HTTPD_VHOSTS_D\/\/' `\n\n<\/pre>\n
[stextbox id=”alert”]NOTE: If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Parallels Plesk Panel virtual hosts directory.[\/stextbox]<\/p>\n
Usually, that means one of the mail accounts has been compromised. Check login attempt count:<\/p>\n
# zgrep -c 'sasl_method=LOGIN' \/usr\/local\/psa\/var\/log\/maillog*\n\/usr\/local\/psa\/var\/log\/maillog:221000\n\/usr\/local\/psa\/var\/log\/maillog.processed:362327\n\/usr\/local\/psa\/var\/log\/maillog.processed.1.gz:308956\n\n<\/pre>\n
If you see an unusually high number of login attempts, it is very likely that accounts were compromised. You can try to identify these accounts in the following way:<\/p>\n
# zgrep 'sasl_method=LOGIN' \/usr\/local\/psa\/var\/log\/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head\n891574 sasl_username=admin@example.com\n\n<\/pre>\n
To stop spam from being sent, change passwords for compromised accounts and restart the Postfix service.<\/p>\n","protected":false},"excerpt":{"rendered":"
RE:\u00a0http:\/\/kb.parallels.com\/en\/114845 [stextbox id=”info”]Symptoms: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?[\/stextbox] [stextbox id=”warning”]Note: \u00a0This article is for Postfix. \u00a0If you are using the Qmail mail server, see this:\u00a0https:\/\/qbytes.cloud\/troubleshoot-qmail-spam\/[\/stextbox] Resolution Many email messages are sent from … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86,92,108],"tags":[],"class_list":["post-493","post","type-post","status-publish","format-standard","hentry","category-plesk","category-qmail","category-spam"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=493"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/493\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}