How to find which domain or vhost is spamming

How to find a spamming script hiding under a vhost if you're running qmail and Parallels Plesk

I am writing this because I'm sure everyone has run into the issue of mail queues running unusually high for no apparent reason, caused by an excessive amount of spam sitting in the queue.

This is written on the premise that you are running qmail as your MTA (mail server) and Parallels Plesk; however, the principle is the same with any mail server, and you can apply the same approach to any setup.

It also assumes you are running Red Hat.

  • It also covers how to set up qmHandle, which will help you manage the qmail queue more efficiently.
  • What we are setting up is a sendmail wrapper that logs an extra X-header (the working directory of the calling script) to a log file.
  • This gives you the ability to see which domain or vhost is sending a large amount of mail through scripts.
  • Once you determine which domain is sending a high volume of mail through the mail server, you can go to the document root of that vhost and start grepping through the files for anything suspicious.
How to setup qmHandle
1. Log into your server and download qmHandle:
wget http://www.nicktailor.com/files/qmhandle-1.3.2.tar.gz
2. Untar the file by running "tar -zxvf qmhandle-1.3.2.tar.gz"
3. Once you have untarred the files, you can run the following commands, which allow you to view the mail queue more efficiently.
./qmHandle (any of the parameters listed below can be used)

Available parameters:
-a : try to send queued messages now (qmail must be running)
-l : list message queues
-L : list local message queue
-R : list remote message queue
-s : show some statistics
-mN : display message number N
-dN : delete message number N
-fsender : delete message from sender
-f're' : delete message from senders matching regular expression re
-Stext : delete all messages that have/contain text as Subject
-h're' : delete all messages with headers matching regular expression re (case insensitive)
-b're' : delete all messages with body matching regular expression re (case insensitive)
-H're' : delete all messages with headers matching regular expression re (case sensitive)
-B're' : delete all messages with body matching regular expression re (case sensitive)
-t're' : flag messages with recipients in regular expression 're' for earlier retry (note: this lengthens the time message can stay in queue)
-D : delete all messages in the queue (local and remote)
-V : print program version

Additional (optional) parameters:
-c : display colored output
-N : list message numbers only
(to be used either with -l, -L or -R)

How I used it

./qmHandle -l (lists all the queues)

./qmHandle -L (lists the individual message IDs sitting in the queue)

./qmHandle -m<ID> (shows the actual contents of the message with that ID)
eg. ./qmHandle -m12345

The reason you want to look at the contents comes later in this tutorial: once you have localized the area the spam is coming from, you will use the message contents to locate the culprit spamming script.

How to set up the sendmail wrapper to localize which vhost/domain the spam is emanating from

1) Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Note, it should be two lines including '#!/bin/sh'. The first command prepends a header carrying the caller's working directory, tee appends the whole message to the log, and the rest is handed to the real qmail sendmail.

2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename the old sendmail; and link it to the new wrapper:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

3) Wait for an hour, then examine the log (you will change sendmail back in step 4):

Examine the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header:" pointing to the domain folders where the scripts that sent the mail are located.
You can list all the folders from which PHP scripts sent mail with the following command:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.

4) Once you have located the domain that appears to be sending the heavy mail, restore the original sendmail binary by running the following commands.

~# rm -f /var/qmail/bin/sendmail
~# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
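As an added example (not from the original post or Plesk's own tooling), the following shell functions parse the wrapper log written above and rank vhosts by how many messages left from under each domain's directory, so the busiest sender stands out instead of being read off by eye; the sample log, the psa.conf path argument and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Ranks the vhosts recorded by the
# sendmail wrapper's "X-Additional-Header: $PWD" lines so the busiest sender
# stands out. The sample log below is constructed; the path layout assumed is
# Plesk's /var/www/vhosts/<domain>/... as set by HTTPD_VHOSTS_D in psa.conf.

# plesk_vhosts_dir [PSA_CONF]: read HTTPD_VHOSTS_D from psa.conf (same lookup
# as the grep/sed pipeline in the tutorial, without the backtick juggling).
plesk_vhosts_dir() {
    awk '$1 == "HTTPD_VHOSTS_D" { print $2 }' "${1:-/etc/psa/psa.conf}"
}

# rank_vhosts LOGFILE [VHOSTS_DIR]: print "<count> <domain>" per vhost, busiest
# first. Headers pointing outside VHOSTS_DIR (cron jobs, root's shell) are dropped.
rank_vhosts() {
    log="$1"
    vhosts="${2:-/var/www/vhosts}"
    grep '^X-Additional-Header: ' "$log" \
        | sed 's|^X-Additional-Header: ||' \
        | grep "^$vhosts/" \
        | sed "s|^$vhosts/||; s|/.*||" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# top_vhost LOGFILE [VHOSTS_DIR]: just the domain with the most mail() calls.
top_vhost() {
    rank_vhosts "$1" "$2" | head -n 1 | awk '{ print $2 }'
}

# make_sample_log: write a constructed wrapper log to a temp file and print its
# path. Each message is the header line the wrapper prepends plus the piped mail.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs
Subject: Viagra blah blah blah
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
Subject: Viagra blah blah blah
X-Additional-Header: /var/www/vhosts/other.test/httpdocs
Subject: Your order has shipped
X-Additional-Header: /root
Subject: Cron <root@host> run-parts /etc/cron.daily
X-Additional-Header: /var/www/vhosts/example.com/httpdocs
Subject: Viagra blah blah blah
EOF
    echo "$f"
}
```

On a live server run `rank_vhosts /var/tmp/mail.send "$(plesk_vhosts_dir)"` after the hour has passed; the domain at the top of the list is where to start grepping.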

Tracking down the culprit script

Now that you have localized the area the spam script is most likely emanating from, you are inside the document root with tons of files and directories to sift through for clues. Earlier you viewed a message ID with qmHandle, which showed you the contents of the message; that content is what you will search for.

Note: keep in mind that there is no exact science to tracking down the culprit; it takes practice and determination to find them sometimes. What I am outlining below will get you started in the right direction, and is usually successful.

1. Type "./qmHandle -m12345" to show the contents of the spam message, and pick out a distinctive string from its first line, something that is unlikely to appear in the application's legitimate web files.

2. While inside the document root of the domain, grep for the spam string as indicated below. This sometimes takes a few goes, and you may need to go through several message IDs and strings before you locate the culprit.

grep -R 'Viagra blah blah blah' /var/www/vhosts/* (this searches recursively for the string in all directories under the parent specified).

That's the end of my tutorial. I hope this helps you; if you have questions, email nick@nicktailor.com

Cheers
