Troubleshoot Postfix Spam

RE: http://kb.parallels.com/en/114845

Symptoms: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?

Note: This article is for Postfix. If you are using the Qmail mail server, see this: http://geekdecoder.com/troubleshoot-qmail-spam/

Resolution

Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?

There is a way to determine from which folder the PHP script that sends mail was run.

Note: Depending on your OS and Parallels Plesk Panel (Plesk) version, the paths can slightly differ from those listed below.

Create a /usr/sbin/sendmail.postfix-wrapper script. First create the file and open it for editing:

# touch /usr/sbin/sendmail.postfix-wrapper
# vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:

#!/bin/sh
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"

Note that the script is exactly two lines: the #!/bin/sh line and the pipeline. The pipeline prepends a header containing the working directory of the calling process (for PHP mail() this is the directory of the script), appends the whole message to the log, and hands it on to the real sendmail binary.

Create the log file /var/tmp/mail.send and grant it a+rw rights, make the wrapper executable, rename the original sendmail binary, and link its name to the new wrapper. The commands below do this:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /usr/sbin/sendmail.postfix-wrapper
~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

Wait for an hour, then restore the original sendmail binary:

~# rm -f /usr/sbin/sendmail.postfix
~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.

You can see all the folders from which mail PHP scripts were run with the following command (it reads the vhosts root, HTTPD_VHOSTS_D, from /etc/psa/psa.conf):

~# grep X-Additional /var/tmp/mail.send | grep "$(sed -n 's/^HTTPD_VHOSTS_D[[:space:]]*//p' /etc/psa/psa.conf)"

Note: If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Parallels Plesk Panel virtual hosts directory.
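The grep above only lists raw directory lines. The following POSIX shell script is an added example (not part of the KB article or Plesk) that summarises the wrapper's log per sending directory and per vhost, so the noisiest domain is at the top; the log path, the vhosts root and the sample log content are all constructed for the example.

```shell
#!/bin/sh
# Added example: summarise /var/tmp/mail.send (as written by the
# sendmail.postfix-wrapper above) by sending directory and by vhost.
# Assumes the Plesk layout VHOSTS_ROOT/<domain>/..., and that VHOSTS_ROOT
# contains no regex metacharacters (it is used unescaped in sed).

# count_sending_dirs LOGFILE VHOSTS_ROOT
# Prints "COUNT DIRECTORY", most frequent first, for every injected header
# whose directory lies under VHOSTS_ROOT. Messages sent from elsewhere
# (cron jobs in /root, system daemons) are ignored.
count_sending_dirs() {
    log="$1"; root="$2"
    sed -n "s|^X-Additional-Header: \(${root}/.*\)|\1|p" "$log" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# count_sending_domains LOGFILE VHOSTS_ROOT
# Same, but collapses each directory to the vhost name directly under
# VHOSTS_ROOT, which is the domain the script belongs to.
count_sending_domains() {
    log="$1"; root="$2"
    sed -n "s|^X-Additional-Header: ${root}/\([^/]*\).*|\1|p" "$log" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample of what the wrapper appends: the injected header
# followed by each message's own headers. Not real data.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim@example.net
Subject: hi
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: someone@example.org
Subject: hi
X-Additional-Header: /var/www/vhosts/shop.example/httpdocs
To: customer@example.net
Subject: Your order
X-Additional-Header: /root
To: admin@example.com
Subject: cron output
EOF

count_sending_domains "$SAMPLE_LOG" /var/www/vhosts
```

On a real server, point the functions at /var/tmp/mail.send and the HTTPD_VHOSTS_D value from /etc/psa/psa.conf.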

Usually, that means one of the mail accounts has been compromised. Check the number of SASL login attempts in the mail logs:

# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

If you see an unusually high number of login attempts, it is very likely that accounts were compromised. You can try to identify these accounts in the following way:

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com

To stop spam from being sent, change passwords for compromised accounts and restart the Postfix service.