Tracking down spamming in Plesk – 1

Finding the source of spamming in a server provisioned with Plesk is a tough job.

Some of the useful commands which might help you are given down.

  • Find the number of mails hung in the queue :

# /var/qmail/bin/qmail-qstat

  • To get an idea about the the message headers of mails in queue :

# /var/qmail/bin/qmail-qread

The above one shows the senders and recipients of messages. Now try to find this message in the queue by its ID

# find /var/qmail/queue/mess/ -name XXXXXX ( <- Message ID )

cat the o/p file of the above command and inspect the message headers closely.

Examine the message and find the line “Received” to find out from where it was sent for the first time.

For example, if you find:

1-> Received: (qmail 19514 invoked by uid xxxx ); 13 Sep 2005 17:48:22 +0700

It means that this message was sent via a CGI by user with UID xxxx . Using this UID, it is possible to find the domain:

# grep xxxx /etc/passwd

2-> Received: (qmail 19622 invoked from network); date/time
Received: from external_domain.com (xx.xx.xx.xx)

It means that the message has been accepted and delivered via SMTP, and that the sender is an authorized mail user. This might mean that the password of the email account has been compromised.

You can use the following command to find the users which have attempted to login via authentication. If you find lots of authentication attempts to a particular user/from a particular IP, then it might be the vulnerability present in your server.

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user

Also, when you check the headers of the mail in the queue, if you find that the mails are received from a particular IP address, like :

Received: (qmail 10728 invoked from network); date

Received: from unknown (HELO User) (xx.xx.xx.xx)

by domain.com with SMTP ; date

We can use the tool tcpdump to find out what is being communicated over the network from/to the IP in question :

# tcpdump -i venet0:0 -n src xx.xx.xx.xx \or dst xx.xx.xx.xx -s 2048 -w /home/wiresharklog.pcap

– Replace  venet0:0 with your appropriate interface

– Replace xx.xx.xx.xx with the IP in question.

You will obtain the logs in /home/wiresharklog.pcap. Open this pcap file using wireshark ( or any related softwares ) and have a glance through the ‘Statistics -> Flow graph’ . Check this if you can spot the connections/packets being sent over.

3-> If the “Received” line contains a UID of the user “apache” (for example, invoked by UID 48), it means that spam was sent through a PHP script. Find this post useful for dealing with this.

There is another case of spamming which has been noticed.

– When checking the qmail maillogs (usr/local/psa/var/log/maillog) :

date  xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
date  xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

We can see that spamming is being done by brute forcing Plesk
email passwords and then authenticating using base 64 encoding on the username.

The built in qmail logging cannot handle this encoding and as a result the logs will just show (null) instead of the username used. This is applicable for servers running on older versions of Plesk.

The solution would be to upgrade Plesk to a more stable version.

Note : You can also check if there are any email accounts within your hosting environments which uses the mail name ‘test’. Around 90% of the accounts created as test are employed with weak passwords which make it easier for hackers to brute-force attack them.

Use this query to find if any such ones are there :

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

# SELECT m.mail_name, d.name FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' ;

Hope this was helpful 🙂