Tracking down spamming in Plesk – 2

This post will help you to track down spamming from a Plesk server, if its employed using PHP scripts in any of the domains.

– Use this one to view the folders which have mail PHP scripts enabled and running.

# vi /var/qmail/bin/sendmail-wrapper

(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

– Wait for at some time and then change sendmail back:

# rm -f /var/qmail/bin/sendmail
# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Once this is completed, run the following command, which will show you all the folders from where mail PHP scripts were run :

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

– If your PHP version is greater than 5.3, you can also consider about enabling extended logging which will help to add a header to all outgoing email and that will help you to track the location of the script which is involved in spamming.

Add the following line to your php.ini file :

mail.add_x_header = On

– Check out the headers ( check this post know about finding the headers from the queue ) and spot the script involved.