
Find Origin of spam

How to find the origin of spam on a server with qmail and Plesk

This can be very helpful if someone is using your server to send spam and you want to find the source.

Check the number of messages in Qmail queue by running the following command:

/var/qmail/bin/qmail-qstat

You will get output like the following:

messages in queue: 27843
messages in queue but not yet preprocessed: 256

If the queue holds a large number of messages, something is wrong and the server is probably being used to send SPAM. Here is how to find the culprit.

If the mail is being sent through the SMTP server rather than from a PHP script, you can run the following command:

cat /usr/local/psa/var/log/maillog | grep -I smtp_auth | grep -I user | sort | uniq -c | sort -n

The SMTP connections appear with the username, password and source IP address; if there are many connections from the same user, you may have found the culprit.

To see the headers of the messages in the queue, run:

/var/qmail/bin/qmail-qread

This shows the sender and recipients of each message. If a message looks suspicious, investigate it as possible SPAM. You can locate the message file by its id, for example 64166987:

find /var/qmail/queue/mess/ -name 64166987
cat /var/qmail/queue/mess/0/64166987

Examine the message and look for the "Received" line to learn where it was first sent from. For example, if you find:

Received: (qmail 24019 invoked by uid 1007); 3 Nov 2010 12:46:52 +0100

This means the message was sent through a script by the user with uid 1007. Using this uid you can find the domain that is sending the mail:

grep 1007 /etc/passwd

If the uid is 48 (Apache), the mail was sent through a PHP script. In this case you can try to find the spammer using the information in the email itself (To/From addresses, subject or any other data). It is usually very difficult to discover the source of spam in these cases, especially if there are many domains on the server.

If the "Received" line looks like the following:

Received: (qmail 22672 invoked from network); 03 nov 2010 15:30:12 +0800
Received: from dominio.com (192.168.1.1)

it means that the message was accepted and delivered via the SMTP server and the sender is an authorized mail user.
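As an added example (not part of the original post), the following shell script automates the check described above: it reads the first "Received:" header of a queued message, classifies it as script or network origin, and resolves a uid to its account with an exact field match instead of a loose grep. The sample messages and passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Classify the first "Received:"
# header of a queued qmail message and resolve "invoked by uid N" to a login.
# All inputs below are constructed samples, not real queue or passwd data.

MSG_SCRIPT=$(mktemp); MSG_NET=$(mktemp); PASSWD=$(mktemp)
printf '%s\n' \
  'Received: (qmail 24019 invoked by uid 1007); 3 Nov 2010 12:46:52 +0100' \
  'From: spammer@example.invalid' 'Subject: test' '' 'body' > "$MSG_SCRIPT"
printf '%s\n' \
  'Received: (qmail 22672 invoked from network); 03 nov 2010 15:30:12 +0800' \
  'Received: from dominio.com (192.168.1.1)' '' 'body' > "$MSG_NET"
# Constructed passwd lines: uid 48 is apache, uid 1007 a hypothetical domain user
printf '%s\n' 'apache:x:48:48:Apache:/var/www:/sbin/nologin' \
  'ejemplo:x:1007:2523::/var/www/vhosts/ejemplo.invalid:/bin/false' > "$PASSWD"

# Print only the first Received: header of a message file
first_received() { awk '/^Received:/ { print; exit }' "$1"; }

# Classify the origin: prints "script <uid>", "network" or "unknown"
classify_origin() {
  hdr=$(first_received "$1")
  case "$hdr" in
    *'invoked by uid '*)
      echo "script $(echo "$hdr" | sed -n 's/.*invoked by uid \([0-9]*\).*/\1/p')" ;;
    *'invoked from network'*) echo network ;;
    *) echo unknown ;;
  esac
}

# Resolve a uid to its login via the third passwd field; a plain "grep 1007"
# would also match uid 10071, a gid or a home path containing 1007.
uid_to_user() { awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"; }

# Human-readable verdict for a message, given the message and a passwd file
verdict() {
  set -- "$(classify_origin "$1")" "$2"
  case "$1" in
    "script 48") echo "sent by a PHP script (apache), inspect the message content" ;;
    "script "*) echo "sent by a script as $(uid_to_user "$2" "${1#script }")" ;;
    network) echo "accepted by SMTP from an authenticated user, check maillog smtp_auth" ;;
    *) echo "could not classify" ;;
  esac
}

verdict "$MSG_SCRIPT" "$PASSWD"
verdict "$MSG_NET" "$PASSWD"
```

On a real server, point the functions at /var/qmail/queue/mess/*/<id> and /etc/passwd.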

 

It is also possible to find the origin when it is a script, by running the following command via ssh:

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` | grep vhosts | grep php

 

Source: http://todohosting.es/2010/11/03/como-buscar-el-origen-de-spam-en-un-servidor-con-qmail-y-plesk/

http://todohosting.es/category/plesk/

http://blogofsysadmins.com/como-luchar-contra-el-spam-en-plesk-con-qmail