Detecting Spam Sending Domains On Plesk Server Using Postfix

Learn how to detect spam-sending domains on a Plesk server using Postfix. Step-by-step guide to identify and stop malicious scripts and secure your email environment.

Plesk servers typically use Postfix as the Mail Transfer Agent (MTA) in newer versions. If your server is sending out spam and you cannot identify the source, this tutorial provides a step-by-step method to detect and resolve spam scripts in domains.

Step 1: Confirm the Current MTA

Verify that Postfix is the active MTA using the mailmng utility. Run the following command:

```bash
# plesk sbin mailmng-server --features | grep SMTP_Server
```

If Postfix is in use, you will see output similar to:

```bash
$features['SMTP_Server'] = "Postfix";
```

Step 2: Identify the Source of the Spam Script

To locate the directory from which spam emails are sent, create a Postfix wrapper script. The wrapper records the working directory ($PWD) of every process that calls sendmail, which for a PHP mail() call is the directory of the script that sent the message.

  • Create the Wrapper Script

    Save the following content in a file named /usr/sbin/sendmail.postfix-wrapper:

    ```bash
    #!/bin/sh
    # Prepend a header holding the caller's working directory, append a copy of
    # the whole message to the log, then hand it to the real sendmail binary.
    (echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"
    ```

  • Set Up Logging

    Create a log file to capture the output of the wrapper script:

    ```bash
    # touch /var/tmp/mail.send
    # chmod a+rw /var/tmp/mail.send
    ```

  • Make the Script Executable and Put It in Place

    ```bash
    # chmod a+x /usr/sbin/sendmail.postfix-wrapper
    # mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    # ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
    ```

  • Note: Allow 30-60 minutes for the script to collect sufficient data.

Step 3: Restore the Original Configuration

After data collection, restore the original Postfix configuration:

```bash
# mv /usr/sbin/sendmail.postfix /root/backup_sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
```

Warning: The log file (/var/tmp/mail.send) does not rotate automatically. Monitor its size and delete it if necessary to avoid disk space issues.

Step 4: Analyze the Log File

To find directories associated with spam scripts, run the following command. The backtick expression reads the vhosts root (HTTPD_VHOSTS_D) from /etc/psa/psa.conf, so only headers pointing below that directory are shown:

```bash
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
```

This command will display directories containing scripts that sent spam emails. If the output is empty, no PHP mail function was executed from the vhosts directory.

  • If malicious scripts are found:

    • Inspect and remove injected or malicious content.

    • Scan the domain’s web directory for additional malware.

    • Change the account’s password to prevent unauthorized access.

Step 5: Detect Email Accounts with Unusual Activity

If the above command doesn't yield results, identify email accounts with a high number of login attempts:

```bash
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
```

Example output:

```plaintext
32436 sasl_username=user@domain.tld
```
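The Step 4 and Step 5 greps as small shell functions, run over constructed sample log lines (an added example, not from the Plesk article). It assumes the vhosts root is /var/www/vhosts, which is what HTTPD_VHOSTS_D usually holds in /etc/psa/psa.conf, and the mail.send and maillog formats shown above:

```shell
#!/bin/sh
# Added example, not part of the Plesk article: the Step 4 and Step 5 greps
# rewritten as functions and run over constructed sample log lines, so the
# counting can be checked offline. Assumes the vhosts root is /var/www/vhosts
# (what HTTPD_VHOSTS_D usually holds in /etc/psa/psa.conf); override it with
# the first argument and pipe your real logs in.
VHOSTS_D="${1:-/var/www/vhosts}"

# Constructed stand-in for /var/tmp/mail.send: one wrapper header per message,
# followed by whatever the sending script handed to sendmail.
SAMPLE_MAIL_SEND='X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
Subject: test 1
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
Subject: test 2
X-Additional-Header: /var/www/vhosts/other.tld/httpdocs
Subject: test 3
X-Additional-Header: /root
Subject: cron report'

# Constructed stand-in for maillog lines; the 9th field is sasl_username=...
SAMPLE_MAILLOG='Jan 10 10:00:01 host postfix/smtpd[111]: 1A2B3: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user@domain.tld
Jan 10 10:00:02 host postfix/smtpd[111]: 1A2B4: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user@domain.tld
Jan 10 10:00:03 host postfix/smtpd[112]: 1A2B5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@domain.tld'

# Step 4: messages per sending directory, keeping only directories below the
# vhosts root (anything else, e.g. /root, is system mail such as cron).
# Reads mail.send text on stdin; prints "count directory", busiest first.
spam_dirs() {
    grep '^X-Additional-Header: ' | awk -v root="$VHOSTS_D" '
        index($2, root) == 1 { count[$2]++ }
        END { for (d in count) printf "%d %s\n", count[d], d }' | sort -nr
}

# Step 5: logins per SASL username, busiest first. Reads maillog text on
# stdin; the optional argument limits the number of rows (default 10).
top_sasl_users() {
    grep 'sasl_method=LOGIN' | awk '{print $9}' | sort | uniq -c \
        | sort -nr | head -n "${1:-10}" | awk '{print $1, $2}'
}

# Run both over the samples. On a real server use:
#   spam_dirs < /var/tmp/mail.send
#   zcat -f /usr/local/psa/var/log/maillog* | top_sasl_users
printf '%s\n' "$SAMPLE_MAIL_SEND" | spam_dirs
printf '%s\n' "$SAMPLE_MAILLOG" | top_sasl_users 5
```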

Step 6: Mitigate the Issue

If a suspicious email account is identified:

  • Change the password immediately.

  • Review account activity for further anomalies.

By following these steps, you can efficiently stop spam and malicious activity on your Plesk server. This not only protects your server but also ensures your IP addresses maintain a good reputation. Regular monitoring is essential for maintaining a secure and reliable server environment.
