Detecting Spam Sending Domains On Plesk Server Using Postfix

Learn how to detect spam-sending domains on a Plesk server using Postfix. Step-by-step guide to identify and stop malicious scripts and secure your email environment.

Plesk servers typically use Postfix as the Mail Transfer Agent (MTA) in newer versions. If your server is sending out spam and you cannot identify the source, this tutorial provides a step-by-step method to detect and resolve spam scripts in domains.

Step 1: Confirm the Current MTA

Verify that Postfix is the active MTA using the mailmng utility. Run the following command:

```bash
# plesk sbin mailmng-server --features | grep SMTP_Server
```

If Postfix is in use, you will see output similar to:

```bash
$features['SMTP_Server'] = "Postfix";
```

Step 2: Identify the Source of the Spam Script

To locate the directory from which spam emails are sent, create a Postfix wrapper script.

  • Create the Wrapper Script

    Save the following content in a file named /usr/sbin/sendmail.postfix-wrapper. It prefixes every message with the working directory of the process that called sendmail, appends a copy to the log, and then passes the message on to the real binary:

    ```bash
    #!/bin/sh
    (echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"
    ```

  • Set Up Logging

    Create a log file to capture the output of the wrapper script:

    ```bash
    # touch /var/tmp/mail.send
    # chmod a+rw /var/tmp/mail.send
    ```

  • Make the Script Executable and Put It in Place

    ```bash
    # chmod a+x /usr/sbin/sendmail.postfix-wrapper
    # mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    # ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
    ```

  • Note: Allow 30-60 minutes for the script to collect sufficient data.

Step 3: Restore the Original Configuration

After data collection, restore the original Postfix configuration:

```bash
# mv /usr/sbin/sendmail.postfix /root/backup_sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
```

Warning: The log file (/var/tmp/mail.send) does not rotate automatically. Monitor its size and delete it if necessary to avoid disk space issues.
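Steps 2 and 3 move the real sendmail.postfix aside and put a symlink in its place, so running the install commands a second time, or the restore commands while the wrapper is not in place, would clobber the binary. The script below is an added example, not part of the tutorial: it wraps the same file moves in functions that refuse to run in the wrong state, parameterised on the directory that holds sendmail.postfix so they can be rehearsed in a scratch directory (with a constructed stand-in for the binary) before being pointed at /usr/sbin. The file names are the ones used above; the wrapper body is the tutorial's one-liner with the working directory quoted.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. $1 is the directory holding
# sendmail.postfix (/usr/sbin on a real Plesk server); file names follow the tutorial.

install_sendmail_wrapper() {
    sbin=$1 logfile=$2
    orig=$sbin/sendmail.postfix
    bin=$sbin/sendmail.postfix-bin
    wrapper=$sbin/sendmail.postfix-wrapper
    # A second run would move the symlink over the real binary: refuse.
    if [ -e "$bin" ] || [ -L "$orig" ]; then
        echo "install: wrapper already in place in $sbin" >&2
        return 1
    fi
    if [ ! -x "$orig" ]; then
        echo "install: no executable $orig" >&2
        return 1
    fi
    touch "$logfile" && chmod a+rw "$logfile" || return 1
    # Wrapper body: tag each message with the caller's working directory,
    # append a copy to the log, then hand the message to the real binary.
    cat > "$wrapper" <<EOF
#!/bin/sh
(echo "X-Additional-Header: \$PWD"; cat) | tee -a "$logfile" | "$bin" "\$@"
EOF
    chmod a+x "$wrapper" || return 1
    mv "$orig" "$bin" && ln -s "$wrapper" "$orig"
}

# True when both the symlink and the moved binary are in place.
wrapper_installed() {
    [ -L "$1/sendmail.postfix" ] && [ -x "$1/sendmail.postfix-bin" ]
}

# Undo the install; the symlink is kept under $2 as backup_sendmail.postfix, as in Step 3.
restore_sendmail_postfix() {
    sbin=$1 backup_dir=$2
    if ! wrapper_installed "$sbin"; then
        echo "restore: wrapper not installed in $sbin" >&2
        return 1
    fi
    mv "$sbin/sendmail.postfix" "$backup_dir/backup_sendmail.postfix" \
        && mv "$sbin/sendmail.postfix-bin" "$sbin/sendmail.postfix"
}

# Rehearsal in a scratch directory with a constructed stand-in for sendmail.postfix
# that just swallows its input.
rehearse() {
    scratch=$(mktemp -d)
    printf '#!/bin/sh\ncat > /dev/null\n' > "$scratch/sendmail.postfix"
    chmod +x "$scratch/sendmail.postfix"
    install_sendmail_wrapper "$scratch" "$scratch/mail.send"
    (cd "$scratch" && printf 'Subject: test\n\nbody\n' | ./sendmail.postfix -t)
    cat "$scratch/mail.send"   # first line is "X-Additional-Header: <scratch dir>"
    restore_sendmail_postfix "$scratch" "$scratch"
    rm -rf "$scratch"
}

rehearse
```

On a live server the calls are `install_sendmail_wrapper /usr/sbin /var/tmp/mail.send` and, after the collection window, `restore_sendmail_postfix /usr/sbin /root`; `wrapper_installed /usr/sbin` tells you which state the system is in before either.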

Step 4: Analyze the Log File

To find directories associated with spam scripts, run:

```bash
# HTTPD_VHOSTS_D in /etc/psa/psa.conf is the vhosts root (normally /var/www/vhosts);
# only header lines whose path lies under it are of interest.
# grep X-Additional /var/tmp/mail.send | grep "$(awk '$1 == "HTTPD_VHOSTS_D" {print $2}' /etc/psa/psa.conf)"
```

This command lists the directories from which scripts called sendmail during the collection window, one line per message, so the most frequent entries are the prime suspects. If the output is empty, no PHP mail function was executed from the vhosts directory while the wrapper was in place.

  • If malicious scripts are found:

    • Inspect and remove injected or malicious content.

    • Scan the domain’s web directory for additional malware.

    • Change the account’s password to prevent unauthorized access.

Step 5: Detect Email Accounts with Unusual Activity

If the above command doesn't yield results, the spam is probably being sent through a mailbox whose password has been obtained, rather than by a script. Identify mailboxes with an unusually high number of authenticated (SASL) SMTP logins:

```bash
# The position of the sasl_username field varies between log lines, so match it
# by name rather than by column number.
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | grep -o 'sasl_username=[^,]*' | sort | uniq -c | sort -nr | head
```

Example output:

```plaintext
32436 sasl_username=user@domain.tld
```
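The searches in Steps 4 and 5 follow the same pattern: pull one field out of each log line, then count it. The shell functions below are an added example, not part of the original tutorial; they run over constructed sample lines so the parsing can be checked before it is pointed at a real /var/tmp/mail.send or maillog. They assume the X-Additional-Header name from the wrapper, the vhosts root read from psa.conf, and the standard Postfix smtpd log line format. Two of them go a step beyond the commands above: spam_domains_from_wrapper_log collapses each sending directory to its vhost name, and top_sasl_logins counts logins for any SASL mechanism, not only LOGIN.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Every function reads log lines on stdin.

# Constructed sample of /var/tmp/mail.send: each message the wrapper saw is prefixed
# with the working directory of the process that called sendmail.
SAMPLE_MAIL_SEND='X-Additional-Header: /var/www/vhosts/example.test/httpdocs/wp-content/uploads
To: someone@example.invalid
Subject: hello

X-Additional-Header: /var/www/vhosts/example.test/httpdocs/wp-content/uploads
To: other@example.invalid
Subject: hello again

X-Additional-Header: /var/www/vhosts/shop.test/httpdocs
To: customer@example.invalid
Subject: Order confirmation

X-Additional-Header: /
To: root@localhost
Subject: cron output
'

# Constructed sample of Postfix smtpd lines from maillog: three logins for one
# mailbox (two LOGIN, one PLAIN) and one for another.
SAMPLE_MAILLOG='Jan 10 03:14:01 plesk postfix/smtpd[1234]: 5A1B2C3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user@domain.tld
Jan 10 03:14:02 plesk postfix/smtpd[1234]: 5A1B2C3E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user@domain.tld
Jan 10 03:14:03 plesk postfix/smtpd[1235]: 5A1B2C3F: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=user@domain.tld
Jan 10 08:00:00 plesk postfix/smtpd[1300]: 6B1C2D3E: client=mail.example.invalid[192.0.2.10], sasl_method=LOGIN, sasl_username=other@domain.tld
'

# Header paths only, one per message, in the order they were logged.
wrapper_paths() {
    sed -n 's/^X-Additional-Header: //p'
}

# Messages per sending directory under the vhosts root $1, most active first.
spam_dirs_from_wrapper_log() {
    pfx=${1%/}/
    wrapper_paths | awk -v pfx="$pfx" 'index($0, pfx) == 1' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# The same count collapsed to the vhost (domain) directory name.
spam_domains_from_wrapper_log() {
    pfx=${1%/}/
    wrapper_paths | awk -v pfx="$pfx" '
        index($0, pfx) == 1 { rest = substr($0, length(pfx) + 1); split(rest, p, "/"); print p[1] }' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Authenticated SMTP logins per mailbox, any SASL mechanism, most active first.
top_sasl_logins() {
    grep 'sasl_method=' | sed -n 's/.*\(sasl_username=[^, ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Demo on the constructed samples. On a real server the equivalents are:
#   spam_domains_from_wrapper_log "$(awk '$1 == "HTTPD_VHOSTS_D" {print $2}' /etc/psa/psa.conf)" < /var/tmp/mail.send
#   zcat -f /usr/local/psa/var/log/maillog* | top_sasl_logins | head
printf '%s' "$SAMPLE_MAIL_SEND" | spam_dirs_from_wrapper_log /var/www/vhosts
printf '%s' "$SAMPLE_MAIL_SEND" | spam_domains_from_wrapper_log /var/www/vhosts
printf '%s' "$SAMPLE_MAILLOG" | top_sasl_logins
```

The `/` entry in the sample (a cron job mailing from the root directory) is dropped by the vhosts-root filter, which is the same effect the second grep in Step 4 has on the real log.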

Step 6: Mitigate the Issue

If a suspicious email account is identified:

  • Change the password immediately.

  • Review account activity for further anomalies.

By following these steps, you can efficiently stop spam and malicious activity on your Plesk server. This not only protects your server but also ensures your IP addresses maintain a good reputation. Regular monitoring is essential for maintaining a secure and reliable server environment.
