Plesk servers typically use Postfix as the Mail Transfer Agent (MTA) in newer versions. If your server is sending out spam and you cannot identify the source, this tutorial provides a step-by-step method to detect and resolve spam scripts in domains.
Step 1: Confirm the Current MTA
Verify that Postfix is the active MTA using the mailmng utility. Run the following command:
```bash
# plesk sbin mailmng-server --features | grep SMTP_Server
```
If Postfix is in use, you will see output similar to:
```
$features['SMTP_Server'] = "Postfix";
```
Step 2: Identify the Source of the Spam Script
To locate the directory from which spam emails are sent, create a Postfix wrapper script.
- Create the wrapper script. Save the following content in a file named /usr/sbin/sendmail.postfix-wrapper:

```bash
#!/bin/sh
# Prepend the calling process's working directory as a header, append a copy of
# every message to /var/tmp/mail.send, then pass the message to the real sendmail binary.
(echo X-Additional-Header: $PWD ; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"
```

- Set up logging. Create a log file to capture the output of the wrapper script:

```bash
# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
```

- Make the script executable, move the real binary aside, and put the wrapper in its place:

```bash
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
```
Note: Allow 30-60 minutes for the script to collect sufficient data.
Step 3: Restore the Original Configuration
After data collection, restore the original Postfix configuration:
```bash
# mv /usr/sbin/sendmail.postfix /root/backup_sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
```
Warning: The log file (/var/tmp/mail.send) does not rotate automatically. Monitor its size and delete it if necessary to avoid disk space issues.
Step 4: Analyze the Log File
To find directories associated with spam scripts, run:
```bash
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
```
This command will display directories containing scripts that sent spam emails. If the output is empty, no PHP mail function was executed from the vhosts directory.
If malicious scripts are found:
- Inspect and remove injected or malicious content.
- Scan the domain's web directory for additional malware.
- Change the account's password to prevent unauthorized access.
Step 5: Detect Email Accounts with Unusual Activity
If the above command doesn’t yield results, identify email accounts with a high number of login attempts:
```bash
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
```
Example output:
```
32436 sasl_username=user@domain.tld
```
Step 6: Mitigate the Issue
If a suspicious email account is identified:
- Change the password immediately.
- Review account activity for further anomalies.
By following these steps, you can efficiently stop spam and malicious activity on your Plesk server. This not only protects your server but also ensures your IP addresses maintain a good reputation. Regular monitoring is essential for maintaining a secure and reliable server environment.