When unsolicited emails (spam) are sent indiscriminately to many mailboxes on your server at the same time, the mail queue can fill up with too many messages. The server then becomes overloaded with spam and legitimate mail is delivered slowly.
To get rid of spam on your Qmail mail server:
- Make sure that all domains have the option "What to do with mail sent to non-existent users" set to Reject. To change the value of this option for a domain, open the domain in the Control Panel, go to the Mail tab and click Change Settings.
- Make sure that there are no untrusted IP addresses or networks in the white list. To check, go to Home > Mail Server Settings > White List tab. To remove untrusted IP addresses or networks, select them in the list and click Remove Selected.
- Check how many messages there are in the Qmail queue with:
# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82
If there are too many messages in the queue, try to find out where the spam is coming from. If the mail is being sent by an authorized user rather than by a PHP script, you can find out which user sent most of the messages with the following command:
# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n
Note that the SMTP authorization option must be enabled on the server for these records to appear. The path to maillog may differ depending on the OS you use.
- Use the qmail-qread utility to read the message headers:
# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT  #2996948  9073  <user@domain.com>  bouncing
        done  remote  user1@domain1.com
        done  remote  user2@domain2.com
        done  remote  user3@domain3.com
....
The qmail-qread utility shows message senders and recipients. If a message has too many recipients, it is probably spam.
- Try to find the message in the queue by its ID (for example, the message ID is #1234567):
# find /var/qmail/queue/mess/ -name 1234567
- Look at the message and find the last Received line. This shows where the message was initially sent from.
- If you find something like:
Received: (qmail 19514 invoked by uid 12345); 10 Sep 2008 17:48:22 +0700
it means that this message was sent via a CGI script by the user with UID 12345. Use this UID to find the corresponding domain:
# grep 12345 /etc/passwd
- Received lines like:
Received: (qmail 19622 invoked from network); 10 Sep 2008 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)
mean that the message was accepted for delivery via SMTP and the sender is an authorized mail user.
- If the Received line contains the UID of an apache user (for example, invoked by uid 48), it means that the spam was sent via a PHP script. In this case you can try to find the spammer using information from the spam emails (from/to addresses, subjects, etc.), but it is usually hard to find the spam source this way. If you are sure that a script is sending spam at the current moment (for example, because the queue is growing very fast), you can use this one-liner to see which PHP scripts are running in real time:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
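As an added example (not part of the original article), a small Python triage helper that applies the rules above: it counts recipients per message from qmail-qread output and classifies the origin of a queued message from its last qmail-generated Received line. The apache UID of 48 is taken from the text and is an assumption for your host; the qmail-qread output and message headers below are constructed samples.

```python
import re

# Constructed sample of qmail-qread output (not taken from a real queue).
QREAD_SAMPLE = """\
18 Jul 2005 15:03:07 GMT  #2996948  9073  <user@domain.com>  bouncing
        done  remote  user1@domain1.com
        done  remote  user2@domain2.com
        done  remote  user3@domain3.com
18 Jul 2005 15:05:11 GMT  #2996950  1201  <alice@domain.com>
        done  remote  bob@domain2.com
"""
# Constructed headers of a queued message; the bottom-most qmail line is the first hop.
MESSAGE_SAMPLE = """\
Received: (qmail 19622 invoked from network); 10 Sep 2008 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)
Received: (qmail 20001 invoked by uid 48); 10 Sep 2008 18:01:00 +0700
"""
APACHE_UID = 48  # assumption: the web server's uid on this host; verify in /etc/passwd

def recipients_per_message(qread_output):
    """Map queue id -> (sender, recipient count) parsed from qmail-qread text."""
    counts, current = {}, None
    for line in qread_output.splitlines():
        head = re.search(r"#(\d+)\s+\d+\s+<([^>]*)>", line)
        if head:  # message header line: date, #id, size, <sender>
            current = head.group(1)
            counts[current] = [head.group(2), 0]
        elif current and re.match(r"\s+(?:done\s+)?(?:remote|local)\s+\S+@", line):
            counts[current][1] += 1  # one indented recipient line
    return {mid: (sender, n) for mid, (sender, n) in counts.items()}

def suspicious_messages(qread_output, max_recipients=50):
    """Queue ids whose recipient count exceeds the threshold (likely spam)."""
    per_msg = recipients_per_message(qread_output)
    return sorted(mid for mid, (_, n) in per_msg.items() if n > max_recipients)

def classify_received(line, apache_uid=APACHE_UID):
    """Apply the article's rules to one qmail-generated Received line."""
    uid = re.search(r"invoked by uid (\d+)", line)
    if uid:
        uid = int(uid.group(1))
        return ("php-script", uid) if uid == apache_uid else ("cgi-script", uid)
    if "invoked from network" in line:
        return ("smtp", None)  # accepted over SMTP; check the smtp_auth records next
    return ("unknown", None)

def origin_of_message(message_text, apache_uid=APACHE_UID):
    """Classify the last (earliest-hop) qmail Received line of a message."""
    qmail_lines = [l for l in message_text.splitlines() if l.startswith("Received: (qmail")]
    return classify_received(qmail_lines[-1], apache_uid) if qmail_lines else ("unknown", None)
```

Folded (multi-line) Received headers are not unfolded here; run it over the raw file from /var/qmail/queue/mess/ after joining continuation lines if your messages have them.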
To find out from which folder the PHP script that is sending mail was run, create a /var/qmail/bin/sendmail-wrapper script with the following content:
#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"
Note that the paths can differ slightly depending on your OS and Plesk version. Create the log file /var/tmp/mail.send and grant it a+rw rights, make the wrapper executable, rename the old sendmail and link it to the new wrapper:
# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
Wait for about an hour and revert sendmail back:
# rm -f /var/qmail/bin/sendmail
# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
Examine the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header pointing to the domain folders where the script that sends the mail is located. You can list all the folders from which mail-sending PHP scripts were run with the following command:
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
If the command above produces no output, no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.