Full Version: Need help with SPAM issue ASAP!!!
The Planet Forums > Control Panels > Plesk
Digital-HQ
I need help figuring out a spam issue on my server. I have TONS of spam outgoing from my server and have been unable to track it down. I have firewalled many IPs and enabled MAPS and they are still getting in. I am willing to pay someone to go in and FIX this problem. Please Help!
Squire
It sounds like a classic Open Relay problem to me Digital HQ. First check your mail settings for the server.

Log into the control panel as Admin and navigate to Server > Mail > White List. Make sure the IP number white listed there is not 127.0.0.1/8. The /8 subnet mask leaves your server with an open relay no matter what you set anywhere else. If it's /8 remove that one and set it up as 127.0.0.1/32. This will allow the server to still send mail using scripts and such, but will close your open relay.

Second, go into the Preferences tab in the same Server > Mail area to make sure you're not allowing an open relay there. Personally, I've always used Authorization is required and a POP3 lock time of 20 minutes. This seems to work quite well for everybody and keeps the server from being overrun with spammers.

If all of those were already set correctly, the next step is to track down scripts on your server that may be unsecure. Those are a lot harder to find. But I'd almost be willing to bet that your server was running with /8 white listed. It's always been the default setting for Plesk for some unknown reason.
Digital-HQ
White list is already /32 and Authorization is required and a POP3 lock are already in place. I have also checked running scripts using:

[code]
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
[/code]

All with no luck tracking anything down.
Squire
Have you looked at some of the spam while it's still in the outgoing queue D-HQ? The thing I'd want to know is what UID is sending the mail. This should tell you if it's a real person or a php script. A php script would show up as UID 48, which is the Apache user.

That's the first step. Figuring out if one of your real users has had their PC's SMTP hacked, if it's a CGI/Perl script (which would show up in your /var/log/httpd/suexec_log file) or if it's a typical PHP mail() exploit. The php exploits are the most common these days. That's why I asked specifically about UID 48.

Assuming it'll end up being a php mail() exploit, there are a few different ways to find out who's doing it and what script they're using. If you don't have many domains on the server you can figure out pretty quickly what domain it's coming from by making a small vhost.conf tweak on each domain. Basically this adds a header parameter to any outgoing mail initiated by php to help you track it down.

So you would log in as root and set up a vhost.conf for each domain on the server. The new vhost.conf would look something like:

[code]
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fXXXX"
[/code]

(Change the Directory path if need be to suit your server's path.)

The -fXXXX is going to be your internal code for each domain. So you'll want to change the X's out with something that'll help you tie it to the domain.

After this is done, anytime php mail() is executed from one of the domains on the server the vhost.conf will add your special code to the mail headers. Of course you need to remember to reconfigure all of your vhosts after changing the vhost.conf files. That command would be /usr/local/psa/admin/sbin/websrvmng -a -v

The above also assumes that the server is secure and that no one has been allowed to upload the spamming script outside of the normal web accessible locations. If you suspect something like this you'll want to install and run both CHKRootKit and RKHunter. The above would also help to let you know if this is the case though. Because if you see the spam still rolling through but your new header line isn't in the mail you know it's coming from somewhere other than a domain location.

Again, if you find that it's a php script doing the sending you can always set up a little script to log additional information for you to research. The first post in this thread on the Plesk forums has one you can use. As does the 2nd post in this Plesk forum thread.
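The per-domain vhost.conf tweak above is tedious by hand once a server has more than a handful of domains. The script below is an added example for this thread, not Squire's or Plesk's own code: it writes the sendmail_path line with a distinct -f tag into each domain's vhost.conf and maps a queued message's envelope sender back to the domain that tagged it. It assumes the per-domain file lives at <vhosts_root>/<domain>/conf/vhost.conf (the thread does not give the path; /var/www/vhosts is the usual Plesk root), that the address given with -f is visible as the envelope sender of the queued message, and the `php-tag@<domain>` naming is the example's own choice.

```python
"""Tag PHP mail() on every Plesk domain so queued spam names its vhost.

Added example for this thread, not the poster's own script. Assumptions: each
domain's per-vhost config is <vhosts_root>/<domain>/conf/vhost.conf, and the
address passed with -f is what you read back (as the envelope sender of the
queued message) to attribute it to a domain.
"""
import os
import re

SENDMAIL = "/usr/sbin/sendmail"  # path from the thread; adjust to your server
RECONFIGURE = "/usr/local/psa/admin/sbin/websrvmng -a -v"  # from the thread; run after writing

# The tag shape is this example's own convention (hypothetical), not a Plesk one.
TAG = re.compile(r"php-tag@(?P<domain>[\w.-]+)")


def tag_for(domain):
    """The -f address that marks mail() output from this domain."""
    return f"php-tag@{domain}"


def vhost_conf_line(domain):
    """The php_admin_value line from the thread, with the per-domain tag filled in."""
    return f'php_admin_value sendmail_path "{SENDMAIL} -t -i -f{tag_for(domain)}"'


def write_vhost_confs(domains, vhosts_root):
    """Append the tagging line to each domain's vhost.conf; returns the paths touched."""
    written = []
    for domain in domains:
        conf_dir = os.path.join(vhosts_root, domain, "conf")
        os.makedirs(conf_dir, exist_ok=True)
        path = os.path.join(conf_dir, "vhost.conf")
        # Append rather than overwrite so any directives already there survive.
        with open(path, "a", encoding="ascii") as fh:
            fh.write(vhost_conf_line(domain) + "\n")
        written.append(path)
    return written


def domain_from_sender(envelope_sender):
    """Map a queued message's envelope sender back to the domain that tagged it.

    None means the message did not pass through a tagged vhost: a domain you
    have not tagged yet, or, as the thread warns, a script running from
    somewhere outside the normal web-accessible locations.
    """
    m = TAG.fullmatch(envelope_sender.strip().strip("<>"))
    return m.group("domain") if m else None


if __name__ == "__main__":
    import sys
    # usage: python tag_php_mail.py /var/www/vhosts example.com example.org
    root, domains = sys.argv[1], sys.argv[2:]
    for path in write_vhost_confs(domains, root):
        print("wrote", path)
    print("now run:", RECONFIGURE)
```

The reconfigure command is printed rather than executed so you can review the files first; untagged messages that keep flowing after the reconfigure are exactly the case the post describes, where the sender is outside any domain's document root.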
Digital-HQ
Here is the last header I was able to capture...

[code]
Received: (qmail 26421 invoked by uid 2020); 24 Apr 2006 07:02:38 -0500
Received: from unknown (HELO User) (89.32.54.64)
  by pagecomm.com with SMTP; 24 Apr 2006 07:02:37 -0500
Reply-To:
From: "support@wamu.com"
Subject: Washington Mutual Survey
Date: Mon, 24 Apr 2006 15:02:33 +0300
MIME-Version: 1.0
Content-Type: text/html;
  charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
[/code]
Squire
Well, the good news is it's not a php script. You have a UID of 2020, which is one of the defaults for qmail. So it's SMTP. That's very good news in the time it'll take to track 'em down.

It could be someone exploiting the bounced mail settings on a domain, but that's a long shot. It would be more likely that either a user's PC has become infected or someone has a very unsecure user/password for their mail.

You've got the IP number of the real sender in the mail too. It's in the second line there written as (89.32.54.64).

Grep your maillog around the same time that email was sent/stamped. Like:

[code]
grep 89.32.54.64 /usr/local/psa/var/log/maillog
[/code]

You're probably going to get a lot of stuff. What you'll want to look for is lines where this user is logging in and logging out. Especially the LOGOUT lines. Those will give you the location of that user's mailbox, which also gives you their domain name.

Your choice on whether you want to tell the user before or after you change their mail password that they've been hacked. But you'll definitely want to change it, and force them to virus/worm scan their computer(s) and keep a close eye on things again once they can get back to their mail login.
Fizzwizz
My smtp is set so that authorisation is required to send outgoing email.

Are there no scripts out there that can log how many emails are being sent from each user? This would make it far easier to track down mail abuse.

... Fizz
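Squire's triage (read the uid from the qmail Received stamp, pull the real client IP from the next Received line, then chase that IP through the maillog for the login/logout lines that name the mailbox) and Fizz's question about counting sends per user are both things a small script can do over the log. The block below is an added example for this thread, not code from any of the posts or from Plesk. It takes uid 48 as the Apache user as the thread states; the header is constructed from the one quoted above with folding restored; and the maillog lines are constructed approximations of Courier pop3d LOGIN/LOGOUT and Plesk smtp_auth entries, so check the exact wording in your own /usr/local/psa/var/log/maillog and adjust the regexes.

```python
"""Triage a captured outgoing-spam header and correlate it with the maillog.

Added example for this thread, not code from any of the posts. The qmail stamp
format is the one shown in the thread; the maillog lines are constructed
approximations, adjust COURIER and SMTP_AUTH to what your maillog prints.
"""
import re
from collections import Counter

APACHE_UID = 48  # uid the thread identifies as the Apache user (PHP mail() runs as this)

# Constructed from the header quoted in the thread, with header folding restored.
SAMPLE_HEADER = """\
Received: (qmail 26421 invoked by uid 2020); 24 Apr 2006 07:02:38 -0500
Received: from unknown (HELO User) (89.32.54.64)
  by pagecomm.com with SMTP; 24 Apr 2006 07:02:37 -0500
From: "support@wamu.com"
Subject: Washington Mutual Survey
"""

# Constructed maillog excerpt (formats approximated, see module docstring).
SAMPLE_MAILLOG = """\
Apr 24 07:01:55 host pop3d: LOGIN, user=joe@example.com, ip=[::ffff:89.32.54.64]
Apr 24 07:01:56 host pop3d: LOGOUT, user=joe@example.com, ip=[::ffff:89.32.54.64], top=0, retr=0
Apr 24 07:02:36 host smtp_auth: SMTP user joe@example.com : /var/qmail/mailnames/example.com/joe logged in from unknown@89.32.54.64
Apr 24 07:02:38 host qmail: 1145880158.1 new msg 26421
Apr 24 07:05:01 host smtp_auth: SMTP user joe@example.com : /var/qmail/mailnames/example.com/joe logged in from unknown@89.32.54.64
Apr 24 07:09:12 host smtp_auth: SMTP user ann@example.org : /var/qmail/mailnames/example.org/ann logged in from unknown@10.0.0.5
"""

QMAIL_STAMP = re.compile(r"^Received: \(qmail (?P<qp>\d+) invoked by uid (?P<uid>\d+)\);", re.M)
PEER = re.compile(r"^Received: from (?P<rdns>\S+) \(HELO (?P<helo>[^)]*)\) \((?P<ip>[\d.]+)\)", re.M)
COURIER = re.compile(r"(?:pop3d|imapd): (?P<event>LOGIN|LOGOUT), user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[\d.]+)\]")
SMTP_AUTH = re.compile(r"smtp_auth: SMTP user (?P<user>\S+) : (?P<mailbox>\S+) logged in from \S+?@(?P<ip>[\d.]+)")


def unfold(headers):
    """Join RFC 2822 continuation lines (leading whitespace) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def triage_header(headers):
    """Who injected this message: the web server (a PHP script) or an SMTP client?"""
    text = unfold(headers)
    stamp = QMAIL_STAMP.search(text)
    peer = PEER.search(text)
    info = {
        "uid": int(stamp.group("uid")) if stamp else None,
        "qp": stamp.group("qp") if stamp else None,
        "helo": peer.group("helo") if peer else None,
        "ip": peer.group("ip") if peer else None,
    }
    if info["uid"] == APACHE_UID:
        info["origin"] = "php"    # hunt for the script on a vhost, as the thread describes
    elif info["ip"] is not None:
        info["origin"] = "smtp"   # a remote client injected it; chase the IP in the maillog
    else:
        info["origin"] = "unknown"
    return info


def sessions_from_ip(maillog, ip):
    """(user, mailbox_dir) for every login/logout line the given peer IP produced."""
    hits = []
    for line in maillog.splitlines():
        m = SMTP_AUTH.search(line) or COURIER.search(line)
        if m and m.group("ip") == ip:
            hits.append((m.group("user"), m.groupdict().get("mailbox")))
    return hits


def smtp_auth_sessions_per_user(maillog):
    """Authenticated SMTP sessions per mailbox user; a sudden spike points at the abused account."""
    return Counter(m.group("user") for m in map(SMTP_AUTH.search, maillog.splitlines()) if m)


if __name__ == "__main__":
    info = triage_header(SAMPLE_HEADER)
    print(info)
    if info["origin"] == "smtp":
        for user, mailbox in sessions_from_ip(SAMPLE_MAILLOG, info["ip"]):
            print(f"{info['ip']} used {user} ({mailbox or 'mailbox dir not in this line'})")
    for user, n in smtp_auth_sessions_per_user(SAMPLE_MAILLOG).most_common():
        print(f"{n:4d} SMTP auth sessions  {user}")
```

The per-user count tallies authenticated SMTP sessions rather than messages, since one session can carry many messages; it is still enough to spot the one account whose session count is out of line with the rest, which is the password to change first.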
dzinepixel
What does this script exactly do?
As I ran this I found some lines coming up on my SSH terminal.

Please help me.

QUOTE (Digital-HQ)
White list is already /32 and Authorization is required and a POP3 lock are already in place. I have also checked running scripts using:

[code]
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
[/code]

All with no luck tracking anything down.