Full Version: HOWTO: Find which site is sending spam email from apache@yourdomain
The Planet Forums > System Administration > HOWTOs
galfau
When you have a lot of clients (Domains) on your server, it's almost impossible to track all emails sent from your server through php scripts.

So I found a solution and I'm going to share it with everyone.

Requirements
Linux
Ensim
root access

1. Go to the virtual hosts' apache conf directory (on my server it is /etc/httpd/conf/virtual)
CODE
cd /etc/httpd/conf/virtual


2. Now you can list all sites in your server
CODE
ls


3. Now you have to edit each site's config file. [use your favorite file editor]
CODE
nano site1 <-- change filename for each site name listed on that directory


4. Search for ifModule mod_php (mine looks like this: <IfModule mod_php4.c>)

5. Inside that tag put the following code
CODE
php_admin_value sendmail_path  "/usr/sbin/sendmail -t -i -f emailcop@sitename" <-- replace sitename with the domain name of that client.


6. Now search in the same file for ifmodule sapi_apache (mine looks like this: <IfModule sapi_apache2.c>)

7. Inside that tag put the same code as in the php tag
CODE
php_admin_value sendmail_path  "/usr/sbin/sendmail -t -i -f emailcop@sitename" <-- replace sitename with the domain name of that client.


8. Save the file

9. Repeat the same procedure for each site listed in the directory

10. Finally restart apache/httpd
CODE
service httpd restart



Now you can look at your /var/log/maillog folder and see which site is sending email through php scripts. The lines will look something like this:
CODE

Jul 4 11:31:00 secure sendmail[7890]: m64FV0HG007890: Authentication-Warning: yourservername: apache set sender to emailcop@domainname using -f
Jul 4 11:31:07 secure sendmail[7890]: m64FV0HG007890: from=emailcop@domainname, size=308, class=0, nrcpts=1, msgid=<200807041531.m64FV0HG007890@yourservername>, relay=apache@localhost
Jul 4 11:31:07 secure sm-acceptingconnections[13146]: m64FV7cp013146: from=<emailcop@domainname>, size=665, class=0, nrcpts=1, msgid=<200807041531.m64FV0HG007890@yourservername>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jul 4 11:31:07 secure sendmail[7890]: m64FV0HG007890: to=dest@domain-dest, ctladdr=emailcop@domainname (48/48), delay=00:00:07, xdelay=00:00:00, mailer=relay, pri=30308, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m64FV7cp013146 Message accepted for delivery)

Voila!! Email identified!! It is going out through domainname. If you think it is spam, you should go to that domain's root folder and scan for scripts sending email.


Thanks for reading

Feel free to suggest/comment.
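As an added example (not part of galfau's post or of Ensim's tooling), the Python below does two things the post leaves to the reader: it correlates each Authentication-Warning line in maillog with the delivery line for the same sendmail queue id and ranks domains by message count, and it checks a vhost file for the sendmail_path directive in both IfModule blocks, so a config that was overwritten can be spotted before the log goes quiet. The log lines, hostnames and domains are constructed samples modelled on the excerpt above.

```python
import re
from collections import Counter

# Authentication-Warning that sendmail logs when the untrusted apache user passes -f.
SENDER_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): Authentication-Warning: \S+: "
                       r"apache set sender to emailcop@(?P<domain>\S+) using -f")
# Delivery line for the same queue id, carrying the recipient address.
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): to=(?P<to>[^,]+),")

def attribute_mail(lines):
    """Return {domain: {queue_id: [recipients]}} for mail that went out via PHP."""
    qid_domain, per_domain = {}, {}
    for line in lines:
        if m := SENDER_RE.search(line):
            qid_domain[m["qid"]] = m["domain"]
            per_domain.setdefault(m["domain"], {})[m["qid"]] = []
        elif (m := TO_RE.search(line)) and m["qid"] in qid_domain:
            per_domain[qid_domain[m["qid"]]][m["qid"]].append(m["to"])
    return per_domain

def top_senders(lines):
    """[(domain, message count)] with the busiest site first: the spam candidates."""
    return Counter({d: len(q) for d, q in attribute_mail(lines).items()}).most_common()

# The mod_php / sapi_apache blocks of a vhost file that must both carry the directive.
BLOCK_RE = re.compile(r"<IfModule (?P<mod>(?:mod_php|sapi_apache)[^>\s]*)>(?P<body>.*?)</IfModule>", re.S)
DIRECTIVE_RE = re.compile(r'php_admin_value\s+sendmail_path\s+"\S+ -t -i -f emailcop@(?P<domain>[^"\s]+)"')
def blocks_missing_directive(conf_text, domain):
    """Names of the blocks lacking a sendmail_path that tags mail as this domain."""
    missing = []
    for b in BLOCK_RE.finditer(conf_text):
        d = DIRECTIVE_RE.search(b["body"])
        if d is None or d["domain"] != domain:
            missing.append(b["mod"])
    return missing
# Constructed sample data modelled on the maillog excerpt and vhost config in the post.
SAMPLE_LOG = """\
Jul 4 11:31:00 secure sendmail[7890]: m64FV0HG007890: Authentication-Warning: srv: apache set sender to emailcop@site1.example using -f
Jul 4 11:31:07 secure sendmail[7890]: m64FV0HG007890: to=dest@example.net, ctladdr=emailcop@site1.example (48/48), stat=Sent
Jul 4 11:32:00 secure sendmail[7901]: m64FW0AB007901: Authentication-Warning: srv: apache set sender to emailcop@site2.example using -f
Jul 4 11:32:05 secure sendmail[7902]: m64FW5CD007902: Authentication-Warning: srv: apache set sender to emailcop@site2.example using -f
Jul 4 11:33:00 secure sendmail[7910]: m64FX0EF007910: from=user@site3.example, size=100, class=0, nrcpts=1, relay=user@localhost
"""
SAMPLE_CONF = """<IfModule mod_php4.c>
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f emailcop@site1.example"
</IfModule>
<IfModule sapi_apache2.c>
</IfModule>
"""
```

On a live box, call top_senders(open("/var/log/maillog")) and blocks_missing_directive(open("/etc/httpd/conf/virtual/site1").read(), "site1.example") with your own paths and domains.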
markcausa
Pinned! Just caught sight of this one as well. Great job, Galfau.
Penguin
Two things I would add to this - firstly, if you run sites in high security instead (which to be honest there are very few reasons not to) then this is basically done already and you can easily track which site(s) are sending spam. Secondly, if you edit a site or perform any updates (ie run through maintenance mode), your changes listed will be overwritten. High security is a better solution all round.
santosh
QUOTE (galfau @ Jul 4 2008, 04:13 PM)
CODE
php_admin_value sendmail_path  "/usr/sbin/sendmail -t -i -f emailcop@sitename" <-- replace sitename with the domain name of that client.


Do you know how this can be done on a server running Plesk and qmail?
ChuFuong
Probably the same way... might need to substitute the macros.
wdriver
PLESK Solution. I tested it and it is working fine on PSA 8.6. While it was running I monitored it with the following command instead of waiting for an hour like it suggests:

tail -f /var/tmp/mail.send

See http://kb.parallels.com/en/1711
Invision Power Board © 2001-2009 Invision Power Services, Inc.