This post will help you track down spam sent from a Plesk server when it is being sent by PHP scripts in any of the domains.
– Use the following sendmail wrapper to find the folders from which PHP scripts are sending mail. Create the wrapper file with this content:
# vi /var/qmail/bin/sendmail-wrapper
#!/bin/sh
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"
# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail
– Wait for some time, then change sendmail back:
# rm -f /var/qmail/bin/sendmail
# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
Once this is done, run the following command, which shows all the folders from which PHP mail scripts were run:
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
– If your PHP version is greater than 5.3, you can also enable extended logging, which adds a header to every outgoing email so that you can trace the location of the script involved in the spamming.
Add the following line to your php.ini file:
mail.add_x_header = On
– Check the headers (see this post to learn how to find the headers in the queue) and spot the script involved.
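As an added example (not part of the original post), this shell function tallies the X-Additional-Header lines captured in /var/tmp/mail.send per directory and, when mail.add_x_header is on, lists the X-PHP-Originating-Script values seen for each directory. The function names, the default vhosts root /var/www/vhosts and the sample messages are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the wrapper's capture file per sending directory.

# rank_senders CAPTURE [VHOSTS_ROOT] -> lines of "count directory [uid:script ...]"
rank_senders() {
    capture=$1
    vhosts=${2:-/var/www/vhosts}   # assumption: default vhosts root
    awk -v root="$vhosts" '
        # The wrapper writes this header as the first line of each message.
        /^X-Additional-Header: / {
            dir = substr($0, length("X-Additional-Header: ") + 1)
            # Count only working directories below the vhosts root.
            cur = (index(dir, root "/") == 1) ? dir : ""
            if (cur != "") count[cur]++
            next
        }
        # Added by PHP when mail.add_x_header = On, as "uid:script.php".
        /^X-PHP-Originating-Script: / && cur != "" {
            script = substr($0, length("X-PHP-Originating-Script: ") + 1)
            if (!((cur, script) in seen)) {
                seen[cur, script] = 1
                scripts[cur] = scripts[cur] " " script
            }
        }
        END { for (d in count) printf "%d %s%s\n", count[d], d, scripts[d] }
    ' "$capture" | sort -k1,1nr -k2
}

# write_sample FILE: constructed capture (not real mail) for a dry run.
write_sample() {
    for entry in \
        "example.com/httpdocs/wp-content/uploads|10001:mailer.php" \
        "example.com/httpdocs/wp-content/uploads|10001:mailer.php" \
        "example.org/httpdocs|10002:contact.php"
    do
        printf 'X-Additional-Header: /var/www/vhosts/%s\n' "${entry%%|*}"
        printf 'To: user@example.net\nSubject: constructed\n'
        printf 'X-PHP-Originating-Script: %s\n\nbody\n' "${entry#*|}"
    done > "$1"
    # A message sent from outside the vhosts tree, which must be ignored.
    printf 'X-Additional-Header: /root\nTo: admin@example.net\n\ncron\n' >> "$1"
}

sample=$(mktemp)
write_sample "$sample"
rank_senders "$sample"
rm -f "$sample"
```

On a real server, call rank_senders /var/tmp/mail.send with the HTTPD_VHOSTS_D value from /etc/psa/psa.conf as the second argument. Delete /var/tmp/mail.send once the source is found, since it holds every captured message in full and was made world-writable.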