Sourcing spam on your DV server



  • Applies to: DV 4.0 and DV
    • Difficulty: Hard
    • Time Needed: 30
    • Tools Required: Plesk administrator, SSH, root or sudo access, vi knowledge

Introduction

This article has been mirrored from the Parallels Knowledge Base as a courtesy to our DV server customers. As they are the authoritative source of the information covered in this article, we encourage you to check their original article. Keep in mind that this content is subject to change.

Requirements

Before you start, this article has the following dependencies:

READ ME FIRST

This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

Instructions

TIP:

These instructions are for the DV server running Plesk 11 or above. If you are on a DV 4.0 and are running an earlier version of Plesk, please see this article for upgrade information: How do I upgrade Plesk?

    1. First of all, make sure that all domains have Mail to nonexistent user set to Reject.
      1. Log into the Plesk Control Panel for your domain.
      2. Click on the Mail tab at the top.

      3. Next, click on Change Settings.
      4. Select Reject and click the OK button.
    2. Next, you'll need to determine if your server is using qmail or Postfix. To do so, you can run the following SSH command:
      rpm -qa | grep -e qmail -e postfix
      • If you're running Postfix, your result will look something like this:
        postfix-2.8.17-14042513.x86_64
      • If you're running Qmail, your result will look something like this:
        psa-qmail-rblsmtpd-0.88-cos5.build110120606.19
        psa-qmail-1.03-cos5.build110120606.19

      NOTE:

      This article combines the instructions for both mail servers. Where a step below shows two commands or two sample log lines, the qmail form is the one for the (dv) 4.0 version and the Postfix form is the one for the DV version; use whichever matches the result of the command above and continue on.

    3. Next, you'll want to check how many messages are waiting in the mail queue.
      • On qmail, run qmail-qstat:

             # /var/qmail/bin/qmail-qstat
                messages in queue: 27645
                messages in queue but not yet preprocessed: 82

      • On Postfix, count the files in each queue directory:

             # for q in maildrop incoming active defer deferred; do count=$(find "/var/spool/postfix/$q" ! -type d -print | wc -l); echo "$q $count"; done

        Example output:

             maildrop 0
             incoming 0
             active 0
             defer 0
             deferred 0
TIP:

In Plesk 11 and onward, you can also view and manage the mail queue within Plesk itself.

  • If the queue has a large number of messages waiting to be delivered and they cannot be accounted for, it's likely that you have a spam problem. At this point, you will need to determine where it's coming from.

    The first step is to have a look at your mail log, so you can see what's being sent out. You can use the following SSH command to view all the mail logged during a specific hour. This example shows the 11AM hour for Jan 15th (the pattern is anchored to the start of the line; note that syslog pads single-digit days with two spaces, e.g. "Jan  5"):

    awk '/^Jan 15 11:/' /usr/local/psa/var/log/maillog*

In the Postfix log, the pickup line for each message looks like the first example below; with qmail, the message's own Received header carries the equivalent information (second example):

    Jul 17 16:56:42 mnnj-2hfr postfix/pickup[828]: 8AE3E25E3E: uid=10000 from=serveradmin@yourdomain.com

    Received: (qmail 19514 invoked by uid 10000); 13 Sep 2015 17:48:22 +0700

In this line, look for the "uid=XXXXX" portion (Postfix) or the "invoked by uid XXXXX" portion (qmail). That number is the numeric user ID of the account on the server which invoked this message. A user in this case can refer to the mail server, if the message was sent by an individual email address; the webserver, if it was sent by a script; or another component of your server.

You can cross-reference this against the /etc/passwd file to determine what component the uid corresponds to.

For example, you could run the following command, where '10000' is the uid you're searching for. Matching on the third colon-separated field (the uid) rather than on the bare number avoids false hits on group IDs or on longer uids such as 100001:

    awk -F: '$3 == 10000' /etc/passwd
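The following script is an added example and not part of the original article: it tallies the sending uid from log lines in both formats shown above (Postfix "uid=N" and qmail "invoked by uid N") and resolves each uid against a passwd-style file by its third field. The log lines, hostnames, addresses and passwd entries are constructed for the demonstration; on a real server you would feed it /usr/local/psa/var/log/maillog and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original article): which uid is injecting mail?
# All sample data below is constructed; replace with the real maillog and /etc/passwd.
set -eu

# Constructed log lines: Postfix pickup records and qmail Received headers,
# plus one unrelated line that must be ignored.
SAMPLE_LOG='Jul 17 16:56:42 mnnj-2hfr postfix/pickup[828]: 8AE3E25E3E: uid=10000 from=serveradmin@yourdomain.com
Jul 17 16:56:43 mnnj-2hfr postfix/pickup[828]: 8AE3E25E3F: uid=48 from=apache@yourdomain.com
Jul 17 16:56:44 mnnj-2hfr postfix/pickup[828]: 8AE3E25E40: uid=48 from=apache@yourdomain.com
Received: (qmail 19514 invoked by uid 10000); 13 Sep 2015 17:48:22 +0700
Received: (qmail 19515 invoked by uid 48); 13 Sep 2015 17:48:23 +0700
Jul 17 16:56:45 mnnj-2hfr postfix/smtpd[900]: connect from unknown[192.0.2.10]'

# Constructed passwd-style content in the same layout as /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
example:x:10000:503::/var/www/vhosts/example.com:/bin/false
other:x:10001:503::/var/www/vhosts/other.com:/bin/false'

# uid_counts: read log lines on stdin, print "<count> <uid>" most frequent first.
# Extracts the number after "uid=" (Postfix) or after "invoked by uid " (qmail).
uid_counts() {
  awk '
    match($0, /uid=[0-9]+/)            { print substr($0, RSTART + 4, RLENGTH - 4); next }
    match($0, /invoked by uid [0-9]+/) { print substr($0, RSTART + 15, RLENGTH - 15) }
  ' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# resolve_uid UID PASSWD_FILE: print "<name> <home>" for the account whose third
# field equals UID. A plain grep on the digits would also hit gids and other uids.
resolve_uid() {
  awk -F: -v uid="$1" '$3 == uid { print $1, $6 }' "$2"
}

# report PASSWD_FILE: read the log on stdin and print one line per sending uid.
report() {
  passwd="$1"
  uid_counts | while read -r count uid; do
    name=$(resolve_uid "$uid" "$passwd" | awk '{ print $1 }')
    printf '%s messages from uid %s (%s)\n' "$count" "$uid" "${name:-unknown}"
  done
}

# demo: run the report over the constructed data.
demo() {
  pw=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
  printf '%s\n' "$SAMPLE_LOG" | report "$pw"
  rm -f "$pw"
}
demo
```

Uid 48 (the web server) accounts for three of the five messages in the constructed sample, which is the pattern that points at a script rather than a mail user; the next section of the article is the path to follow in that case.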
    1. If the uid you've searched for corresponds to a mail service, like Postfix, Qmail, or an SMTP service, then it is being sent from an actual mail user rather than a script. You can find what user sent most of the messages with the command below. Note that 'SMTP authorization' should be enabled on the server to see these records:

      # awk '$5 == "smtp_auth:" && $7 == "user" {print $8}' /usr/local/psa/var/log/maillog | sort | uniq -c | sort -n

      With this information, you should be able to make an educated decision about what user is compromised, if any. Make sure this user's password is reset and that they are using a strong password.

    2. If the uid you've searched for corresponds to the Apache service (usually uid 48) or a Plesk user (looks like 'example:x:10001:503::/var/www/vhosts/example.com:/bin/false'), then the messages are most likely being sent from a PHP script. You will need to determine which script is doing this. Keep in mind, there may be spam coming from multiple scripts.

      1. To start, list the full contents of the mail queue. On Postfix:

        postqueue -p

        On qmail:

        qmHandle -l

      2. From the queue, select a message you believe to be spam and note its message ID, which is the first item on each line (e.g. "376892D664" on Postfix or "10644640" on qmail). View the message's headers by running the following command, replacing the example message ID with the one you selected from your queue. On Postfix:

        postcat -q 376892D664

        On qmail:

        qmHandle -m10644640
      3. In the resulting message headers (at the top of the message), look for a line beginning with "X-PHP-Originating-Script". PHP adds this header only when mail.add_x_header is enabled in php.ini; the number before the colon is the uid the script ran as. Example:

        X-PHP-Originating-Script: 48:menu21.php
      4. In the above example, we can see that the message is coming from a file called "menu21.php". To determine the location of this file, you can use the 'find' command. Example:

        find / -type f -name menu21.php

        This command will give us the location of this script within the file system. From here, you can delete the script, quarantine it, or clean it, based on the contents and if you determine the message to be legitimate or spam. Use your own judgement in this regard.

If you determine that the source of the spam is a compromised file, please see the next section for additional information.
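The following script is an added example and not part of the original article: it automates steps 1 to 4 above by pulling every X-PHP-Originating-Script header out of a queue dump, tallying them per script and uid, and then locating each script name under a web root with the same find search the article uses. The header text and the directory tree are constructed for the demonstration; on a real server the input would be the output of postcat -q or qmHandle -m for the messages you selected, and the root would be /var/www/vhosts.

```shell
#!/bin/sh
# Added example (not from the original article): from queued headers to the
# script on disk. Headers and directory layout below are constructed.
set -eu

# Constructed header sections of three queued messages (bodies omitted),
# in the shape postcat -q / qmHandle -m print them.
SAMPLE_HEADERS='Received: by mnnj-2hfr (Postfix, from userid 48)
To: victim1@example.net
Subject: Hello
X-PHP-Originating-Script: 48:menu21.php
From: info@example.com

Received: by mnnj-2hfr (Postfix, from userid 48)
To: victim2@example.net
X-PHP-Originating-Script: 48:menu21.php
From: info@example.com

Received: by mnnj-2hfr (Postfix, from userid 10001)
To: customer@example.org
X-PHP-Originating-Script: 10001:contact-form.php
From: shop@other.com'

# originating_scripts: read header text on stdin; print "<count> <uid> <script>"
# for each distinct script, most frequent first. The header value is "uid:script".
originating_scripts() {
  awk '
    tolower($1) == "x-php-originating-script:" {
      split($2, parts, ":")
      print parts[1], parts[2]
    }
  ' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# locate_script ROOT NAME: print every regular file called NAME below ROOT,
# the article's "find / -type f -name NAME" restricted to one directory.
locate_script() {
  find "$1" -type f -name "$2"
}

# demo: build a throwaway vhosts-like tree, then run the tally and the search.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/example.com/httpdocs/images" "$root/other.com/httpdocs"
  : > "$root/example.com/httpdocs/images/menu21.php"
  : > "$root/other.com/httpdocs/contact-form.php"
  printf '%s\n' "$SAMPLE_HEADERS" | originating_scripts | while read -r count uid script; do
    echo "$count message(s) from uid $uid via $script:"
    locate_script "$root" "$script" | sed 's/^/  /'
  done
  rm -rf "$root"
}
demo
```

Two distinct scripts show up in the constructed sample, which illustrates the article's warning that spam may be coming from more than one file; each located path is then a candidate for the quarantine-or-clean decision in step 4, and a script that turns up in more than one vhost is worth a closer look.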

If you determine that your server is compromised

If, by following the above steps, you determine that the spam is coming from a compromised or malicious script or file, please be aware of the following:

    1. This script did not get there by itself. If your server contains compromised files, then there is a vulnerability you will need to address. For more information on this, please see the following resource:
    2. Hackers never compromise a single file or upload only one malicious script. You can use the following command to watch for additional running PHP scripts that may be suspicious. It lists files under vhosts held open by any httpd process, refreshing every second (+r 1); press Ctrl-C to stop:
      # lsof +r 1 -p "$(pgrep -d, httpd)" | grep vhosts | grep php

CloudTech Can Help!

Additional assistance is available via CloudTech, our premium support service:

  • The CloudTech Security Pack is a service for those needing consistent monitoring to help prevent and protect your site from compromise.
  • The one-time malware cleanup service can assist you in cleaning and delisting an already-infected website.