Spam postfix - identify sources
Antonio avatar
Written by Antonio
Updated over a year ago

The first step in protecting a server against spammers is to identify the PHP scripts that are sending the mail. The procedure below finds the directories, and therefore the domains, from which those scripts hand mail to Postfix:

Determine the folder from which the PHP script that sends the mail is executed.

Important: Depending on your operating system and the version of Parallels Plesk, the steps may differ slightly from those shown below.

Create a wrapper script /usr/sbin/sendmail.postfix-wrapper. Create the file and open it in an editor:

~# touch /usr/sbin/sendmail.postfix-wrapper
~# vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"
Note: this should be two lines, including #!/bin/sh.

The wrapper prepends a header line carrying the caller's current working directory ($PWD) to the message read on standard input, appends a copy of the whole message to /var/tmp/mail.send, and then passes the message (including the extra header) to the real Postfix sendmail binary with the original arguments ("$@", typically -t -i). PHP changes into the script's directory before running it, so $PWD is the folder holding the script that called mail().

Create the log file /var/tmp/mail.send and grant it a+rw rights (PHP runs as the web server or subscription user and must be able to append to it). Make the wrapper executable, rename the original sendmail.postfix binary, and put a symlink to the wrapper in its place. Execute these commands:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /usr/sbin/sendmail.postfix-wrapper
~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
Wait an hour (long enough for the spam script to run again), then remove the symlink and put the original binary back:

~# rm -f /usr/sbin/sendmail.postfix
~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
Examine the file /var/tmp/mail.send. You should see lines starting with X-Additional-Header that point to the directories, under the affected domains' document roots, where the scripts that sent the emails are located. Note that the file holds complete copies of every message sent through sendmail while the wrapper was active, legitimate mail included, and it is world-readable; delete it once the analysis is finished.

You can list all the folders from which PHP mail scripts were executed with the following command (the inner command substitution reads the vhosts root, HTTPD_VHOSTS_D, from /etc/psa/psa.conf):

~# grep X-Additional /var/tmp/mail.send | grep $(grep HTTPD_VHOSTS_D /etc/psa/psa.conf | sed -e 's/HTTPD_VHOSTS_D//')

IMPORTANT: If this command returns no output, no email was sent using the PHP mail() function from the virtual hosts directory of Parallels Plesk. The wrapper only sees mail handed to the sendmail binary; a script that speaks SMTP directly to Postfix, or a spammer using a stolen mailbox password, bypasses it.
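The aggregation step the article leaves to the reader, as an added example that is not part of the original article: a small POSIX shell script that summarizes a wrapper log by sending directory, busiest first, and maps the busiest directory back to its domain. The log content is constructed, and /var/www/vhosts is an assumed vhosts root; on a real Plesk host take HTTPD_VHOSTS_D from /etc/psa/psa.conf and point the functions at /var/tmp/mail.send.

```shell
#!/bin/sh
# Added example (not from the original article): summarize a wrapper log such as
# /var/tmp/mail.send by sending directory. The log below is constructed; the
# vhosts root is assumed (read HTTPD_VHOSTS_D from /etc/psa/psa.conf on Plesk).
VHOSTS_D=/var/www/vhosts

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim1@example.net
Subject: You won

spam body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: victim2@example.net
Subject: You won

spam body
X-Additional-Header: /var/www/vhosts/shop.example.org/httpdocs
To: customer@example.net
Subject: Your order

legitimate order confirmation
X-Additional-Header: /usr/local/psa/admin/htdocs
To: root@example.com
Subject: Daily report

panel notification, outside the vhosts tree
EOF

# Messages per sending directory under the vhosts root, busiest first.
# Same selection as the article's grep pipeline, aggregated with sort | uniq -c.
# The prefix test uses index() rather than a regex so dots in the root are literal.
sending_dirs() {
    grep '^X-Additional-Header: ' "$1" \
      | sed 's/^X-Additional-Header: //' \
      | awk -v root="$2/" 'index($0, root) == 1' \
      | sort | uniq -c | sort -rn
}

# The single most active directory (strip the uniq -c count, keep the path intact).
top_dir() {
    sending_dirs "$1" "$2" | head -n 1 | sed 's/^ *[0-9][0-9]* //'
}

# Domain a directory belongs to: the first path component below the vhosts root.
domain_of() {
    printf '%s\n' "$1" | sed "s#^$2/##" | cut -d/ -f1
}

sending_dirs "$SAMPLE_LOG" "$VHOSTS_D"
busiest=$(top_dir "$SAMPLE_LOG" "$VHOSTS_D")
echo "busiest directory: $busiest (domain $(domain_of "$busiest" "$VHOSTS_D"))"
```

The panel notification under /usr/local/psa is dropped by the prefix filter, exactly as the article's grep on the vhosts root drops it, so only customer code paths remain in the ranking.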

In that case the spam is probably being sent through authenticated SMTP with a stolen mailbox password rather than by a script. Check how many SASL logins Postfix has recorded:

# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956
Postfix writes a sasl_method= entry only for a successful authentication, so an unusually high count means one or more mailboxes are being used far more than their owners would. Identify the accounts with the following command (field $9 is sasl_username= in the standard syslog line format; adjust it if your syslog adds a different prefix):

~# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

891574 [email protected]
To stop the spam, change the passwords of the compromised accounts and restart the Postfix service so that sessions already authenticated with the old password are dropped. Then inspect the queue with mailq (or postqueue -p) and delete the queued spam with postsuper -d before it is delivered.
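The mailbox check above, carried further, as an added example that is not part of the original article: it counts successful SASL logins per mailbox for both the LOGIN and PLAIN mechanisms (the article's command only matches LOGIN), extracts the username by name rather than by field position, and additionally counts the distinct client IPs each mailbox authenticated from, which exposes a stolen password even when the raw login count is not yet extreme. The maillog lines are constructed in the standard Postfix syslog format; on a Plesk host point the functions at /usr/local/psa/var/log/maillog* instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the original article): rank mailboxes by successful
# SASL logins and by the number of distinct client IPs they authenticated from.
# The maillog lines below are constructed; the warning line is a failed login,
# which Postfix logs without sasl_method= and which must not be counted.
SAMPLE_MAILLOG=$(mktemp)
trap 'rm -f "$SAMPLE_MAILLOG"' EXIT
cat >"$SAMPLE_MAILLOG" <<'EOF'
Mar  3 10:01:12 plesk postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:01:13 plesk postfix/smtpd[2101]: 2A2B3C4D5F: client=unknown[203.0.113.11], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 10:01:14 plesk postfix/smtpd[2102]: 3A2B3C4D60: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:01:15 plesk postfix/smtpd[2103]: 4A2B3C4D61: client=mail.example.org[192.0.2.5], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:02:00 plesk postfix/smtpd[2103]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: authentication failure
EOF

# Successful logins per mailbox, LOGIN and PLAIN alike. Extracting the field by
# name instead of by position ($9) keeps this correct whatever the syslog prefix.
logins_per_user() {
    grep -E 'sasl_method=(LOGIN|PLAIN)' "$1" \
      | grep -oE 'sasl_username=[^ ,]+' | cut -d= -f2 \
      | sort | uniq -c | sort -rn
}

# Distinct client IPs per mailbox. One password used from many unrelated
# addresses within minutes is the usual signature of a stolen credential.
client_ips_per_user() {
    grep -E 'sasl_method=(LOGIN|PLAIN)' "$1" \
      | sed -nE 's/.*client=[^[]*\[([^]]+)].*sasl_username=([^ ,]+).*/\2 \1/p' \
      | sort -u | cut -d' ' -f1 | uniq -c | sort -rn
}

# Mailboxes whose login count exceeds a threshold; tune it to the host's normal traffic.
flag_suspicious() {
    logins_per_user "$1" | awk -v limit="$2" '$1 > limit {print $2}'
}

echo "logins per mailbox:";     logins_per_user "$SAMPLE_MAILLOG"
echo "client IPs per mailbox:"; client_ips_per_user "$SAMPLE_MAILLOG"
echo "over threshold (2):";     flag_suspicious "$SAMPLE_MAILLOG" 2
```

On the sample data bob@example.com is flagged on both measures: three logins from three different networks within three seconds, while alice@example.com logs in once from her own mail server. The threshold is deliberately a parameter; on a busy host start from the per-file totals that zgrep -c reports and look for the mailbox that dominates them.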
