The server is overloaded with SPAM. There are many messages in queue. Mail is delivered slowly.

Article ID: 766
Last Review: Jun 28, 2007
APPLIES TO:
  • Plesk for Linux/Unix

RESOLUTION

First of all, make sure that all domains have 'Mail to nonexistent user' set to 'Reject' rather than 'Bounce' (bounces to forged sender addresses generate backscatter that fills the queue). This can be changed for all domains at once using "Group Operations" on the "Domains" page in Plesk CP. The 'Reject mail to nonexistent user' feature is available since Plesk 7.5.3.

Also, make sure that there are no untrusted IPs or networks in the white list.

Check how many messages are in the Qmail queue with:

# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82


If the queue contains too many messages, try to find where the SPAM is coming from.


If the mail is being sent by an authorized user rather than from a PHP script, you can find which user sent most of the messages with the command below (since Plesk 8). Note that 'SMTP authorization' must be enabled on the server for these records to appear in the log:

# grep -i smtp_auth /usr/local/psa/var/log/maillog | grep -i user | awk '{print $11}' | sort | uniq -c | sort -n


The path to 'maillog' may differ depending on the OS you use.


The next step is the `qmail-qread` utility, which lists the sender and recipients of each queued message:

# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT #2996948 9073 <user@domain.com> bouncing
done remote user1@domain1.com
done remote user2@domain2.com
done remote user3@domain3.com
....


It shows each message's sender and recipients. If a message has a very large number of recipients, it is most likely SPAM. Now find this message in the queue by its ID #2996948:

# find /var/qmail/queue/mess/ -name 2996948


Look into the message and find the last "Received" line in the headers (the first one counting from the end), which tells where the message was initially sent from. For example, if you find something like:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

it means that this message was sent via some CGI script by the user with UID 10003. Using this UID you can find the corresponding system user and therefore the domain (match the UID field exactly, since a plain substring search for 10003 would also match other fields):

# awk -F: '$3 == 10003' /etc/passwd


If the 'Received' line contains the UID of the 'apache' user (for example "invoked by uid 48"), it means that the SPAM was sent via some PHP script. In this case you can try to find the spammer using information from the spam mails (from/to addresses, subjects or anything else), but usually it is very hard to find the SPAM source in this case. If you are sure that some script is sending SPAM at the current moment (the queue grows very fast), you can use this little script to find out which PHP scripts are running in real time:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php


You may also refer to article 1711, which describes how to find out from which domains mail is being sent via PHP scripts.

Received lines like:

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

mean that the message was accepted for delivery via SMTP and the sender is an authorized mail user.
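The two cases above (a local "invoked by uid" injection and an "invoked from network" SMTP submission) can be checked mechanically for every message file in the queue. The script below is an added example, not part of the original article: it reads the Received marker that qmail-queue prepends to a queued message, maps a UID to its system user, and reports "script", "smtp" or "unknown". The passwd file path is a parameter and the message files are constructed samples, so it runs anywhere.

```shell
# Added example (not from the original article). Classifies how a queued
# qmail message entered this server from the "Received:" marker that
# qmail-queue prepends: "invoked by uid N" means a local script or user,
# "invoked from network" means SMTP. Assumes a plain message file as found
# under /var/qmail/queue/mess/; the passwd file is passed as a parameter.

# Print the qmail-queue marker line; headers end at the first blank line.
queue_marker() {
    awk '/^$/ { exit } /^Received: \(qmail [0-9]+ invoked/ { print; exit }' "$1"
}

# Output one line: "script uid=<n> user=<name>", "smtp", or "unknown".
classify_origin() {
    marker=$(queue_marker "$1")
    passwd=${2:-/etc/passwd}
    case $marker in
        *"invoked by uid "*)
            uid=$(printf '%s\n' "$marker" | sed 's/.*invoked by uid \([0-9]*\).*/\1/')
            # Match the UID field exactly instead of any substring of the
            # passwd file (a plain "grep 10003" would also hit 100030 or a gid).
            user=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$passwd")
            printf 'script uid=%s user=%s\n' "$uid" "${user:-unknown}"
            ;;
        *"invoked from network"*) printf 'smtp\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Constructed sample data: a fake passwd file and two queue message files.
SAMPLE_DIR=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\nexample_ftp:x:10003:2524::/var/www/vhosts/example.com:/bin/false\n' \
    > "$SAMPLE_DIR/passwd"
cat > "$SAMPLE_DIR/script.msg" <<'EOF'
Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
From: user@domain.com
To: user1@domain1.com

body
EOF
cat > "$SAMPLE_DIR/smtp.msg" <<'EOF'
Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)
From: user@domain.com

body
EOF

classify_origin "$SAMPLE_DIR/script.msg" "$SAMPLE_DIR/passwd"   # script uid=10003 user=example_ftp
classify_origin "$SAMPLE_DIR/smtp.msg" "$SAMPLE_DIR/passwd"     # smtp
```

On a real server, loop over `/var/qmail/queue/mess/*/*` and pipe the output through `sort | uniq -c` to see at a glance how many queued messages came from each UID versus SMTP.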

NOTE: how to rebuild the Qmail queue is described at http://kb.swsoft.com/en/252
