By default, newer versions of Plesk use Postfix as the MTA. If your Plesk server is sending large amounts of spam and you cannot find the culprit, this article will help you find the domains that contain spamming scripts.
Use ‘mailmng’ utility
First, use the ‘mailmng’ utility to confirm the current MTA.
# plesk sbin mailmng-server --features | grep SMTP_Server
The result will look like the following if the server uses Postfix.
$features['SMTP_Server'] = "Postfix";
Find Directory
Now we need to find the directory from which the PHP spam script is executed. For this, we need to create a Postfix wrapper script.
Create a file named /usr/sbin/sendmail.postfix-wrapper with the following content.
#!/bin/sh
# Prepend the caller's working directory as a header, log the message, then pass it to the real sendmail binary.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"
Create An Additional Logfile
Create an additional log file /var/tmp/mail.send with a+rw permissions, make the wrapper script executable, then rename the original sendmail binary and link the wrapper in its place:
# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
The wrapper needs around 30 to 60 minutes to collect data, so wait before continuing.
Rename The Sendmail
Once enough data has been collected, move the wrapper symlink out of the way and rename sendmail.postfix-bin back to /usr/sbin/sendmail.postfix.
# mv /usr/sbin/sendmail.postfix /root/backup__sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
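Note: The file /var/tmp/mail.send is not rotated automatically, so keeping it for a long time can consume a lot of disk space. It also holds a full copy of every message sent through the wrapper and is readable by all local users, so delete it once the investigation is finished.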
Verify Log File
Check the /var/tmp/mail.send log file and find the lines starting with “X-Additional-Header”, which point to the domain directories from which the scripts are being executed.
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
This command shows the directories from which spam or bulk email is being sent. If the output is empty, no scripts using the PHP mail function were executed from the ‘vhosts’ directory. Verify the scripts under each listed directory and remove any that contain injected content. Also scan the web directory of the domain for other malware, and change the account’s password if you suspect it is compromised.
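A way to summarise the wrapper log per domain and directory, as an added example that is not part of the original article. The names `rank_spam_dirs` and `sample_log` are hypothetical, the sample log is constructed, and the default root /var/www/vhosts is an assumption to replace with the HTTPD_VHOSTS_D value from /etc/psa/psa.conf.

```shell
#!/bin/sh
# Added example: summarise the wrapper's X-Additional-Header lines per
# domain and directory. Not part of the original article.

# Constructed sample of /var/tmp/mail.send (three web mails, one cron mail).
sample_log() {
cat <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: a@example.net
Subject: constructed sample 1

body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: b@example.net
Subject: constructed sample 2

body
X-Additional-Header: /var/www/vhosts/example.org/httpdocs
To: c@example.net
Subject: constructed sample 3

body
X-Additional-Header: /root
To: root@localhost
Subject: constructed cron mail

body
EOF
}

# rank_spam_dirs LOGFILE [VHOSTS_ROOT]   ("-" reads standard input)
# Prints "count domain directory", busiest directory first.
rank_spam_dirs() {
    root=${2:-/var/www/vhosts}   # assumption: use your HTTPD_VHOSTS_D value
    awk -v root="$root" -v hdr="X-Additional-Header: " '
        index($0, hdr) == 1 {                       # header written by the wrapper
            dir = substr($0, length(hdr) + 1)
            if (index(dir, root "/") != 1) next     # sent from outside the vhosts tree
            split(substr(dir, length(root) + 2), parts, "/")
            count[parts[1] " " dir]++               # parts[1] is the domain directory
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

sample_log | rank_spam_dirs -
```

Run it against the real log as `rank_spam_dirs /var/tmp/mail.send`. A message body line that begins with the same header text is counted as well, so confirm the top entries in the log itself.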
If the above command didn’t show any directories, we can use the following command to find the email account that has an unusual number of login attempts.
# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
The result will be like:
32436 sasl_username=user@domain.tld
Change Password Of Mail
Change the password of this email account to stop spamming.
This will help to stop spamming in Postfix. Note that it is very important to stop malicious activity and spamming on servers in order to keep the IP addresses in good reputation for enhanced Plesk support.

 
									 
	 