Article ID: 114845, created on Sep 26, 2012, last review on May 9, 2016

Applies to:

  • Plesk Automation 11.5
  • Plesk for Linux/Unix
  • Plesk 12.5 for Windows

Question

Many email messages are being sent from PHP scripts on a server. How can the domains on which these scripts are running be found if Postfix is used?

Answer

Note: This article is for Postfix. If Qmail is used as a mail server, see article 1711: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?

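The directory from which a mail-sending PHP script is run can be determined by temporarily replacing the sendmail binary with a wrapper that records the current working directory of each call.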

Note: Depending on the operating system used and Plesk version, the paths can differ slightly from those listed below.

  1. Create a /usr/sbin/sendmail.postfix-wrapper script.

    Create the file and open it for editing:

    # touch /usr/sbin/sendmail.postfix-wrapper
    # vi /usr/sbin/sendmail.postfix-wrapper

    Add the following content:

    #!/bin/sh
    (echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"

    Note that this should be two lines, including #!/bin/sh. The wrapper prepends a header containing the current working directory to each message, appends a copy of the message to /var/tmp/mail.send, and passes it on to the original sendmail binary.

  2. Create the log file /var/tmp/mail.send and grant it a+rw rights, make the wrapper executable, rename the old sendmail, and link the original name to the new wrapper by running the commands below:

    # touch /var/tmp/mail.send
    # chmod a+rw /var/tmp/mail.send
    # chmod a+x /usr/sbin/sendmail.postfix-wrapper
    # mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    # ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
    
  3. Wait for an hour, then restore the original sendmail:

    # rm -f /usr/sbin/sendmail.postfix
    # mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
    

Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.
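On a busy server the log grows quickly, so a per-domain count is easier to act on than raw header lines. The script below is an added example, not part of the original article; the function names and the sample data are constructed, and /var/www/vhosts is an assumed virtual hosts root (take the real value from HTTPD_VHOSTS_D in /etc/psa/psa.conf).

```shell
# Added example. Usage: count_by_domain LOGFILE VHOSTS_ROOT
count_by_domain() {
    log=$1
    root=${2%/}                      # tolerate a trailing slash
    awk -v root="$root" '
        # Anchor at line start so body text quoting the header is ignored.
        /^X-Additional-Header: / {
            dir = substr($0, length("X-Additional-Header: ") + 1)
            if (index(dir, root "/") == 1) {
                # First path component under the vhosts root is the domain.
                split(substr(dir, length(root) + 2), parts, "/")
                count[parts[1]]++
            } else {
                # Mail sent from elsewhere (cron jobs, shells, other apps).
                count["(outside vhosts) " dir]++
            }
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' "$log" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the format the wrapper appends to /var/tmp/mail.send.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: a@example.net

see X-Additional-Header: /not/counted
X-Additional-Header: /var/www/vhosts/example.com/httpdocs
To: b@example.net

two
X-Additional-Header: /var/www/vhosts/example.org/httpdocs/forum
To: c@example.net

three
X-Additional-Header: /root
To: d@example.net

cron report
EOF
    echo "$f"
}

sample=$(make_sample)
count_by_domain "$sample" /var/www/vhosts   # vhosts root is an assumed value
rm -f "$sample"
```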

The directories from which PHP scripts send mail can be listed with the following command:

    # grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

Note: If the above command shows no output, no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.

Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

    # zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
    /usr/local/psa/var/log/maillog:221000
    /usr/local/psa/var/log/maillog.processed:362327
    /usr/local/psa/var/log/maillog.processed.1.gz:308956

If an unusually high number of login attempts is shown, it is very likely that accounts were compromised. Try identifying these accounts in the following way:

    # zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
    891574 sasl_username=admin@example.com

To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

For Plesk 12, also see the Administrator's Guide page.
