Sourcing spam on your (dv) Dedicated-Virtual Server

  • Applies to: All (dv), including (dv) 4.0 and (dv) 3.5

  • Difficulty: Medium

  • Time needed: 30 minutes

  • Tools needed: SSH, root, vi knowledge

Introduction

This article has been mirrored from the Parallels Knowledge Base as a courtesy to our (dv) Dedicated-Virtual Server customers. As they are the authoritative source of the information covered in this topic we encourage you to check their original article since this content is subject to change.

(mt) Media Temple makes a best effort to ensure the accuracy of all content contained herein. Please use our feedback form below if you would like to report any inaccuracies. Please note that our feedback form is not an official support channel.

The publishing of this information does not imply support of this article. This article is provided solely as a courtesy to our customers. Please consult our (dv) Scope of Support for further information.

Instructions

  1. First of all, make sure that all domains have Mail to nonexistent user set to Reject. Rejecting such mail during the SMTP session, instead of forwarding it to a catch-all mailbox or accepting it and bouncing it later, keeps the server from generating bounce messages (backscatter) for spam addressed to made-up local users, which is one common way a queue fills up.
    1. Log into the Plesk Control Panel for your domain. See Figure 1:

      Figure 1: The Plesk Control Panel.

      TIP:

      If you log into Plesk with the admin user, you will be in the Server Administration Panel by default. To get to the Control Panel, click on Domains, then on the Control Panel link next to your domain.

      You can also create a user that will log into the Control Panel by default, which will save you a few clicks on day-to-day webmaster tasks. See (dv)_4.0:Control Panel user.

    2. Click on the Mail tab at the top. See Figure 2:

      Figure 2: Click on Mail.

    3. Next, click on Change Settings, see Figure 3.


      Figure 3.

    4. Select Reject and click the OK button, see Figure 4.


      Figure 4.

    This can be changed for all domains at once using "Group Operations" on the "Domains" page in the Plesk control panel. The 'Reject mail to nonexistent user' option has been available since Plesk 7.5.3.

  2. Also make sure that there are no untrusted IPs or networks in the mail server's white list. Hosts on the white list may relay through the server without authenticating, so a stray entry (for example a whole /24 added to work around a customer's mail client) gives that network an open relay.
  3. You can look at your maillog to see all mail activity within a given hour of a specified date. This example shows the 11 AM hour of Jan 15th (the maillog* glob also picks up rotated copies; rotations that have been compressed must be fed through zcat first):
    
    # awk '/^Jan 15 11:/' /usr/local/psa/var/log/maillog*
    
    • Check how many messages there are in the qmail queue with:
      
      # /var/qmail/bin/qmail-qstat
      messages in queue: 27645
      messages in queue but not yet preprocessed: 82

      If the queue has too many messages, try to find where the SPAM is coming from.


      If the mail is being sent by an authenticated SMTP user rather than by a PHP script, you can find which user sent the most messages with one of the commands below. 'SMTP authorization' (SMTP AUTH) must be enabled on the server for these records to exist. The two variants differ only in the field position of the user name: look at one smtp_auth: line in your maillog first and use the variant whose field numbers match it.

      # awk '$5 == "smtp_auth:" && $7 == "user" {print $8}' /usr/local/psa/var/log/maillog | sort | uniq -c | sort -n

      # awk '$5 == "smtp_auth:" && $8 == "user" {print $9}' /usr/local/psa/var/log/maillog | sort | uniq -c | sort -n

      One account with a login count far above the rest, especially when its logins come from many different IP addresses, usually means that mailbox's password has been stolen. Change the password before cleaning the queue, or the queue will simply fill up again.
      
      The next step is the 'qmail-qread' utility, which lists the sender and recipients of every queued message:

      # /var/qmail/bin/qmail-qread
      18 Jul 2005 15:03:07 GMT  #2996948  9073  <user@domain.com>  bouncing
        done  remote  user1@domain1.com
        done  remote  user2@domain2.com
        done  remote  user3@domain3.com
      .... 
      If a message has an unusually large number of recipients, it is most likely SPAM. Now find that message in the queue using its ID #2996948:

      # find /var/qmail/queue/mess/ -name 2996948

      Open the file and look at the Received: lines at the top of the headers. Each hop prepends its own Received: line, so the topmost one was added last, by this server's qmail when it queued the message, and it tells you how the message entered the server. Received: lines further down were supplied by the sender and may be forged.

      
      Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
      
      "invoked by uid" means that a local process running as that UID handed the message to qmail-queue (through the sendmail wrapper, typically from a CGI/PHP script or a cron job). Using this UID you can find the corresponding system user and, from its home directory, the domain:

      # getent passwd 10003
      If the 'Received' line contains the UID of the 'apache' user, for example "invoked by uid 48", the SPAM was sent via a PHP script running under the web server itself. In this case you can try to identify the spamming site from the contents of the spam messages themselves (From/To addresses, subject, links), but it is usually very hard to find the source this way.

      If you are sure that some script is sending SPAM right now (the queue grows very fast), you can use this one-liner to watch which PHP scripts under /var/www/vhosts the web server processes have open, refreshed every second (lsof +r 1 repeats the listing; -p takes the comma-separated list of httpd PIDs that the awk expression builds):

      # lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` | grep vhosts | grep php

      Where pgrep is available, `pgrep -d, httpd` produces the same PID list.

      Also you may want to read article 1711, which describes how to find out which domain is generating mail sent via PHP scripts.

      Received lines like the following mean that the message was accepted for delivery via SMTP: the first is added by qmail-queue, the second by qmail-smtpd, and it records the connecting host's IP address. For an outgoing message this normally means an authenticated mail user or a white-listed host submitted it; match the IP address and timestamp against the smtp_auth: entries in the maillog to identify the account:

      Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
      
      Received: from external_domain.com (192.168.0.1)
      
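The triage the steps above describe, carried through on constructed data as an added example that is not from the original article or from Parallels: it counts smtp_auth: logins and distinct source IPs per account (locating the "user" token instead of relying on a fixed column, so both field layouts of the awk commands above are handled), and it classifies a queued message by its topmost qmail Received: line, mapping a local UID back to an account. The log lines, the queued message, the passwd entries, host names, addresses and accounts are all invented; the line layouts are assumed to follow the article's samples, and on a real server you would feed it the maillog and queue files at the paths given above.

```shell
#!/bin/sh
# Added example, not part of the original article. Offline triage of the two
# artifacts the procedure tells you to read, on constructed sample data:
#   1. smtp_auth: maillog lines -> logins and distinct source IPs per account
#   2. the qmail Received: line of a queued message -> how it entered the
#      server (local uid or network), plus a uid -> account lookup
# File contents, host names, addresses and accounts below are made up.

# Constructed maillog excerpt. The first two lines use the single
# "smtp_auth:" layout, the rest the doubled "smtp_auth: smtp_auth:" layout.
SAMPLE_MAILLOG='Jan 15 11:02:03 dv smtp_auth: SMTP user alice@example.com : logged in from unknown@unknown [198.51.100.7]
Jan 15 11:02:09 dv smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [203.0.113.5]
Jan 15 11:03:11 dv smtp_auth: smtp_auth: SMTP connect from unknown@unknown [203.0.113.9]
Jan 15 11:03:12 dv smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [203.0.113.9]
Jan 15 11:03:40 dv smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [192.0.2.44]
Jan 15 11:04:02 dv smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from unknown@unknown [192.0.2.44]
Jan 15 11:05:00 dv qmail: 1105787100.123456 new msg 2996948'

# Constructed queued message as found under /var/qmail/queue/mess/. The top
# Received: line is the one qmail-queue added; the second is sender-supplied.
SAMPLE_MESS='Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
Received: from mail.forged.example (10.9.8.7); 13 Sep 2005 17:48:00 +0700
From: promo@forged.example
To: victim@example.net
Subject: constructed sample

body'

# Constructed /etc/passwd excerpt (on a real server: getent passwd <uid>).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
shopuser:x:10003:2524::/var/www/vhosts/shop.example.com:/bin/false'

# Reads maillog lines on stdin; prints "<logins> <distinct IPs> <account>",
# busiest account first. Many logins from many IPs points at a stolen password.
smtp_auth_logins() {
  awk '
  /smtp_auth:/ {
    u = ""
    for (i = 1; i < NF; i++) if ($i == "user") { u = $(i + 1); break }
    if (u == "") next                      # e.g. "SMTP connect" lines
    ip = $NF; sub(/^\[/, "", ip); sub(/\]$/, "", ip)
    logins[u]++
    if (!((u, ip) in seen)) { seen[u, ip] = 1; ips[u]++ }
  }
  END { for (u in logins) printf "%d %d %s\n", logins[u], ips[u], u }
  ' | sort -rn
}

# Reads a queued message on stdin; prints "local uid <n>", "network" or
# "unknown", judged from the topmost qmail Received: header only (later
# Received: lines belong to the sender and may be forged).
qmail_origin() {
  awk '
  /^$/ { exit }                            # end of headers
  /^Received: \(qmail / {
    found = 1
    if (match($0, /invoked by uid [0-9]+/))
      print "local uid " substr($0, RSTART + 15, RLENGTH - 15)
    else if ($0 ~ /invoked from network/)
      print "network"
    else
      print "unknown"
    exit
  }
  END { if (!found) print "unknown" }'
}

# $1 = result of qmail_origin, passwd-format data on stdin; prints the lead
# the article associates with that origin.
describe_origin() {
  case "$1" in
    "local uid "*)
      uid=${1#local uid }
      acct=$(awk -F: -v uid="$uid" '$3 == uid { print $1; exit }')
      if [ "$acct" = "apache" ]; then
        echo "web script running as $acct (uid $uid): check vhost PHP scripts"
      else
        echo "local script or sendmail call by ${acct:-unknown account} (uid $uid)"
      fi ;;
    network)
      echo "accepted via SMTP: match IP and time against smtp_auth lines" ;;
    *)
      echo "no qmail Received line found" ;;
  esac
}

# Stand-alone demo on the constructed data.
printf '%s\n' "$SAMPLE_MAILLOG" | smtp_auth_logins
origin=$(printf '%s\n' "$SAMPLE_MESS" | qmail_origin)
printf '%s\n' "$SAMPLE_PASSWD" | describe_origin "$origin"
```

On a live (dv) the same functions take `/usr/local/psa/var/log/maillog` and the file `find /var/qmail/queue/mess/ -name <id>` locates; the output of `smtp_auth_logins` is what to look at first, because an account with far more logins and source IPs than the rest is the usual culprit when the queue is full of authenticated submissions.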
