Knowledge Base

How to identify spam source on Plesk for Linux Server

 

Question

Many email messages are being sent from PHP scripts on a server. How can you find the domains on which these scripts are running if Postfix is used?

Answer

Warning: If you do not have SSH access, contact your service provider or server administrator.

Note: This article is applicable to the Postfix mail server only.

There is a way to determine from which directory the PHP script sending mail is run.

Note: Depending on the operating system and Plesk version, paths can differ slightly. For example, on Debian and Ubuntu use /usr/sbin/sendmail instead of /usr/sbin/sendmail.postfix in the commands below.

RHEL/CentOS

  1. Connect to the server via SSH.

  2. Create a /usr/sbin/sendmail.postfix-wrapper script with the following content:

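    #!/bin/sh
    # Prepend the caller's working directory as a header, log the message, then pass it to the real sendmail binary.
    (echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"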

  3. Create the /var/tmp/mail.send log file and set a+rw permissions on it. Make the wrapper executable, rename the original sendmail.postfix file, and link the new wrapper in its place:

    # touch /var/tmp/mail.send
    # chmod a+rw /var/tmp/mail.send
    # chmod a+x /usr/sbin/sendmail.postfix-wrapper
    # mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    # ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

  4. Wait a while to collect data: 30-60 minutes.

  5. Restore the original binary: move the wrapper symlink out of the way, then rename sendmail.postfix-bin back to /usr/sbin/sendmail.postfix:

    # mv /usr/sbin/sendmail.postfix /root/backup__sendmail.postfix
    # mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

    Note: The /var/tmp/mail.send file is not rotated automatically, and leaving it in place for a long time is not recommended because it can consume server disk space. It also holds the full text of every message sent while the wrapper was active and, with a+rw permissions, is readable by every local user. Delete the file and create a new /var/tmp/mail.send after every check.

  6. Check the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header" pointing to the domain folders where the scripts that sent the mail are located.

    The directories from which PHP mail scripts are run can be listed with the following command:

    # grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

    Note: If no output is shown from the command above, it means no mail was sent using the PHP mail function from the Plesk virtual host's directory.

    Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

    # zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
    /var/log/maillog:221000
    /var/log/maillog.processed:362327
    /var/log/maillog.processed.1.gz:308956

    If an unusually high number of login attempts is shown, it is very likely that accounts were compromised. Try to identify these accounts as follows:

    # zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
    891574 [email protected]

  7. To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

    Also, check the Administrator's Guide.
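
The two checks from step 6 as one script (an added example, not part of the original Plesk article): `mail_by_domain` tallies the X-Additional-Header lines per domain folder, and `sasl_logins_by_user` counts logins by matching `sasl_username=` by name rather than by field position. The function names are hypothetical, /var/www/vhosts is an assumed value of HTTPD_VHOSTS_D, and the sample lines in `demo` are constructed.

```shell
#!/bin/sh
# Added example: summarise the wrapper log and Postfix SASL logins (step 6).

# Messages per domain folder, from X-Additional-Header lines in the wrapper log.
# $1 = wrapper log, $2 = vhosts root (assumed /var/www/vhosts in the demo).
mail_by_domain() {
    # -a: treat the log as text even if a message carried binary data.
    grep -a '^X-Additional-Header: ' "$1" |
        sed -e 's/^X-Additional-Header: //' |
        awk -v root="${2%/}/" '
            index($0, root) == 1 {
                split(substr($0, length(root) + 1), parts, "/")
                if (parts[1] != "") count[parts[1]]++
            }
            END { for (d in count) print count[d], d }' |
        sort -k1,1nr -k2,2
}

# Authenticated SMTP logins per account. Matches sasl_username= by key name,
# so the result does not depend on how many fields precede it in the line.
# Reads log lines on stdin.
sasl_logins_by_user() {
    sed -n 's/.*sasl_username=\([^, ]*\).*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Constructed sample data (not real logs); run the script with --demo.
demo() {
    log=$(mktemp)
    printf '%s\n' \
        'X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content' \
        'Subject: constructed sample' '' 'body' \
        'X-Additional-Header: /var/www/vhosts/example.com/httpdocs' \
        'X-Additional-Header: /var/www/vhosts/example.org/httpdocs' > "$log"
    mail_by_domain "$log" /var/www/vhosts
    rm -f "$log"
    printf '%s\n' \
        'Jan  5 10:00:01 host postfix/smtpd[1111]: 4A1B2C: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=info@example.com' \
        'Jan 15 10:00:02 host postfix/smtpd[1112]: 4A1B2D: client=unknown[192.0.2.11], sasl_method=LOGIN, sasl_username=info@example.com' |
        sasl_logins_by_user
}

# On the server: mail_by_domain /var/tmp/mail.send /var/www/vhosts
#                zgrep -h sasl_username /var/log/maillog* | sasl_logins_by_user
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A domain that dominates the first list points at the site whose scripts to inspect; an account that dominates the second is the one whose password to change first.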

Debian/Ubuntu

  1. Connect to the server via SSH.

  2. Create a /usr/sbin/sendmail-wrapper script with…
