Many email messages are being sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?
Warning: if you do not have SSH access, contact your service provider or server administrator.
Note: This article is applicable to the Postfix mail server only.
If the Qmail mail server is used, see Many email messages are sent from PHP scripts on Plesk server. How to find domains on which these scripts are running if Qmail is used?
There is a way to determine from which directory the PHP script sending mail is run.
Note: depending on the operating system and Plesk version, paths can differ slightly. For example, on Debian and Ubuntu use /usr/sbin/sendmail instead of /usr/sbin/sendmail.postfix in the commands below.
Connect to the server via SSH.
Create the /usr/sbin/sendmail.postfix-wrapper script with the following content. It records the working directory of the calling process (the directory of the PHP script) as an extra header, appends the whole message to /var/tmp/mail.send, and hands the message and the original sendmail arguments ("$@") to the real binary:
#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"
Create the /var/tmp/mail.send log file and set a+rw permissions on it. Make the wrapper executable, rename the old sendmail.postfix file, and link it to the new wrapper:
# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /usr/sbin/sendmail.postfix-wrapper
# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
Wait for a while to collect data: 30-60 min.
Then restore the original sendmail.postfix binary (the wrapper link is kept as a backup):
# mv /usr/sbin/sendmail.postfix /root/backup__sendmail.postfix
# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
Note: /var/tmp/mail.send is not rotated automatically, and it is not recommended to leave it in place for a long period, as it can consume server disk space. Delete the file and create a new one after every check.
Check the /var/tmp/mail.send file. There should be lines starting with "X-Additional-Header" pointing to the domain folders where the scripts that sent the mail are located.
The directories, from which mail PHP scripts are run, can be seen using the following command:
# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
Note: If no output is shown from the command above, it means no mail was sent using the PHP mail function from the Plesk virtual host’s directory.
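The following is an added example, not part of the Plesk article: two small shell functions that summarise the /var/tmp/mail.send file written by the wrapper above, first by Plesk domain (the first path component under the vhosts root) and then by exact script directory for one domain. The function names, the vhosts root /var/www/vhosts and the sample log content are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Plesk article). Assumes each message in the log
# is preceded by one "X-Additional-Header: <cwd>" line written by the wrapper.

# Print "count domain" for every logged directory under the vhosts root ($2),
# most frequent sender first. Directories outside the vhosts root are ignored.
senders_by_domain() {
    logfile=$1
    vhosts=$2
    grep '^X-Additional-Header: ' "$logfile" \
        | sed -e 's/^X-Additional-Header: //' \
        | grep "^$vhosts/" \
        | sed -e "s#^$vhosts/##" -e 's#/.*##' \
        | sort | uniq -c | sort -nr \
        | awk '{print $1, $2}'
}

# Print "count directory" for one domain ($3), to locate the sending script.
script_dirs_for_domain() {
    logfile=$1
    vhosts=$2
    domain=$3
    grep "^X-Additional-Header: $vhosts/$domain/" "$logfile" \
        | sed -e 's/^X-Additional-Header: //' \
        | sort | uniq -c | sort -nr \
        | awk '{print $1, $2}'
}

# Constructed sample log resembling what the wrapper appends (header line,
# then the raw message). One directory outside the vhosts root is included.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: one@example.net
Subject: hello
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
To: two@example.net
Subject: hello
X-Additional-Header: /var/www/vhosts/shop.example.org/httpdocs
To: customer@example.net
Subject: order
X-Additional-Header: /root
To: admin@localhost
Subject: cron
EOF

senders_by_domain "$SAMPLE_LOG" /var/www/vhosts
script_dirs_for_domain "$SAMPLE_LOG" /var/www/vhosts example.com
```

On a real server, run it against /var/tmp/mail.send with the HTTPD_VHOSTS_D value from /etc/psa/psa.conf as the vhosts root.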
Usually, that means one of the mail accounts has been compromised. Check the login attempt count:
# zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
If an unusually high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:
# zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
891574 [email protected]
To stop spam…