{"id":109,"date":"2010-03-20T04:03:27","date_gmt":"2010-03-20T04:03:27","guid":{"rendered":"http:\/\/xbmc\/wordpress\/?p=109"},"modified":"2011-08-14T11:45:03","modified_gmt":"2011-08-14T16:45:03","slug":"the-server-is-saturated-with-spam-there-are-many-messages-in-the-queue-the-mail-is-sent-slowly","status":"publish","type":"post","link":"https:\/\/xfloyd.net\/blog\/?p=109","title":{"rendered":"The server is saturated with SPAM. There are many messages in the queue. The mail is sent slowly."},"content":{"rendered":"<div>\n<div>\n<div>\n<div>\n<div><strong>APPLIES TO:<\/strong><\/div>\n<div>\n<ul>\n<li>Plesk 7.5.x Reloaded<\/li>\n<li>Plesk 9.x for Linux\/Unix<\/li>\n<li>Plesk 8.x for Linux\/Unix<\/li>\n<\/ul>\n<\/div>\n<div id=\"article-content\">\n<h2>Resolution<\/h2>\n<p>First check that all domains have the option &#8216;Mail to non-existing user&#8217; set to &#8216;reject&#8217; rather than &#8216;forward&#8217;: with &#8216;forward&#8217;, every message addressed to a guessed or harvested non-existent address is accepted and re-sent, which is a common way for the queue to fill up. You can apply this setting to all domains at once using &#8220;Group Operations&#8221; in the &#8220;Domains&#8221; tab in Parallels Plesk Control Panel. The option &#8220;Reject mail to nonexistent user&#8221; is available since Parallels Plesk Panel 7.5.3.\u00a0<!--more--><\/p>\n<p>Also check that every IP address and network on the white lists is one you recognise and trust, since white-listed networks are allowed to relay mail through the server.<\/p>\n<p>Check how many messages are in the queue with Qmail:<\/p>\n<div><code># \/var\/qmail\/bin\/qmail-qstat<br \/>\nmessages in queue: 27645<br \/>\nmessages in queue but not yet preprocessed: 82<\/code><\/div>\n<p>If the queue is unusually large, find the source of the spam.<\/p>\n<p>If the mail is being sent by an authenticated SMTP user rather than by a PHP script, the command below lists users by the number of messages they have sent (available since Plesk 8.x). 
Note that &#8216;SMTP authorization&#8217; must be enabled on the server for these records to appear:<\/p>\n<p><code># grep -i smtp_auth \/usr\/local\/psa\/var\/log\/maillog | grep -i user | awk '{print $11}' | sort | uniq -c | sort -n<\/code><\/p>\n<p>The path to &#8216;maillog&#8217; may differ depending on the OS you are using, and the field printed by awk depends on the exact log format; look at one matching line first.<\/p>\n<p>The next step is &#8220;qmail-qread&#8221;, which lists each queued message with its sender and recipients:<\/p>\n<div><code># \/var\/qmail\/bin\/qmail-qread<br \/>\n18 Jul 2005 15:03:07 GMT #2996948 9073 &lt;user@domain.com&gt; bouncing<br \/>\ndone remote user1@domain1.com<br \/>\ndone remote user2@domain2.com<br \/>\ndone remote user3@domain3.com<br \/>\n....<\/code><\/div>\n<p>A message with an unusually large number of recipients is probably spam. Now find this message in the queue by its ID (#2996948 in our example):<\/p>\n<div><code># find \/var\/qmail\/queue\/mess\/ -name 2996948<\/code><\/div>\n<p>Examine the message and look at its &#8220;Received&#8221; lines to find where it was first injected. For example, if you find:<\/p>\n<div><code>Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700<\/code><\/div>\n<p>it means that the message was injected locally, via a CGI script, by a process running as UID 10003. Use this UID to find the account and its domain; match the uid field rather than grepping for the bare number, which could also match a gid or another field:<\/p>\n<div><code># awk -F: '$3 == 10003' \/etc\/passwd<\/code><\/div>\n<p>If the &#8216;Received&#8217; line contains the UID of the &#8216;apache&#8217; user (for example invoked by uid 48), the spam was sent through a PHP script running under the web server. In this case, try to identify the script from the spam message itself (From\/To addresses, subject, or other details). Discovering the source this way is usually difficult. 
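<\/p>
<p>The triage steps above (count recipients per queued message, classify the first qmail &#8220;Received&#8221; line, map a uid to an account, count smtp_auth users) are easy to script. The following Python 3 program is an added example written for this page, not part of the Plesk KB article. The qmail-qread output, passwd entries, maillog lines and message headers it works on are constructed to match the fragments quoted above; the exact smtp_auth log layout and the uid 10003 account are assumptions to be checked against your own server.<\/p>
```python
import re
from collections import Counter

# Constructed qmail-qread output in the layout shown above (one header line per
# message, then one indented line per recipient). Not captured from a real server.
QREAD_SAMPLE = '''18 Jul 2005 15:03:07 GMT  #2996948  9073  <user@domain.com>  bouncing
    done    remote  user1@domain1.com
    done    remote  user2@domain2.com
    remote  user3@domain3.com
13 Sep 2005 17:48:22 GMT  #2996951  1201  <alice@example.net>
    done    remote  bob@example.org
'''

# Constructed /etc/passwd excerpt; uid 10003 is a hypothetical vhost owner.
PASSWD_SAMPLE = '''root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
example:x:10003:2524::/var/www/vhosts/example.com:/bin/false
'''

# Constructed maillog lines. The 'smtp_auth: SMTP user ...' layout is an
# assumption about the Plesk format; compare with a real line before relying on it.
MAILLOG_SAMPLE = '''Mar 20 04:03:27 host smtp_auth: SMTP user bob@example.org : /var/qmail/mailnames/example.org/bob
Mar 20 04:03:29 host smtp_auth: SMTP user bob@example.org : /var/qmail/mailnames/example.org/bob
Mar 20 04:03:31 host smtp_auth: SMTP user carol@example.net : /var/qmail/mailnames/example.net/carol
'''

# Constructed header fragments shaped like the Received: lines quoted in the article.
LOCAL_MSG = '''Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
From: user@domain.com
Subject: hello
'''
NETWORK_MSG = '''Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)
  by mail.example.com with SMTP; 13 Sep 2005 17:52:36 +0700
From: alice@example.net
'''


def parse_qread(text):
    '''Return [{'id', 'sender', 'recipients'}, ...] from qmail-qread output.'''
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and messages:      # recipient line: [done] remote|local addr
            messages[-1]['recipients'].append(line.split()[-1])
            continue
        fields = line.split()
        msg_id = next(f[1:] for f in fields if f.startswith('#'))
        sender = next(f.strip('<>') for f in fields if f.startswith('<'))
        messages.append({'id': msg_id, 'sender': sender, 'recipients': []})
    return messages


def bulk_senders(messages, threshold):
    '''Queue ids with at least `threshold` recipients, largest first.'''
    hits = [m for m in messages if len(m['recipients']) >= threshold]
    hits.sort(key=lambda m: len(m['recipients']), reverse=True)
    return [m['id'] for m in hits]


def message_origin(raw_message):
    '''Classify the qmail-queue Received: line of a message taken from the queue.

    ('local', uid)    qmail-queue was invoked by a local process (CGI/PHP/sendmail)
    ('network', ip)   it arrived over SMTP; ip is taken from the next Received: line
    ('unknown', None) no qmail Received: line found
    '''
    received = [l for l in raw_message.splitlines() if l.startswith('Received:')]
    for pos, line in enumerate(received):
        by_uid = re.search(r'invoked by uid ([0-9]+)', line)
        if by_uid:
            return ('local', int(by_uid.group(1)))
        if 'invoked from network' in line:
            for later in received[pos + 1:]:
                ip = re.search(r'[(]([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)[)]', later)
                if ip:
                    return ('network', ip.group(1))
            return ('network', None)
    return ('unknown', None)


def resolve_uid(uid, passwd_text):
    '''Map a numeric uid to its account name by the uid field (field 3), not a substring match.'''
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) > 2 and fields[2] == str(uid):
            return fields[0]
    return None


def top_auth_users(maillog_text):
    '''Messages per authenticated SMTP user, from smtp_auth records.'''
    return Counter(re.findall(r'smtp_auth.*SMTP user ([^ ]+)', maillog_text))


if __name__ == '__main__':
    queue = parse_qread(QREAD_SAMPLE)
    print('bulk messages:', bulk_senders(queue, 3))
    kind, who = message_origin(LOCAL_MSG)
    print('origin:', kind, who, resolve_uid(who, PASSWD_SAMPLE))
    print('origin:', message_origin(NETWORK_MSG))
    print('top smtp_auth users:', top_auth_users(MAILLOG_SAMPLE).most_common(3))
```
<p>On a server, replace the samples with real <code>qmail-qread<\/code> output, <code>\/etc\/passwd<\/code> and the maillog, and pass the file found under <code>\/var\/qmail\/queue\/mess\/<\/code> to message_origin; a &#8216;local&#8217; result with uid 48 is the PHP case discussed above, a &#8216;network&#8217; result points at an authenticated client whose account the smtp_auth count will usually reveal.<\/p>
<p>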
If you are sure that a script is sending spam right now (the queue grows rapidly for no apparent reason), the following command shows which PHP files under the vhosts directory the running httpd processes have open, refreshing every second:<\/p>\n<div><code># lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str\",\"$1}}END{print str}'` | grep vhosts | grep php<\/code><\/div>\n<p>You can also apply the KB article which describes the <a href=\"http:\/\/kb.parallels.com\/en\/1711\">procedure for discovering which domains are sending mail through PHP scripts<\/a>.<\/p>\n<p>Lines in the Received section like<\/p>\n<div><code>Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700<br \/>\nReceived: from external_domain.com (192.168.0.1)<\/code><\/div>\n<p>mean that the message was accepted over SMTP from the network (here from 192.168.0.1) rather than injected by a local script, and that the sender is an authenticated mail user; the smtp_auth records in the maillog, queried above, show which one.<\/p>\n<h3>Many email messages are sent from PHP scripts on the server. How can I find what domains these scripts are running on?<\/h3>\n<div>\n<div>\n<div>\n<div>\n<div>Article ID: 1711<\/div>\n<div>Last Review: Nov,25 2009<\/div>\n<p><strong>APPLIES TO:<\/strong><\/p>\n<div>\n<ul>\n<li>Plesk 9.x for Linux\/Unix<\/li>\n<li>Plesk 8.x for Linux\/Unix<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"article-content\">\n<h2>Resolution<\/h2>\n<p>There is a way to find the folder from which the PHP script that sends mail was run. 
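<\/p>
<p>The steps that follow use a two-line sh wrapper which prepends an X-Additional-Header line to every message and tees the whole message into a world-writable file. As an added example written for this page (not the KB article's script), here is a Python 3 variant of the same wrapper that records only the working directory, the calling uid and the sendmail arguments, hands the message on unchanged so nothing extra reaches the recipients, and includes the summary step that the grep over HTTPD_VHOSTS_D performs below. The paths, the log line format and the sample log excerpt are assumptions; the constructed log is not from a real host.<\/p>
```python
#!/usr/bin/env python3
import os
import subprocess
import sys
from collections import Counter

# Assumed paths, matching the steps in this article; adjust to your layout.
REAL_SENDMAIL = '/var/qmail/bin/sendmail-qmail'   # the renamed original binary
LOG_FILE = '/var/tmp/mail.send'
VHOSTS_DIR = '/var/www/vhosts'                    # HTTPD_VHOSTS_D in /etc/psa/psa.conf


def log_record(cwd, uid, argv):
    '''One log line per mail() call: working directory, caller uid, sendmail args.'''
    return 'cwd=' + cwd + ' uid=' + str(uid) + ' argv=' + ' '.join(argv)


def vhost_of(path, vhosts_dir=VHOSTS_DIR):
    '''First path component below the vhosts directory (the domain), else None.'''
    prefix = vhosts_dir.rstrip('/') + '/'
    if not path.startswith(prefix):
        return None
    return path[len(prefix):].split('/', 1)[0] or None


def summarize(log_text, vhosts_dir=VHOSTS_DIR):
    '''Count logged mail() calls per domain directory; this answers the same
    question as the grep over the X-Additional-Header lines.'''
    counts = Counter()
    for line in log_text.splitlines():
        for field in line.split():           # vhost paths contain no spaces
            if field.startswith('cwd='):
                domain = vhost_of(field[4:], vhosts_dir)
                if domain:
                    counts[domain] += 1
    return counts


def main(argv=None):
    '''Wrapper entry point: log, then pass the unchanged message to sendmail-qmail.'''
    argv = sys.argv[1:] if argv is None else argv
    message = sys.stdin.buffer.read()
    try:
        with open(LOG_FILE, 'a') as fh:
            print(log_record(os.getcwd(), os.getuid(), argv), file=fh)
    except OSError:
        pass                                 # never lose mail because logging failed
    return subprocess.run([REAL_SENDMAIL] + argv, input=message).returncode


# Constructed log excerpt in the format log_record() writes; not from a real host.
LOG_SAMPLE = '''cwd=/var/www/vhosts/example.com/httpdocs uid=10003 argv=-t -i
cwd=/var/www/vhosts/example.com/httpdocs/forum uid=10003 argv=-t -i
cwd=/var/www/vhosts/other.example/httpdocs uid=10004 argv=-t
cwd=/root uid=0 argv=-t
'''

if __name__ == '__main__':
    if sys.stdin.isatty():                   # nothing piped in: show the summary step
        for domain, n in summarize(LOG_SAMPLE).most_common():
            print(n, domain)
    else:
        sys.exit(main())
```
<p>Install it exactly as the sh wrapper is installed in the steps below (make it executable and point \/var\/qmail\/bin\/sendmail at it), and run it with no input to see the per-domain summary of the log. Because it runs as the web server or vhost user, the log still has to be writable by those accounts; making it append-only (for example with <code>chattr +a<\/code> on filesystems that support it) stops an investigated account from editing or truncating earlier entries, and the uid field identifies the account even when a script changes directory outside the vhosts tree.<\/p>
<p>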
Note that the paths may differ slightly from those listed below depending on your OS and Plesk version:<\/p>\n<p><strong>1) <\/strong>create the \/var\/qmail\/bin\/sendmail-wrapper script with the content:<\/p>\n<p><code>#!\/bin\/sh<br \/>\n(echo X-Additional-Header: $PWD ;cat) | tee -a \/var\/tmp\/mail.send|\/var\/qmail\/bin\/sendmail-qmail \"$@\"<\/code><\/p>\n<p>Note that the script is exactly these two lines, including &#8216;#!\/bin\/sh&#8217;; the argument list must be passed as \"$@\" in plain double quotes.<br \/>\n<strong>2) <\/strong>then create the log file \/var\/tmp\/mail.send and grant it &#8220;a+rw&#8221; rights, make the wrapper executable, rename the old sendmail and link its name to the new wrapper:<\/p>\n<p><code>~# touch \/var\/tmp\/mail.send<br \/>\n~# chmod a+rw \/var\/tmp\/mail.send<br \/>\n~# chmod a+x \/var\/qmail\/bin\/sendmail-wrapper<br \/>\n~# mv \/var\/qmail\/bin\/sendmail \/var\/qmail\/bin\/sendmail-qmail<br \/>\n~# ln -s \/var\/qmail\/bin\/sendmail-wrapper \/var\/qmail\/bin\/sendmail<\/code><\/p>\n<p><strong>3) <\/strong>Wait for an hour or so and revert sendmail:<\/p>\n<p><code>~# rm -f \/var\/qmail\/bin\/sendmail<br \/>\n~# ln -s \/var\/qmail\/bin\/sendmail-qmail \/var\/qmail\/bin\/sendmail<\/code><\/p>\n<p>Keep the wrapper in place only as long as needed: the log file is world-writable, so any local user (including the account you are investigating) can alter or remove entries, and the &#8220;X-Additional-Header:&#8221; line with the script's working directory is delivered to the recipients along with the message.<\/p>\n<p>Examine the \/var\/tmp\/mail.send file: it should contain lines starting with &#8220;X-Additional-Header:&#8221; that point to the domains&#8217; folders where the scripts which sent the mail are located.<br \/>\nYou can list all the folders mail-sending PHP scripts were run from with the following command:<\/p>\n<p><code>~# grep X-Additional \/var\/tmp\/mail.send | grep `cat \/etc\/psa\/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's\/HTTPD_VHOSTS_D\/\/' `<\/code><\/p>\n<p>If you see no output from the command above, no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>APPLIES TO: Plesk 7.5.x Reloaded Plesk 9.x for Linux\/Unix Plesk 8.x for Linux\/Unix Resolution First check that all domains have the option 
&#8216;Mail to non-existing user&#8217; set to &#8216;reject&#8217; but not to &#8216;forward&#8217;. You can change this setting to all domains using &#8220;Group Operations&#8221; in the &#8220;Domains&#8221; tab in Parallels Plesk Control Panel. The option [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/109"}],"collection":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=109"}],"version-history":[{"count":1,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/109\/revisions"}],"predecessor-version":[{"id":406,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/109\/revisions\/406"}],"wp:attachment":[{"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}