Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?

Article ID: 114845, created on Sep 26, 2012, last review on Dec 18, 2015

APPLIES TO:

  • Plesk for Linux/Unix
  • Plesk Automation 11.5

Symptoms

Many email messages are being sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?

Resolution

Note: This article is for Postfix. If you are using the Qmail mail server, see article 1711: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?

There is a way to determine from which folder the PHP script that sends mail was run.

Note: Depending on your operating system and Plesk version, the paths can differ slightly from those listed below.

  1. Create the /usr/sbin/sendmail.postfix-wrapper script.

    Create a file and open it for editing:

    ~# touch /usr/sbin/sendmail.postfix-wrapper
    ~# vi /usr/sbin/sendmail.postfix-wrapper

    Add the following content:

    #!/bin/sh
    (echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail.postfix-bin "$@"

    Note that this should be two lines, including #!/bin/sh. The wrapper prepends a header containing the working directory of the calling script ($PWD) to each message, appends a copy of the message to /var/tmp/mail.send, and passes it on to the original sendmail binary.

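  2. Create a log file, /var/tmp/mail.send, and grant it a+rw rights so that scripts running under any system user can append to it. Then make the wrapper executable, rename the old sendmail, and link the wrapper in its place by running the commands below. The log receives a full copy of every message and is readable by all local users, so delete it once the analysis is finished.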
    ~# touch /var/tmp/mail.send
    ~# chmod a+rw /var/tmp/mail.send
    ~# chmod a+x /usr/sbin/sendmail.postfix-wrapper
    ~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
    ~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix
    
  3. Wait for an hour and change the sendmail back:
    ~# rm -f /usr/sbin/sendmail.postfix
    ~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix
    

Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.

You can see all the folders from which mail PHP scripts were run with the following command:

    ~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
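To rank the sending domains instead of reading raw header lines, the log can be summarized per domain. The following is an added example, not part of the original article; the function names `count_senders` and `sample_log` are hypothetical, the sample log is constructed, and `/var/www/vhosts` is an assumed value of HTTPD_VHOSTS_D.

```shell
#!/bin/sh
# Added example, not part of the original article.
# count_senders LOGFILE VHOSTS_ROOT
# Prints "COUNT DOMAIN" lines, busiest first, from the wrapper's log.
count_senders() {
    log=$1
    root=${2%/}    # tolerate a trailing slash on the vhosts root
    awk -v root="$root" '
        # The wrapper writes the header at the start of a line, followed by
        # the absolute working directory of the calling script.
        index($0, "X-Additional-Header: /") == 1 {
            dir = substr($0, length("X-Additional-Header: ") + 1)
            prefix = root "/"
            if (index(dir "/", prefix) == 1) {
                # First path component below the vhosts root is the domain.
                n = split(substr(dir, length(prefix) + 1), parts, "/")
                key = (n > 0 && parts[1] != "") ? parts[1] : "(vhosts root)"
            } else {
                # cron jobs, CLI scripts and other senders outside the vhosts tree
                key = "(outside " root ")"
            }
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$log" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of what /var/tmp/mail.send looks like (assumed paths).
sample_log() {
    cat <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content
To: a@example.net
Subject: test

body text
X-Additional-Header: /var/www/vhosts/example.com/httpdocs
To: b@example.net

X-Additional-Header: /var/www/vhosts/example.org/httpdocs/forum
To: c@example.net

X-Additional-Header: /root
To: d@example.net

EOF
}
```

On a real server, call `count_senders /var/tmp/mail.send` with the HTTPD_VHOSTS_D value from /etc/psa/psa.conf as the second argument. Entries reported as outside the vhosts root come from senders such as cron jobs or command-line scripts.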

NOTE: If the grep command above produces no output, no mail was sent using the PHP mail() function from the Plesk virtual hosts directory.

Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

    ~# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
    /usr/local/psa/var/log/maillog:221000
    /usr/local/psa/var/log/maillog.processed:362327
    /usr/local/psa/var/log/maillog.processed.1.gz:308956

If you see an unusually high number of login attempts, it is very likely accounts were compromised. You can try identifying these accounts in the following way:

    ~# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
    891574 sasl_username=admin@example.com

To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

For Plesk 12, also see the Administrator’s Guide page.
