Re: Finding Plesk Spammer, Qmail spam source, Anonymous spam
So you’ve done all the basics, looked through the maillogs and determined that the spammer is sending as “anonymous”, which means a vulnerable script is running somewhere on the server. But where? Let’s delve a little deeper and find the UID the spam is being injected under.
1) Let’s take a look in the mail queue and read one of those spam email references:
# /var/qmail/bin/qmail-qread
remote ankush_krishna2137@yahoo.com
6 Jan 2012 09:14:53 GMT #34012584 2987 <anonymous@server.microlite8.com>
2) Now we have a message ID, let’s search for the actual message:
# find /var/qmail/queue/ -name 34012584
/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584
3) Great! Now let’s look at the message itself and pull out the all-telling UID from its Received header:
# cat /var/qmail/queue/mess/0/34012584
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>
4) Let’s map the UID to a domain name on the Plesk server:
# awk -F: '$3 == 10820' /etc/passwd
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false

(Matching on the numeric UID field rather than grepping for the bare number avoids false hits where 10820 also appears as a GID, in a username or in a path.)
5) Spammer caught.
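The lookup in steps 3 and 4, scripted so it can be run over the whole queue at once. This is an added example, not code from the original post; it assumes the standard qmail queue layout under /var/qmail/queue and builds a small constructed message and passwd file so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates steps 3 and 4:
# read the "invoked by uid" stamp that qmail puts on locally injected mail,
# then resolve that UID by the numeric UID field of /etc/passwd only, so a
# matching GID, username or path fragment cannot produce a false hit.

# Print the UID from the first "Received: (qmail N invoked by uid U)" line.
# $1 = a queue message file such as /var/qmail/queue/mess/0/34012584
extract_invoking_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# Print "user:home" for the account whose UID (field 3) equals $1, or nothing.
# $1 = numeric uid, $2 = passwd file (defaults to /etc/passwd)
uid_to_account() {
    awk -F: -v uid="$1" '$3 == uid { print $1 ":" $6; exit }' "${2:-/etc/passwd}"
}

# One line per queued message: id, injecting uid, account. Messages that
# arrived over SMTP carry no uid stamp and are skipped.
# $1 = queue root (defaults to /var/qmail/queue), $2 = passwd file
report_queue() {
    find "${1:-/var/qmail/queue}/mess" -type f | while read -r msg; do
        uid=$(extract_invoking_uid "$msg")
        [ -n "$uid" ] || continue
        printf '%s uid=%s %s\n' "$(basename "$msg")" "$uid" "$(uid_to_account "$uid" "$2")"
    done
}

# Constructed sample queue and passwd file so the script runs offline.
# The first passwd line is a decoy: a bare "grep 10820" would match it on the GID.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mess/0"
    printf 'Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000\nSubject: Urgent Reply\n' \
        > "$tmp/mess/0/34012584"
    printf 'decoy:x:2523:10820::/var/www/vhosts/innocent.example:/bin/false\n' > "$tmp/passwd"
    printf 'admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false\n' >> "$tmp/passwd"
    report_queue "$tmp" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On the constructed data the demo prints `34012584 uid=10820 admin947932:/var/www/vhosts/thisisthespammer.com`; on a live server run `report_queue` with no arguments as root to list every locally injected message still in the queue.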
How to find an anonymous spammer on a Plesk server, written by UKC.