I just found a great tutorial on the Plesk control panel.
Here is the link:
Download and unpack qmhandle-1.3.2 from:
http://downloads.sourceforge.net/sourceforge/qmhandle/qmhandle-1.3.2.tar.gz?use_mirror=nchc
tar xzf qmhandle-1.3.2.tar.gz
cd qmhandle-1.3.2
./qmHandle -s
shows the queue statistics (how many messages are queued and their sizes).
To see how many messages are waiting in the queue, run:
# /var/qmail/bin/qmail-qstat
messages in queue: 758
messages in queue but not yet preprocessed: 0
Let's examine the queue with qmail-qread. A few senders with a long list of odd-looking recipient addresses usually means spam:
# /var/qmail/bin/qmail-qread
Examine the content of the queued emails with vi or cat. First take the message id from the qmail-qread listing (the number after #, which is the inode number of the queue file), then locate the file under /var/qmail/queue with find:
# find /var/qmail/queue/ -name <msg id>
Find the sending client's IP address in the message's Received: header, then remove the spam from the queue with qmail-remove. Stop qmail first so the queue is not being written while you work; qmail-remove -r moves every message matching the pattern into /var/qmail/queue/yanked rather than deleting it, so the evidence is kept (without -r it only reports the matches):
# /etc/init.d/qmail stop
# qmail-remove -r -p 'mail@address.com'
# /etc/init.d/qmail start
Within a few minutes more emails with the same pattern arrive from the same IP address. That is actually useful: it gives us the chance to capture the SMTP traffic from the spammer's IP address. Run tcpdump and wait a few minutes (-s 2048 keeps the whole payload, not just the headers):
# tcpdump -i eth0 -n -s 2048 -w smtp.tcpdump 'src xxx.xxx.xxx.xxx or dst xxx.xxx.xxx.xxx'
Reading the capture (for example with tcpdump -n -A -r smtp.tcpdump) shows that the spammer is authenticating with AUTH LOGIN, whose credentials are only base64-encoded:
—————————————————
220 ulise.domain.com ESMTP
ehlo User
250-ulise.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead
—————————————————
Then decode the user/pass to see which account is used:
# perl -MMIME::Base64 -e 'print decode_base64("dGVzdA==")'
test
# perl -MMIME::Base64 -e 'print decode_base64("MTIzNDU=")'
12345
So, someone created a test account with a weak password and someone else guessed it and is sending spam through the server.
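The decoding step above, generalised, as an added example that is not part of the original post: it parses a session as dumped by tcpdump -A (server lines start with a three-digit reply code, everything else is client input) and recovers the credentials from AUTH LOGIN and AUTH PLAIN, which are only base64-encoded; for CRAM-MD5 the password is never on the wire, but a captured challenge/response pair can still be checked offline against a list of weak candidates, which is exactly why a dictionary password is not saved by a "better" mechanism. The sessions are constructed here, modelled on the exchange above; the weak-password list is a stand-in for the Plesk dictionary check.

```python
"""Recover SMTP AUTH credentials from a captured session transcript.

Added example, not from the original post. Input is plain text as shown by
`tcpdump -A` or `strings`: server lines start with a three-digit reply code,
every other non-empty line is treated as client input.
"""
import base64
import hashlib
import hmac
import re

SERVER_LINE = re.compile(r"^\d{3}[ -]")

# Constructed transcript, modelled on the AUTH LOGIN exchange in the post.
LOGIN_SESSION = """\
220 ulise.domain.com ESMTP
ehlo User
250-ulise.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead
"""

# Constructed AUTH PLAIN session: the initial response is base64("\0user\0pass").
_PLAIN_RESPONSE = base64.b64encode(b"\0test\0hunter2").decode()
PLAIN_SESSION = (
    "220 ulise.domain.com ESMTP\nehlo User\n250 8BITMIME\n"
    "AUTH PLAIN " + _PLAIN_RESPONSE + "\n235 go ahead\n"
)

# Constructed CRAM-MD5 session: the client answers the server's challenge with
# "user hex(HMAC-MD5(password, challenge))", so the password itself is never sent.
_CHALLENGE = b"<1896.697170952@ulise.domain.com>"
_DIGEST = hmac.new(b"12345", _CHALLENGE, hashlib.md5).hexdigest()
CRAM_SESSION = (
    "220 ulise.domain.com ESMTP\nehlo User\n250 8BITMIME\nAUTH CRAM-MD5\n"
    "334 " + base64.b64encode(_CHALLENGE).decode() + "\n"
    + base64.b64encode(b"test " + _DIGEST.encode()).decode() + "\n235 go ahead\n"
)

# Constructed stand-in for Plesk's password dictionary.
WEAK_PASSWORDS = ["12345", "123456", "password", "test", "qwerty"]


def _b64(text):
    return base64.b64decode(text).decode("utf-8", "replace")


def parse_smtp_auth(transcript):
    """Describe the first AUTH exchange in the transcript, or return None."""
    lines = [ln.strip("\r") for ln in transcript.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        parts = line.split()
        if SERVER_LINE.match(line) or len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        rec = {"mechanism": parts[1].upper(), "username": None,
               "password": None, "accepted": False}
        responses = parts[2:3]          # optional initial response on the AUTH line
        challenges = []
        for nxt in lines[i + 1:]:
            if not SERVER_LINE.match(nxt):
                responses.append(nxt.strip())
            elif nxt.startswith("334"):
                challenges.append(nxt[3:].strip())
            else:                       # final reply: 235 = authenticated
                rec["accepted"] = nxt.startswith("235")
                break
        mech = rec["mechanism"]
        if mech == "LOGIN" and len(responses) >= 2:
            rec["username"], rec["password"] = _b64(responses[0]), _b64(responses[1])
        elif mech == "PLAIN" and responses:
            fields = base64.b64decode(responses[0]).split(b"\0")
            if len(fields) == 3:        # RFC 4616: [authzid] NUL authcid NUL passwd
                rec["username"], rec["password"] = fields[1].decode(), fields[2].decode()
        elif mech == "CRAM-MD5" and responses and challenges:
            user, _, digest = base64.b64decode(responses[0]).decode().partition(" ")
            rec.update(username=user, challenge=base64.b64decode(challenges[0]), digest=digest)
        return rec
    return None


def cram_md5_guess(rec, candidates):
    """Offline check of candidate passwords against a captured CRAM-MD5 exchange."""
    for pw in candidates:
        mac = hmac.new(pw.encode(), rec["challenge"], hashlib.md5).hexdigest()
        if hmac.compare_digest(mac, rec["digest"]):
            return pw
    return None


def weak_password_reason(username, password):
    """Why a recovered password would fail a dictionary/weakness check, or None."""
    if password is None:
        return None                     # nothing recovered (e.g. CRAM-MD5 without a hit)
    if password in WEAK_PASSWORDS:
        return "in dictionary"
    if password.lower() == (username or "").lower():
        return "equals username"
    if len(password) < 8:
        return "shorter than 8 characters"
    return None


if __name__ == "__main__":
    for session in (LOGIN_SESSION, PLAIN_SESSION, CRAM_SESSION):
        rec = parse_smtp_auth(session)
        if rec["mechanism"] == "CRAM-MD5":
            rec["password"] = cram_md5_guess(rec, WEAK_PASSWORDS)
        print(rec["mechanism"], rec["username"], rec["password"],
              "accepted" if rec["accepted"] else "rejected",
              weak_password_reason(rec["username"], rec["password"]))
```

Note that STARTTLS was offered but the client never used it, which is why the credentials are readable in the capture at all; a client that negotiates TLS first gives you only the IP address to work from.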
Let's find the domain that owns the mailbox:
[root@ulise ~]# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN domains AS d ON m.dom_id = d.id LEFT JOIN accounts AS a ON m.account_id = a.id WHERE m.mail_name='test' AND a.password='12345';
+-----------+-------------+----------+
| mail_name | name        | password |
+-----------+-------------+----------+
| test      | example.com | 12345    |
+-----------+-------------+----------+
1 row in set (0.01 sec)
This comparison works because the Plesk version used here keeps mailbox passwords in clear text in accounts.password; on installations that store them encrypted, drop the a.password condition and match on mail_name alone.
Next, delete the test mailbox and send a warning to the customer.
To keep this from happening again, enable the dictionary check for mailbox passwords in Plesk:
Server -> Mail -> Check the passwords for mailboxes in the dictionary
Reference : http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/
Create the following cron entries:
------------------------------------------------------------------------------------------------
9,24,39,54 * * * * /usr/local/psa/admin/sbin/backupmng >/dev/null 2>&1
10 1 * * * /usr/local/psa/admin/sbin/statistics >/dev/null 2>&1
10 1 * * * /usr/local/psa/admin/sbin/statistics --calculate-one --domain-name=xxx.com
------------------------------------------------------------------------------------------------
and run the statistics script once by hand to check that it works:
/usr/local/psa/admin/sbin/statistics --calculate-one --domain-name=xxx.com
where xxx.com is your domain name.
Server wide:
cd /etc/httpd/conf/
cp -p httpd.conf httpd.conf.bak
vi httpd.conf
uncomment AddHandler cgi-script .cgi
service httpd restart
or, per directory:
1. create an .htaccess file in your cgi-bin directory containing
AddType text/x-server-parsed-html .html
AddType application/x-httpd-cgi .cgi .pl
Make sure you upload it in ASCII format, not binary. The directory also needs Options ExecCGI, and AllowOverride must permit FileInfo for the AddType lines to take effect. The first AddType line marks every .html file in the directory as server-parsed (SSI); with Options Includes on, anyone who can write an .html file there can run commands through <!--#exec cmd="..."-->, so leave that line out unless you need SSI, or restrict the directory to Options IncludesNOEXEC.
2. set the permissions on your scripts correctly, usually 755.
To make qmail also accept SMTP on port 26:
a) add the following line to /etc/services:
smtp-26 26/tcp mail
b) copy /etc/xinetd.d/smtp_psa to /etc/xinetd.d/smtp_psa-26
c) in the copy, change the first line from service smtp to service smtp-26
d) restart xinetd