How to find the source of unknown mail when using qmail

When unknown mail is being sent from your server, whether through a vulnerable script or an account with a weak password, it is often hard to find the point of origin. The best way to pin it down is to set up a sendmail wrapper script that records where each message came from.

To do this, log in to your server via ssh and create the file /var/qmail/bin/sendmail-wrapper with the following content (the wrapper records the working directory of whatever process called sendmail, appends a copy of the message to a log, and then hands it to the real qmail sendmail):

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Create the log file /var/tmp/mail.send and make it world-readable and writable (a+rw), make the wrapper executable, rename the original sendmail binary, and link the sendmail name to the new wrapper:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

After a few minutes (or longer, depending on the volume of email being sent), switch back to the original sendmail binary with the following commands:

~# rm -f /var/qmail/bin/sendmail
~# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. Each line starting with "X-Additional-Header:" records the working directory of the process that called sendmail; for mail sent by PHP scripts this is the domain folder in which the script is located. To list only the folders under the Plesk virtual hosts directory from which PHP scripts sent mail, run:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

If the above command produces no output, no mail was sent via the PHP mail() function from the Plesk virtual hosts directory. In that case you more likely have a compromised email account than a vulnerable script.
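As an added example (not part of the original article), the shell functions below summarise a log produced by the wrapper above: one count per originating directory, most active first, optionally restricted to a path prefix such as the Plesk vhosts root, plus the distinct From: addresses seen for a given directory. The log content is constructed sample data in the wrapper's own format; the /var/www/vhosts prefix is an assumption.

```shell
#!/bin/sh
# Write a small constructed wrapper log so the example runs offline.
# Each message starts with the X-Additional-Header line the wrapper prepends.
make_sample_log() {
    cat > "$1" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
From: shop@example.com
Subject: order confirmation

body
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
From: noreply@example.com
Subject: order confirmation

body
X-Additional-Header: /var/www/vhosts/other.test/httpdocs
From: info@other.test
Subject: contact form

body
X-Additional-Header: /root
From: root
Subject: cron report

body
EOF
}

# Print "count directory" for every origin directory, most frequent first.
# $1 = wrapper log file, $2 = optional path prefix to keep (e.g. vhosts root)
summarise_origins() {
    grep '^X-Additional-Header: ' "$1" \
      | sed 's/^X-Additional-Header: //' \
      | { if [ -n "$2" ]; then grep "^$2"; else cat; fi; } \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Return only the busiest directory (within the optional prefix).
top_origin() {
    summarise_origins "$1" "$2" | head -n 1 | awk '{print $2}'
}

# List the distinct From: addresses of messages sent from directory $2.
# The X-Additional-Header line marks the start of each logged message, so
# the directory it names applies to the From: line that follows it.
senders_for_origin() {
    awk -v dir="$2" '
        /^X-Additional-Header: / { cur = substr($0, 22) }
        /^From: / && cur == dir  { print substr($0, 7) }
    ' "$1" | sort -u
}
```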

This article has been provided by Codero Hosting, the leading provider of reliable dedicated, managed and cloud hosting services. If you need more information on this topic or want to learn more about Codero's hosting services, please visit www.codero.com, chat with us online or give us a call at 866-2-CODERO.

Last update: 2015-12-03 20:39