
Spam Tracking qmail Plesk

September 9, 2010

First, look at the server's mail queue:

# /var/qmail/bin/qmail-qstat

messages in queue: 758
messages in queue but not yet preprocessed: 0

We do have 758 mails in the queue. Let's examine the queue with qmail-qread. A bunch of strange email addresses in the recipient list usually means spam.

# /var/qmail/bin/qmail-qread

You can examine the content of the queued emails through the Plesk interface or simply with less. First find the message's id in the qmail-qread output, then locate the file holding the message under /var/qmail/queue with find.
# /var/qmail/bin/qmail-qread
18 Jul 2008 02:01:11 GMT  #22094026  1552  <>

# find /var/qmail/queue/ -name 22094026

# less /var/qmail/queue/mess/19/22094026
Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300
Received: from unknown (HELO User) (
  by with SMTP; 22 Jul 2008 19:40:46 +0300
Reply-To: <>
From: "PayPal"<>
Subject: Dispute Transaction
Date: Tue, 22 Jul 2008 19:40:52 +0300
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Oops, we do have some spam in the queue, received from the network (IP: ). We should remove it from the queue, or the server's IP address will end up listed in the RBLs; qmail-remove is the right tool for this job.
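Doing the header inspection above by hand works for one message; with hundreds in the queue it helps to tally the source addresses. The following POSIX shell script is an added example, not code from the original post: it pulls the client IP out of the first "Received: from ... (a.b.c.d)" header of every message file (the form qmail-smtpd writes, as shown above) and counts them, so the address feeding the spam stands out. It assumes the qmail queue layout /var/qmail/queue/mess/<hash>/<id>; the script name queue-ips.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Tally the client IP addresses recorded in the first "Received: from" header
# of every message in a qmail queue, so the address feeding the spam stands out.
# Assumes the qmail queue layout /var/qmail/queue/mess/<hash>/<id> and the
# "Received: from <helo> (<ip>)" header form that qmail-smtpd writes.

# Print the client IP from the first "Received: from ..." header of one
# message file (headers end at the first blank line); prints nothing if absent.
msg_source_ip() {
    awk '
        /^$/ { exit }                                   # end of headers
        /^Received: from / && match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/) {
            print substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
            exit
        }
    ' "$1"
}

# Walk every message file below a "mess" directory and print
# "<count> <ip>" lines, most frequent source first.
queue_source_ips() {
    find "${1:-/var/qmail/queue/mess}" -type f | while read -r f; do
        msg_source_ip "$f"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone use: sh queue-ips.sh /var/qmail/queue/mess
if [ -n "${1:-}" ]; then
    queue_source_ips "$1"
fi
```

Only the first "Received: from" line is used because that is the one this server added when it accepted the message; later Received lines belong to earlier hops and can be forged by the sender. Messages injected locally (no such header) are simply skipped.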

Check the number of spam messages matching the pattern ('' in this case):

# qmail-remove -p ''

Now remove the spam (note the '-r' switch); the messages all end up in the /var/qmail/queue/yanked directory. Don't forget to stop the qmail daemon first (/etc/init.d/qmail stop):

# qmail-remove -r -p ''

A few minutes later we have more emails with the same pattern from the same IP address. That is actually good: it gives us the opportunity to examine the SMTP traffic coming from the spammer's IP address. Run tcpdump and wait a few minutes.

# tcpdump -i eth0 -n src \or dst -w smtp.tcpdump -s 2048

Examining the capture with less or vi, we find that the spammer is sending spam through the server using LOGIN authentication:

ehlo User
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 go ahead

Interesting. Let's decode the username and password to see which account is being used:

# perl -MMIME::Base64 -e 'print decode_base64("dGVzdA==")'

# perl -MMIME::Base64 -e 'print decode_base64("MTIzNDU=")'

So someone created a test account with a weak password, and someone else guessed it and is now sending spam through the server.
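The decoding step above, as an added example that is not part of the original post: a POSIX shell script that finds the two client replies of an AUTH LOGIN exchange in a captured session transcript (the text you would read with less in the tcpdump output), base64-decodes them, and then checks the password against a small wordlist, which is the same idea as the dictionary check enabled at the end of the post. The session transcript and the wordlist are constructed; the two base64 values are the ones decoded above. It assumes GNU coreutils base64 (-d) and a POSIX awk.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Extract the username/password from an SMTP AUTH LOGIN exchange found in a
# captured session transcript, decode them, and flag a dictionary password.
# Assumes GNU coreutils base64 (-d) and a POSIX awk.

# Constructed sample transcript; the two bare base64 lines are the client's
# replies to the server's "Username:" / "Password:" prompts.
SAMPLE_SESSION='ehlo User
250-mail.example.test
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead'

# Constructed stand-in for the dictionary Plesk checks mailbox passwords against.
WEAK_WORDS='password
123456
12345
qwerty
letmein
test'

# Read a transcript on stdin; print "<user> <password>" for the first
# completed AUTH LOGIN exchange, or nothing if there is none.
decode_auth_login() {
    awk '
        /^334 / { want = 1; next }               # server challenge: reply comes next
        want && !/^[0-9][0-9][0-9][ -]/ {        # first non-server line is the reply
            sub(/\r$/, "")                       # drop CR left by the wire capture
            reply[n++] = $0; want = 0
            if (n == 2) exit
        }
        END { if (n == 2) print reply[0], reply[1] }
    ' | while read -r u p; do
        printf '%s %s\n' "$(printf '%s' "$u" | base64 -d)" \
                         "$(printf '%s' "$p" | base64 -d)"
    done
}

# Succeed (exit 0) when a password is shorter than 8 characters or appears
# in the wordlist, i.e. when it would fall to a trivial guess.
is_weak_password() {
    pw="$1"
    [ "${#pw}" -lt 8 ] && return 0
    printf '%s\n' "$WEAK_WORDS" | grep -qxF -- "$pw"
}

# Decode the sample exchange and print "<user> weak" or "<user> ok".
audit_sample() {
    creds=$(printf '%s\n' "$SAMPLE_SESSION" | decode_auth_login)
    [ -n "$creds" ] || { echo "no completed AUTH LOGIN exchange found"; return 1; }
    user=${creds%% *}
    pass=${creds#* }
    if is_weak_password "$pass"; then
        printf '%s weak\n' "$user"
    else
        printf '%s ok\n' "$user"
    fi
}

audit_sample
```

The awk part treats any line starting with a three-digit code as the server's and the first line after each "334" challenge as the client's reply, which is enough for the plain LOGIN mechanism seen here; once the mailbox is identified, the defensive follow-up is the one the post describes (disable the mailbox and warn the client).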

Let's find the domain that owns the mailbox:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' AND a.password='12345';
+-----------+------------+----------+
| mail_name | name       | password |
+-----------+------------+----------+
| test      |            | 12345    |
+-----------+------------+----------+
1 row in set (0.01 sec)

The next step is to delete the test mailbox and send a warning to the client.

To improve your server's security, enable the dictionary check for mailbox passwords in Plesk:
Server -> Mail -> Check the passwords for mailboxes in the dictionary
