The qmail queue on my server (running Plesk on CentOS 5.2) balloons up to 120,000+ messages in the queue overnight. The messages in the queue are obviously spam.

I’ve cleared them out over the last day using qmHandle, but I can’t determine how they are still being sent. The email address they are sent from has even been added to the qmail badmailfrom file (and I’ve tested through Telnet that it does indeed block email from that address), but the emails continue to flood in.

I’m almost positive that the attack is exploiting a web form from one of the domains hosted on the server. I’m fairly confident I can find a way to secure the form if I could determine which one it is. The question is, how do I determine which form the emails are coming from?


Answer:


Here’s the solution! Each piece of spam email will have a uid in the headers showing which account on the server is being used to send the emails. I was able to see the headers of the emails in the qmail queue by looking in Plesk (8.6.0) in Server > Mail > Mail Queue. When I clicked on the subject, I could see on the first line something like:

qmail 11850 invoked by uid 10059 

The uid 10059 identifies the user on the server that invoked qmail. To see which user this is, log in to your server as root and run the following command from the terminal:

grep 10059 /etc/passwd 

This will search the passwd file on your server for the string 10059 and return the resulting text.

After I found out which user this was, I was able to disable shell access, add CAPTCHAs to all the webforms on the site, and change FTP and other associated passwords. Doing so helped me stop the spammer that had gained control.
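The uid lookup above, carried a step further as an added example that is not part of the original answer: a POSIX shell script that pulls the "invoked by uid" Received header out of every queued message, counts messages per uid, and resolves each uid to an account with an exact match on the passwd uid field (a bare grep for the number also matches gids and longer uids). It assumes the standard qmail queue layout under /var/qmail/queue/mess/*/* and runs here on a constructed sample.

```shell
#!/bin/sh
# Added example: attribute queued qmail spam to the account that invoked qmail.
# Real messages live under /var/qmail/queue/mess/*/* (assumed standard layout);
# the passwd file and message files below are constructed for the demo.

# Print the uid from the first "(qmail N invoked by uid U)" Received line of a message.
qmail_invoker_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# Map a numeric uid to a login name by comparing the third passwd field exactly,
# so uid 10059 does not match a gid of 10059 or a uid such as 110059
# (a plain "grep 10059 /etc/passwd" matches both).
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "${2:-/etc/passwd}"
}

# Count messages per invoking uid; output lines are "count uid name", busiest first.
# Usage: count_invokers <passwd-file> <message-file>...
count_invokers() {
    passwd="$1"; shift
    for f in "$@"; do qmail_invoker_uid "$f"; done |
        sort | uniq -c | sort -rn | while read -r count uid; do
            printf '%s %s %s\n' "$count" "$uid" "$(uid_to_name "$uid" "$passwd")"
        done
}

# Write a constructed passwd file and three queued-message files into "$1".
# The decoy account "site2" carries gid 10059 to show why exact uid matching matters.
make_sample() {
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/passwd"
    printf 'site1:x:10059:10059:site1:/var/www/vhosts/site1:/bin/bash\n' >> "$1/passwd"
    printf 'site2:x:10060:10059:site2:/var/www/vhosts/site2:/bin/false\n' >> "$1/passwd"
    for i in 1 2; do
        printf 'Received: (qmail 1185%s invoked by uid 10059); 5 Jan 2009 10:00:0%s -0000\nFrom: spam@example.invalid\nSubject: test\n\nbody\n' "$i" "$i" > "$1/m$i"
    done
    printf 'Received: (qmail 11853 invoked by uid 10060); 5 Jan 2009 10:00:03 -0000\nFrom: spam@example.invalid\nSubject: test\n\nbody\n' > "$1/m3"
}

# Stand-alone demo on the constructed sample; expected output:
#   2 10059 site1
#   1 10060 site2
tmp=$(mktemp -d) && make_sample "$tmp" && count_invokers "$tmp/passwd" "$tmp"/m?; rm -rf "$tmp"
```

On a live server, replace the sample files with `/var/qmail/queue/mess/*/*` and the account with the largest count is the one whose web form or credentials need attention.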