spam issue on a ASL server

josesan311 · **Joined:** Tue Dec 01, 2009 11:14 pm **Posts:** 4

Hey guys,

I hope this is the right section to post this.
Im having some weird spam issue on a Plesk 9.5 w/ ASL 3.0.18,

This spam issue happens only once per week, mostly every sunday and I cant seem to find the source, where this is being sent from. Heres the qmail log report I got based on the time the RBL list shown as last blacklisted,

Code:

Feb  5 16:41:46 as8 /var/qmail/bin/relaylock[476038]: /var/qmail/bin/relaylock: mail from 127.0.0.1:53108 (localhost)
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: Handlers Filter before-queue for qmail started ...
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: from=viagra-soft.offer6@plazahomemortgage.com
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: to=technical@my-order-status.info
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: hook_dir = '/usr/local/psa/handlers/before-queue'
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: recipient[3] = 'technical@my-order-status.info'
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/technical@my-order-status.info'
Feb  5 16:41:46 as8 qmail: 1328470906.419293 new msg 28312064
Feb  5 16:41:46 as8 qmail: 1328470906.419645 info msg 28312064: bytes 1130 from <viagra-soft.offer6@plazahomemortgage.com> qp 476041 uid 2020
Feb  5 16:41:46 as8 qmail-queue-handlers[476040]: starter: submitter[476041] exited normally
Feb  5 16:41:46 as8 qmail: 1328470906.430371 starting delivery 2559: msg 28312064 to remote technical@my-order-status.info
Feb  5 16:41:46 as8 qmail: 1328470906.430713 status: local 0/10 remote 1/20
Feb  5 16:41:46 as8 qmail-remote-handlers[476042]: Handlers Filter before-remote for qmail started ...
Feb  5 16:41:46 as8 qmail-remote-handlers[476042]: from=viagra-soft.offer6@plazahomemortgage.com
Feb  5 16:41:46 as8 qmail-remote-handlers[476042]: to=technical@my-order-status.info
Feb  5 16:41:46 as8 qmail-remote-handlers[476042]: hook_dir = '/usr/local/psa/handlers/before-remote'
Feb  5 16:41:46 as8 qmail-remote-handlers[476042]: recipient[3] = 'technical@my-order-status.info'
Feb  5 16:41:46 as8 qmail-remote-handlers[476042]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/technical@my-order-status.info'
Feb  5 16:41:46 as8 qmail: 1328470906.859153 delivery 2559: failure: Sorry._Although_I'm_listed_as_a_best-preference_MX_or_A_for_that_host,/it_isn't_in_my_control/locals_
file,_so_I_don't_treat_it_as_local._(#5.4.6)/
Feb  5 16:41:46 as8 qmail: 1328470906.859488 status: local 0/10 remote 0/20
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: Handlers Filter before-queue for qmail started ...
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: from=
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: to=viagra-soft.offer6@plazahomemortgage.com
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: hook_dir = '/usr/local/psa/handlers/before-queue'
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: recipient[3] = 'viagra-soft.offer6@plazahomemortgage.com'
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/viagra-soft.offer6@plazahomemortgage.com'
Feb  5 16:41:46 as8 qmail-queue-handlers[476044]: starter: submitter[476045] exited normally
Feb  5 16:41:46 as8 qmail: 1328470906.886055 bounce msg 28312064 qp 476044
Feb  5 16:41:46 as8 qmail: 1328470906.886208 end msg 28312064
Feb  5 16:41:46 as8 qmail: 1328470906.886670 new msg 28312115
Feb  5 16:41:46 as8 qmail: 1328470906.886730 info msg 28312115: bytes 1826 from <> qp 476045 uid 2522
Feb  5 16:41:46 as8 qmail: 1328470906.894618 starting delivery 2560: msg 28312115 to remote viagra-soft.offer6@plazahomemortgage.com
Feb  5 16:41:46 as8 qmail: 1328470906.894696 status: local 0/10 remote 1/20
Feb  5 16:41:46 as8 qmail-remote-handlers[476046]: Handlers Filter before-remote for qmail started ...
Feb  5 16:41:46 as8 qmail-remote-handlers[476046]: from=postmaster@as8.srv1.com
Feb  5 16:41:46 as8 qmail-remote-handlers[476046]: to=viagra-soft.offer6@plazahomemortgage.com
Feb  5 16:41:46 as8 qmail-remote-handlers[476046]: hook_dir = '/usr/local/psa/handlers/before-remote'
Feb  5 16:41:46 as8 qmail-remote-handlers[476046]: recipient[3] = 'viagra-soft.offer6@plazahomemortgage.com'
Feb  5 16:41:46 as8 qmail-remote-handlers[476046]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/viagra-soft.offer6@plazahomemortgage.com'

I have followed http://kb.parallels.com/766 and http://kb.parallels.com/en/1711 without luck, there a no important mails on the qmail queue (just 15) smtp_auth doesnt show any mailbox that tried to login at the same time and the sendmail wrapper didnt caught anything related to any of the two addresses shown on the logs.

I was wondering if you guys can help me reproduce from where this is coming from or if ASL has any feature that would help tracking the spammer.

Thanks in advance!

scott · **Posted:** Tue Feb 07, 2012 9:18 am

cgi bin script perhaps?

mikeshinn · **Posted:** Tue Feb 07, 2012 10:19 am

And if it is, a couple of things you can do:

1) read the spam article on the wiki for tools you can use to help you track down errant scripts and abusive users:

https://www.atomicorp.com/wiki/index.php/Spam

2) Install our version of PHP, which will add additional headers to the email message so you can see what the scripts name is from the email message

https://www.atomicorp.com/wiki/index.php/PHP

josesan311 · **Joined:** Tue Dec 01, 2009 11:14 pm **Posts:** 4

Thanks for the advice guys.

The thing is Im not getting any bounced message, I only have that information from the logs, there is no email on the queue that I could investigate for headers or something like that and I believe qmhandle requires at least to have a email so not sure if it will be helpful.

I tried looking at the xferlog for recently uploaded cgi scripts during all the day the IP got blacklisted and couldnt find anything relevant.

spam issue on a ASL server

Who is online