
Spamming in a Qmail Enabled Plesk Server – Finding the Culprit

by Bella

The following is the result of a live analysis done when spamming was found coming from a Plesk server running the qmail mail server. It will help you understand how to trace qmail spamming on such a server.

[root@server ~]# /var/qmail/bin/qmail-qstat

messages in queue: 758

messages in queue but not yet preprocessed: 0

We do have 758 mails in the queue. Let’s examine the queue with qmail-qread. A bunch of strange email addresses in the recipient list usually means spam.

[root@server ~]# /var/qmail/bin/qmail-qread


You can examine the content of the emails in the queue using the Plesk interface or just the less command. First find the message id with qmail-qread, then find the file holding the email under /var/qmail/queue with the find command.

[root@server ~]# /var/qmail/bin/qmail-qread


18 Jul 2008 02:01:11 GMT #22094026 1552 <>

remote user@yahoo.com


[root@server ~]# find /var/qmail/queue/ -name 22094026




[root@server ~]# less /var/qmail/queue/mess/19/22094026

Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300

Received: from unknown (HELO User) (

by domain.com with SMTP; 22 Jul 2008 19:40:46 +0300

Reply-To: <support@PayPal.Inc.com>

From: "PayPal"<support@PayPal.Inc.com>

Subject: Dispute Transaction

Date: Tue, 22 Jul 2008 19:40:52 +0300

MIME-Version: 1.0

Content-Type: text/html;


Content-Transfer-Encoding: 7bit

X-Priority: 1

X-MSMail-Priority: High

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


Oops, we do have spam in the queue that was received from the network (IP: ). We should remove it from the queue, or the server’s IP address will end up listed in the RBLs. qmail-remove is the right tool for this job.

Check how many queued messages match the spam pattern (PayPal.Inc.com in this case):

[root@server ~]# qmail-remove -p 'PayPal.Inc.com'

Now remove the spam (notice the -r switch); the removed messages all end up in the /var/qmail/queue/yanked directory. Don’t forget to stop the qmail daemon first (/etc/init.d/qmail stop).

[root@server ~]# qmail-remove -r -p 'PayPal.Inc.com'
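The count-then-yank steps above are what qmail-remove does for you. As an added example, not code from the post or from qmail-remove, the following Python script does the counting part on a queue laid out the way qmail lays it out (mess/<split>/<inode>) and, beyond what the -p count alone shows, groups the hits by the peer IP in the Received: header and by the claimed From: address, so you can see where the flood is coming from before you stop qmail and yank. Everything it scans is constructed in a temporary directory; the split numbers, inode names and the addresses 192.0.2.10 and 198.51.100.7 are sample values.

```python
import os
import re
import tempfile
from collections import Counter
from email.parser import BytesHeaderParser

# qmail writes "Received: from unknown (HELO User) (1.2.3.4)" for mail that
# arrived over the network; the parenthesised dotted quad is the peer address.
RECEIVED_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def scan_queue(queue_dir, pattern):
    """Return (matching_inodes, hits_by_ip, hits_by_from) for every file under
    queue_dir/mess/<split>/ whose content matches `pattern` (case-insensitive
    regex), i.e. the files `qmail-remove -p PATTERN` would select."""
    rx = re.compile(pattern, re.IGNORECASE)
    parser = BytesHeaderParser()
    matching, by_ip, by_from = [], Counter(), Counter()
    mess = os.path.join(queue_dir, "mess")
    for split in sorted(os.listdir(mess)):
        split_dir = os.path.join(mess, split)
        for inode in sorted(os.listdir(split_dir)):
            with open(os.path.join(split_dir, inode), "rb") as fh:
                raw = fh.read()
            if not rx.search(raw.decode("utf-8", "replace")):
                continue
            msg = parser.parsebytes(raw)
            ip = "unknown"
            # Walk the Received: chain; the first header carrying an IP is the
            # SMTP peer that handed the message to this server.
            for hdr in msg.get_all("Received", []):
                m = RECEIVED_IP.search(str(hdr))
                if m:
                    ip = m.group(1)
                    break
            matching.append(inode)
            by_ip[ip] += 1
            by_from[str(msg.get("From", ""))] += 1
    return matching, by_ip, by_from


def build_sample_queue(root):
    """Write three constructed messages in qmail's mess/<split>/<inode> layout:
    two copies of the phishing mail shown in the post and one legitimate mail."""
    spam = (
        b"Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300\n"
        b"Received: from unknown (HELO User) (192.0.2.10)\n"
        b"  by domain.com with SMTP; 22 Jul 2008 19:40:46 +0300\n"
        b'From: "PayPal"<support@PayPal.Inc.com>\n'
        b"Subject: Dispute Transaction\n"
        b"\n"
        b"Your account has been limited.\n"
    )
    ham = (
        b"Received: from mail.example.net (198.51.100.7)\n"
        b"  by domain.com with SMTP; 22 Jul 2008 20:00:00 +0300\n"
        b"From: alice@example.net\n"
        b"Subject: lunch?\n"
        b"\n"
        b"Noon?\n"
    )
    for split, inode, body in (("19", "1001", spam), ("19", "1002", spam), ("3", "1003", ham)):
        os.makedirs(os.path.join(root, "mess", split), exist_ok=True)
        with open(os.path.join(root, "mess", split, inode), "wb") as fh:
            fh.write(body)


def demo(pattern=r"PayPal\.Inc\.com"):
    """Build the sample queue, scan it for `pattern` and return the three results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_queue(root)
        return scan_queue(root, pattern)


if __name__ == "__main__":
    matching, by_ip, by_from = demo()
    print(f"{len(matching)} queued message(s) match: {', '.join(matching)}")
    for ip, n in by_ip.most_common():
        print(f"  {n:4d} received from {ip}")
    for sender, n in by_from.most_common():
        print(f"  {n:4d} claiming From: {sender}")
```

On a real box you would point scan_queue at /var/qmail/queue with qmail stopped, exactly as the post does before yanking, because the split directories are rewritten while qmail-send is running.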

A few minutes later we have more emails with the same pattern from the same IP address.

That’s great: we have the opportunity to examine SMTP traffic from the spammer’s IP address. Run tcpdump and wait a few minutes.

[root@server ~]# tcpdump -i eth0 -n src \or dst -w smtp.tcpdump -s 2048

Examining the capture with less or Wireshark, we find that the spammer is sending spam using LOGIN authentication:

220 server.domain.com ESMTP

ehlo User

334 VXNlcm5hbWU6

334 UGFzc3dvcmQ6

Interesting. Let us decode the username and password to see which account is being used:

[root@server ~]# perl -MMIME::Base64 -e 'print decode_base64("dGVzdA==")'


[root@server ~]# perl -MMIME::Base64 -e 'print decode_base64("MTIzNDU=")'


So someone created a test account with a weak password, and someone else guessed it and is now sending spam through the server.
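The two perl one-liners decode the credentials by hand. As an added example, not code from the post, the following Python takes the text of a captured session (what tcpdump -A or Wireshark’s "Follow TCP stream" shows), locates the AUTH exchange and decodes it, so the abused mailbox name can be looked up straight away. It handles the LOGIN mechanism seen in the post and, going beyond the post, AUTH PLAIN as well. Both sessions below are constructed; the two base64 strings in the LOGIN session are the ones from the post, and the 250 and 235 server lines around them are assumed.

```python
import base64
import binascii

# Constructed session in the shape of the capture in the post. Server lines
# start with a three-digit code; everything else is the client.
SAMPLE_LOGIN_SESSION = """\
220 server.domain.com ESMTP
ehlo User
250-server.domain.com
250-AUTH LOGIN PLAIN
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 ok, go ahead (#2.0.0)
MAIL FROM:<support@PayPal.Inc.com>
"""

# The same credentials sent as AUTH PLAIN in one line (constructed); the blob
# is base64 of "\\0test\\012345".
SAMPLE_PLAIN_SESSION = """\
220 server.domain.com ESMTP
ehlo User
250 server.domain.com
AUTH PLAIN AHRlc3QAMTIzNDU=
235 ok, go ahead (#2.0.0)
"""


def _decode(b64):
    """Strict base64 decode; None when the text is not base64 (e.g. a server line)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_auth(session_text):
    """Return [(mechanism, username, password), ...] for each AUTH in the session.

    LOGIN: the server challenges with "334 VXNlcm5hbWU6" (Username:) and
    "334 UGFzc3dvcmQ6" (Password:) and the client answers each with base64;
    the username may also ride on the AUTH LOGIN line itself.
    PLAIN: one base64 blob "<authzid>\\0<username>\\0<password>", either on
    the AUTH line or sent after an empty "334" challenge."""
    lines = [ln.strip() for ln in session_text.splitlines() if ln.strip()]
    found = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        inline = parts[2] if len(parts) > 2 else None
        # The client's next few lines, with the server's 334 challenges removed.
        replies = [ln for ln in lines[i + 1:i + 5] if not ln.startswith("334")]
        if mech == "LOGIN":
            if inline is None and replies:
                inline = replies.pop(0)
            user = _decode(inline or "")
            password = _decode(replies[0]) if replies else None
            if user is not None and password is not None:
                found.append(("LOGIN", user, password))
        elif mech == "PLAIN":
            blob = inline if inline is not None else (replies[0] if replies else "")
            decoded = _decode(blob)
            if decoded is not None and decoded.count("\0") == 2:
                _authzid, user, password = decoded.split("\0")
                found.append(("PLAIN", user, password))
    return found


def abused_accounts(session_text):
    """Distinct usernames seen authenticating, ready to look up in the Plesk mail table."""
    return sorted({user for _mech, user, _pw in extract_auth(session_text)})


if __name__ == "__main__":
    for session in (SAMPLE_LOGIN_SESSION, SAMPLE_PLAIN_SESSION):
        for mech, user, password in extract_auth(session):
            # Mask the password when writing this into a ticket or log.
            masked = password[:1] + "*" * max(len(password) - 1, 0)
            print(f"{mech}: user={user} password={masked}")
```

The strict decode matters: a server reply such as "235 ok, go ahead" is not valid base64, so it is never mistaken for a credential line when the capture has extra lines between the challenges.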

Let us find the domain that owns the mailbox.

[root@server ~]# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa


mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' AND a.password='12345';


+-----------+-------------+----------+
| mail_name | name        | password |
+-----------+-------------+----------+
| test      | example.com | 12345    |
+-----------+-------------+----------+

1 row in set (0.01 sec)

The next step is to delete the test mailbox and send a warning to the client.

To improve your server’s security you’ll need to enable:

Server -> Mail -> Check the passwords for mailboxes in the dictionary

Creating a mailbox named test with the password "12345" is a stupid thing to do, and spammers just love to exploit it.
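As an added example, not Plesk’s code, the following Python builds an in-memory SQLite stand-in for the three psa tables the post’s query touches (only the columns used there are modelled; the real schema has many more, and newer Plesk versions no longer store mailbox passwords in clear text), runs the same lookup the post runs, and then does the check the dictionary option would have caught: it lists every mailbox whose password is a dictionary word or is simply the mailbox name. The wordlist and all rows are constructed; test/12345 on example.com is the post’s own case.

```python
import sqlite3

# Constructed dictionary standing in for the one Plesk's "Check the passwords
# for mailboxes in the dictionary" option consults.
WORDLIST = {"12345", "123456", "password", "qwerty", "test", "letmein"}

# Minimal stand-in for the psa tables used by the post's query (assumption:
# only these columns exist; the real tables are much wider).
SCHEMA = """
CREATE TABLE domains  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE mail     (id INTEGER PRIMARY KEY, mail_name TEXT NOT NULL,
                       dom_id INTEGER REFERENCES domains(id),
                       account_id INTEGER REFERENCES accounts(id));
"""

# Same join as the post's query, written with explicit JOINs so SQLite accepts it.
MAILBOX_QUERY = """
SELECT m.mail_name, d.name, a.password
FROM mail AS m
JOIN domains  AS d ON m.dom_id = d.id
JOIN accounts AS a ON m.account_id = a.id
"""


def open_sample_db():
    """In-memory database with constructed rows, including the post's test/12345 mailbox."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains VALUES (?, ?)",
                     [(1, "example.com"), (2, "example.org")])
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(10, "12345"), (11, "cK9#vL2$wq"), (12, "Password"), (13, "info")])
    conn.executemany("INSERT INTO mail VALUES (?, ?, ?, ?)",
                     [(100, "test", 1, 10), (101, "alice", 1, 11),
                      (102, "sales", 2, 12), (103, "info", 2, 13)])
    conn.commit()
    return conn


def find_mailbox(conn, mail_name, password):
    """The post's lookup: which domain owns mailbox `mail_name` with this password."""
    return conn.execute(MAILBOX_QUERY + "WHERE m.mail_name = ? AND a.password = ?",
                        (mail_name, password)).fetchall()


def weak_mailboxes(conn, wordlist=WORDLIST):
    """Every mailbox, as user@domain, whose password is in the dictionary
    (case-insensitive) or simply equals the mailbox name."""
    weak = []
    for mail_name, domain, password in conn.execute(MAILBOX_QUERY + "ORDER BY m.id"):
        if password.lower() in wordlist or password.lower() == mail_name.lower():
            weak.append(f"{mail_name}@{domain}")
    return weak


if __name__ == "__main__":
    db = open_sample_db()
    print("owner of test/12345:", find_mailbox(db, "test", "12345"))
    print("mailboxes with dictionary or self-named passwords:", weak_mailboxes(db))
```

Run against a real psa database, weak_mailboxes is the audit to do once rather than waiting for the next queue full of phishing mail; the dictionary option then stops new ones from being created.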
©2022  SupportPRO.com. All Rights Reserved