Find Qmail Spam Source
1) Let’s start by listing the mail queue and picking out one of the queued spam entries:
# /var/qmail/bin/qmail-qread
remote ankush_krishna2137@yahoo.com
6 Jan 2012 09:14:53 GMT #34012584 2987 <anonymous@server.microlite8.com>
2) Now we have a message ID, let’s search for the actual message:
# find /var/qmail/queue/ -name 34012584
/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584
3) Great! Now let’s look at the message itself; its first Received header carries the tell-tale UID of the local account that injected it:
# cat /var/qmail/queue/mess/0/34012584
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>
4) Let’s map the UID to a domain name on the Plesk server. Matching exactly on the UID field avoids false hits on GIDs or on UIDs that merely contain the same digits:
# awk -F: '$3 == 10820' /etc/passwd
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false
5) Spammer caught 😀
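The same four steps scripted, so the whole queue can be swept in one go. This is an added example, not part of the original post; the qmail-qread output, message file and passwd entries below are constructed sample data, and on a real Plesk box you would point the functions at /var/qmail/queue/mess/*/ID and /etc/passwd instead.

```shell
#!/bin/sh
# Sweep a qmail queue: queue id -> injecting uid -> hosting account.
# Sample data is constructed here so the script runs offline.

# Steps 1/2: distinct queue ids (the "#NNN" token) from qmail-qread output.
queue_ids() {
    sed -n 's/.*#\([0-9][0-9]*\)[^0-9].*/\1/p' "$1" | sort -u
}

# Step 3: uid that qmail-inject recorded in the first Received header.
spam_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# Step 4: exact match on passwd field 3; prints login:home so the Plesk
# vhost directory (and therefore the domain) is visible at a glance.
uid_to_account() {
    awk -F: -v uid="$2" '$3 == uid { print $1 ":" $6 }' "$1"
}

# --- constructed sample data (not real queue contents) ---
TMP=$(mktemp -d)
cat > "$TMP/qread.txt" <<'EOF'
6 Jan 2012 09:14:53 GMT  #34012584  2987  <anonymous@server.example.com>
        remote  user@example.net
6 Jan 2012 09:15:10 GMT  #34012585  3120  <anonymous@server.example.com>
        remote  other@example.org
EOF
cat > "$TMP/34012584" <<'EOF'
Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Subject: Urgent Reply
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
someone:x:110820:2523::/var/www/vhosts/innocent.example:/bin/false
admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false
EOF

# Report uid and account for every message still sitting in the queue.
for id in $(queue_ids "$TMP/qread.txt"); do
    [ -f "$TMP/$id" ] || continue   # already delivered or removed
    uid=$(spam_uid "$TMP/$id")
    echo "$id uid=$uid account=$(uid_to_account "$TMP/passwd" "$uid")"
done
```

Several different UIDs in one sweep usually means more than one compromised hosting account, so check each vhost rather than stopping at the first hit.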