a. Identify the ID of the queued emails. I'm going to use the "qmail-qread" command to list the queued message headers; each ID starts with a # symbol, e.g. #1445826
[root@mail4 ~]# /var/qmail/bin/qmail-qread | more
4 Dec 2012 17:04:33 GMT #1442054 7146
remote admin@sample.com
4 Dec 2012 17:06:16 GMT #1442974 7048
remote admin@samplesouth.net
4 Dec 2012 17:08:47 GMT #1444078 7064
remote admin@sampleotmail.com

b. Find the queue files associated with this message ID.
[root@mail4 ~]# find /var/qmail/queue -iname 1445826
/var/qmail/queue/mess/0/1445826
/var/qmail/queue/info/0/1445826
/var/qmail/queue/remote/0/1445826

Now open the file to read the email body. Pick the file under mess/, which holds the message itself (/var/qmail/queue/mess/0/1445826):
[root@mail4 ~]# cat /var/qmail/queue/mess/0/1445826 | more
Received: (qmail 20473 invoked by uid 0); 4 Dec 2012 17:12:24 -0000
Date: 4 Dec 2012 17:12:24 -0000
Message-ID: <20121204171224.20472.qmail@mail4.test.com>
To: apet@aximo.com
Subject: Better than EQP
From: Uniline Promo Inc
Reply-To: Uniline Promo Inc
MIME-Version: 1.0
Content-type: multipart/alternative; boundary="_d96476de58f15ff5cda2ac8a00860156"
This is a multi-part message in MIME format.
--_d96476de58f15ff5cda2ac8a00860156
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Now you can see the email subject in the message part. To remove every queued email with that Subject you will need to install a third-party tool.

C. Install qmail-remove script
Download this package from http://www.linuxmagic.com/opensource/qmail/qmail-remove/qmail-remove-0.95.tar.gz
#wget http://www.linuxmagic.com/opensource/qmail/qmail-remove/qmail-remove-0.95.tar.gz
#tar -zxvf qmail-remove-0.95.tar.gz
#cd qmail-remove-0.95
#make && make install
#ln -s /usr/local/sbin/qmail-remove /usr/bin/qmail-remove
#mkdir -p /var/qmail/queue/yanked/

/var/qmail/queue/yanked/ -> this folder stores all the files that are moved out of the queue by this script.

D. Delete the specified emails having the same subject
#/etc/init.d/qmail stop
#qmail-remove -r -p "email subject name"

How to check the email sending statistics

[root@mail4 yanked]# /var/qmail/bin/qmail-qstat
messages in queue: 30835
messages in queue but not yet preprocessed: 230
[root@mail4 yanked]#

If you want to remove all the email from a particular user “spamsender@serveridol.com”, just execute the command as shown below
[root@rc-025 test]#qmail-remove -r -p "spamsender@serveridol.com"

I also found another useful tool (qmHandle) for listing the email headers, including the sender and receiver addresses along with the subject, so that we can identify whether an email is spam and also use this information for pattern-match deletion.

[root@rc-025 test]# wget http://nchc.dl.sourceforge.net/project/qmhandle/qmhandle-1.3/qmhandle-1.3.2/qmhandle-1.3.2.tar.gz
[root@rc-025 test]# tar -zxvf qmhandle-1.3.2.tar.gz && cd qmhandle-1.3.2
[root@rc-025 qmhandle-1.3.2]# cp qmHandle /usr/bin

How to list the Queued emails
[root@rc-025 test]# qmHandle -R
402725179 (9, 9/402725179)
Return-path: kathy@asd.com
From: Kathy Keeton
To: "themoonga5@ail.com"
Subject: Cheer registration
Date: Wed, 3 Apr 2013 08:42:18 -0400
Size: 1147 bytes
Total messages: 1
Messages with local recipients: 0
Messages with remote recipients: 1
Messages with bounces: 0
Messages in preprocess: 0

Reviewing the queued emails [how to store all queued email information before deleting]
[root@rc-025 test]#qmHandle -R > /tmp/remotequeue.txt
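The queue inspection in step b and the qmHandle listing above both boil down to reading headers out of the files under mess/. The following shell script is an added example, not part of these notes and not qmail's or qmHandle's own code: it reads the header block of every file under the queue's mess/ directory, reports the recipient count per message, tallies subjects (the pattern qmail-remove -p is later pointed at), and lists the IDs of messages addressed to more than a chosen number of recipients. It assumes the mess/<hash>/<id> layout shown above; the qmail_* function names are made up for this example.

```shell
#!/bin/sh
# Added example, not qmail's or qmHandle's own code: triage the qmail queue by
# reading headers straight from <queue>/mess/<hash>/<id>, the layout shown
# above. Function names (qmail_*) are made up for this example.

# Print "id<TAB>recipient-count<TAB>From<TAB>Subject" for one mess file.
# Only the header block (everything before the first blank line) is read.
qmail_mess_summary() {
    f="$1"
    id=$(basename "$f")
    hdr=$(sed '/^$/q' "$f")
    from=$(printf '%s\n' "$hdr" | sed -n 's/^From:[[:space:]]*//p' | head -n 1)
    subj=$(printf '%s\n' "$hdr" | sed -n 's/^Subject:[[:space:]]*//p' | head -n 1)
    # To:/Cc: values are comma-separated address lists; count the addresses
    # (grep -c prints 0 but exits 1 when nothing matches, hence "|| true").
    rcpts=$(printf '%s\n' "$hdr" | sed -E -n 's/^(To|Cc):[[:space:]]*//p' \
            | tr ',' '\n' | grep -c '@' || true)
    printf '%s\t%s\t%s\t%s\n' "$id" "$rcpts" "$from" "$subj"
}

# One summary line per message in the queue (default /var/qmail/queue).
qmail_queue_summaries() {
    queue="${1:-/var/qmail/queue}"
    find "$queue/mess" -type f | while read -r f; do
        qmail_mess_summary "$f"
    done
}

# "count Subject" lines, most frequent subject first: a burst of identical
# subjects is what qmail-remove -p is run against.
qmail_queue_top_subjects() {
    qmail_queue_summaries "$1" | cut -f4 | sort | uniq -c | sort -rn
}

# IDs of queued messages addressed to more than $2 recipients (default 20),
# the "too many recipients" heuristic used later in these notes.
qmail_queue_bulk_ids() {
    qmail_queue_summaries "$1" | awk -F'\t' -v lim="${2:-20}" '$2 > lim { print $1 }'
}
```

Source the file and call qmail_queue_top_subjects /var/qmail/queue before stopping qmail; qmail_queue_bulk_ids /var/qmail/queue 50 gives the IDs to look at with find and cat as above. The script only reads the queue, so it is safe to run while qmail is delivering.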

RE: http://kb.parallels.com/en/114845

Symptoms: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?

Note: This article is for Postfix. If you are using the Qmail mail server, see this: http://geekdecoder.com/troubleshoot-qmail-spam/

Resolution

Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?

There is a way to determine from which folder the PHP script that sends mail was run.

Note: Depending on your OS and Parallels Plesk Panel (Plesk) version, the paths can slightly differ from those listed below.

Create a /usr/sbin/sendmail.postfix-wrapper script. First create the file and open it for editing:

#touch /usr/sbin/sendmail.postfix-wrapper
#vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"

Note that this should be two lines, including #!/bin/sh.

Create a log file, /var/tmp/mail.send, and grant it a+rw rights. Make the wrapper executable, rename the old sendmail, and link it to the new wrapper. Then run the commands below:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /usr/sbin/sendmail.postfix-wrapper
~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

Wait for an hour and change the sendmail back:

~# rm -f /usr/sbin/sendmail.postfix
~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.

You can see all the folders from which mail PHP scripts were run with the following command:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

NOTE: If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Parallels Plesk Panel virtual hosts directory.
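The grep above only shows whether any vhost directory appears in the wrapper log. To rank the directories, and the domains, by how much mail their scripts sent, here is an added shell script (an example written for this page, not part of the KB article). It assumes the log has the exact shape the two-line wrapper produces, one "X-Additional-Header: <cwd>" line per message, and reads the vhosts root from psa.conf the same way the original grep does; the function names are made up, and the log lines in its checks are constructed.

```shell
#!/bin/sh
# Added example, not from the KB article: tally the X-Additional-Header lines
# the sendmail wrapper appends to /var/tmp/mail.send, per directory and per
# vhost. Function names are made up for this example.

# The Plesk vhosts root, read from psa.conf exactly as the original grep does
# (empty if the file is missing, e.g. on a non-Plesk box).
plesk_vhosts_root() {
    sed -n 's/^HTTPD_VHOSTS_D[[:space:]]*//p' /etc/psa/psa.conf 2>/dev/null
}

# "count<TAB>directory", busiest first, for every directory below root ($2)
# that a mail-sending script was run from; $1 is the wrapper log.
# An empty root means "count everything".
wrapper_log_top_dirs() {
    log="${1:-/var/tmp/mail.send}"
    root="${2:-$(plesk_vhosts_root)}"
    sed -n 's/^X-Additional-Header:[[:space:]]*//p' "$log" \
    | awk -v root="$root" '
        root == "" || substr($0, 1, length(root) + 1) == root "/" { n[$0]++ }
        END { for (d in n) printf "%d\t%s\n", n[d], d }' \
    | sort -rn
}

# Same, collapsed to the vhost name (first path component below root), so a
# domain with several sending scripts shows up once with its total.
wrapper_log_top_vhosts() {
    log="${1:-/var/tmp/mail.send}"
    root="${2:-$(plesk_vhosts_root)}"
    wrapper_log_top_dirs "$log" "$root" \
    | awk -F'\t' -v root="$root" '
        { rest = substr($2, length(root) + 2); sub(/\/.*/, "", rest); n[rest] += $1 }
        END { for (v in n) printf "%d\t%s\n", n[v], v }' \
    | sort -rn
}
```

Run wrapper_log_top_vhosts after the hour the wrapper was in place; the top entry is the domain whose scripts sent the most mail, and wrapper_log_top_dirs gives the exact directory to inspect for the script itself (an uploads directory is a common finding). Anything logged from outside the vhosts root is dropped, matching the original grep.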

Usually, that means one of the mail accounts has been compromised. Check login attempt count:

# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

If you see an unusually high number of login attempts, it is very likely that accounts were compromised. You can try to identify these accounts in the following way:

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com

To stop spam from being sent, change passwords for compromised accounts and restart the Postfix service.

Switching the server from Postfix to qmail, which sends mail for all accounts from the server's primary IP (216.55.xxx.xxx), is a great way to move sending to an IP that is not blacklisted.

Qmail default IP
The default outgoing mail IP for qmail is set in /var/qmail/control/outgoingip

Is the server sending spam? Try this.
http://kb.parallels.com/766

First, check that all domains have the option ‘Mail to non-existing user’ set to ‘reject’ but not to ‘forward.’ You can change this setting to all domains using “Group Operations” in the “Domains” tab in Parallels Plesk Control Panel. The option “Reject mail to nonexistent user” is available since Parallels Plesk Panel 7.5.3.
Also check that all the IPs and networks in the white lists are reliable and familiar to you.

Check how many messages are in the queue with Qmail:

# /var/qmail/bin/qmail-qstat

messages in queue: 27645
messages in queue but not yet preprocessed: 82

If the queue has too many messages, try to discover the source of SPAM.

If mail is being sent by an authorized user but not from the PHP script, you can run the command below to find the user that has sent the most messages (available since Plesk 8.x). Note that you must have the ‘SMTP authorization’ activated on the server to see these records:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n

The path to ‘maillog’ may differ depending on the OS you are using.

The next step is to use “qmail-qread,” which can be used to read the message headers:

# /var/qmail/bin/qmail-qread

18 Jul 2005 15:03:07 GMT #2996948 9073 <user@domain.com> bouncing
done remote user1@domain1.com
done remote user2@domain2.com
done remote user3@domain3.com
….

This shows the senders and recipients of messages. If a message has too many recipients, it is probably spam. Now try to find this message in the queue by its ID (#2996948 in our example):

# find /var/qmail/queue/mess/ -name 2996948

Examine the message and find the line “Received” to find out from where it was sent for the first time. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

it means that this message was sent via a CGI script by the user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

If the ‘Received’ line contains the UID of the ‘apache’ user (for example, invoked by uid 48), it means that spam was sent through a PHP script. In this case, you can try to find the spammer using information from the spam email (the from/to addresses or anything else in it). It is usually very difficult to discover the source of spam. If you are absolutely sure that a script is sending spam right now (the queue grows rapidly for no apparent reason), you can use the following command to determine which PHP scripts are running at that moment:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

You can also apply the KB article which describes the procedure of discovering which domains are sending mail through PHP scripts.

http://kb.sp.parallels.com/en/766

Lines in Received section like

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

mean that the message was accepted and delivered via SMTP, and that the sender is an authorized mail user.

Check the emails going out and look for a sending user that is in plesk:

cat /usr/local/psa/var/log/maillog | grep 'validuser@user@domain.com'

Output:

Nov 7 10:01:07 mail smtp_auth: SMTP user @user@domain.com : logged in from (null) [188.xx.xx.xx]

Multiple logins from different IPs for the same account show that the spam is being sent through a valid user's credentials.
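The Postfix count of sasl_username values earlier on this page and the qmail smtp_auth lookup just above are the same check against two log formats. The following shell function is an added example (written for this page, not from the KB articles): it reads plain or gzipped maillog files, pulls the authenticated account out of either line format, counts logins per account and the number of distinct client IPs each account logged in from, and marks accounts above a threshold as SUSPECT. The line shapes it parses are taken from the sample output quoted on this page; the function name is made up and the log lines in its checks are constructed.

```shell
#!/bin/sh
# Added example, not from the KB articles: tally authenticated SMTP logins per
# account from maillog files, handling both line formats quoted on this page:
#   Postfix: "... sasl_method=LOGIN, sasl_username=<user>"
#   qmail:   "... smtp_auth: SMTP user <user> : logged in from (null) [<ip>]"
# Usage: smtp_auth_tally <threshold> maillog [maillog.processed.1.gz ...]
# Output: "logins<TAB>distinct-IPs<TAB>SUSPECT|ok<TAB>account", busiest first.
smtp_auth_tally() {
    lim="$1"; shift
    for f in "$@"; do
        # rotated logs may be gzipped; read them in place like zgrep would
        case "$f" in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done | awk -v lim="$lim" '
        {
            user = ""; ip = ""
            # "sasl_username=" is 14 characters, "smtp_auth: SMTP user " is 21
            if (match($0, /sasl_username=[^ ,]+/))
                user = substr($0, RSTART + 14, RLENGTH - 14)
            else if (match($0, /smtp_auth: SMTP user [^ ]+/))
                user = substr($0, RSTART + 21, RLENGTH - 21)
            if (user == "") next
            # client address: the first dotted quad in square brackets
            # (a plain [pid] such as smtpd[2201] has no dots and is skipped)
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                ip = substr($0, RSTART + 1, RLENGTH - 2)
            n[user]++
            if (ip != "" && !((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END {
            for (u in n)
                printf "%d\t%d\t%s\t%s\n", n[u], ips[u] + 0, (n[u] > lim ? "SUSPECT" : "ok"), u
        }' | sort -rn
}
```

Typical call: smtp_auth_tally 1000 /usr/local/psa/var/log/maillog*. A single account with a login count far above the rest, and especially with many distinct client IPs, is the compromised one; the distinct-IP column is the "multiple IP logins" signal described above, reduced to a number.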

Check email passwords:

mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e 'select m.mail_name,a.password,d.name from mail m,accounts a,domains d where m.account_id=a.id and m.dom_id=d.id;'

Or

# /usr/local/psa/admin/bin/mail_auth_view

Delete qmail email queue

# /usr/local/psa/admin/sbin/mailqueuemng -D