rogue scripts, with the following two websites being useful for this practice:
http://www.stopthehacker.com/
http://www.exploit-db.com/

The following two websites can also be highly useful as additional resources when experiencing a security compromise.
http://google.com/webmasters/hacked/
http://stopbadware.org/webmaster-help

Check the header of an email


X-Spam-Status: No, score=0.1
X-Spam-Score: 1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "server.domain.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

You can also add Barracuda RBL to Exim in WHM

For cPanel /home/username/.spamassassin/user_prefs as described:

Other Resources:

Improving SpamAssassin accuracy on cPanel (or any other) mail servers – with statistics

Check the mail queue in a plesk server:

# /usr/local/psa/admin/bin/mailqueuemng -s

mail queue is full of spam type messages like this:

Subject: Mr.: 14623c9d 65% off for you!
Sale Sale Sale!! Vigara – 0.54$, Cilias – 1.09$, Levtira – 1.15$.. and more more more… ”

Steps to take:

1. Check the mail queue for suspicious emails that are spam and remove them. Monitor the mail queue to see who is sending email and the content and locate the email account for spam delivery.

To remove all mail from the queue, enter:

# postsuper -d ALL

2. Check the passwords for the email accounts with this command logged in ssh as root:

# /usr/local/psa/admin/bin/mail_auth_view
Change all weak passwords to more secure passwords. (There are many simple email passwords).

3. Check any wordpress and joomla web sites for updates. Make sure all plugins and core software is up to date.

4. Check any forms on websites and ensure that they have captcha enabled so that they cannot be submitted automatically.

Here are some links to assist in installing an email wrapper to see if the sever is sending spam via a script:

If Postfix – http://kb.parallels.com/en/114845

Once the server is verified spam free you can contact us and we can help with any de-listing submissions.

Please let us know if you have any other questions.

RE: http://kb.parallels.com/en/114845

[stextbox id=”info”]Symptoms: Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?[/stextbox]

[stextbox id=”warning”]Note:  This article is for Postfix.  If you are using the Qmail mail server, see this: http://geekdecoder.com/troubleshoot-qmail-spam/[/stextbox]

Resolution

Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running?

There is a way to determine from which folder the PHP script that sends mail was run.

Note: Depending on your OS and Parallels Plesk Panel (Plesk) version, the paths can slightly differ from those listed below.

Create a /usr/sbin/sendmail.postfix-wrapper script with the following content:

Create a file and open it for editing:

#touch /usr/sbin/sendmail.postfix-wrapper
#vi /usr/sbin/sendmail.postfix-wrapper

Add the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/usr/sbin/sendmail.postfix-bin "$@"

Note that this should be two lines, including #!/bin/sh.

Create a log file, /var/tmp/mail.send, and grant it a+rw rights. Make the wrapper executable, rename the old sendmail, and link it to the new wrapper. Then run the commands below:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /usr/sbin/sendmail.postfix-wrapper
~# mv /usr/sbin/sendmail.postfix /usr/sbin/sendmail.postfix-bin
~# ln -s /usr/sbin/sendmail.postfix-wrapper /usr/sbin/sendmail.postfix

Wait for an hour and change the sendmail back:

~# rm -f /usr/sbin/sendmail.postfix
~# mv /usr/sbin/sendmail.postfix-bin /usr/sbin/sendmail.postfix

Check the /var/tmp/mail.send file. There should be lines starting with X-Additional-Header: pointing to the domain folders where the scripts that sent the mail are located.

You can see all the folders from which mail PHP scripts were run with the following command:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

[stextbox id=”alert”]NOTE: If you see no output from the above command, it means that no mail was sent using the PHP mail() function from the Parallels Plesk Panel virtual hosts directory.[/stextbox]

Usually, that means one of the mail accounts has been compromised. Check login attempt count:

# zgrep -c 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog*
/usr/local/psa/var/log/maillog:221000
/usr/local/psa/var/log/maillog.processed:362327
/usr/local/psa/var/log/maillog.processed.1.gz:308956

If you see an unusually high number of login attempts, it is very likely that accounts were compromised. You can try to identify these accounts in the following way:

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
891574 sasl_username=admin@example.com

To stop spam from being sent, change passwords for compromised accounts and restart the Postfix service.

PHP Spam Scripts

I finally decided this topic deserves its own page.
To find the script sending spam
Plesk

Ver -11.0


cat /var/www/vhosts/domain.com/statistics/logs/access_log | grep POST > /tmp/post.log

Ver 11.5+


cat /var/www/vhosts/system/domain.com/statistics/logs/access_log | grep POST > /tmp/post.log

WHM cPanel


cat /usr/local/apache/domlogs/domain.com | grep POST > /tmp/post.log

View the results


cat /etm/post.log

78.138.118.128 - - [02/Jan/2014:10:51:41 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:52:54 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:54:13 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:55:18 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:56:32 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"

Joomla

This file often appears in /tmp/sysNNNNNNNN.php file
1. /tmp is 777
2. the sysNNNNNNNN.php is usually accompanied by a .zip file
3. .php and .zip are owned by apache

To stop Spam:

drop SMTP on port 25, 465 and 587 to prevent further spam from being sent out by running the following commands:


# /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 465 -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 587 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 587 -j DROP

Restart:

# service iptables restart

Block an IP accessing the site:

# iptables -A INPUT -s 80.35.xx.xxx -j DROP

Restart:

# service iptables restart

After that – check the cpnael access logs for the domain and see that there is a 403 Error:

# tail -f /usr/local/apache/domlogs/gamedayboston.com

80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

If you cannot send emails to Outlook or Hotmail or MSN, then your server’s IP address maybe blacklisted. Here are some tips to get removed from the MSN blacklist.

Before jumping through the blacklist removal hoops, you may want to double-check that your emails are not simply going into the spam folder. This process will not help you with emails being dropped into the spam folder. This is for getting off of MSN’s blacklist. I am going to outline 3 steps.

Verify you are on the MSN blacklist.
Perform preliminary blacklist removal checks.
Submit MSN blacklist delisting request.

Delist Here – Sender Information for Outlook.com Delivery –

https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=635808707851479494&wa=wsignin1.0

MSN Blacklist Check

If MSN has blacklisted your IP, you will receive a delivery rejection notice from MSN or Hotmail. If you check your server’s logs or your email bounce you may see something like this:

SMTP error from remote mail server after end of data:
host mx1.hotmail.com [65.54.188.94]: 550 SC-001 (BAY0-MC2-F59) Unfortunately, messages from 216.55.xxx.xxx weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to <a href="http://mail.live.com/mail/troubleshooting.aspx#errors." target="_blank" rel="noopener">http://mail.live.com/mail/troubleshooting.aspx#errors.</a>

If you are seeing this or a similar email error, then your server’s IP has likely been blocked by MSN/Hotmail. There could be other response codes, but typically all MSN blacklist notifications will include a 500 series error. MSN’s postmaster service as a list of MSN’s blacklist codes.

MSN Blacklist Codes

I suggest you check this list to find the exact reason Hotmail or MSN is rejecting your emails.

There are some 400 series errors that deal with email volume rather than suspected spam. If you are sending high volumes of email to MSN, you may need to sign up for their bulk sender’s program.

If you are not seeing 500 errors, then you may not have an email blacklist problem but some other email delivery issue.
Preliminary Blacklist Delisting Tasks

Before requesting removal from MSN’s blacklist, you will want to take some steps to stop whatever caused the listing.

Make sure there is no unauthorized email going from your server.

  • Check the daily volume of email going to Hotmail, MSN or Outlook
  • Look for compromised user accounts.
  • Look for people forwarding email to Hotmail, MSN, or Outlook.com.
  • Do you have SPF and rDNS records set up?

If someone is forwarding email to Hotmail related addresses and then marketing it as spam, Hotmail will lower your server’s sender reputation. Window’s Live and related email services such as Hotmail and MSN.com emails work with Return Path to filter email. So email server reputation is more important for sending to these accounts than some of the other ISP’s covered in this series.

Hotmail/MSN Blacklist Removal Process

To start the process of getting removed from Hotmail’s blacklist, you will need to complete their sender information form.

Unfortunately since Microsoft maintains their own blacklist they have no obligation to accept email from anyone. Please have a look at some of their suggestions located at https://mail.live.com/mail/services.aspx

I would suggest signing up for both SNDS and Microsoft’s Junk Mail Reporting Program.

Submit to get Delisted!

Sender Information for Outlook.com Delivery – https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&ccsid=636529520240187401&wa=wsignin1.0

Provide all of the requested information. Unlike some other ISPs, MSN Support requires you to run some telnet tests from the command line on your server. If you do not know how to run these tests, you will need to get someone to help you.

In working with MSN, I have found it very important to provide accurate email headers. If you provide reliable information and are truly not spamming their systems, you will typically see removal in 2-3 business days. MSN is very picky about DNS. So be sure your DNS, PTR and SPF/SenderID records are in order before requesting removal.

If you have root access and need to send email now, try below:

Partial Solution:

Re-route the IP on port 25 if you have a linux box and you have another IP that is not blacklisted.

apply an iptables rule to route your outbound SMTP to a new IP

216.55.xxx.xxx


# iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 216.55.xxx.xxx