How to check if someone is spamming from my Linux Plesk server

If you see a lot of SMTP connections, or your server constantly ends up on spam blacklists, you should check whether a bot is sending spam through your server.

There are 2 cases of spamming through a box:

1) using insecure PHP forms that bots abuse
2) using an SMTP connection from an outside client

This article is about the 2nd case.

In Plesk 8.x the log of the SMTP connections is usually located in the file /usr/local/psa/var/log/maillog, so all you have to do is run a check

cat /usr/local/psa/var/log/maillog | grep "smtp_auth:"

to find connections like this one repeated some thousand times:

Nov 1 22:49:04 server smtp_auth: SMTP connect from unknown@somehostingprovider.tld [ip address]
Nov 1 22:49:04 server smtp_auth: smtp_auth: SMTP user test : /var/qmail/mailnames/domain.tld/test logged in from unknown@somehostingprovider.tld [ip address]

This mostly happens to users who have email accounts with weak passwords like "12345", "password" or "test". Spam bots can use these accounts to send thousands of emails with hundreds of BCCs.
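
To see which mailboxes those repeated logins belong to, this added example (not part of the original article) counts successful logins and distinct source addresses per mailbox. The function names, the sample log lines and the threshold are assumptions made for illustration, and it expects the client IP as a single bracketed token.

```shell
#!/bin/sh
# Added example: per-mailbox summary of successful SMTP logins in a Plesk maillog.

# count_smtp_logins FILE
# Prints "<logins> <distinct source IPs> <mailbox path>", busiest mailbox first.
count_smtp_logins() {
    awk '/smtp_auth:/ && /logged in from/ {
        box = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\/var\/qmail\/mailnames\//) box = $i   # mailbox directory
            if ($i ~ /^\[.*\]$/) ip = $i                      # bracketed client IP
        }
        if (box == "") next
        logins[box]++
        if (!((box, ip) in seen)) { seen[box, ip] = 1; sources[box]++ }
    }
    END { for (b in logins) printf "%d %d %s\n", logins[b], sources[b], b }' "$1" |
        sort -rn
}

# suspicious_mailboxes FILE MIN_LOGINS
# Prints only the mailboxes with at least MIN_LOGINS successful logins.
suspicious_mailboxes() {
    count_smtp_logins "$1" | awk -v min="$2" '$1 >= min { print $3 }'
}

# Constructed sample log (documentation IP ranges, made-up hostnames).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov  1 22:49:04 server smtp_auth: SMTP connect from unknown@host.example [192.0.2.10]
Nov  1 22:49:04 server smtp_auth: smtp_auth: SMTP user test : /var/qmail/mailnames/domain.tld/test logged in from unknown@host.example [192.0.2.10]
Nov  1 22:49:09 server smtp_auth: smtp_auth: SMTP user test : /var/qmail/mailnames/domain.tld/test logged in from unknown@host.example [192.0.2.10]
Nov  1 22:50:11 server smtp_auth: smtp_auth: SMTP user test : /var/qmail/mailnames/domain.tld/test logged in from unknown@other.example [198.51.100.7]
Nov  1 22:51:30 server smtp_auth: smtp_auth: SMTP user test : /var/qmail/mailnames/domain.tld/test logged in from unknown@third.example [203.0.113.25]
Nov  1 23:02:45 server smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/domain.tld/info logged in from unknown@office.example [192.0.2.99]
EOF

count_smtp_logins "$SAMPLE_LOG"
echo "Mailboxes with 3 or more logins:"
suspicious_mailboxes "$SAMPLE_LOG" 3
```

On a real server, pass /usr/local/psa/var/log/maillog as the file argument and pick a threshold that fits your normal traffic.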

You can also use this command to watch the SMTP connections in real time:

tail -f /usr/local/psa/var/log/maillog | grep "smtp_auth:"

The solution is to block the email addresses and force your client to change his password.
