Spam Tracking in Plesk qmail

Install qmhandle-1.3.2 from:

cd qmhandle-1.3.2
./qmHandle -s
shows the stats of mails.

To view the mails in queue, please do

# /var/qmail/bin/qmail-qstat
messages in queue: 758
messages in queue but not yet preprocessed: 0

Let’s examine the queue with qmail-qread. Seeing a bunch of strange email addresses in the recipient list usually it’s meaning spam.

# /var/qmail/bin/qmail-qread

Please examine the email content of the emails in the queue using vi or cat  command. Firstly we should find message’s id using qmail-qread, then find the file holding the email in/var/qmail/queue with find command.

# find /var/qmail/queue/ -name (msg id)

Find the IP address from the mail header and remove spam from the queue using qmail-remove

Now, remove spams, they all will end up in the/var/qmail/queue/yanked directory :

# /etc/init.d/qmail stop

# qmail-remove -r -p ‘’

In a few minutes we do have more emails with the same patterns from the same ip address. That’s great, we do have opportunity to examine smtp traffic from the spammer’s ip address. Run tcpdumpand wait a few minutes.

# tcpdump -i eth0 -n src \or dst -w smtp.tcpdump -s 2048

Examining log file with vi we found that spammer is sending spam using LOGIN authentication:


ehlo User
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 go ahead


Then decode the user/pass to see which account is used:

# perl -MMIME::Base64 -e ‘print decode_base64(”dGVzdA==”)’ test

# perl -MMIME::Base64 -e ‘print decode_base64(”MTIzNDU=”)’ 12345

So, someone created a test account with a weak password and someone else guessed it and is sending spam through the server.

Let’s find the domain owning of the mailbox:

[root@ulise ~]# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

mysql> SELECT m.mail_name,, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = AND m.account_id = WHERE m.mail_name=’test’ AND a.password=’12345′;
| mail_name | name       | password |
| test      | | 12345    |
1 row in set (0.01 sec)

Next step is to delete test mailbox and send a warning to client.

To improve your server’s security you’ll need to enable:
Server -> Mail -> Check the passwords for mailboxes in the dictionary

Reference :

  1. Paul said:

    Thanks for this post. It helped me track down two weak accounts on my mail servers.

  2. Jon said:

    Thanks very much for this! I’ve been trying to find a way of examining emails in the queue to track spam for months!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: