Find a Spammer on a Plesk Server

Follow these steps to check whether mail is being sent through a compromised mailbox. Start by counting authenticated SMTP logins per account in the Postfix maillog (rotated, gzipped copies included); an account whose login count is far above every other account's is almost certainly compromised:

zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
981476 test@cpanelpleskcom
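The same count done as a small shell script, added here as an example and not taken from the original page. It goes slightly beyond the one-liner above: it matches both the LOGIN and PLAIN SASL mechanisms and keys on the sasl_username= token instead of a fixed awk field, so it does not break if the log line layout shifts. The log lines, hosts, addresses and the 500-login threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page: count authenticated SMTP
# logins per account over Postfix maillog lines. It goes slightly beyond the
# page's one-liner by matching both the LOGIN and PLAIN SASL mechanisms and by
# keying on the sasl_username= token rather than a fixed awk field position.

# Constructed sample log lines standing in for /usr/local/psa/var/log/maillog.
# Hosts, addresses, PIDs and queue IDs are made up; the line layout follows
# what Postfix smtpd/qmgr log.
SAMPLE_MAILLOG='Mar  3 10:01:12 mail postfix/smtpd[2201]: 1A2B3C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=test@example.com
Mar  3 10:01:13 mail postfix/smtpd[2201]: 2B3C4D5E6F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=test@example.com
Mar  3 10:01:14 mail postfix/smtpd[2204]: 3C4D5E6F70: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=test@example.com
Mar  3 10:02:00 mail postfix/smtpd[2210]: 4D5E6F7081: client=home.example.net[198.51.100.4], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:02:01 mail postfix/qmgr[1800]: 4D5E6F7081: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)'

# Read log text on stdin; print "count address" pairs, busiest account first.
sasl_login_counts() {
    grep 'sasl_username=' \
    | sed -n 's/.*sasl_username=\([^,[:space:]]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print the single busiest account as "count address".
top_sasl_account() {
    sasl_login_counts | head -n 1
}

# Print the addresses whose login count is at least $1 (default 500).
# The threshold is a judgement call: compare the top entry with the rest of
# the list rather than treating the number as an absolute.
suspicious_accounts() {
    threshold=${1:-500}
    sasl_login_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demonstration on the constructed sample. Against the live server, run the
# same functions over the current and rotated logs, e.g.:
#   zcat -f /usr/local/psa/var/log/maillog* | suspicious_accounts 500
printf '%s\n' "$SAMPLE_MAILLOG" | sasl_login_counts
```

On the sample the script reports 3 logins for test@example.com and 1 for alice@example.com; on a real server the ratio between the top entry and the next one is the signal, not the absolute number.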

Here test@cpanelpleskcom, the account at the top of the list, is compromised: change its password immediately. Note that the search above only matches the LOGIN mechanism; clients that authenticate with PLAIN are logged with sasl_method=PLAIN, so repeat the search with that token (or grep for sasl_username=, which both mechanisms log) before concluding that no account stands out. The spam already waiting in the Postfix queue can then be discarded. The bluntest way is to flush the entire queue:

postsuper -d ALL

This also throws away every legitimate message still waiting for delivery, so on a shared server prefer deleting only the entries sent by the compromised account: postqueue -p prints the envelope sender on each queue ID line, and postsuper -d accepts individual queue IDs.

To list only the queue IDs of the messages in the Postfix queue:

postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'

IDs of messages in the active queue are printed with a trailing * and held messages with a trailing !, so strip that character before passing an ID to postsuper or postcat. The pattern assumes Postfix's default short hexadecimal queue IDs; a server with enable_long_queue_ids set prints mixed-case alphanumeric IDs that it will not match.

To find the total number of messages in the queue when Plesk is running qmail:

mailq | tail -n 1

To find the total number of messages in the queue when Plesk is running Postfix (the summary line at the end of postqueue -p output, "-- N Kbytes in M Requests.", reports the same count):

postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'|wc -l

To list every message in the queue, with its size, arrival time, sender and recipients, on a Postfix server:

postqueue -p
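The queue commands above all parse postqueue -p output, and the cleanup step earlier benefits from the same parsing: instead of "postsuper -d ALL", delete only the messages whose envelope sender is the compromised account. The script below is an added example, not code from the original page; the queue listing it works on is constructed, and postsuper -d - (reading queue IDs from standard input) is the real Postfix interface it feeds.

```shell
#!/bin/sh
# Added example, not code from the original page: parse the output of
# postqueue -p so that queue IDs can be counted, listed, or selected by sender
# and handed to postsuper, instead of flushing the whole queue with
# "postsuper -d ALL".

# Constructed postqueue -p output (queue IDs, sizes, addresses made up). The
# layout is the one Postfix prints: one line per message with queue ID, size,
# arrival time and sender, then one indented line per recipient. A trailing
# "*" marks a message in the active queue and "!" a held message; deferred
# messages carry a "(reason)" line.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
679E745AC97E     2891 Tue Mar  3 10:01:12  test@example.com
                                         victim1@example.org
                                         victim2@example.org

1B2C3D4E5F60*    1200 Tue Mar  3 10:02:00  alice@example.com
                                         bob@example.net

2C3D4E5F6071!    4100 Tue Mar  3 10:03:40  test@example.com
(host mx.example.org[192.0.2.10] said: 450 4.7.1 Try again later)
                                         victim3@example.org

-- 8 Kbytes in 3 Requests.'

# A queue-ID line is one whose first field is alphanumeric (short hex IDs or
# long base-62 IDs), optionally followed by * or !, and that has the size,
# date and sender fields after it. Recipient lines have a single field and
# the header, summary and reason lines start with "-", "--" or "(".
QUEUE_LINE='$1 ~ /^[A-Za-z0-9]+[*!]?$/ && NF >= 4'

# Print every queue ID on stdin with the */! marker stripped, so the output
# can be fed straight to postsuper or postcat.
queue_ids() {
    awk "$QUEUE_LINE"' { sub(/[*!]$/, "", $1); print $1 }'
}

# Number of messages in the queue (same as the count on the summary line).
queue_count() {
    queue_ids | awk 'END { print NR }'
}

# Queue IDs of messages whose envelope sender is $1 (the last field of the
# queue-ID line).
queue_ids_from_sender() {
    awk -v s="$1" "$QUEUE_LINE"' && $NF == s { sub(/[*!]$/, "", $1); print $1 }'
}

# Demonstration on the sample. On the live server the same functions read the
# real queue; postsuper -d - takes the IDs to delete from standard input:
#   postqueue -p | queue_count
#   postqueue -p | queue_ids_from_sender test@example.com | postsuper -d -
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_from_sender test@example.com
```

On the sample, queue_ids_from_sender test@example.com returns the deferred and the held message and leaves alice's active message alone; run it without the postsuper stage first and read the list before deleting anything.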

If the mail is being injected by a PHP script on the server rather than through an authenticated SMTP login, dump one of the queued messages by its queue ID:

postcat -q 679E745AC97E

The message headers identify the script:

X-PHP-Originating-Script: 33:spam.php

PHP adds this header to every message sent through mail() when mail.add_x_header is enabled in php.ini. The number before the colon is the UID of the process that sent the mail and the name after it is the script's file name (the basename only, so locate the file with find under the vhost document roots). Here the script is spam.php; confirm which site it belongs to and which client addresses are calling it by searching that site's web server access log for requests to spam.php, then remove the file and fix whatever let the attacker upload it. If mail.log is also set in php.ini, that log records the full path and line number of each mail() call, which saves the search.
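The header extraction and the access log check, as an added example that is not code from the original page. The postcat dump, the access log lines and the path /var/www/vhosts/system/example.com/logs/access_log (Plesk's per-domain log location, assumed here) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page: pull the
# X-PHP-Originating-Script header out of a postcat dump, resolve the UID it
# carries, and find which clients were requesting that script in a web server
# access log. Paths under /var/www/vhosts are Plesk's defaults as assumed here.

# Constructed, abridged postcat -q output for one queued message (IDs and
# addresses made up). PHP adds the X-PHP-Originating-Script header when
# mail.add_x_header is enabled; its value is "<uid>:<script basename>".
SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/6/679E745AC97E ***
message_arrival_time: Tue Mar  3 10:01:12 2020
sender: test@example.com
*** MESSAGE CONTENTS deferred/6/679E745AC97E ***
Received: by mail.example.com (Postfix, from userid 33)
    id 679E745AC97E; Tue,  3 Mar 2020 10:01:12 +0000 (UTC)
To: victim1@example.org
Subject: Urgent account verification
X-PHP-Originating-Script: 33:spam.php
From: test@example.com

Your account will be suspended unless you click the link.'

# Constructed Apache combined-format access log lines (client IPs from the
# documentation range 203.0.113.0/24).
SAMPLE_ACCESS_LOG='203.0.113.7 - - [03/Mar/2020:10:01:10 +0000] "POST /wp-content/uploads/spam.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2020:10:01:11 +0000] "GET /index.php HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2020:10:01:12 +0000] "POST /wp-content/uploads/spam.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2020:10:01:30 +0000] "POST /wp-content/uploads/spam.php?x=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"'

# Read postcat output on stdin; print "uid script" from the first
# X-PHP-Originating-Script header, or nothing if the header is absent.
originating_script() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):\(.*\)$/\1 \2/p' | head -n 1
}

# Resolve a UID to a login name with getent; fall back to the bare UID when
# it cannot be resolved on this host. On Plesk the name usually identifies
# the subscription whose PHP ran the script (UID 33 is www-data on Debian).
uid_to_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-$1}"
}

# Read access log lines on stdin; print "count ip" for each client that
# requested the script named in $1 (matched as a path component, so
# "spam.php" does not match "notspam.php"), busiest client first.
script_requesters() {
    awk -v s="/$1" 'index($7, s) { print $1 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demonstration on the samples. On the live server:
#   postcat -q 679E745AC97E | originating_script
#   find /var/www/vhosts -name spam.php
#   script_requesters spam.php < /var/www/vhosts/system/example.com/logs/access_log
printf '%s\n' "$SAMPLE_POSTCAT" | originating_script
printf '%s\n' "$SAMPLE_ACCESS_LOG" | script_requesters spam.php
```

The requester list is what you hand to the firewall and what you check the other vhosts' logs for; the same client addresses usually show up uploading or probing the script on other sites on the box.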