Jan 06

Re: Finding Plesk Spammer, Qmail spam source, Anonymous spam

So you’ve done all the basics, looked through the maillogs and you’ve determined the spammer is sending from “anonymous” which means a vulnerable script somewhere on the server. But where? Great, so now let’s delve a little deeper to find the UID of the spammer.

1) Let’s take a look in the mail queue and read one of those spam email references:

# /var/qmail/bin/qmail-qread

remote ankush_krishna2137@yahoo.com
6 Jan 2012 09:14:53 GMT #34012584 2987 <anonymous@server.microlite8.com>

2) Now we have a message ID, let’s search for the actual message:

# find /var/qmail/queue/ -name 34012584

/var/qmail/queue/info/0/34012584
/var/qmail/queue/remote/0/34012584
/var/qmail/queue/mess/0/34012584

3) Great! Now let’s see what’s in the message to get that all-telling UID:

# cat /var/qmail/queue/mess/0/34012584

Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <20120106091450.9934.qmail@server.microliteX.com>
To: annette@recdom.wandoo.co.uk
Subject: Urgent Reply
From: Mrs.Farida Waziri <faridawaziri@hotmail.com>

4) Let’s map the UID to a domain name on the Plesk server:

# getent passwd 10820

admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false

5) Spammer caught :D


Jan 05

Re: Is my site infected with Malware, Is there malicious code in my site?

There is one sure-fire way to check if your site is infected with malware: ask Google!

Go to the following URL and insert your domain name at the end, here is a sample:

http://www.google.com/safebrowsing/diagnostic?site=uk-cheapest.co.uk

To check your PC for malware, use the following free software:

AdAware - http://www.lavasoft.com/
MBAM - http://www.malwarebytes.org/products/malwarebytes_free

This free software will remove all malware and malicious ads, spyware and cookies from your PC and should be run regularly to ensure an optimum browsing experience.

Jan 05

Re: Yandex IP range, Yandex subnets, Block Yandex Robots

Across our server range we are finding that Yandex continues to ignore robots.txt files and crawls some sites constantly, so how do you stop such an abuse of your network resources?

If you use IPTABLES or APF (you should!) then you can block all Yandex spiders using the following IP ranges:


Simply restart APF and Yandex will no longer be a problem (until they extend their network!).

Jan 04

Before connecting your domain to your Google Apps Email account you will need to determine if your domain name is parked or hosted. If your domain name is parked, you will need to make the changes in your Domain Control panel. If your nameservers are NOT set to ns.microlite1.com and ns2.microlite1.com and you have hosting with us, you will need to make the changes inside your Plesk control panel. If you have lost your Domain / Plesk control panel login details, please go to Forgotten password to retrieve all of your login details by email.

To make DNS changes inside your Domain control panel, select the domain and go to DNS Manager. Please be sure to delete any existing MX records before adding the new ones. When adding the Google MX records, please set the hostname for each MX record to @

To make DNS changes inside your Plesk control panel, select the domain and go to DNS Settings. Please ensure that you delete any existing MX records before adding the Google MX records. When adding the records, please leave the ‘mail domain’ field blank.

You are now ready to add the following MX records:

ASPMX.L.GOOGLE.COM. 1

ALT1.ASPMX.L.GOOGLE.COM. 5

ALT2.ASPMX.L.GOOGLE.COM. 5

ASPMX2.GOOGLEMAIL.COM. 10

ASPMX3.GOOGLEMAIL.COM. 10

The records are listed in priority order (smallest priority value 1 = highest priority). If you cannot add the priority values listed, then you will need to add the records in the listed order.

If you experience any problems please submit a ticket to our Help Desk.

Dec 20

To import a MySQL database you can use phpMyAdmin which is available in your Plesk control panel.

1) Firstly, you will need to create the database in Plesk that you would like to import the SQL file to.

- Video tutorial: How to create a database in Plesk

2) Open up phpMyAdmin inside Plesk

- Go to Databases

- Select the Database

- Go to Webadmin

3) Once you are in phpMyAdmin, Select the Database on the left hand bar.

4) Go to import

5) Click the ‘Choose’ button to browse the location of the text file

6) Click “Go” to import the SQL file

If you experience any problems, please log a ticket with our Help Desk.

Dec 20

Sending Emails using SMTP

Many of our hosting accounts are provided with your own shared SMTP server based on your domain name. However, many ISPs are now blocking 3rd party SMTP use in an effort to control SPAM on their networks.

If you use a third-party SMTP server based on your domain name it may be classed as a spam risk. Sometimes, only emails sent through a dedicated ISP SMTP server have the best chance of delivery.

Use your ISP SMTP Server for best performance

Your ISP (or Broadband provider) already supplies you with an SMTP server as part of the service you are paying for. It can be confusing, so here is a list of popular ISPs and their SMTP servers.

AOL - smtp.aol.com
BT Yahoo! - mail.btinternet.com
BT Openworld - mail.btopenworld.com
BT Click - smtp.btclick.com
BusinessServe - smtp.businessserve.co.uk
Claranet - relay.clara.net
Demon - post.demon.co.uk
Easynet - smtp.easynet.co.uk
Freeserve - smtp.freeserve.co.uk
Global Internet - smtpmail.globalnet.co.uk
gmail - smtp.gmail.com
Go Daddy - smtpout.secureserver.net
Lineone - smtp.lineone.net
Lycos - smtp.lycos.co.uk
Mac.com - smtp.mac.com
Mistral - smtp.mistral.co.uk
Netscape - smtp.isp.netscape.com
Netscapeonline - mailhost.netscapeonline.co.uk
Nildram - smtp.nildram.co.uk
NTL - smtp.ntlworld.com
OneTel - mail.onetel.net.uk
Pipex (Dial) - smtp.dial.pipex.com
Pipex - smtp.dsl.pipex.com
Purplenet - smtp.purplenet.co.uk
Supanet - smtp.supanet.com
TalkTalk - smtp.talktalk.net
Telewest - smtp.blueyonder.co.uk
Tesco Net - mail.tesco.net
Tiscali - smtp.tiscali.co.uk
Totalise - mail.totalise.co.uk
UK Gateway - smtp.ukgateway.net
UK Superweb - smtp.uksuperweb.co.uk
Virgin - smtp.virgin.net
Waitrose - smtpmail.waitrose.com
Wanadoo (Orange) - smtp.wanadooadsl.net
yahoo.co.uk - smtp.mail.yahoo.co.uk
plusnet - relay.plus.net
BT Connect - smtp.btocnnect.com
O2 - smtp.o2.co.uk
Post Office - smtp.mypostoffice.co.uk
Sky - smtp.tools.sky.com
Eclipse Internet - smtp.eclipse.co.uk
Madasafish - mail.madasafish.com
Orange - smtp.orange.net
Be* - smtp.bethere.co.uk
Griffin Internet - smtp.griffin.com
Hotchilli - smtp.hotchilli.net
Karoo - smtp.karoo.co.uk
Namesco - smtp.namesco.net
Scotnet - mail.scotnet.co.uk
Timewarp - mail.timewarp.co.uk
Zen Internet - mailhost.zen.co.uk

When to use mail.yourdomain.co.uk

Most of our tutorials show your email configuration using the SMTP server mail.yourdomain.co.uk, however, you should use your ISP SMTP server in its place for the best and most consistent results.

If your ISP does not provide you with an SMTP service, then try using mail.yourdomain.co.uk as your SMTP server. This will work for most email networks.

Dec 20

So you want to setup your email on your new Android device? Don’t worry, it’s easy – we’ll have you up and running in 5 minutes. Just follow these steps…

  • Open your Android device email application
  • If you already have an email account set up, Press Menu and tap Accounts. Press Menu again and tap Add Account.
  • Type your email address and password then hit Next
  • Select IMAP to use your mail direct on the server. (Use POP if you want to permanently download emails to your actual device rather than viewing them from the server.)

Incoming Server settings:

Username: your email address
Password: your password
IMAP server: mail.yourdomainnamehere.com
Port: 143
Security type: None
IMAP path prefix: leave blank

Outgoing server settings:

Most ISPs do not allow 3rd party SMTP servers, so you will need to use the one provided by your ISP. See here for more details: Find your ISP SMTP Server Name

Dec 20

Re: Upgrade features on Plesk to latest offering

The range of features on offer today may be more than when you purchased your account. There is no need to lose out. This is not a new customers only offer.

We are now offering more hosted domains on all accounts to new customers. However, if you are an existing customer, don’t worry – you can upgrade to the latest offering for free!

Here is what you need to do:

  • Look at the Hosting page for your plan’s current feature list
  • The multiple domain allowances have increased for all accounts
  • The database allowances have in some cases been reduced
  • Log a ticket with the Helpdesk asking for a “feature update”
  • Include your clientXXXXX Plesk login within the ticket for a fast upgrade
  • Your existing data will not be affected and will remain intact

If you provide the correct clientXXXXX ID and your domain name from the outset in your ticket, your upgrade may be completed within an hour. The ticket will be updated once the upgrade is complete.

Dec 16

Re: Gmail email not arriving, email sent to gmail not arriving

If you are able to send email to some destinations but not to your Gmail.com address, and you do not get a bounce message, then try the following:

  • Ensure that the email is not going to your Gmail.com junk folder
  • Ensure that you have an SPF record setup at the sending domain

If nothing is arriving at your Gmail account, you are not getting a bounce and you have an SPF record set up, then try this Google walkthrough: Google – Gmail emails not arriving


Dec 11

Re: What to do with your new web hosting account

  1. Login to your Plesk Control Panel to gain access to all the features and resources provided with your account.
  2. Set up your first email address and start using email services with your domain
  3. Start collecting web visitor statistics and monitor visitors activity around your site
  4. Launch more sites with multi domain hosting to get the most from your web presence
  5. Install and Connect FileZilla FTP to upload files to your personal web space
  6. Install a Web Application such as WordPress and get a professional site online straight away

You are now well on the way to making the most of your new hosting account. For further information and advice, search the knowledgebase or contact the Helpdesk.

Dec 09

Re: Is PHP SOAP installed? Which version of PHP SOAP do I have?

For dedicated servers, you can tell if PHP SOAP is installed by running the following command on the console:

# php -i | grep soap

The following output will confirm you have PHP SOAP installed:

soap
soap.wsdl_cache => 1 => 1
soap.wsdl_cache_dir => /tmp => /tmp
soap.wsdl_cache_enabled => 1 => 1
soap.wsdl_cache_limit => 5 => 5
soap.wsdl_cache_ttl => 86400 => 86400

If you have a shared hosting account and need PHP SOAP, simply contact the Helpdesk to arrange a transfer of your account to a suitable server.

Dec 07

Re: How to enable visitors stats collection in Plesk hosting

Your Plesk Hosting account now comes with 2 options for viewing detailed visitor and traffic statistics concerning your website.

1) AWStats – Get advanced graphical web, ftp or mail statistics
2) Webalizer – statistics for user agents (browsers) and referrers

Visitor statistics collection is not enabled by default. You need to enable this feature as follows:

Simply login to your Plesk Control Panel, select your domain name and click “Web Hosting Settings”, scroll down and select which statistics package you wish to use for this domain.

To be able to view your statistics directly from your domain name (e.g. www.yourdomain.com/plesk-stat/webstat), ensure you have a tick in the box that says “(accessible via password protected directory ‘/plesk-stat/webstat/’ )”. This will allow external direct URL access via your FTP password.

Once enabled, your visitor stats will be compiled every day at 0400, so do not expect to see anything straight away. Simply check the next day and your visitor stats and charts will be available.

For professional high level statistics and analysis we highly recommend using Google Analytics in your website code, you can set up a free account here:

http://www.google.co.uk/analytics

          
Dec 07

Re: Where can I find the mail log in Plesk?

The mail logs in Plesk qmail are stored here:

/usr/local/psa/var/log/maillog

You can view the entire maillog like this:

# cat /usr/local/psa/var/log/maillog

Or you can look at the last 150 lines like this:

# tail -150 /usr/local/psa/var/log/maillog

You can watch the maillog develop in real time like this:

# tail -f /usr/local/psa/var/log/maillog

You can search for specific entries like this:

# tail -500 /usr/local/psa/var/log/maillog | grep test@domain.co.uk

The Plesk maillog is your friend when it comes to finding spammers and email problems on your server.

Dec 07

Re: Finding spammers in Plesk, find source of spam on Plesk server

If you are hosting a Plesk server with multiple sites then eventually you will find that spam will appear from one of those sites and it will be difficult to determine where the spam is coming from. This will put your server IP at risk of being suspended by your server provider.

First things first, let’s check to see if the spam is being sent by a mailbox user. This would indicate deliberate spamming from a client or a compromised password on a mailbox account.

Out of the ordinary authentications

A large number of authentications to a particular mailbox, i.e. thousands, can indicate massive email activity. You can check this quickly as follows:

# grep "LOGIN" /usr/local/psa/var/log/maillog | awk '{print $12}' | sort | uniq -c | sort -n

If you cannot see anything out of the ordinary, the search continues.

The Maillog is your friend

Let’s take a look at the plesk qmail maillog:

# tail -500 /usr/local/psa/var/log/maillog

Entries like the following indicate the domain and mailbox that the email is being sent from:

Dec  7 10:51:01 server qmail-local-handlers[29265]: from=info@spammerdomain.com

This leaves you with no further tracing to do: possibly suspend the account and contact the client in question. You might also want to clear the mail queue in the Plesk panel.

Difficult to locate spammers

A more difficult situation is where the email is being sent using the Apache user or as anonymous. This type of email spam cannot so easily be traced to a sender as it is not being sent from a mailbox.

These entries look something like this:

Dec  7 10:50:17 server qmail-queue-handlers[29080]: from=anonymous@server.hostname.com

Or like this:

Dec  7 10:50:17 server qmail: 1323255017.404624 info msg 47220220: bytes 501 from <anonymous@server.hostname.com> qp 29081 uid 48

It is not possible to determine the spammer from the maillog in this situation. These emails are being sent using a form processor or other PHP mailer / PERL mailer script.
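A quick way to see how much of the queue traffic is script-originated, as an added example that is not part of the original article: it counts messages per UID and envelope sender from the `info msg` lines shown above. The log lines, the UID 2020 and the "script"/"mailbox" labels are constructed for the illustration; 48 is the Apache UID from the log entry above.

```shell
#!/usr/bin/env bash
# Count messages per (uid, envelope sender) from the qmail "info msg" lines
# of a Plesk maillog and label each pair "script" or "mailbox".
# Usage: sender_summary [maillog] [web_uid]
sender_summary() {
    awk -v web_uid="${2:-48}" '
        / info msg [0-9]+: bytes [0-9]+ from <[^>]*> qp [0-9]+ uid [0-9]+$/ {
            sender = $0
            sub(/.* from </, "", sender); sub(/>.*/, "", sender)
            n[$NF " " sender]++          # $NF is the uid at the end of the line
        }
        END {
            for (k in n) {
                split(k, p, " ")         # p[1] = uid, p[2] = sender
                kind = (p[1] == web_uid || p[2] ~ /^anonymous@/) ? "script" : "mailbox"
                print n[k], kind, k
            }
        }' "${1:-/usr/local/psa/var/log/maillog}" | sort -k1,1nr -k3,3n
}

# Constructed sample log lines (not taken from a real server).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Dec  7 10:50:17 server qmail: 1323255017.404624 info msg 47220220: bytes 501 from <anonymous@server.hostname.com> qp 29081 uid 48
Dec  7 10:50:18 server qmail: 1323255018.101000 info msg 47220221: bytes 498 from <anonymous@server.hostname.com> qp 29090 uid 48
Dec  7 10:50:19 server qmail: 1323255019.201000 info msg 47220222: bytes 502 from <anonymous@server.hostname.com> qp 29093 uid 10211
Dec  7 10:51:01 server qmail: 1323255061.300000 info msg 47220230: bytes 1200 from <info@spammerdomain.com> qp 29266 uid 2020
Dec  7 10:51:01 server qmail-local-handlers[29265]: from=info@spammerdomain.com
EOF

# Output columns: count, label, uid, sender.
sender_summary "$sample_log"
```

A "script" row whose UID is not the shared web-server UID can be looked up in /etc/passwd straight away; rows with the web-server UID need the queue trace described next.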

Track, Trace and Remove

To solve this problem you need to:

  • Login to the Plesk Control Panel > Home > Mail Settings > Mail Queue
  • Click on one of the many SPAM emails you will see listed

Look for this at the top of the mail header:

Received: (qmail 2583 invoked by uid 10211)

Once you have the UID (which in this case is 10211) you can now trace the client like this:

# getent passwd 10211

Which will show something like this:

dom74628:x:10211:2523::/var/www/vhosts/thespammerdomain.com:/bin/false

You can now proceed to suspend the spam account and remove all the mails from the mail queue.
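The UID trace from this post and from the Jan 06 post above, run across the whole queue rather than one message (an added example, not code from the original articles). The function name, the sample queue and the `apache` passwd line are constructed for the illustration; the real defaults are the paths used on this page.

```shell
#!/usr/bin/env bash
# Tally queued qmail messages by the local UID that injected them and
# resolve each UID to its passwd entry (the home path names the vhost).
# Usage: spam_uids [mess_dir] [passwd_file]
spam_uids() {
    local mess_dir="${1:-/var/qmail/queue/mess}" passwd="${2:-/etc/passwd}"
    local count uid entry
    # qmail-queue writes its own Received line first, so only line 1 is
    # trusted; Received lines further down are supplied by the sender.
    find "$mess_dir" -type f -exec awk '
        FNR == 1 && /^Received: \(qmail [0-9]+ invoked by uid [0-9]+\)/ {
            match($0, /uid [0-9]+/)
            print substr($0, RSTART + 4, RLENGTH - 4)
        }' {} + |
    sort | uniq -c | sort -rn |
    while read -r count uid; do
        entry=$(awk -F: -v u="$uid" '$3 == u { print $1, $6; exit }' "$passwd")
        printf '%s %s %s\n' "$count" "$uid" "${entry:-unknown}"
    done
}

# Constructed sample queue and passwd file (not data from a real server).
make_sample() {
    local d r
    d=$(mktemp -d) && mkdir -p "$d/mess/0" "$d/mess/1"
    r='Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000'
    printf '%s\nSubject: Urgent Reply\n\nbody\n' "$r" > "$d/mess/0/34012584"
    printf '%s\nSubject: Urgent Reply\n\nbody\n' "$r" > "$d/mess/0/34012590"
    # Arrived over SMTP; the second Received line is sender-controlled.
    printf 'Received: (qmail 2210 invoked from network); 6 Jan 2012 09:15:02 +0000\nReceived: (qmail 1 invoked by uid 0)\n\nbody\n' > "$d/mess/1/34012601"
    printf 'Received: (qmail 2583 invoked by uid 48); 6 Jan 2012 09:16:00 +0000\n\nbody\n' > "$d/mess/1/34012602"
    printf '%s\n' 'apache:x:48:48:Apache:/var/www:/sbin/nologin' \
        'admin947932:x:10820:2523::/var/www/vhosts/thisisthespammer.com:/bin/false' > "$d/passwd"
    echo "$d"
}

# Output columns: count, uid, login name, home directory.
sample=$(make_sample)
spam_uids "$sample/mess" "$sample/passwd"
```

The message that arrived from the network is skipped even though it carries a forged "invoked by uid 0" line lower in its headers.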

Dec 06

You can use iptables pre-routing to route from one port to another.

For example, the following command will enable mail users to use port 26 or port 25 for SMTP requests. All port 26 requests will be routed to port 25.

# iptables -t nat -A PREROUTING -p tcp -d 192.168.167.2 --dport 26 -j DNAT --to 192.168.167.2:25

Now your clients can use port 26 or port 25 without any problems.