How to find an anonymous spammer on a Plesk server

Re: Finding Plesk Spammer, Qmail spam source, Anonymous spam

So you’ve done all the basics, looked through the maillogs and you’ve determined the spammer is sending from “anonymous” which means a vulnerable script somewhere on the server. But where? Great, so now let’s delve a little deeper to find the UID of the spammer.

1) Let’s take a look in the mail queue and read one of those spam email references:

# /var/qmail/bin/qmail-qread

6 Jan 2012 09:14:53 GMT #34012584 2987 <>

2) Now we have a message ID, let’s search for the actual message:

# find /var/qmail/queue/ -name 34012584


3) Great! Now let’s see what’s in the message to get out that all telling UID:

# cat /var/qmail/queue/mess/0/34012584

Received: (qmail 9936 invoked by uid 10820); 6 Jan 2012 09:14:50 +0000
Date: 6 Jan 2012 09:14:50 +0000
Message-ID: <>
Subject: Urgent Reply
From: Mrs.Farida Waziri <>

4) Let’s map the UID to a domain name on the Plesk server:

# cat /etc/passwd | grep 10820


5) Spammer caught 😀

Please share this page on Facebook or Google+ if you found this article useful.

Was this helpful?
How to find an anonymous spammer on a Plesk server written by UKC average rating 5/5 - 2 user ratings