• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question grep Emails via phpmailer / sendmail

D

daanse

Regular Pleskian
Hi,

i noticed some brute Force attack against some Wordpress and the Outgoing Email Limit (Subscription) turned on at same time.

I want to ask if theres a similar command as following, to track down Emails (Email Header, or Sender/ Receipient) send via SENDMAIL or PHPMailer??

Code: 
# grep 'someone@domain.com' /usr/local/psa/var/log/maillog

Thank you for any help :)
 
Last edited:
They all would come through localhost.
I'm monitoring these localhost mails in the log

In zabbix it would look like this
Code: 
vfs.file.regcount[/usr/local/psa/var/log/maillog,": uid=[0-9]*"]

That's "grep 'uid=[0-9]*' /var/log/maillog".
But come to think of it... I haven't seen that message for a long time...
It has changed in Plesk Onyx
It doesn't work that way anymore as these are now sent by a user with an id in the 10000 range.

So I think this will be the expression in Plesk 17.5.3:
"egrep 'uid=10[0-9][0-9]' /var/log/maillog".

The "grep 'bellsouth.net' /var/log/maillog" is also an interesting one to detect spam.....
I have never seen a valid mail going to that domain and they almost always are spammed.

This is also an interesting command to execute...
zgrep uid=10[0-9][0-9] /etc/passwd /var/log/maillog* | grep -o 'from=.*' | sort | uniq -c | sort -n

It tells you which site is sending the most mail
 
Last edited:
Many spams won't reach their destination and stay in your mail queue for some while. When you look into your mail queue and examine the mail headers it is often possible to identify the sending website.
 
You must log in or register to reply here.

Similar threads

brother4
Question Why isn't xmlrpc.php monitored by the WordPress jail in Fail2Ban?
Replies
8
Views
2K
Maarten
M
X
Resolved Plesk Extension: Plesk Email Security (Very Slow Delivery)
Replies
8
Views
8K
Kaspar@Plesk
Kaspar@Plesk
M
Issue Can't open Port 25. Please help
Replies
2
Views
4K
mhogue
M
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
2K
Change Maker
C
stevland
Resolved I can't receive certain emails from Amazon
Replies
1
Views
1K
stevland
stevland
Back
Top