Track spammer in Qmail

Track down the spammer in Qmail mail server:

1. Make sure that all domains have the Mail to nonexistent user option set to Reject.This option is available since Parallels Plesk Panel 7.5.3 and can be changed for all the domains using group operations: select the domains, click Modify Selected, in the Preferences section select Switch on for the Mail to nonexistent user option and select the Reject value for it.

2. Make sure that there are no untrusted IP addresses or networks in the white list.To do this, go to Home > Mail Server Settings > White List tab. To remove untrusted IP addresses or networks, select them in the list and click Remove Selected.

Look at the qmail queue for the number of mails. If the mail count too high, then it means, some spammer is roaming over there.

# /var/qmail/bin/qmail-qstat
messages in queue: 111976
messages in queue but not yet preprocessed: 0

From the qmail-qstat results we can see a huge mails are there in the queue. Next step is to identify the domain from which the mail is generating.

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk ‘{print $9}’ |sort |uniq -c |sort -n

This will show the email from each domain. Sometimes, it may be showing small mail count. In that case, we can reach the conclusion that the spamming is done via the script. To verify it, try installing the qmHandle.

If there are too many messages in the queue, try to find out where the spam is coming from. If the mail is being sent by an authorized user, but not from a PHP script, you can find out which user sent most of the messages with the following command:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk ‘{print $11}’ |sort |uniq -c |sort -n

Note: SMTP authorization option should be enabled on the server to see these records. The path to maillog may be different depending upon the operating system that you use. In a plesk server the path to maillog will be by default,


You can follow the given steps to install the qmHandle.

Download using the following command


Now you have qmhandle-1.2.0.tar.gz file you need to extract using the following command

#tar xzvf qmhandle-1.2.0.tar.gz

list message queues

#qmHandle -l

delete all messages that have/contain text as Subject

#qmHandle -l -S

You should be having qmhandle-1.2.0 folder go in to the folder and you need to edit the qmHandle file to configure the following settings

my ($queue) = ‘/var/qmail/queue/’;
my ($stopqmail) = ‘/etc/init.d/qmail stop’;
my ($startqmail) = “/etc/init.d/qmail start”;

my ($pidcmd) = ‘pidof qmail-send’;

2. We can use the qmail-qread utility to read the messages headers:

# /var/qmail/bin/qmail-qread

24 Aug 2010 05:08:09 GMT #20180455 6064 <> bouncing

done remote

done remote

done remote


The qmail-qread utility shows messages’ senders and recipients. If a message has too many recipients, then it is most probably spam.

3. Try to find the message in the queue by it’s ID (for example, the message ID is #20180455):#

find /var/qmail/queue/mess/ -name 20180455

Ex : # find /var/qmail/queue/mess/ -name 20180455

4. Look into the message and find the first from the end Received line. It is where the message was initially sent from.

Ex:   # more /var/qmail/queue/mess/2/20180455

Received: (qmail 14322 invoked by uid 48); 2 Sep 2010 04:14:35 -0400
Date: 2 Sep 2010 04:14:35 -0400
Subject: Urgent Banking Upgrade
From: bank <>
Message-Id: <>
MIME-Version: 1.0
Content-Type: text/html

a. If you are finding something like:

Received: (qmail 19514 invoked by uid 10252); 24 Aug 2010 05:08:06 +0500

It means that the mentioned message was sent via a CGI script by user with UID 10252. We can use this UID to find the corresponding domain:

# grep 10252 /etc/passwd

b. If you are finding lines like:

Received: (qmail 19514 invoked from network); 24 Aug 2010 05:08:06 +0500

Received: from (

It means that the message was accepted for delivery via SMTP and the sender is an authorized mail user.

c. If the Received line contains an UID of an apache user (for example invoked by uid 48), it means that the spam was sent via a PHP script. In this case you can try to find the spammer using information from the spam e-mails (from/to addresses, subjects, etc).

Ex: Received: (qmail 14322 invoked by uid 48); 2 Sep 2010 04:14:35 -0400

But usually to find the spam source is very hard in this case. If you are sure that some script is sending spam at the current moment (the queue grows very fast), you can use this little script to find out what PHP scripts are running in real-time:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ‘ { if(!str) { str=$1 } else {str=str”,”$1}}END{print str}’` | grep vhosts | grep php

In this case we need to try to find out from which folder the PHP script that sends mail was run,

First we need to create ‘/var/qmail/bin/sendmail-wrapper’ script with the following content:


(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail “$@”

Note, the paths can slightly differ depending on your OS and Parallels Plesk Panel version.

Create a log file /var/tmp/mail.send and grant it a+rw rights, make the wrapper executable, rename old sendmail and link it to the new wrapper:

# touch /var/tmp/mail.send

# chmod a+rw /var/tmp/mail.send

# chmod a+x /var/qmail/bin/sendmail-wrapper

# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail

# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

You can start monitoring the log file ‘/var/tmp/mail.send’ for an hour or so and revert sendmail binary back:

# rm -f /var/qmail/bin/sendmail

# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with ‘X-Additional-Header‘ pointing out to domain’s folder where the script that sends the mail is residing.

Ex :
X-Additional-Header: /var/log/httpd
X-Additional-Header: /var/www/vhosts/
Subject: Fraud Mail
From: Fraud Service <>
Message-Id: <>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

Go to the spammer domain and block the script from further execution.

X-Additional-Header: /var/www/vhosts/
# cd /var/www/vhosts/
# chown root:root /var/www/vhosts/
# chmod 000 /var/www/vhosts/

Also it is recommended to suspend the domain from further access.

You can see all the folders where mail PHP scripts were run from with the following command:

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e ‘s/HTTPD_VHOSTS_D//’ `

8 thoughts on “Track spammer in Qmail

  1. hi there

    thanks for you step by step instruction i followed it and i did work out which php script was sending emails.

    it worked great.

    but some how my sendmail file is empty now. after i run the command
    # rm -f /var/qmail/bin/sendmail

    # ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

    and my websites cant send emails now it gives error.

    how can i recover my original sendmail file?

    i am using plesk 8.4 os_Debian 4.0
    Linux 2.6.18-6-686

    your help is greatly appreciated.

  2. when i cat send-qmail i get this message.

    cat: sendmail-qmail: Too many levels of symbolic links

    • Did you take a backup of the sendmail binary, before making the change? What is the content of ‘/var/qmail/bin/sendmail-qmail’. Hope it is not empty. You can replace the old sendmail binary using this backup file that you took during the initial step.

      • content of my sendmail-qmail is empty

        and my sendmail file is empty.

        When i try to cat the file i get this error.
        svr1:/var/qmail/bin# cat sendmail
        cat: sendmail: No such file or directory

        when i vim the sendmail its empy.
        svr1:/var/qmail/bin# vim sendmails

        how can i solve this problem?

          • i sent you an emial and looking forward to hear back from you.

  3. Could you please fix your command clippings to remove your “smart quotes” so that they can be copied and pasted directly into a terminal?

    • sure, I will remove those quotes 🙂 Let me know, if you need any assistance from my side.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.