How To : Stop Spam in Mail Queue Alert


Ticket Example : FEX-426-57035

Mail Queue Alerts happen for many reasons. Some are due to frozen mails and some are due to spam sent from injected .php files. In the previous post, we showed you how to clear a mail queue alert caused by frozen mails. Below are the steps to check whether spam is the cause of the mail queue alert.

First, go to the usage directory by typing


cd /etc/virtual/usage/

Once in the usage directory, type the command below to check the size of each user's usage file (the -h flag prints sizes in human-readable units)

ls -alh

The listing looks like the one in the previous post, but the sizes are shown in human-readable units.


total 2.2M
drwx------ 52 root root 20K Sep 30 17:47 .
drwxr-xr-x 1396 mail mail 68K Sep 30 16:21 ..
-rw-rw---- 1 root mail 427 Sep 30 03:14 aboofamil.bytes
-rw-rw---- 1 root mail 612 Sep 30 15:51 akncommy.bytes
-rw-rw---- 1 root mail 626 Sep 30 16:57 alghazi0.bytes
-rw-rw---- 1 root mail 418 Sep 30 12:49 aplindnet.bytes
-rw-rw---- 1 root mail 1 Sep 30 14:06 azymsyner
-rw-rw---- 1 root mail 269 Sep 30 14:06 azymsyner.bytes
drwxrwx--- 3 root mail 4.0K Sep 30 14:06 azymsyner_ids
-rw-rw---- 1 root mail 3.0K Sep 30 16:20 yousenasia
-rw-rw---- 1 root mail 940K Sep 30 17:49 yousenasia.bytes
drwxrwx--- 3 root mail 4.0K Sep 30 02:51 yousenasia_ids

Once you find a usage file that is suspiciously large, check whether it is related to spam. For example, type


grep outgoing /etc/virtual/usage/yousenasia.bytes

It will display the outgoing log entries of "yousenasia"


1460=type=email&email=yousenasia@NS72-A.small-dns.com&method=outgoing&id=1dyD0y-0009Fy-0D&authenticated_id=yousenasia&sender_host_address=&log_time=1506759648&message_size=1460&local_part=jorgitos41&domain=hotmail.com&path=/home/yousenasia/domains/bormas.my/public_html/wp-content/uploads/2012/02

From the information displayed, you will find that the injected script resides in /home/yousenasia/domains/bormas.my/public_html/wp-content/uploads/2012/02
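Reading these entries by hand does not scale when a usage file is hundreds of kilobytes. The script below is an added illustration (not part of the original post and not a DirectAdmin tool): it parses lines in the `<bytes>=<url-encoded key=value pairs>` format shown above, keeps only `method=outgoing` entries, groups them by the `path` the sending script ran from, and flags paths under web-writable directories such as wp-content/uploads. The sample log is constructed; only its first line copies the entry shown above, the rest are invented to show the aggregation.

```python
"""Summarise outgoing mail per sending-script path from DirectAdmin usage logs.

Added example. The sample lines imitate the /etc/virtual/usage/<user>.bytes
format shown in the article; all values are constructed, not real server data.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

UPLOADS = "/home/yousenasia/domains/bormas.my/public_html/wp-content/uploads/2012/02"
DOCROOT = "/home/yousenasia/domains/bormas.my/public_html"

# Constructed sample log (one record per line, as in the real file).
SAMPLE_BYTES = "\n".join([
    f"1460=type=email&email=yousenasia@NS72-A.small-dns.com&method=outgoing&id=1dyD0y-0009Fy-0D&authenticated_id=yousenasia&sender_host_address=&log_time=1506759648&message_size=1460&local_part=jorgitos41&domain=hotmail.com&path={UPLOADS}",
    f"1502=type=email&email=yousenasia@NS72-A.small-dns.com&method=outgoing&id=1dyD1a-0009Gb-1Q&authenticated_id=yousenasia&sender_host_address=&log_time=1506759651&message_size=1502&local_part=maria.k&domain=gmail.com&path={UPLOADS}",
    f"1488=type=email&email=yousenasia@NS72-A.small-dns.com&method=outgoing&id=1dyD1b-0009Gc-2R&authenticated_id=yousenasia&sender_host_address=&log_time=1506759655&message_size=1488&local_part=tom77&domain=yahoo.com&path={UPLOADS}",
    f"2210=type=email&email=yousenasia@NS72-A.small-dns.com&method=outgoing&id=1dyC9z-0008Aa-3S&authenticated_id=yousenasia&sender_host_address=&log_time=1506740000&message_size=2210&local_part=sales&domain=bormas.my&path={DOCROOT}",
    "3100=type=email&email=info@bormas.my&method=incoming&id=1dyC8y-0007Zz-4T&sender_host_address=203.0.113.5&log_time=1506739000&message_size=3100&local_part=info&domain=bormas.my",
])

# Directories a web application normally lets the web server write to; PHP
# sending mail from one of these is the pattern described in the article.
WEB_WRITABLE = re.compile(r"/wp-content/uploads(/|$)|/tmp(/|$)|/cache(/|$)")


def parse_usage_lines(text):
    """Turn '<bytes>=<querystring>' lines into dicts; '_bytes' holds the prefix."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        size_str, _, query = line.partition("=")
        # keep_blank_values so empty fields like sender_host_address= survive
        fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        fields["_bytes"] = int(size_str) if size_str.isdigit() else 0
        records.append(fields)
    return records


def summarize_outgoing(records):
    """Group outgoing records by sending path: message count, bytes, recipient domains."""
    by_path = defaultdict(lambda: {"messages": 0, "bytes": 0, "recipient_domains": Counter()})
    for r in records:
        if r.get("method") != "outgoing":
            continue
        s = by_path[r.get("path", "<no path>")]
        s["messages"] += 1
        s["bytes"] += int(r.get("message_size") or 0)
        s["recipient_domains"][r.get("domain", "")] += 1
    return dict(by_path)


def rank_paths(summary):
    """Paths ordered by number of outgoing messages, busiest first."""
    return sorted(((p, s["messages"]) for p, s in summary.items()), key=lambda t: -t[1])


def flag_web_writable(summary):
    """Sending paths that sit inside a web-writable directory."""
    return [p for p, _ in rank_paths(summary) if WEB_WRITABLE.search(p)]


if __name__ == "__main__":
    summary = summarize_outgoing(parse_usage_lines(SAMPLE_BYTES))
    for path, count in rank_paths(summary):
        mark = "SUSPICIOUS" if path in flag_web_writable(summary) else "ok"
        print(f"{count:5d} msgs  {summary[path]['bytes']:8d} bytes  {mark:10s} {path}")
```

On a real server, replace SAMPLE_BYTES with the contents of the user's .bytes file; the busiest path that also lands in a web-writable directory is where to look for the injected script, as the next steps do by hand.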

So, go to that directory


cd /home/yousenasia/domains/bormas.my/public_html/wp-content/uploads/2012/02

and list all files


ls -al

You will find the files inside, like below


total 348
---------- 1 yousenasia yousenasia 86594 Jul 16 2015 fsuotvit.php
-rw-r--r-- 1 yousenasia yousenasia 6172 Jul 4 2012 pallet_folio-120x120.jpg
-rw-r--r-- 1 yousenasia yousenasia 8394 Jul 4 2012 pallet_folio-150x150.jpg
-rw-r--r-- 1 yousenasia yousenasia 2877 Jul 4 2012 pallet_folio-150x59.jpg
-rw-r--r-- 1 yousenasia yousenasia 6577 Jul 4 2012 pallet_folio-205x118.jpg
-rw-r--r-- 1 yousenasia yousenasia 10434 Jul 4 2012 pallet_folio-208x168.jpg

Note that some .php file names are not legitimate, such as fsuotvit.php, which indicates an injected file.

Thus, you can remove its permissions by


chmod 000 fsuotvit.php

You may remove the file, but sometimes it turns out to be a valid file. So it is better to just change the permission rather than permanently delete it.

From the above, we can see that a php file was uploaded to the wp-content/uploads folder; by right, only images should be stored in this directory.

For some reason, customers won't update / patch their websites, as they are afraid the site will break.

We can restrict / block all php or html files from being executed in that folder.

Add a .htaccess file in the uploads folder with the following rules. The deny must be wrapped in a FilesMatch block so that only script files are blocked; a bare "deny from all" would also block the images the site serves from uploads,



<FilesMatch "\.(php|phtml|html?)$">
order allow,deny
deny from all
</FilesMatch>