0

Our server is hosting multiples websites for different clients. The hosting provider has blocked the port 25 after detecting that our dedicated server is sending spams.

I have checked Qmail logs but found nothing suspicious. Spamassassin at first look seems not giving too much options for my problem.

elsadek
  • 211
  • 2
  • 12

4 Answers

2

How to track scripts that are sending SPAM?

Since your hosting provider has blocked you from sending mail you can inspect the mail logs and mail queue for clues:

  • Depending on your system setup scripts are running under a unique client ID that gets logged, which narrows down the hosting account.

  • Look at the mail queue. It depends on how and which scripts are used; many of the better ones include the script name in the headers, and when that is not the case, usually the Reply-To or From headers are set, which allows you to narrow down the client account.

  • Correlate with the web access logs and usually it is pretty easy to find the offending script.

It might be that the mail queue doesn't contain any spam and your mail server's logs don't indicate that you were sending spam either; then, rather than an existing script/mail facility that is getting abused, the spammer was able to upload a custom script/program that connects directly to remote mail servers, bypassing Qmail entirely. In that case: How do I deal with a compromised server?

HBruijn
  • 72,524
  • 21
  • 127
  • 192
2

Did you know that Plesk also provides very detailed documentation? You might consider reading and following:

=> Fighting Spam on a Qmail Mail Server (Plesk Onyx online documentation, Advanced Administration Guide, Plesk for Linux)

Edit (as requested): You might find useful commands, as for example:

/var/qmail/bin/qmail-qstat

Check how many messages there are in the Qmail queue

/var/qmail/bin/qmail-qread

Read the message headers; it will show senders and recipients. Too many recipients are mostly a sign of spam.

find /var/qmail/queue/mess/ -name 1234567

Find messages by their ID and inspect the headers. You could find, for example, that a user sends quite a lot of mails via CGI scripts, which is another indicator of spam.

More can be found on the above mentioned link. :-)

UFHH01
  • 131
  • 1
  • 6
  • @[UFHH01](https://serverfault.com/users/405609/ufhh01), could you provide some highlights/specific points from that link you feel would help here (I am not sure the asker is using Plesk, so if you could extract the useful commands, that would be helpful) - [good answers](https://serverfault.com/help/how-to-answer) should provide context for links – iwaseatenbyagrue Mar 22 '17 at 08:04
  • @iwaseatenbyagrue : Edited as suggested - thx for the hint. – UFHH01 Mar 22 '17 at 17:12
1
grep Received\: /var/log/maillog | grep --color invoked\ by\ uid

The uid(s) that come out most should be the same as the compromised vhost(s). If it's uid 0, you're really in trouble.

You didn't provide enough details for me to be sure you're logging in /var/log/maillog. In Plesk, for instance, maillog is elsewhere.

Marco
  • 1,679
  • 3
  • 17
  • 31
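As an added example (not code from any of the answers above), here is a short Python triage script that applies the uid counting from this answer and the "too many recipients" check from UFHH01's answer to qmail-send log lines. The log excerpt is constructed, and the format assumed is qmail-send's own `info msg ... uid N` and `starting delivery` lines rather than the Received headers grepped above.

```python
import re
from collections import defaultdict

# Constructed qmail-send log excerpt (not from the question); only parsed line types shown.
SAMPLE_LOG = """\
@400000005 info msg 4021: bytes 812 from <promo@site-a.example> qp 9001 uid 48
@400000005 starting delivery 1: msg 4021 to remote a1@example.net
@400000005 starting delivery 2: msg 4021 to remote a2@example.net
@400000005 starting delivery 3: msg 4021 to remote a3@example.net
@400000005 info msg 4022: bytes 640 from <contact@site-b.example> qp 9002 uid 1001
@400000005 starting delivery 4: msg 4022 to local owner@site-b.example
@400000005 info msg 4023: bytes 900 from <promo@site-a.example> qp 9003 uid 48
@400000005 starting delivery 5: msg 4023 to remote b1@example.org
@400000005 starting delivery 6: msg 4023 to remote b2@example.org
@400000005 info msg 4024: bytes 300 from <root@host.example> qp 9004 uid 0
@400000005 starting delivery 7: msg 4024 to remote c1@example.com
"""

# qmail-send logs the injecting uid once per message and one line per recipient.
INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
DELIVERY_RE = re.compile(r"starting delivery \d+: msg (\d+) to (?:remote|local) (\S+)")

def summarize_senders(log_text, rcpt_threshold=3):
    """Per-uid message/recipient totals; flags uid 0 and many-recipient messages."""
    msg_uid, msg_sender, msg_rcpts = {}, {}, defaultdict(int)
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            msg_uid[m.group(1)] = int(m.group(3))
            msg_sender[m.group(1)] = m.group(2)
            continue
        d = DELIVERY_RE.search(line)
        if d:
            msg_rcpts[d.group(1)] += 1
    stats = {}
    for msg_id, uid in msg_uid.items():
        s = stats.setdefault(uid, {"messages": 0, "recipients": 0,
                                   "senders": set(), "flags": set()})
        s["messages"] += 1
        s["recipients"] += msg_rcpts[msg_id]
        s["senders"].add(msg_sender[msg_id])
        if msg_rcpts[msg_id] >= rcpt_threshold:
            s["flags"].add("many-recipients")
        if uid == 0:
            s["flags"].add("uid-0")
    return stats

def top_uids(stats):
    """Uids ordered by message count, busiest first (the likely abused vhost)."""
    return sorted(stats, key=lambda uid: (-stats[uid]["messages"], uid))
```

Feed it the real qmail-send log instead of SAMPLE_LOG and the busiest uid points at the vhost to inspect first; a flagged uid 0 means the injection happened as root, not from a web account.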
0

You might consider talking to your hosting provider to see what they can provide to help you - they presumably cut off your port 25 traffic based on something, and knowing what that was would be helpful.

Notably, I would check with them if this is an issue of volume, or of content - the fix in each case might be a bit different.

I would also check your /var/log/mail (or equivalent file) to try and identify the top sender(s) - notably, I would check entries showing nrcpt greater than 1, that use a domain you host.

I would suggest you ensure each one of your domains/websites runs as its own (local) user - that way, if you find the issue comes from a single domain, you can more easily block that local user from sending anything (if you run all sites under the same user, you are going to have to do domain matching, etc).

As you have SpamAssassin, I would also ensure you are scanning outbound emails (whether or not you block them based on spaminess is up to you, but I would ensure they are scored for spaminess). Review the stats for each domain (or sender if that becomes necessary), and see if that helps you gain some insight.

iwaseatenbyagrue
  • 3,588
  • 12
  • 22