
Resolved stop sending spam

Cordal

Basic Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.54 Update 4
Spam is being sent from my server; the limitation of outgoing emails per hour does not stop it. From what I understand, they are sending it without authenticating. The password of the account that sends it has been changed, but it continues the same. It is not sent from any PHP script either, since I control the emails that go out from scripts. I put what the email log shows for one of those messages:

Passed CLEAN {AcceptedOpenRelay}, AM.PDP-SOCK [202.62.50.55] [202.62.50.55] <[email protected]> -> <[email protected]>,<[email protected]>, Queue-ID: B311E66B54, Message-ID: <[email protected]>, mail_id: jFf-M6nFIyCj, Hits: -0.169, size: 5915, 1459 ms

Where could they be sending it from?
Thanks in advance.
 
It could be sent from a stand-alone mailserver that works in addition to the regular mail server. Maybe you can find it when you go through the output of "ps aux".
 
Peter means that you can list the running processes on your server using the command line and check if there is another mail process running:
Code:
# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  0.1 243292 10884 ?        Ss   Aug12  90:34 /usr/lib/systemd/systemd --switched-root --system --deserialize 18
root           2  0.0  0.0      0     0 ?        S    Aug12   0:03 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   Aug12   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   Aug12   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<   Aug12   0:00 [slub_flushwq]
...
 
This should get you further:
  • Check the contents of the vhosts for files changed in the last couple of days.

    For example, all files that have changed in the last five days:
    # find /var/www/vhosts/ -type f -mtime -5

    Look for patterns or strange-looking files.

  • Run the ImunifyAV extension.
  • Check the contents of /tmp and /var/tmp for hidden files/directories:
    # ls -la /tmp
    # ls -la /var/tmp

  • Check if a subscription sends the emails:
    Tools & Settings -> Outgoing Mail Control
 
In the process list, check all processes that are not owned by the system, meaning all processes that are owned by user accounts. Are you sure none of them expose suspicious activities? Sometimes standalone mailers are named by their real names like "exim", but sometimes they are hidden in names like "phpservice", so that they are not easy to find.
 
tcp 0 0 xxx.xxx.xxx.xxx:25 35.227.130.196:41585 ESTABLISHED

All of them from IPs in China, Kazakhstan, etc.
 
That's the incoming direction. Those of interest are with :25 below "Foreign address".
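Two small helpers for the checks suggested above, as an added example that is not from the thread: one keeps only connections whose *foreign* address is port 25 (the outbound direction Peter describes; an inbound delivery has :25 on the local side instead), the other keeps only processes owned by regular user accounts, which is where a hidden mailer with a name like "phpservice" would show up. The netstat and ps snapshots below are constructed (documentation IP ranges, made-up processes); the UID 1000 boundary assumes the Debian default for regular accounts.

```shell
#!/bin/sh
# outbound_smtp: read `netstat -tn` output on stdin and print only connections
# whose foreign address ends in :25, i.e. this server connecting OUT to a
# remote SMTP port. Inbound deliveries (local :25) are dropped.
outbound_smtp() {
    awk '$1 ~ /^tcp/ && $5 ~ /:25$/ { print $5, $6 }'
}

# user_owned: read `ps -eo uid,user,pid,args` output on stdin and keep only
# processes with UID >= 1000 (assumed boundary for regular accounts on Debian).
user_owned() {
    awk 'NR > 1 && $1 + 0 >= 1000 { $1 = ""; print substr($0, 2) }'
}

# Constructed sample snapshots (not real traffic or processes).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 198.51.100.10:25       203.0.113.5:41585      ESTABLISHED
tcp        0      0 198.51.100.10:53210    192.0.2.25:25          ESTABLISHED
tcp        0      0 198.51.100.10:443      203.0.113.7:55120      ESTABLISHED
tcp        0      0 198.51.100.10:40001    192.0.2.77:25          SYN_SENT'

PS_SAMPLE='  UID USER     PID COMMAND
    0 root       1 /sbin/init
  106 postfix  812 qmgr -l -t unix -u
 1001 web1    4410 php-fpm: pool web1
 1001 web1    4523 ./phpservice -c /tmp/.x/cfg'

# Counts over the samples, so the helpers can be checked offline.
count_outbound_smtp() { printf '%s\n' "$NETSTAT_SAMPLE" | outbound_smtp | wc -l | tr -d ' '; }
count_user_owned()    { printf '%s\n' "$PS_SAMPLE" | user_owned | wc -l | tr -d ' '; }

# Live use as root on the affected server:
#   netstat -tn | outbound_smtp
#   ps -eo uid,user,pid,args | user_owned
```

On the live system, `ss -tnp` adds the owning PID to each connection, which links an outbound :25 connection directly to the process in the second list.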
 
Your products sound interesting, @Peter Debik. I'm using Imunify360; it is currently not resolving spam mail, although they have a product in development that I believe is out of beta? How does your offering compare with theirs, excepting the fact that their spam mail product doesn't yet work on Plesk?
 