
Email Accounts being compromised

Discussion in 'Plesk for Linux - 8.x and Older' started by hpprod, May 15, 2006.

  1. hpprod

    hpprod Guest

    0
     
    Hey Everyone -

    My situation is that I operate multiple Linux servers w/ Plesk control panel. All of my users complain that they get a lot of spam. Who doesn't? Problem is - most of my "transfer" customers - those who were with a previous host - always say that when they migrated their domain over to our servers, the amount of spam they receive increased SIGNIFICANTLY.

    We use the typical SpamArrest that is included on Plesk, and have the general settings on "5 hits required" and "delete spam".

    I suspect that somehow, someway, hackers or possibly, someone on staff - could be compromising these email accounts.

    You see - I've done a few tests - where I've created a new email account on a domain ... like "myspamtest@thisdomain.com" ... and then NEVER, EVER used the mail account - never sent mail, received mail, etc. ... I'd simply set up a redirect on it to one of my other accounts.

    Inevitably, within a few weeks, I'll notice a spam in my email box addressed to that very email account ... "myspamtest@thisdomain.com", etc.

    Granted, spammers generate lots of random email addresses at a domain - but nothing THAT SPECIFIC. Which makes me wonder how they are getting my customers' email addresses?

    How can this be happening? Are hackers somehow stripping the email addresses out of my server? Could my offshore tech support company be selling the addresses (they do NOT have shell access, but they DO have Plesk Administrator access)?

    The only person other than myself with full, root/shell access is my contracted server admin - who is a Linux/Plesk genius, but I just can't find it in my heart to believe that he would be the culprit here.

    Is there ANY WAY I can track this or figure out how it's happening?

    Maybe I'm too suspicious - but I get the same complaint over and over - "we never got so much spam until we switched to your servers" ... that, combined with my several spam email tests where shortly after creating a new mailname, I start getting spam there ... makes me wonder.

    I'd appreciate any help or insights!
     
  2. michaellunsford

    michaellunsford Regular Pleskian

    25
    90%
    Joined:
    Jul 25, 2005
    Messages:
    131
    Likes Received:
    0
    The only way I'm familiar with is using either the Unix command finger or whois.

    Try:
    finger @yourdomain.com
    or
    whois -hyourdomain.com yourusername

    If either comes back with anything other than "Connection refused", then you might want to dig deeper.

    Also, I don't know how to do it, but I believe LDAP can also provide some information about email addresses.
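    The check this reply describes, written up as an added example (it is not code from the thread or from Plesk): probe the finger, whois and LDAP ports with a plain TCP connect and treat "Connection refused" as the good outcome. The port numbers are the standard assignments; the loopback host in the main block stands in for "yourdomain.com" and should be replaced with the server's public address when run from outside.

```python
import socket

# Ports for the services the reply mentions: finger (79) and whois (43),
# plus LDAP (389), which it also names as a possible source of addresses.
DEFAULT_SERVICES = {"finger": 79, "whois": 43, "ldap": 389}


def probe_port(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'refused', 'timeout' or 'error'.

    'refused' is the outcome the reply treats as good: nothing listens.
    'timeout' usually means a firewall drops the packets, which is fine
    for an external probe but worth noting when run on the box itself.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        sock.close()


def audit_services(host, services=DEFAULT_SERVICES, timeout=3.0):
    """Probe every named service on host and return {name: state}."""
    return {name: probe_port(host, port, timeout) for name, port in services.items()}


def needs_attention(results):
    """Services that answered; each one deserves the 'dig deeper' step."""
    return sorted(name for name, state in results.items() if state == "open")


def self_check():
    """Confirm the classifier works: bind a throwaway listener on loopback,
    probe it (expect 'open'), close it, probe again (expect 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    # 127.0.0.1 is a placeholder for "yourdomain.com"; run this on the
    # server itself and again from outside to compare what each side sees.
    report = audit_services("127.0.0.1")
    for name, state in report.items():
        print(f"{name:7s} {state}")
    print("answering:", ", ".join(needs_attention(report)) or "none")
```

    Running it from the server and from an outside host is the useful comparison: a service that answers on loopback but times out from outside is being hidden by the firewall rather than switched off, which still matters if someone with panel access can reach loopback.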
     
  3. hpprod

    hpprod Guest

    0
     
    I got "Connection refused" when doing the whois -h.

    When doing "finger @mydomain.com" I get:
    THIS IS A PRIVATE COMPUTING SYSTEM. YOUR ACTIVITIES HAVE BEEN LOGGED AND WILL BE ACTED UPON TO THE FULLEST EXTENT OF THE LAW

    All I know is that it seems somebody, somehow, is farming out my email accounts to spammers. It's driving me NUTS.

    How do I track or catch this?
     
  4. Herby

    Herby Guest

    0
     
    *) Read your logs.
    *) Secure your server! (Search here in the forum and at http://webhostingtalk.com/ for some manuals.)
    *) Check your firewall settings (the Plesk internal firewall and your external box).

    This is what I did.
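    The "read your logs" step, carried a little further as an added example that is not part of the thread: given the canary-address test from the first post, the mail log can show whether a sender that reached the unused address first guessed its way there (a run of "User unknown" rejects from the same client) or hit it directly with no guessing, which is the leak pattern the original poster is worried about. The log lines below are constructed in a postfix-style format, which is an assumption (Plesk 8 shipped qmail, whose lines look different), so the regexes must be adapted to whatever the real MTA writes; the addresses and IPs are documentation values.

```python
import re
from collections import Counter

# Constructed sample log (not real data) in an assumed postfix-style format.
SAMPLE_LOG = """\
May 15 10:01:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <alice@example.com>: Recipient address rejected: User unknown
May 15 10:01:03 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <bob@example.com>: Recipient address rejected: User unknown
May 15 10:01:04 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 <carol@example.com>: Recipient address rejected: User unknown
May 15 10:01:05 mx postfix/smtpd[101]: 1A2B3C: client=unknown[203.0.113.7]
May 15 10:01:05 mx postfix/qmgr[102]: 1A2B3C: from=<promo@example.net>, size=2100, nrcpt=1 (queue active)
May 15 10:01:05 mx postfix/local[103]: 1A2B3C: to=<myspamtest@example.com>, relay=local, status=sent (forwarded as 4D5E6F)
May 15 11:22:10 mx postfix/smtpd[104]: 7A8B9C: client=mail.example.org[198.51.100.20]
May 15 11:22:10 mx postfix/local[103]: 7A8B9C: to=<myspamtest@example.com>, relay=local, status=sent (forwarded as 0D1E2F)
"""

# One regex per event type we care about; adapt these to your MTA's format.
REJECT_RE = re.compile(r"reject: RCPT from \S+\[([\d.]+)\]: 550 <([^>]+)>.*User unknown")
CLIENT_RE = re.compile(r"(\w+): client=\S+\[([\d.]+)\]")
DELIVER_RE = re.compile(r"(\w+): to=<([^>]+)>, relay=\S+, status=sent")


def deliveries_to(log_text, canary, probe_threshold=3):
    """For each delivery to the canary address, report the sending client
    and how many 'User unknown' rejects it had collected earlier in the log.

    A client that probed several non-existent users before hitting the
    canary is doing dictionary-style guessing; one that hit it with no
    earlier probes knew the address some other way.
    """
    unknown_rcpts = Counter()   # client IP -> rejected recipients so far
    client_of = {}              # queue id -> client IP
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            unknown_rcpts[m.group(1)] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = DELIVER_RE.search(line)
        if m and m.group(2).lower() == canary.lower():
            queue_id = m.group(1)
            ip = client_of.get(queue_id, "unknown")
            probes = unknown_rcpts[ip]   # only rejects seen before this delivery
            findings.append({
                "queue_id": queue_id,
                "client": ip,
                "unknown_rcpt_before": probes,
                "pattern": "guessing" if probes >= probe_threshold else "direct",
            })
    return findings


if __name__ == "__main__":
    for f in deliveries_to(SAMPLE_LOG, "myspamtest@example.com"):
        print(f"{f['queue_id']} from {f['client']}: {f['unknown_rcpt_before']} "
              f"unknown-recipient rejects beforehand -> {f['pattern']}")
```

    On the sample, the first delivery comes from a client that had just been rejected for three made-up users, so it is classed as guessing; the second arrives with no prior probes and is classed as direct. Over a real log, a run of "direct" hits on addresses that were never published is the signal worth chasing, together with the panel and shell access logs from the same period.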
     