• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue From past 3 days, getting a lot of Spam Traffic from US, How to Block?

apache123456

New Pleskian
Before I go ahead let me mention couple of things,

I'm having a dedicated server with CentOS 7, Plesk Onyx Web Pro Edition with Firewall, Fail2Ban & Modsecurity switched ON and nginx as my main webserver. (Not using Apache)

From past 3 days, all of a sudden there was a spike in traffic and it was showing from USA in Google Analytics. First I was happy but then I noticed there was no increase in server load, there was no increase in revenue and the bounce rate started going up. These were clear signs of an attack or a bot traffic.

I tried searching for a solution and each time I Google I always land up on sites mentioning about ghost spam which I think could be the reason here as the site is under no load and its just GA or maybe I am wrong. Anyway I followed the article and found that there are no spam hostnames at all and the most of traffic from my my own domain itslef as hostname and it's mostly shoing in direct traffic.

Then I installed Wordfence Security plugin but it worked for a day only. Then I setup cloudflare with I'm under attack mode and a firewall filter of known bots, its blocking IPs but there is no change in real time traffic.

I've used WordPress Toolkit security features but that didn't work either.

Tried a nginx bad bot block article and that didn't work either!

I'm really worried now and I'm not sure that I'll loose rankings or what but this is really harmful for the site.

Any help is really appreciated.
 
Start by inspecting your server's mail log, which is available at '/var/log/maillog'.

Inspect your current mail queue too, Tools & Settings -> Mail Server Settings -> Mail Queue tab.
 
>and the most of traffic from my my own domain itslef as hostname and it's mostly shoing in direct traffic.
This is a bit suspicious, it might be the issue that server in logs has its own IP instead of real customer's one, as a result, fail2ban and modsecurity might not just work properly. There are different causes thought:
1. This to be checked:
The client IP address is not shown in the global Apache logfile on CentOS
Apache server-wide access log shows server IP address instead of visitor's IP address on a Plesk server

2. Also you might have CloudFlare IPs in logs instead of real one:
How to install mod_cloudflare using plesk, not through the extension please through ssh

Also if you can post several entries from access_log for apache/nginx on how this traffic looks like it might help to understand on how to block it.
 
Back
Top