
Question: Hackers are sending tons of mails

MrPleskLearner

Basic Pleskian
Server operating system version
Newest
Plesk version and microupdate number
Newest
Hello everyone,

I think hackers are abusing the PHPMailer script on my webpage.

I received over 5000 mails in a couple of minutes like this:

1726569119238.png


In the undelivered mails I see this log:

Diagnostic information for administrators:
Generating server: DB4P251MB1022.EURP251.PROD.OUTLOOK.COM
[email protected]
Remote server returned '550 5.5.0 Requested action not taken: mailbox unavailable.'
Original message headers:
Received: from AM8P251CA0028.EURP251.PROD.OUTLOOK.COM (2603:10a6:20b:21b::33)
by DB4P251MB1022.EURP251.PROD.OUTLOOK.COM (2603:10a6:10:386::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7962.24; Tue, 17 Sep
2024 09:24:21 +0000
Received: from AM3PEPF00009B9D.eurprd04.prod.outlook.com
(2603:10a6:20b:21b:cafe::7) by AM8P251CA0028.outlook.office365.com
(2603:10a6:20b:21b::33) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7939.30 via Frontend
Transport; Tue, 17 Sep 2024 09:24:21 +0000
Authentication-Results: spf=pass (sender IP is 85.214.149.226)
smtp.mailfrom=mywebpage.de; dkim=fail (signature did not verify)
header.d=mywebpage.de;dmarc=pass action=none
header.from=mywebpage.de;
Received-SPF: Pass (protection.outlook.com: domain of mywebpage.de
designates 85.214.149.226 as permitted sender)
receiver=protection.outlook.com; client-ip=85.214.149.226;
helo=mywebpage.de; pr=C
Received: from mywebpage.de (85.214.149.226) by
AM3PEPF00009B9D.mail.protection.outlook.com (10.167.16.22) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7918.13
via Frontend Transport; Tue, 17 Sep 2024 09:24:21 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:45F5DF20A86514666D4A4631AA7CB7452500E8DB97CD6F8DC201FBD2E9F82901;UpperCasedChecksum:B9407BC79A1E7E493E302D4F63C2E7543E0222F2900C2E5EC8D91CCBB308C13B;SizeAsReceived:1457;Count:12
Received: from mta.mailbitel.com.pe (unknown [147.45.116.49])
by h2802053.stratoserver.net (Postfix) with ESMTPSA id 9E738D08C8;
Tue, 17 Sep 2024 10:40:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mywebpage.de; s=default; t=1726562459;
bh=US6w/xAN7goPMaPM+1NgU2PVSGsQqf/Jm5xewxMqUs0=; h=From:Subject;
b=RjORDJHV/uCEzkAzsMwUeCvbmuk09ggbo/oD1BGxy8otzaykH62t+zHuhufXj5Jzr
aV2TeAl3IT8S7TD41jcOjbDsME1mr49zXgYKPHNnRG4yIzIfk+0Zv7z9irs9YNBE9Q
oyKwhZJzS+BsefHmsK/rrrzkEtjBfpVFPjr7Dvhg=
Message-ID: <fdgz9sj372mpmyl8-rt8b79h6-yc5e-ubsm-5aaz-koyggc3yenxc-[RandStr,1-1,0-9,L,Const:
contains wrong parameter(s) !][RandStr,1-1,0-9,L,Const: contains wrong
parameter(s) !][RandStr,1-1,0-9,L,Const: contains wrong parameter(s)
!][RandStr,1-1,0-9,L,Const: contains wrong parameter(s)
!][RandStr,1-1,0-9,L,Const: contains wrong parameter(s)
!][RandStr,1-1,0-9,L,Const: contains wrong parameter(s)
!]@89236ac135f1dd7655f613d82d8f12c51f>
X-Mailer: Exim 4.91
MIME-Version: 1.0
From: "Myla" <[email protected]>
Subject: =?utf-8?Q?S=C3=B6t_tjej_=C3=A4r_redo_att_tr=C3=A4ffa_en_intressant_man=2E?=
Content-Type: multipart/alternative;
boundary="a9034ae115d1fd5675d633f80daf3fbbba"
Date: Tue, 17 Sep 2024 01:40:51 -0700
Reply-To: "Myla" <[email protected]>
X-PPP-Message-ID: <172656245467.1698195.6543257117032523156@h2802053.stratoserver.net>
X-PPP-Vhost: mywebpage.de
X-IncomingHeaderCount: 12
To: Undisclosed recipients:;
Return-Path: [email protected]
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM3PEPF00009B9D:EE_|DB4P251MB1022:EE_
X-MS-Office365-Filtering-Correlation-Id: 176bba0f-1771-4299-20b2-08dcd6fa8349
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 85.214.149.226
X-SID-PRA: [email protected]
X-SID-Result: PASS
X-Microsoft-Antispam:
BCL:0;ARA:1444111002|45200799018|461199028|2500799015|51300799018|9400799024|32000799015|70000799015|69000799015|56899033|3412199025|4302099013|440099028|1360799030|1380799030|1370799030|1602099012|520299098;
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?L92BXF5TO8hm+N9mLj4gS5rQ6f0sv3b7pgqvUYWAvpnuuxJcPMxpETuogP4+?=
=?us-ascii?Q?u8GcatI/tA6SVgPsdWpHNLtg9Vc+d43XfRTCCiBL6YlYOaZe17q9Y2tuCJfX?=
=?us-ascii?Q?5gY7/+mv+y/0Bi1Dh1dIwEDDYrmrtk6JTbc+MNeHpcrQA6f0E4mNJW96q0zq?=
=?us-ascii?Q?bsSQE8fzg+4ykPJ7eY3dZhp01veiKK2aOvmvtXTJr7YlBlJuh0XwbDGp6CQT?=
=?us-ascii?Q?MHLVCAkJCfLf+qmFRHkdGzlrUAs7VyYYEg9IP46CM+VVl2F33285w4HgoL61?=
=?us-ascii?Q?xNMAuri0EjicbtXovJf2n55OMGsnU3Rqc2IFYyn5TzcuJB3JfurFJplszTLf?=
=?us-ascii?Q?BFSfpxnOwgGjRDBr4Tgi01aO40vuGvPwzkZr16BW7r6RcumEIoX/c/mIQE2k?=
=?us-ascii?Q?Rnnj6Mwrgv6gIatBlpGKdevuGMzKFj3YjD9b5o6F7F2gxQKOdMe+5BJv/gDf?=
=?us-ascii?Q?bzamEkUiNyqyb9X2TXWeQP5tEI8qRnHDc3VFq3mBPEyR251XZeNz6hVD53up?=
=?us-ascii?Q?eRUBTdY1HoBGHUA0BnrB6gHuPm+bu3VkYYP4yIYIPRin6JKATCWYjQDJL4/c?=
=?us-ascii?Q?5VTFArAerMWwq5uxxVghTOkJOgrpuI/1KIvMRZ98IjEoMxGrRWgaE3LIsuys?=
=?us-ascii?Q?+ztljsoxNlqDB5uc7i3BnqNS4Ff3f6VIFxHj9StFdaIqYS2PQkDeXNUfbqz3?=
=?us-ascii?Q?tSS1aiQiw7HlL19TyDtHuLim2c/xkV2isJbOyX4AlJ3fpqdsvLTNTy5h7e/J?=
=?us-ascii?Q?k63mdeY1FK0jXaiTZut1NTJm/CiM4xWLFoYQbZ3YvOkg18dIt+CfzgbFE5dN?=
=?us-ascii?Q?tfzADAWtz/DuUNEAYe3mja4OTa18LOvj0nQf1NxnDbcHdiG5vqhH5l97fE4R?=
=?us-ascii?Q?efHhODknb5CQpbdhoRrxDuqfMjjb/ftzhPvmlODK/TJrg0/zkCoCUbJL4RM/?=
=?us-ascii?Q?92fUMHCRxcA0G6eYqEk2bADJaV3so5OuC3Jrs8v+Damc13QVGMni6QhXdMw6?=
=?us-ascii?Q?nTd1yOm3kEcZGj1uXWGC8uJG5sXfSVwYvNToTJG/ZDQeoTdekA1C3zx6uSUK?=
=?us-ascii?Q?RNfIj5VA+ZTVR1UW6mSmTmzb9+ZjzyrZfjkWJJSsHofGnRPP2LM5q56pgaFu?=
=?us-ascii?Q?Fcgkva7M/ZsSepceHT/2OzMxL65aLXLYPYg73DXb+F6o3QD1kATwT6jXcJj+?=
=?us-ascii?Q?6gXwGzgk+AeaP+ySd+a39hnkEeQBR/pBZ/N3eRIaMjU2bs79GiUgtTQI2n5w?=
=?us-ascii?Q?JSPl1YR/orLwLNGDkgAy8VJSyeLbCJH7Yb5s+9Z+bfMxzlmcqZoQI+9QqutO?=
=?us-ascii?Q?GC0gxSqviSOnLyMWXBlz6i5QBULKMtdFM7GJoZcjsYxsHxmSd4WtTsQj3zpo?=
=?us-ascii?Q?7ToWRz+JAieagU7WIf+kOn0rN2siOfMSp4/HIY/YJ3/L6t5Y/L62vugegWv7?=
=?us-ascii?Q?rPvFDSubdc64Co/chgKbe+127zSg5UreZLyiJgooxWCpUPTRjjczHVJXkhaH?=
=?us-ascii?Q?ks5kxFCKb1fKjktTWcS5ZK5LOvEyFpp+LVplwpwR4jzDpFFzktM63SNxqlpJ?=
=?us-ascii?Q?VfqSX7fvqjG1fNGGr2lSbN/b5rKUFWQcsi4nEkSHCLWUkpIYAq9T+PpnflAx?=
=?us-ascii?Q?+Daw/5QF2FMkJCKAy/O5oye3/dz0JuAhwMr5xiNGqT7ba76jnMDK/2g0EDQ6?=
=?us-ascii?Q?VHvMY3q2oDfgcRHRLyD+wOGgzbcTzTrbTuiemjKPc20SANZmoLNdwjGZyrdj?=
=?us-ascii?Q?yGCugjmNTTDHUcUMoLL8QspEbxmwimY=3D?=

And in Plesk I see there are 35k mails delayed, but if I click it I don't see anything.

1726569348324.png

Under Action Logs I see these, but I didn't do the red-marked actions. It looks like someone updated a subdomain:

1726569421946.png

And it looks like the mails are being sent from random names but with my domain. For example, I don't have any mail address created with the name "burnice_candy250":

1726569538980.png


Any idea what's going on and how to cancel or stop all outgoing mails?
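The quoted headers already show where the mail entered the server. Received lines are read bottom-up, and the bottom-most one records a client at 147.45.116.49 handing the message to the host's Postfix "with ESMTPSA", which in Postfix's notation means an ESMTP session that was SASL-authenticated over TLS; the Message-ID still carries an unexpanded "[RandStr,...]" placeholder from the sender's bulk-mailing template, and Outlook reports spf=pass together with dkim=fail. The script below is an added triage example (not from the thread, the poster, or Plesk) that pulls these indicators out of a header block. The header excerpt is taken from the post, the From address is rebuilt from the local part the poster names (it is redacted in the quoted headers), and the server's own address list and the set of real mailboxes are assumed values.

```python
"""Triage of the bounce headers quoted above (added example, not from the thread)."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample: an excerpt of the headers quoted in the post, with the From
# address rebuilt from the local part the poster mentions (it is redacted above).
# Folded continuation lines keep their leading space, as in a real header block.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 85.214.149.226)
 smtp.mailfrom=mywebpage.de; dkim=fail (signature did not verify)
 header.d=mywebpage.de;dmarc=pass action=none
 header.from=mywebpage.de;
Received: from mywebpage.de (85.214.149.226) by
 AM3PEPF00009B9D.mail.protection.outlook.com (10.167.16.22) with Microsoft
 SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7918.13
 via Frontend Transport; Tue, 17 Sep 2024 09:24:21 +0000
Received: from mta.mailbitel.com.pe (unknown [147.45.116.49])
 by h2802053.stratoserver.net (Postfix) with ESMTPSA id 9E738D08C8;
 Tue, 17 Sep 2024 10:40:53 +0200 (CEST)
Message-ID: <fdgz9sj372mpmyl8-[RandStr,1-1,0-9,L,Const: contains wrong parameter(s) !]@89236ac135f1dd7655f613d82d8f12c51f>
From: "Myla" <burnice_candy250@mywebpage.de>
To: Undisclosed recipients:;

"""

# Assumed values: the server's own address and the mailboxes that really exist.
OWN_DOMAIN = "mywebpage.de"
OWN_NETWORKS = [ip_network("85.214.149.226/32")]
KNOWN_MAILBOXES = {"info", "webmaster"}

# "from <helo> (<reverse name> [<ip>]) by <host> ... with <protocol> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?P<paren>\([^)]*\))?\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>\S+))?"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_received(value):
    """Return helo name, client IP, receiving host and protocol of one Received header."""
    flat = " ".join(value.split())          # unfold the header
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    from_clause = flat[: m.start("by")]     # client side only, not the receiver's own IP
    ips = IPV4_RE.findall(from_clause)
    return {
        "helo": m.group("helo"),
        "client_ip": ips[0] if ips else None,
        "by": m.group("by"),
        "with": (m.group("with") or "").upper(),
    }


def triage(raw_headers):
    """Collect the indicators a mail admin would want from a bounced message's headers."""
    msg = message_from_string(raw_headers)
    findings = []

    # Each MTA prepends its Received line, so the last one is the first hop:
    # the client that injected the message into the chain.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if hops and hops[-1]["client_ip"]:
        origin = hops[-1]
        ip = ip_address(origin["client_ip"])
        external = not any(ip in net for net in OWN_NETWORKS)
        # Postfix: ESMTPA = SASL-authenticated session, ESMTPSA = the same over TLS.
        if external and origin["with"] in {"ESMTPA", "ESMTPSA"}:
            findings.append(
                f"authenticated submission ({origin['with']}) from external client "
                f"{ip} ({origin['helo']}) accepted by {origin['by']}"
            )

    auth = " ".join((msg.get("Authentication-Results") or "").split())
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("spf") == "pass" and results.get("dkim") == "fail":
        findings.append("spf=pass with dkim=fail: SPF only vouches for the relaying "
                        "server, not for whoever handed it the message")

    # Bulk-mailer template tags that were never expanded, as in the quoted Message-ID.
    if re.search(r"\[(?:RandStr|Const)\b[^\]]*\]", msg.get("Message-ID", "")):
        findings.append("unexpanded mailer-template placeholder in Message-ID")

    local, _, domain = parseaddr(msg.get("From", ""))[1].partition("@")
    if domain.lower() == OWN_DOMAIN and local.lower() not in KNOWN_MAILBOXES:
        findings.append(f"From local part '{local}' is not a provisioned mailbox on {domain}")

    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS):
        print("-", line)
```

Run against the sample it reports all four indicators; for a real incident, paste the full header block of a bounce into SAMPLE_HEADERS or feed it from a file, and extend OWN_NETWORKS and KNOWN_MAILBOXES with the server's real values.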
 
Hm...
  • Is server 147.45.116.49 ([...]..com.pe) a valid sender of emails for the domain my[...].de? If not, why does my[...].de accept these emails for delivery?
  • It seems these two servers are in blocklists now; it means configured blacklists could help to prevent receiving suspicious emails (e.g. from the first server in the chain to the second).
Email headers can be analyzed/visualized with services like Message Header Analyzer and Email Header Analyzer; sometimes this is really helpful.
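The first question in the reply is the crux: 147.45.116.49 is not an authorized sender for the domain, yet Outlook reports spf=pass, because SPF is evaluated against the IP that connected to the receiving MX, here the poster's own server at 85.214.149.226, never against the machine that injected the message one hop further upstream. The following added example (not from the thread or from any Plesk component) is a small SPF evaluator over a constructed DNS table, so the two verdicts can be compared offline. Only the server address comes from the quoted headers; the SPF record, the MX name and the hoster's include record are assumptions.

```python
"""Minimal SPF evaluation (added example, not from the thread or any Plesk component)."""
from ipaddress import ip_address, ip_network

# Constructed DNS table standing in for live lookups. Only 85.214.149.226 comes from
# the quoted headers; the SPF record, MX name and the hoster's include are assumed.
FAKE_DNS = {
    ("mywebpage.de", "TXT"): ["v=spf1 a mx ip4:85.214.149.226 include:_spf.hoster.example -all"],
    ("mywebpage.de", "A"): ["85.214.149.226"],
    ("mywebpage.de", "MX"): ["mail.mywebpage.de"],
    ("mail.mywebpage.de", "A"): ["85.214.149.226"],
    ("_spf.hoster.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns):
    """Stand-in for a DNS query against the constructed table."""
    return dns.get((name.lower(), rtype), [])


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` for the connecting address `client_ip`.

    Handles the ip4/ip6/a/mx/include/all mechanisms with qualifiers; modifiers such
    as redirect= and exp= are ignored. Returns the SPF result string.
    """
    if depth > 10:                      # RFC 7208 limits DNS-requiring terms to 10
        return "permerror"
    ip = ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                # two SPF records is a permanent error
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:                 # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ip_network(arg, strict=False)   # False across IP versions
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A", dns)
                          for mx in lookup(arg or domain, "MX", dns))
        elif mech == "include":
            sub = check_spf(client_ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):   # RFC 7208 5.2: missing/broken include
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    # The receiving MX only sees the relaying server; the injecting client is invisible to SPF.
    for ip in ("85.214.149.226", "147.45.116.49"):
        print(ip, "->", check_spf(ip, "mywebpage.de"))
```

The relaying server passes and the injecting client would fail, which is exactly why an outbound relay abused from inside (an authenticated submission or a web script) sails through SPF: the only cure is on the relay itself, not in the DNS record.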
 
Thank you very much for the help, guys! I solved the issue. I just restored the server to an earlier time and applied @Mikhail_S's post. Basically, removing the old PHPMailer on my webpage (this was for the contact page, so visitors could send email to me) and adding a mail sending limit per hour solved the issue. I removed the whole mail queue as well.

But unluckily some spam databases marked my server's IP as spam... That's why I wrote to them, and one of them has already removed my IP from their blacklist database. But it looks like Microsoft is still blocking mails from my server even though they are not spam:

<[email protected]>: host boels-nl.mail.protection.outlook.com[52.101.68.10] said: 451 4.7.500 Server busy. Please try again later from [MYSERVER'S IP ADDRESS]. (S77719) [DB1PEPF000509E8.eurprd03.prod.outlook.com 2024-09-17T22:29:04.020Z 08DCD16C21803672] (in reply to end of DATA command)
recipient=[email protected]=951
dsn_orig_rcpt=rfc822;[email protected]=4.7.500
action=delayed
diag_type=smtp
diag_text=451 4.7.500 Server busy. Please try again later from [MYSERVER'S IP ADDRESS]. (S77719) [DB1PEPF000509E8.eurprd03.prod.outlook.com 2024-09-17T22:29:04.020Z 08DCD16C21803672]
mta_type=dns
mta_mname=boels-nl.mail.protection.outlook.com
reason=host boels-nl.mail.protection.outlook.com[52.101.68.10] said: 451 4.7.500 Server busy. Please try again later from [MYSERVER'S IP ADDRESS]. (S77719) [DB1PEPF000509E8.eurprd03.prod.outlook.com 2024-09-17T22:29:04.020Z 08DCD16C21803672] (in reply to end of DATA command)
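Flushing the whole queue, as the poster did, also drops legitimate mail that was merely deferred (the 451 "Server busy" above is a temporary rejection that Postfix would retry). The forged messages can instead be selected by envelope sender: they claim the poster's domain with local parts that were never created as mailboxes. The added example below (not from the thread, the poster, or Plesk's tooling) parses the output of Postfix's `postqueue -p` and prints the queue IDs to hand to `postsuper -d -`. The queue listing is constructed for the example; only the queue ID 9E738D08C8 appears in the thread, and the list of real mailboxes is assumed.

```python
"""Select forged messages in the Postfix queue (added example, not the thread's or Plesk's)."""
import re
import sys

# Constructed `postqueue -p` listing. Queue ID 9E738D08C8 is the one from the quoted
# Received header; the other entries, addresses and deferral reasons are invented.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
9E738D08C8*     1457 Tue Sep 17 10:40:53  burnice_candy250@mywebpage.de
                                         victim1@example.com

B7C1D2E3F4      1460 Tue Sep 17 10:41:02  lola_sweet17@mywebpage.de
(host mx.example.net[203.0.113.5] said: 451 4.7.500 Server busy. Please try again later
 from [85.214.149.226]. (in reply to end of DATA command))
                                         victim2@example.net

A1B2C3D4E5      2048 Tue Sep 17 11:05:10  info@mywebpage.de
                                         customer@example.org

-- 5 Kbytes in 3 Requests.
"""

OWN_DOMAIN = "mywebpage.de"
KNOWN_MAILBOXES = {"info", "webmaster"}     # assumed: the mailboxes that really exist

# "<queue id>[*|!] <size> <weekday month day hh:mm:ss> <envelope sender>"
# '*' marks a message in the active queue, '!' one that is on hold.
ENTRY_RE = re.compile(
    r"^(?P<id>[0-9A-Za-z]+)(?P<flag>[*!])?\s+(?P<size>\d+)\s+"
    r"(?P<arrival>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


def parse_queue(text):
    """Turn `postqueue -p` output into dicts (id, flag, size, arrival, sender,
    reason, recipients). Deferral reasons in parentheses may wrap over lines."""
    entries, current, in_reason = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):      # blank, column header or summary line
            in_reason = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = dict(m.groupdict(), reason="", recipients=[])
            entries.append(current)
            in_reason = False
        elif current is None:
            continue
        elif line.startswith("(") or in_reason:     # deferral reason, possibly wrapped
            current["reason"] = f"{current['reason']} {line}".strip()
            in_reason = not line.endswith(")")
        else:
            current["recipients"].append(line)
    return entries


def forged_queue_ids(text, domain=OWN_DOMAIN, known=KNOWN_MAILBOXES):
    """Queue IDs of messages whose envelope sender uses our domain with a local part
    that was never provisioned as a mailbox."""
    ids = []
    for e in parse_queue(text):
        local, sep, sender_domain = e["sender"].rpartition("@")
        if sep and sender_domain.lower() == domain and local.lower() not in known:
            ids.append(e["id"])
    return ids


if __name__ == "__main__":
    # Real use, as root:  postqueue -p | python3 queue_triage.py | postsuper -d -
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QUEUE
    print("\n".join(forged_queue_ids(source)))
```

Review the selected IDs (or the senders behind them) before piping into `postsuper -d -`; the legitimate deferred message from info@ is left in the queue for Postfix to retry, and the same selection rule is a handy indicator for a cron job that alerts when the queue fills with senders that are not real mailboxes.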
 