
Resolved Hackers or spiders are messing with my domain mail server

schemer

Basic Pleskian
Last month I got an email forwarded to my house from a domain I run for my wife's businesses. It happened at 12:00 AM and simply said "This is a test". The problem is that the email address was not one assigned to the domain, as if a hacker made up a new email with her domain and somehow used it to forward me a message. I called IONOS and they said to change my passwords, which I did immediately. A month goes by and I get another of the same message at about the same time as last month. So I called again and hunted down the email log for the domain. I found some Apache errors and some IP addresses that, when I look them up, are known abuse or attack sites. One mentions 23.228.109.147, another 46.101.99.15 and yet another 91.205.175.35. There are likely more, but I believe that is where the problem is coming from. What is the best way to block these with the latest version of Plesk Obsidian? By individual IP address or by range? And how/where do I make the changes?
Thanks,
schemer

 
Did you examine the email headers to see if that mail really originated from your server?
 
Yes. I sent the message to the postmaster form that tech support had me use, and the reply from tech support is as follows:

thank you for contacting us.

We've checked the data you've provided us.

According to the Received lines of the mail, this mail was generated on your server:

Received: by eager-pike.MYIPADDRESS.plesk.page (Postfix, from userid XXXXX) id xxxxxxxxxxx; Tue, 13 Jul 2021 00:00:17 -0500 (CDT)

Therefore you should check your server logs about that.

Sincerely,
IONOS Customer Service
 
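The Received line IONOS quotes above carries the key fact: "(Postfix, from userid N)" means the message was handed to Postfix locally through the sendmail interface by the Unix user with that uid, not accepted over SMTP from an outside host. The next step is therefore to map that uid to a Plesk system user and look at what that user runs at midnight (cron, scheduled tasks, web scripts). The script below is an added example, not code from the thread or from Plesk or IONOS: it classifies a Received header as local submission or inbound SMTP and prints the follow-up commands. The two sample headers, the uid 10001 and the hostnames/IPs in them are constructed for the example.

```shell
#!/bin/sh
# Added example: tell a locally submitted message from one received over SMTP
# by inspecting the first Postfix "Received:" header, then print what to check next.

# Constructed samples (not real headers from the thread); uid and hosts are made up.
SAMPLE_LOCAL='Received: by eager-pike.203.0.113.10.plesk.page (Postfix, from userid 10001) id XXXXXXXXXXXX; Tue, 13 Jul 2021 00:00:17 -0500 (CDT)'
SAMPLE_SMTP='Received: from mail-out.example.net (mail-out.example.net [198.51.100.7]) by eager-pike.203.0.113.10.plesk.page (Postfix) with ESMTPS id XXXXXXXXXXXX; Tue, 13 Jul 2021 00:00:17 -0500 (CDT)'

# classify_received HEADER
#   prints "local-submission userid=N" for mail injected via sendmail(1) by uid N,
#   "smtp-from HOST" for mail accepted over SMTP from HOST, else "unknown".
classify_received() {
  hdr=$1
  case $hdr in
    *"(Postfix, from userid "*")"*)
      uid=$(printf '%s\n' "$hdr" | sed -n 's/.*(Postfix, from userid \([0-9][0-9]*\)).*/\1/p')
      printf 'local-submission userid=%s\n' "$uid" ;;
    *"Received: from "*" by "*)
      src=$(printf '%s\n' "$hdr" | sed -n 's/^Received: from \([^ ]*\) .*/\1/p')
      printf 'smtp-from %s\n' "$src" ;;
    *)
      printf 'unknown\n' ;;
  esac
}

# local_submission_checks UID
#   prints the commands a practitioner would run next on the Plesk host itself
#   (printed rather than executed so this script runs anywhere).
local_submission_checks() {
  uid=$1
  # which system user (and therefore which Plesk subscription) owns that uid
  printf 'getent passwd %s\n' "$uid"
  # Postfix pickup logs locally injected mail as "uid=N from=<...>" with the queue id
  printf "grep -F 'uid=%s' /var/log/maillog\n" "$uid"
  # a message at 00:00:17 is a strong hint of a scheduled job; substitute the user from getent
  printf 'crontab -u USER -l\n'
  printf 'ls -la /var/spool/cron /etc/cron.d\n'
}

# Stand-alone run: classify both samples and, for local submission, show the checks.
for h in "$SAMPLE_LOCAL" "$SAMPLE_SMTP"; do
  result=$(classify_received "$h")
  printf '%s\n' "$result"
  case $result in
    local-submission*) local_submission_checks "${result#*userid=}" ;;
  esac
done
```

Only the first (topmost-added) Received line that names the server is trustworthy here; earlier Received lines in a spoofed message can be forged, but the one Postfix itself added when it accepted the message cannot.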
I sorted through my log for yesterday for the domain with the issue, and here are all the suspicious IP addresses I found:
23.154.177.4
104.248.166.43
198.144.120.234
157.230.210.133
199.195.254.254
157.230.210.133
198.144.121.93
185.180.143.74
91.205.175.35
46.101.99.15
157.230.210.133
49.7.20.152
49.7.20.152
167.99.172.253
35.164.155.147
199.195.251.84


???
147.182.191.232

Chinese crawler
49.7.20.154

Are they all to be blocked, or just the ones that are more suspicious, namely these two:
91.205.175.35
and
46.101.99.15

Thanks
 
Blocking IPs post-incident does little. If you find suspicious countries or ASNs, you could consider a full block, but even that doesn't do much. IPs are just too easy to rotate out and away.

Consider a WAF, either cloud-based or server-side.
 
OK, thanks for the info. But I would still like to know how to block the IPs. In Plesk, when I go to the blacklisting, it wants a domain name. If I put in the IP address it gives an error. And can you point me in the right direction in setting up a WAF within Plesk? Or is that done through my hosting provider?
Thanks
 
deny x.x.x.x in .htaccess for just one site. You can put that in a global config file for multiple.

You can also block off all connections with a firewall (i.e., iptables).

Configure a WAF under Tools + Settings -> Web Application Firewall (Modsecurity)
 
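To make the two blocking routes above concrete, here is an added example (not code from john0001 or from Plesk) that takes a raw list of addresses like the one posted earlier, validates and deduplicates it, and emits both an Apache rule block and the matching iptables commands. Plesk Obsidian runs Apache 2.4, whose native syntax is "Require not ip"; the older "Deny from x.x.x.x" form still works when mod_access_compat is loaded. The list below is a constructed input that reuses a few addresses from the thread plus a deliberately bad entry and a duplicate to show the filtering; nothing is applied to the system, the script only prints what you would paste into .htaccess or run as root.

```shell
#!/bin/sh
# Added example: turn a messy IP list into an Apache 2.4 deny block and iptables commands.

# Constructed input: addresses from the thread, one duplicate, one CIDR, one invalid line.
IP_LIST='23.228.109.147
46.101.99.15
91.205.175.35
157.230.210.133
157.230.210.133
49.7.20.0/24
not-an-ip
'

# valid_ipv4 ADDR[/PREFIX]  -> exit 0 if ADDR is a dotted quad with octets <= 255
# and the optional prefix length is 0..32.
valid_ipv4() {
  ip=${1%%/*}
  pfx=${1#"$ip"}; pfx=${pfx#/}
  case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  n=0; oldifs=$IFS; IFS=.
  for o in $ip; do
    n=$((n + 1))
    [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  [ "$n" -eq 4 ] || return 1
  if [ -n "$pfx" ]; then
    case $pfx in *[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
  fi
  return 0
}

# normalize_ips LIST -> one validated, deduplicated entry per line (order preserved);
# invalid entries are reported on stderr and skipped.
normalize_ips() {
  seen=
  printf '%s\n' "$1" | while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d ' \t')
    [ -n "$line" ] || continue
    if ! valid_ipv4 "$line"; then
      printf 'skipping invalid entry: %s\n' "$line" >&2
      continue
    fi
    case " $seen " in *" $line "*) continue ;; esac
    seen="$seen $line"
    printf '%s\n' "$line"
  done
}

# apache_rules LIST -> Apache 2.4 block for .htaccess or a per-site/global <Directory>.
apache_rules() {
  printf '<RequireAll>\n    Require all granted\n'
  normalize_ips "$1" | while IFS= read -r ip; do
    printf '    Require not ip %s\n' "$ip"
  done
  printf '</RequireAll>\n'
}

# iptables_rules LIST -> one DROP rule per entry, inserted at the top of INPUT.
# Run as root; persist them with the distribution's iptables-save mechanism or Plesk's firewall.
iptables_rules() {
  normalize_ips "$1" | while IFS= read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Stand-alone run: print both outputs.
apache_rules "$IP_LIST"
iptables_rules "$IP_LIST"
```

The Apache block stops the web side only; the iptables rules drop everything from those sources, including SMTP. Neither addresses a message that, as IONOS pointed out, was generated on the server itself, so they belong alongside the local-user and cron investigation rather than in place of it.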
Thank you very much john0001. I appreciate the help. :cool:
 