Issue how to stop email being sent from my server?

[Ihtshama]

Hello, I am using Plesk Onyx Version 17.5.3 Update #32, on linux server.

Last week, I noticed that hundreds are emails are being sent from my server. Then i applied all possible things i read from Plesk store DMAC and other tools, spam assassin, also activated firewall on plesk. But still one specific domain on my server is being used (try ) to send thousands of email per day (though i have set 0 outgoing emails for that email/domain).

I am really fedup by this, is there no way that i can find the IP address of this spoof maker and just ban it? Please advise some tool how i can effectively use DMAC or spam assassin tool.

thanks

 

[trialotto]

@Ihtshama

You should be more specific.

Think about the following.

Is it your domain and did you write the code on that one troublesome domain? Or is it a customer's domain?

What kind of site is it? Is it a WordPress or similar standard application?

And what do the logs say? Do you have some relevant (mail related) logs?


All of those questions can be important, but one set of questions is of particular importance (note: question in chronological order of relevance):

1) did you already try to shutdown the mail service on the domain? And if yes, are mails still being sent?

2) did you already try to reset ALL passwords for ALL mail addresses on the mail? And if no, try to do so and check whether mails are still being sent.


In general, the following applies:

- if question 2 resolves your issue, then your server's mail accounts are very likely to be hacked: a full security audit would be worthwhile or even required, (or)
- if question 1 does NOT resolve your issue (read: shutting down mail service on the domain is not stopping mails), than some elaborate "mail relay related" issue exists.


In short, provide some additional information and do some preliminary tests, to allow Plesk forum members to be of some assistance.

Hope the above helps a bit!

Regards...........

 

[Ihtshama]

@Ihtshama

You should be more specific.

Think about the following.

Is it your domain and did you write the code on that one troublesome domain? Or is it a customer's domain?

What kind of site is it? Is it a WordPress or similar standard application?

And what do the logs say? Do you have some relevant (mail related) logs?


All of those questions can be important, but one set of questions is of particular importance (note: question in chronological order of relevance):

1) did you already try to shutdown the mail service on the domain? And if yes, are mails still being sent?

2) did you already try to reset ALL passwords for ALL mail addresses on the mail? And if no, try to do so and check whether mails are still being sent.


In general, the following applies:

- if question 2 resolves your issue, then your server's mail accounts are very likely to be hacked: a full security audit would be worthwhile or even required, (or)
- if question 1 does NOT resolve your issue (read: shutting down mail service on the domain is not stopping mails), than some elaborate "mail relay related" issue exists.


In short, provide some additional information and do some preliminary tests, to allow Plesk forum members to be of some assistance.

Hope the above helps a bit!

Regards...........

Dear Guru,
thank you for your help. My answers are below.:

Is it your domain and did you write the code on that one troublesome domain? Or is it a customer's domain?
This is a customer domain.

What kind of site is it? Is it a WordPress or similar standard application?
it is wordpress and i am using roundcube email.

And what do the logs say? Do you have some relevant (mail related) logs?
Sorry, as i have disabled the outgoing email by setting 0 email/day by this domain.

But let me try your 1, 2 options, if problem persists, i will get back.

 

[Ihtshama]

Dear Trialotto.

I deactivated the mail server on the said domain, and no email was sent from that email address. But after two days, when i turned the mail server back ON, sadly, spam emails started again. This time, i am lucky to copy one of the email, please check below. Please advise something to avoid this trouble.

These emails are being sent using one IP address, i have magicspam installed and saw there, this IP is the culprit
202.75.219.133, is there no way that i can block this IP address on my server/plesk settings?



Received: from host182.host182.korobowicz.pl (akl34.rev.netart.pl [85.128.142.34])
by vmi112640.contaboserver.net (Postfix) with ESMTPSA id D4EDBB61CEB
for <[email protected]>; Tue, 12 Dec 2017 20:02:32 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shriganesh.ch;
s=default; t=1513105352;
bh=prOsyskEmN2PZ5FdWdLdb5GmmDsPPr9X5lBUUEgCkZA=; l=914;
h=To:From:Subject;
b=NnpYOCeSUmgXl4RjDmeivQtJZmVHHMdXtshbTQ57TaNP+oTjHGIPtVAsZ4I3Pve0T
NFKuyqNrywFGUoYf5FJR6T5QF9LUrxIJwmFY1d14S62dCHD8Na3oLaSuxxeobS/ztW
NvVWXKHJnu3/8BPRxWejv//FGG+vfsEI6xUnTV18=
Authentication-Results: vmi112640.contaboserver.net;
spf=pass (sender IP is 85.128.142.34) [email protected] smtp.helo=host182.host182.korobowicz.pl
Received-SPF: pass (vmi112640.contaboserver.net: connection is authenticated)
Date: Tue, 12 Dec 2017 20:02:32 +0100
To: [email protected]
From: "Ethan N." <[email protected]>
Reply-To: "Ethan N." <[email protected]>
Subject: =?utf-8?Q?I=E2=80=99m_very_tasty_and_nasty?=
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.23 (GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_41f87f0ad5e5ef1065f65a0a0193b629"
Content-Transfer-Encoding: 8bit

 

[trialotto]

@Ihtshama

It is very likely to be the case that the domain in question contains PHPMailer and that PHPMailer is used for spamming.

There are some facts that you have to take into account:

- PHPMailer is known to be misused for spamming purposes: the library is not very secure
- your PHPMailer version is out-of-date: upgrade to PHPMailer 6.0.x (if you have a WordPress site on the domain: just update the plugin)
- using the latest PHPMailer release does not guarantee that your server is secure or free from spamming

Given the above, one can do one of the following and analyse what happens:

a) create a custom rule in Plesk Firewall, by doing:

- go to "Tools & Settings > Firewall (click) > Modify Plesk Firewall rules (click) > Add custom rule (click)"
- name the rule: Notorious (or similar)
- select "Match direction: incoming" and "Action: deny"
- do not enter a value under "Ports", but enter IPs (in your case: 202.75.219.133) under "Sources"
- click "OK"
- important: move the custom rule to the top, so that it is the first rule in the Plesk firewall
- click "Apply Changes" and "Activate" (to make your firewall and new custom rule active)

and note that you can always add some additional IPs to the same ruleset with the name "notorious": just follow the procedure above.

b) upgrade the PHPMailer library to the latest version: only do so via the application that uses the library as a plugin (!)

c) optional - remove PHPMailer and switch to SwiftMailer library


With the above options, you can now do some analysis:

1 - do the PHPMailer upgrade (option b) and check whether the spamming is still present: if no, continue with option a; if yes, proceed with step 2 below

2 - without activating the custom firewall rule (option a), deactivate PHPMailer for some period of time to allow yourself to investigate whether spam is indeed originating from PHPMailer: if yes, remove the (damned) plugin AND still continue with option a (you want to block all bad IPs!); if no, proceed with option c AND option a,

and if the above does not help, just let me know.

Regards........

 

[Ihtshama]

Dear, thank you.
I just blocked one IP which was most frequently sending emails. But i am surprised to see that there is not only one domain, but many others too which are being used for spam. and there are so many IPs, i cant reply block them by this firewall method. Please advise some server level method, by which i can control this spam.

I was confused about this PHPMailer. I checked the domain in question, and couldnt find any plugin apparently using this PHPmailer. there i was not able to do your b and c options.