
Issue I think my server is sending spam

Alaa Mansour

Basic Pleskian
Hello all

I'm trying to block all IPs that I don't recognize. Although I'm using Fail2Ban, I think that my server is compromised; I see this in the maillog file, attempts to reach nonexistent users without an IP:

Code:
Dec 15 09:49:19 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:41956 to port 783, fd 6
Dec 15 09:49:19 plesk spamd[101537]: prefork: child states: II
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<GISsK7qZSIZ/AAAB>
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<vJmsK7qZNJh/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<Fd6sK7qZWKl/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<qPKsK7qZqJ9/AAAB>
Dec 15 09:51:45 plesk dovecot_authdb_plesk[127099]: No such user '[email protected]' in mail authorization database
Dec 15 09:51:48 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=112.26.80.46, lip=217.160.13.50, TLS, session=$
Dec 15 09:54:17 plesk dovecot_authdb_plesk[127284]: No such user '[email protected]' in mail authorization database
Dec 15 09:54:20 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=221.130.130.238, lip=217.160$
Dec 15 09:54:21 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:41996 to port 783, fd 6
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=</MqtPbqZboZ/AAAB>
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<GOKtPbqZWph/AAAB>
Dec 15 09:54:21 plesk spamd[101537]: prefork: child states: II
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<RC+uPbqZfql/AAAB>
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<zEauPbqZzp9/AAAB>

How can I resolve this problem?
 
[email protected] is my email address, and it forwards to [email protected]

I don't know who is DavidGarcia

Code:
Dec 15 11:08:27 plesk postfix/smtpd[33911]: warning: hostname static-BAFO-200-6-169-250.une.net.co does not resolve to address 200.6.169.250
Dec 15 11:08:27 plesk postfix/smtpd[33911]: connect from unknown[200.6.169.250]
Dec 15 11:08:28 plesk postfix/smtpd[33911]: C68905D3: client=unknown[200.6.169.250]
Dec 15 11:08:29 plesk postfix/cleanup[33917]: C68905D3: message-id=<[email protected]>
Dec 15 11:08:30 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:30 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:30 plesk check-quota[33922]: Starting the check-quota filter...
Dec 15 11:08:30 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:30 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:30 plesk spf[33923]: Starting the spf filter...
Dec 15 11:08:30 plesk spf[33923]: Error code: (2) Could not find a valid SPF record
Dec 15 11:08:30 plesk spf[33923]: Failed to query MAIL-FROM: Host 'spf.virtualtarget.com.br' not found.
Dec 15 11:08:31 plesk spf[33923]: SPF result: neutral
Dec 15 11:08:31 plesk spf[33923]: SPF status: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:31 plesk postfix/qmgr[56366]: C68905D3: from=<[email protected]>, size=3417, nrcpt=1 (queue active)
Dec 15 11:08:31 plesk postfix-local[33925]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Dec 15 11:08:31 plesk dk_check[33926]: Starting the dk_check filter...
Dec 15 11:08:31 plesk dk_check[33926]: DKIM verify result: DKIM Feed: No signature
Dec 15 11:08:31 plesk dmarc[33927]: Starting the dmarc filter...
Dec 15 11:08:31 plesk dmarc[33927]: DMARC: PASS message for [email protected]
Dec 15 11:08:31 plesk dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Dec 15 11:08:31 plesk postfix/smtpd[33911]: disconnect from unknown[200.6.169.250] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Dec 15 11:08:31 plesk plesk sendmail[33938]: handlers_stderr: PASS
Dec 15 11:08:31 plesk plesk sendmail[33938]: PASS during call 'limit-out' handler
Dec 15 11:08:31 plesk check-quota[33941]: Starting the check-quota filter...
Dec 15 11:08:31 plesk plesk sendmail[33938]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk plesk sendmail[33938]: SKIP during call 'check-quota' handler
Dec 15 11:08:31 plesk postfix/pickup[127270]: AF22088A: uid=30 from=<[email protected]>
Dec 15 11:08:31 plesk postfix/cleanup[33917]: AF22088A: message-id=<[email protected]>
Dec 15 11:08:31 plesk postfix/pipe[33924]: C68905D3: to=<[email protected]>, relay=plesk_virtual, delay=3.4, delays=2.9/0.01/0/0.5, dsn=2.0.0, status=sent (d$
Dec 15 11:08:31 plesk postfix/qmgr[56366]: C68905D3: removed
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:31 plesk check-quota[33947]: Starting the check-quota filter...
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:31 plesk spf[33948]: Starting the spf filter...
Dec 15 11:08:31 plesk spf[33948]: SPF result: pass
Dec 15 11:08:31 plesk spf[33948]: SPF status: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:31 plesk dk_sign[33949]: Starting the dk_sign filter...
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'dd51-domainkeys' handler
Dec 15 11:08:31 plesk postfix/qmgr[56366]: AF22088A: from=<[email protected]>, size=4198, nrcpt=1 (queue active)
Dec 15 11:08:31 plesk postfix-local[33950]: postfix-local: [email protected], [email protected], dir$
Dec 15 11:08:31 plesk dk_check[33951]: Starting the dk_check filter...
Dec 15 11:08:31 plesk dk_check[33951]: DKIM verify result: Success
Dec 15 11:08:31 plesk dmarc[33952]: Starting the dmarc filter...
Dec 15 11:08:31 plesk dmarc[33952]: Store DKIM result for 'example.com' into DMARC library.
Dec 15 11:08:31 plesk dmarc[33952]: DMARC: PASS message for [email protected]
Dec 15 11:08:32 plesk plesk sendmail[33958]: handlers_stderr: PASS
Dec 15 11:08:32 plesk plesk sendmail[33958]: PASS during call 'limit-out' handler
Dec 15 11:08:32 plesk check-quota[33961]: Starting the check-quota filter...
Dec 15 11:08:32 plesk plesk sendmail[33958]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk plesk sendmail[33958]: SKIP during call 'check-quota' handler
Dec 15 11:08:32 plesk postfix/pickup[127270]: 2B842855: uid=30 from=<[email protected]>
Dec 15 11:08:32 plesk postfix/cleanup[33917]: 2B842855: message-id=<[email protected]>
Dec 15 11:08:32 plesk dovecot: service=lda, [email protected], ip=[]. sieve: msgid=<[email protected]>: redirect action: forwarded to$
Dec 15 11:08:32 plesk postfix/pipe[33924]: AF22088A: to=<[email protected]>, relay=plesk_virtual, delay=0.47, delays=0.22/0/0/0.25, dsn=2.0.0, status$
Dec 15 11:08:32 plesk postfix/qmgr[56366]: AF22088A: removed
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:32 plesk check-quota[33968]: Starting the check-quota filter...
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:32 plesk spf[33970]: Starting the spf filter...
Dec 15 11:08:32 plesk spf[33970]: SPF result: pass
Dec 15 11:08:32 plesk spf[33970]: SPF status: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:32 plesk dk_sign[33971]: Starting the dk_sign filter...
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: PASS during call 'dd51-domainkeys' handler
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<[email protected]>, size=5127, nrcpt=1 (queue active)
Dec 15 11:08:33 plesk postfix/smtp[33972]: 2B842855: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=1.3, delays=0.24/0.01/0.31/$
Dec 15 11:08:33 plesk postfix/qmgr[56366]: 2B842855: removed
Dec 15 11:09:52 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:47022 to port 783, fd 6
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kjvGS7uZEpp/AAAB>
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<wVDGS7uZ/qt/AAAB>
Dec 15 11:09:52 plesk spamd[101537]: prefork: child states: II
Dec 15 11:09:52 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<jZjGS7uZIr1/AAAB>
Dec 15 11:09:52 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<VanGS7uZcrN/AAAB>
 
It looks like the user comes from localhost (127.0.0.1).
Do you have any process that is called spamd?
 
Code:
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<[email protected]>, size=5127, nrcpt=1 (queue active)
When you see "<SRS" at the start of the "from=" field content, this is normally either a message generated by an autoresponder entry or by a mail forwarding list. Normally, when spam comes in to a mailbox that has an autoresponder or forward activated, the spam will be answered or forwarded like this. It is normally nothing to worry about.

Code:
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kjvGS7uZEpp/AAAB>
is a login attempt from a user that has local access to the server but does not transmit a login name to the mail service. It could simply be a website that uses SMTP authentication to mail form input but is misconfigured (as the login name is missing). The first thing to do is to make sure that all the website forms that you are using are protected by a captcha, else bots will try to abuse them for spam. The second thing to check is which of your forms that use SMTP as a sending method are missing the login name.
 
Hi, I have the same localhost attempts every 300 s

Code:
2022-06-11 18:09:08    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/pp/AAAB>
2022-06-11 18:04:06    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>

I found that it's Watchdog. Is it normal?
 
Yes, it's normal.

Check your Watchdog settings: Extensions -> My Extensions -> Watchdog -> Preferences -> Polling interval (300 sec)
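The two replies above make different points about the same kind of log line: a loopback connection with `user=<>` and "no auth attempts" can be a misconfigured web form, or it can be the Watchdog extension polling the IMAP/POP3 listeners every 300 seconds. The remote `auth failed` lines are the ones Fail2Ban actually cares about. The script below is an added example, not code from the thread or from Plesk: it parses syslog-style Dovecot login lines in the format quoted in the first post, sums failed attempts per remote IP, and checks whether the loopback no-auth connections arrive at a regular cadence that matches the poller interval (a burst on the plain and TLS listener in the same second is collapsed to one probe, as the quoted log shows). The sample log, addresses, IPs and session ids are constructed, and the year is assumed because syslog timestamps omit it.

```python
"""Sort Dovecot login events into local no-auth probes and remote auth failures.

Added example, not from the forum thread. Log lines below are constructed and
only modelled on the maillog excerpts quoted in the thread.
"""
import ipaddress
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample: three loopback "polls" roughly 300 s apart (each opening the
# TLS and plain listener in the same second) plus three remote failed logins.
SAMPLE_LOG = """\
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<aaaa/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bbbb/AAAB>
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<cccc/AAAB>
Dec 15 09:51:48 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<someone@example.com>, method=PLAIN, rip=112.26.80.46, lip=217.160.13.50, TLS, session=<dddd/AAAB>
Dec 15 09:54:20 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<other@example.com>, method=PLAIN, rip=112.26.80.46, lip=217.160.13.50, TLS, session=<eeee/AAAB>
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<ffff/AAAB>
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<gggg/AAAB>
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<hhhh/AAAB>
Dec 15 09:59:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<iiii/AAAB>
Dec 15 09:59:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<jjjj/AAAB>
Dec 15 09:59:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kkkk/AAAB>
Dec 15 10:02:00 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin@example.com>, method=PLAIN, rip=221.130.130.238, lip=217.160.13.50, TLS, session=<llll/AAAB>
"""

# Matches the syslog-style "imap-login:"/"pop3-login:" lines from the first post.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"(?:Aborted login|Disconnected) \((?P<detail>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)
ATTEMPTS_RE = re.compile(r"(\d+) attempts")


def parse_dovecot_logins(text, year):
    """Return one dict per imap/pop3-login line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        detail = m["detail"]
        attempts = int(ATTEMPTS_RE.search(detail).group(1)) if "auth failed" in detail else 0
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "service": m["svc"],
            "user": m["user"],
            "rip": m["rip"],
            "no_auth": "no auth attempts" in detail,
            "failed_attempts": attempts,
        })
    return events


def is_local(rip):
    return ipaddress.ip_address(rip).is_loopback


def remote_auth_failures(events):
    """Failed attempts summed per remote client IP: the signal a fail2ban jail keys on."""
    counts = Counter()
    for e in events:
        if e["failed_attempts"] and not is_local(e["rip"]):
            counts[e["rip"]] += e["failed_attempts"]
    return counts


def local_noauth_cadence(events, service):
    """(probe count, median gap in seconds) for loopback no-auth connects to one service.

    A poller opens the plain and the TLS listener within the same second, so
    timestamps are deduplicated before gaps are measured.
    """
    times = sorted({e["ts"] for e in events
                    if e["no_auth"] and e["user"] == "" and e["service"] == service
                    and is_local(e["rip"])})
    if len(times) < 2:
        return len(times), None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(times), statistics.median(gaps)


def classify_local_probes(events, service, poll_interval=300, tolerance=15):
    """'periodic' if the gaps line up with the expected poller interval, else 'irregular'.

    A steady cadence matching the Watchdog polling interval points at monitoring;
    an irregular pattern deserves the web-form check described in the thread.
    """
    count, median_gap = local_noauth_cadence(events, service)
    if count < 3 or median_gap is None:
        return "insufficient-data"
    return "periodic" if abs(median_gap - poll_interval) <= tolerance else "irregular"


def report(text, year):
    events = parse_dovecot_logins(text, year)
    return {
        "remote_failures": dict(remote_auth_failures(events)),
        "local_probes": {svc: classify_local_probes(events, svc) for svc in ("imap", "pop3")},
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG, 2022))
```

Run it against a real `/var/log/maillog` by reading the file into `report()` with the correct year; if `local_probes` comes back "irregular" or the probe count does not fit the configured polling interval, the loopback traffic is not explained by Watchdog and the form-configuration check from the earlier reply applies.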
 