Issue: I think my server is sending spam

Alaa Mansour

Basic Pleskian
Hello all

I'm trying to block all IPs that I don't recognize, although I'm using Fail2Ban, but I think that my server is compromised. I see this in the maillog file: attempts to reach nonexistent users, without an IP:

Code:
Dec 15 09:49:19 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:41956 to port 783, fd 6
Dec 15 09:49:19 plesk spamd[101537]: prefork: child states: II
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<GISsK7qZSIZ/AAAB>
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<vJmsK7qZNJh/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<Fd6sK7qZWKl/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<qPKsK7qZqJ9/AAAB>
Dec 15 09:51:45 plesk dovecot_authdb_plesk[127099]: No such user '[email protected]' in mail authorization database
Dec 15 09:51:48 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=112.26.80.46, lip=217.160.13.50, TLS, session=$
Dec 15 09:54:17 plesk dovecot_authdb_plesk[127284]: No such user '[email protected]' in mail authorization database
Dec 15 09:54:20 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=221.130.130.238, lip=217.160$
Dec 15 09:54:21 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:41996 to port 783, fd 6
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=</MqtPbqZboZ/AAAB>
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<GOKtPbqZWph/AAAB>
Dec 15 09:54:21 plesk spamd[101537]: prefork: child states: II
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<RC+uPbqZfql/AAAB>
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<zEauPbqZzp9/AAAB>

How can I resolve this problem?
 
[email protected] is my email address, and it forwards to [email protected]

I don't know who is DavidGarcia

Code:
Dec 15 11:08:27 plesk postfix/smtpd[33911]: warning: hostname static-BAFO-200-6-169-250.une.net.co does not resolve to address 200.6.169.250
Dec 15 11:08:27 plesk postfix/smtpd[33911]: connect from unknown[200.6.169.250]
Dec 15 11:08:28 plesk postfix/smtpd[33911]: C68905D3: client=unknown[200.6.169.250]
Dec 15 11:08:29 plesk postfix/cleanup[33917]: C68905D3: message-id=<[email protected]>
Dec 15 11:08:30 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:30 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:30 plesk check-quota[33922]: Starting the check-quota filter...
Dec 15 11:08:30 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:30 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:30 plesk spf[33923]: Starting the spf filter...
Dec 15 11:08:30 plesk spf[33923]: Error code: (2) Could not find a valid SPF record
Dec 15 11:08:30 plesk spf[33923]: Failed to query MAIL-FROM: Host 'spf.virtualtarget.com.br' not found.
Dec 15 11:08:31 plesk spf[33923]: SPF result: neutral
Dec 15 11:08:31 plesk spf[33923]: SPF status: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:31 plesk postfix/qmgr[56366]: C68905D3: from=<[email protected]>, size=3417, nrcpt=1 (queue active)
Dec 15 11:08:31 plesk postfix-local[33925]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Dec 15 11:08:31 plesk dk_check[33926]: Starting the dk_check filter...
Dec 15 11:08:31 plesk dk_check[33926]: DKIM verify result: DKIM Feed: No signature
Dec 15 11:08:31 plesk dmarc[33927]: Starting the dmarc filter...
Dec 15 11:08:31 plesk dmarc[33927]: DMARC: PASS message for [email protected]
Dec 15 11:08:31 plesk dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Dec 15 11:08:31 plesk postfix/smtpd[33911]: disconnect from unknown[200.6.169.250] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Dec 15 11:08:31 plesk plesk sendmail[33938]: handlers_stderr: PASS
Dec 15 11:08:31 plesk plesk sendmail[33938]: PASS during call 'limit-out' handler
Dec 15 11:08:31 plesk check-quota[33941]: Starting the check-quota filter...
Dec 15 11:08:31 plesk plesk sendmail[33938]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk plesk sendmail[33938]: SKIP during call 'check-quota' handler
Dec 15 11:08:31 plesk postfix/pickup[127270]: AF22088A: uid=30 from=<[email protected]>
Dec 15 11:08:31 plesk postfix/cleanup[33917]: AF22088A: message-id=<[email protected]>
Dec 15 11:08:31 plesk postfix/pipe[33924]: C68905D3: to=<[email protected]>, relay=plesk_virtual, delay=3.4, delays=2.9/0.01/0/0.5, dsn=2.0.0, status=sent (d$
Dec 15 11:08:31 plesk postfix/qmgr[56366]: C68905D3: removed
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:31 plesk check-quota[33947]: Starting the check-quota filter...
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:31 plesk spf[33948]: Starting the spf filter...
Dec 15 11:08:31 plesk spf[33948]: SPF result: pass
Dec 15 11:08:31 plesk spf[33948]: SPF status: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:31 plesk dk_sign[33949]: Starting the dk_sign filter...
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'dd51-domainkeys' handler
Dec 15 11:08:31 plesk postfix/qmgr[56366]: AF22088A: from=<[email protected]>, size=4198, nrcpt=1 (queue active)
Dec 15 11:08:31 plesk postfix-local[33950]: postfix-local: [email protected], [email protected], dir$
Dec 15 11:08:31 plesk dk_check[33951]: Starting the dk_check filter...
Dec 15 11:08:31 plesk dk_check[33951]: DKIM verify result: Success
Dec 15 11:08:31 plesk dmarc[33952]: Starting the dmarc filter...
Dec 15 11:08:31 plesk dmarc[33952]: Store DKIM result for 'example.com' into DMARC library.
Dec 15 11:08:31 plesk dmarc[33952]: DMARC: PASS message for [email protected]
Dec 15 11:08:32 plesk plesk sendmail[33958]: handlers_stderr: PASS
Dec 15 11:08:32 plesk plesk sendmail[33958]: PASS during call 'limit-out' handler
Dec 15 11:08:32 plesk check-quota[33961]: Starting the check-quota filter...
Dec 15 11:08:32 plesk plesk sendmail[33958]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk plesk sendmail[33958]: SKIP during call 'check-quota' handler
Dec 15 11:08:32 plesk postfix/pickup[127270]: 2B842855: uid=30 from=<[email protected]>
Dec 15 11:08:32 plesk postfix/cleanup[33917]: 2B842855: message-id=<[email protected]>
Dec 15 11:08:32 plesk dovecot: service=lda, [email protected], ip=[]. sieve: msgid=<[email protected]>: redirect action: forwarded to$
Dec 15 11:08:32 plesk postfix/pipe[33924]: AF22088A: to=<[email protected]>, relay=plesk_virtual, delay=0.47, delays=0.22/0/0/0.25, dsn=2.0.0, status$
Dec 15 11:08:32 plesk postfix/qmgr[56366]: AF22088A: removed
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:32 plesk check-quota[33968]: Starting the check-quota filter...
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:32 plesk spf[33970]: Starting the spf filter...
Dec 15 11:08:32 plesk spf[33970]: SPF result: pass
Dec 15 11:08:32 plesk spf[33970]: SPF status: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:32 plesk dk_sign[33971]: Starting the dk_sign filter...
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: PASS during call 'dd51-domainkeys' handler
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<[email protected]>, size=5127, nrcpt=1 (queue active)
Dec 15 11:08:33 plesk postfix/smtp[33972]: 2B842855: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=1.3, delays=0.24/0.01/0.31/$
Dec 15 11:08:33 plesk postfix/qmgr[56366]: 2B842855: removed
Dec 15 11:09:52 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:47022 to port 783, fd 6
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kjvGS7uZEpp/AAAB>
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<wVDGS7uZ/qt/AAAB>
Dec 15 11:09:52 plesk spamd[101537]: prefork: child states: II
Dec 15 11:09:52 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<jZjGS7uZIr1/AAAB>
Dec 15 11:09:52 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<VanGS7uZcrN/AAAB>
 
It looks like the user comes from localhost (127.0.0.1).
Do you have any process that is called spamd?
 
Code:
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<[email protected]>, size=5127, nrcpt=1 (queue active)
When you see "<SRS" at the start of the "from=" field content, this is normally either a message generated by an autoresponder entry or by a mail forwarding list. Normally, when spam comes in to a mailbox that has an autoresponder or forward activated, the spam will be answered or forwarded like this. It is normally nothing to worry about.

Code:
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kjvGS7uZEpp/AAAB>
is a login attempt from a user that has local access to the server but does not transmit a login name to the mail service. It could simply be a website that uses SMTP authentication to mail form input, however that is misconfigured (as the login name is missing). The first thing to do is to make sure that all the website forms that you are using are protected by a captcha, else bots will try to abuse them for spam. The second thing to check is where your forms that are using SMTP as a sending method are missing the login name.
 
Hi, I have the same localhost tries every 300s

Code:
2022-06-11 18:09:08    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/pp/AAAB>
2022-06-11 18:04:06    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>

I found that it's Watchdog. Is it normal?
 
Yes, it's normal.

Check your Watchdog settings: Extensions -> My Extensions -> Watchdog -> Preferences -> Polling interval (300 sec)
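The three log patterns the replies above distinguish (empty-user logins from 127.0.0.1 that recur at a fixed interval, failed IMAP/POP3 logins from outside addresses, and SRS-rewritten forwarded mail) can be separated mechanically. This is an added triage script, not code from the thread or from Plesk; the sample lines are constructed to resemble the excerpts above, the SRS address and the `lip` value are invented, and the 300-second check follows the Watchdog polling interval mentioned in the last reply.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's excerpts (not the poster's real data).
SAMPLE_LOG = """\
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<a/AAAB>
Dec 15 09:51:48 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<davidgarcia@example.com>, method=PLAIN, rip=112.26.80.46, lip=203.0.113.5, TLS, session=<b/AAAB>
Dec 15 09:54:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<c/AAAB>
Dec 15 09:54:20 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<davidgarcia@example.com>, method=PLAIN, rip=221.130.130.238, lip=203.0.113.5, TLS, session=<d/AAAB>
Dec 15 09:59:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<e/AAAB>
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<SRS0=x1y2=AB=example.com=info@example.com>, size=5127, nrcpt=1 (queue active)
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"(?P<msg>.*?): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+)")
# SRS0/SRS1 sender rewriting marks a forwarded or autoresponded copy, as the reply explains.
SRS_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<SRS[01]=")

def triage(log_text, year=2023, tolerance=5):
    """Split maillog lines into the three patterns discussed in the thread."""
    localhost_empty, external_failed, srs_forwards = [], {}, []
    for line in log_text.splitlines():
        m = SRS_RE.search(line)
        if m:                                   # forwarded mail, not an outbound spam run
            srs_forwards.append(m.group("qid"))
            continue
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if m.group("user") == "" and m.group("rip") == "127.0.0.1":
            localhost_empty.append((m.group("svc"), ts))   # no credentials sent at all
        elif "auth failed" in m.group("msg") and m.group("rip") != "127.0.0.1":
            external_failed[m.group("rip")] = external_failed.get(m.group("rip"), 0) + 1
    # Empty localhost logins at a fixed spacing (e.g. 300 s) match a monitor probe
    # such as Watchdog; irregular ones deserve a look at local scripts and web forms.
    interval = None
    pop3 = sorted(ts for svc, ts in localhost_empty if svc == "pop3")
    gaps = [(b - a).total_seconds() for a, b in zip(pop3, pop3[1:])]
    if gaps and max(gaps) - min(gaps) <= tolerance:
        interval = round(sum(gaps) / len(gaps))
    return {"localhost_empty": len(localhost_empty), "periodic_interval_s": interval,
            "external_auth_failed": external_failed, "srs_forwards": srs_forwards}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The external failed-login counts are what Fail2Ban's dovecot jail acts on; they are inbound guessing against a nonexistent mailbox, not evidence that the server itself is sending spam.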
 