• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue I think my server is sending spam

Alaa Mansour

Basic Pleskian
Hello all

I'm trying to block all IPs that I don't recognize, although I'm using Fail2Ban, but I think that my server is compromised, I see this in the maillot file trying to reach inexistent users without IP:

Code:
Dec 15 09:49:19 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:41956 to port 783, fd 6
Dec 15 09:49:19 plesk spamd[101537]: prefork: child states: II
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<GISsK7qZSIZ/AAAB>
Dec 15 09:49:19 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<vJmsK7qZNJh/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<Fd6sK7qZWKl/AAAB>
Dec 15 09:49:19 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<qPKsK7qZqJ9/AAAB>
Dec 15 09:51:45 plesk dovecot_authdb_plesk[127099]: No such user '[email protected]' in mail authorization database
Dec 15 09:51:48 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=112.26.80.46, lip=217.160.13.50, TLS, session=$
Dec 15 09:54:17 plesk dovecot_authdb_plesk[127284]: No such user '[email protected]' in mail authorization database
Dec 15 09:54:20 plesk dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=221.130.130.238, lip=217.160$
Dec 15 09:54:21 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:41996 to port 783, fd 6
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=</MqtPbqZboZ/AAAB>
Dec 15 09:54:21 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<GOKtPbqZWph/AAAB>
Dec 15 09:54:21 plesk spamd[101537]: prefork: child states: II
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<RC+uPbqZfql/AAAB>
Dec 15 09:54:21 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<zEauPbqZzp9/AAAB>

how I can resolve this problem?
 
[email protected] is my email address, and it forward to [email protected]

I don't know who is DavidGarcia

Code:
Dec 15 11:08:27 plesk postfix/smtpd[33911]: warning: hostname static-BAFO-200-6-169-250.une.net.co does not resolve to address 200.6.169.250
Dec 15 11:08:27 plesk postfix/smtpd[33911]: connect from unknown[200.6.169.250]
Dec 15 11:08:28 plesk postfix/smtpd[33911]: C68905D3: client=unknown[200.6.169.250]
Dec 15 11:08:29 plesk postfix/cleanup[33917]: C68905D3: message-id=<[email protected]>
Dec 15 11:08:30 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:30 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:30 plesk check-quota[33922]: Starting the check-quota filter...
Dec 15 11:08:30 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:30 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:30 plesk spf[33923]: Starting the spf filter...
Dec 15 11:08:30 plesk spf[33923]: Error code: (2) Could not find a valid SPF record
Dec 15 11:08:30 plesk spf[33923]: Failed to query MAIL-FROM: Host 'spf.virtualtarget.com.br' not found.
Dec 15 11:08:31 plesk spf[33923]: SPF result: neutral
Dec 15 11:08:31 plesk spf[33923]: SPF status: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:31 plesk postfix/qmgr[56366]: C68905D3: from=<[email protected]>, size=3417, nrcpt=1 (queue active)
Dec 15 11:08:31 plesk postfix-local[33925]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Dec 15 11:08:31 plesk dk_check[33926]: Starting the dk_check filter...
Dec 15 11:08:31 plesk dk_check[33926]: DKIM verify result: DKIM Feed: No signature
Dec 15 11:08:31 plesk dmarc[33927]: Starting the dmarc filter...
Dec 15 11:08:31 plesk dmarc[33927]: DMARC: PASS message for [email protected]
Dec 15 11:08:31 plesk dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Dec 15 11:08:31 plesk postfix/smtpd[33911]: disconnect from unknown[200.6.169.250] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Dec 15 11:08:31 plesk plesk sendmail[33938]: handlers_stderr: PASS
Dec 15 11:08:31 plesk plesk sendmail[33938]: PASS during call 'limit-out' handler
Dec 15 11:08:31 plesk check-quota[33941]: Starting the check-quota filter...
Dec 15 11:08:31 plesk plesk sendmail[33938]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk plesk sendmail[33938]: SKIP during call 'check-quota' handler
Dec 15 11:08:31 plesk postfix/pickup[127270]: AF22088A: uid=30 from=<[email protected]>
Dec 15 11:08:31 plesk postfix/cleanup[33917]: AF22088A: message-id=<[email protected]>
Dec 15 11:08:31 plesk postfix/pipe[33924]: C68905D3: to=<[email protected]>, relay=plesk_virtual, delay=3.4, delays=2.9/0.01/0/0.5, dsn=2.0.0, status=sent (d$
Dec 15 11:08:31 plesk postfix/qmgr[56366]: C68905D3: removed
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:31 plesk check-quota[33947]: Starting the check-quota filter...
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:31 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:31 plesk spf[33948]: Starting the spf filter...
Dec 15 11:08:31 plesk spf[33948]: SPF result: pass
Dec 15 11:08:31 plesk spf[33948]: SPF status: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:31 plesk dk_sign[33949]: Starting the dk_sign filter...
Dec 15 11:08:31 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:31 plesk psa-pc-remote[56315]: PASS during call 'dd51-domainkeys' handler
Dec 15 11:08:31 plesk postfix/qmgr[56366]: AF22088A: from=<[email protected]>, size=4198, nrcpt=1 (queue active)
Dec 15 11:08:31 plesk postfix-local[33950]: postfix-local: [email protected], [email protected], dir$
Dec 15 11:08:31 plesk dk_check[33951]: Starting the dk_check filter...
Dec 15 11:08:31 plesk dk_check[33951]: DKIM verify result: Success
Dec 15 11:08:31 plesk dmarc[33952]: Starting the dmarc filter...
Dec 15 11:08:31 plesk dmarc[33952]: Store DKIM result for 'example.com' into DMARC library.
Dec 15 11:08:31 plesk dmarc[33952]: DMARC: PASS message for [email protected]
Dec 15 11:08:32 plesk plesk sendmail[33958]: handlers_stderr: PASS
Dec 15 11:08:32 plesk plesk sendmail[33958]: PASS during call 'limit-out' handler
Dec 15 11:08:32 plesk check-quota[33961]: Starting the check-quota filter...
Dec 15 11:08:32 plesk plesk sendmail[33958]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk plesk sendmail[33958]: SKIP during call 'check-quota' handler
Dec 15 11:08:32 plesk postfix/pickup[127270]: 2B842855: uid=30 from=<[email protected]>
Dec 15 11:08:32 plesk postfix/cleanup[33917]: 2B842855: message-id=<[email protected]>
Dec 15 11:08:32 plesk dovecot: service=lda, [email protected], ip=[]. sieve: msgid=<[email protected]>: redirect action: forwarded to$
Dec 15 11:08:32 plesk postfix/pipe[33924]: AF22088A: to=<[email protected]>, relay=plesk_virtual, delay=0.47, delays=0.22/0/0/0.25, dsn=2.0.0, status$
Dec 15 11:08:32 plesk postfix/qmgr[56366]: AF22088A: removed
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk psa-pc-remote[56315]: SKIP during call 'limit-out' handler
Dec 15 11:08:32 plesk check-quota[33968]: Starting the check-quota filter...
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: SKIP
Dec 15 11:08:32 plesk psa-pc-remote[56315]: SKIP during call 'check-quota' handler
Dec 15 11:08:32 plesk spf[33970]: Starting the spf filter...
Dec 15 11:08:32 plesk spf[33970]: SPF result: pass
Dec 15 11:08:32 plesk spf[33970]: SPF status: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: PASS during call 'spf' handler
Dec 15 11:08:32 plesk dk_sign[33971]: Starting the dk_sign filter...
Dec 15 11:08:32 plesk psa-pc-remote[56315]: handlers_stderr: PASS
Dec 15 11:08:32 plesk psa-pc-remote[56315]: PASS during call 'dd51-domainkeys' handler
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<[email protected]>, size=5127, nrcpt=1 (queue active)
Dec 15 11:08:33 plesk postfix/smtp[33972]: 2B842855: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=1.3, delays=0.24/0.01/0.31/$
Dec 15 11:08:33 plesk postfix/qmgr[56366]: 2B842855: removed
Dec 15 11:09:52 plesk spamd[101538]: spamd: connection from 127.0.0.1 [127.0.0.1]:47022 to port 783, fd 6
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kjvGS7uZEpp/AAAB>
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<wVDGS7uZ/qt/AAAB>
Dec 15 11:09:52 plesk spamd[101537]: prefork: child states: II
Dec 15 11:09:52 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<jZjGS7uZIr1/AAAB>
Dec 15 11:09:52 plesk dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<VanGS7uZcrN/AAAB>
 
It looks like that the user come from localhost (127.0.0.1.
Do you have any process that is called spamd?
 
Code:
Dec 15 11:08:32 plesk postfix/qmgr[56366]: 2B842855: from=<[email protected]>, size=5127, nrcpt=1 (queue active)
when you see the "<SRS" starting the "from=" field content, this is normally either a message generated by an autoresponder entry or by a mail forwarding list. Normally, when spam comes in to a mailbox that has an autoresponder or forward activated, the spam will be answered or forwarded like this. It is normally nothing to worry about.

Code:
Dec 15 11:09:52 plesk dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<kjvGS7uZEpp/AAAB>
is a login attempt from a user that has local access to the server but does not transmit a login name to the mail service. It could simply be a website that uses SMTP authentication to mail form input, however that is misconfigured (as the login name is missing). The first thing to do is to make sure that all the website forms that you are using are protected by a captcha, else bots will try to abuse them for spam. The second thing to check is where your forms that are using SMTP as a sending method are missing the login name.
 
Hi, I have the same localhost tries every 300s

Code:
2022-06-11 18:09:08    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:09:08    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    imap-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>
2022-06-11 18:04:06    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<***/pp/AAAB>
2022-06-11 18:04:06    dovecot    pop3-login: Disconnected: Aborted login by logging out (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<***/AAAB>

I Found that its WatchDog. it is normal?
 
Yes, it's normal.

Check your Watchdog settings: Extensions -> My Extensions -> Watchdog -> Preferences -> Polling interval (300 sec)
 
Last edited:
Back
Top