
Question: IP address sending suspicious spam emails

Tize

Basic Pleskian
Hello everyone, I added this command to the server and it throws me an IP address listed as spam: 80.82.64.102. Not my IP address.

Code:
tail -f /usr/local/psa/var/log/maillog

I would like to know how I can delete the server address, please.

(attached screenshot: Captura de pantalla 2016-10-27 a las 21.18.59.png)
 
Excuse me, but I did not understand your problem. The IP that you reported in the log is connected via POP3, regular access. Can you give me some more details?
 
Hello, some time ago my server was sending spam emails massively.
I solved it, and yesterday, when I entered that command, I could see that that IP address appeared for a particular domain.
Code:
tail -f /usr/local/psa/var/log/maillog
But I am not sure what other details to give you; if you tell me, I'll gladly send you more information.
Thank you very much for your help.
 
But from the logs that you have shown, there is no evidence of mass mailings. The IP connected to the server's Courier service, and the log shows this IP disconnecting after downloading the mail (I suppose), but there is no evidence of a connection with the attack you received earlier. Doing a whois on this IP turns out to be:

80.82.64.102

organization: ORG-QNL3-RIPE
org-name: Almost Networks LTD.
org-type: OTHER
Address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
Address: Victoria, Mahe, Seychelles

How have you connected this IP with the previous attack?
 

Hi, thanks for your message.
Maybe I did not explain well; sorry, I speak Spanish and I can hardly express the same words in English.

Long ago my server was sending spam and I fixed it, about a year and a half ago.

Now the problem is that I looked and I find that IP address appears within my server and I don't know why.
Nor do I know how I can erase it from there; it appears only when I enter that command I put above.

Thank you very much.
 
It appears there because someone wants to connect to your server via POP3. You just have to figure out if the connection is allowed (that is, someone who is downloading mail) or unauthorized (some bot that is trying to brute-force). If your server must not have connections because it is locked, then you can insert a rule in the firewall and make sure the reported IP is blocked.
 

Hello, yesterday I added the entire range of those IP addresses in the CSF firewall.

I put a block on the IP address and on the whole country of Seychelles.

Do you think that this is enough?

I was a little scared because I do not know that IP address, and suddenly it was there.

Thank you very much.
 
Ooh, we finally figured out the problem. So you have entered the IP in the firewall but it continues to connect, right?

Try giving this command to the server, and then check the logs to see if it appears again:

Code:
iptables -A INPUT -p tcp -m tcp --dport 110 -s 80.82.64.102 -j DROP

or

Code:
iptables -A INPUT -p tcp -m tcp --dport 110 -s 80.82.64.0/24 -j DROP

Have you already tried giving this command?


This blocks only port 110 (POP3); for all ports you can try with:

Code:
iptables -A INPUT -s 80.82.64.0/24 -j DROP
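The earlier reply asks the poster to decide whether the POP3 connections from that IP are an authorised mail client downloading mail or a bot brute-forcing logins, and this reply gives the DROP rule format for addresses that turn out to be hostile. The following is an added Python example, not code from the thread or from Plesk, that does that triage over Courier pop3d lines of the kind found in /usr/local/psa/var/log/maillog and emits rules in the same format as the commands above. The sample log lines are constructed (the 80.82.64.102 address is the one from the thread; 203.0.113.7 is a documentation address standing in for a legitimate client), and the Courier line format, the failure threshold of 3 and the function names are the example's own assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines in Courier pop3d's maillog format (the format Plesk's
# /usr/local/psa/var/log/maillog uses); none of these are taken from the thread.
# 80.82.64.102 is the address from the thread; 203.0.113.7 is a documentation
# address standing in for a legitimate mail client.
SAMPLE_MAILLOG = """\
Oct 27 21:15:02 srv pop3d: Connection, ip=[::ffff:80.82.64.102]
Oct 27 21:15:03 srv pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:80.82.64.102]
Oct 27 21:15:04 srv pop3d: Connection, ip=[::ffff:80.82.64.102]
Oct 27 21:15:05 srv pop3d: LOGIN FAILED, user=admin@example.com, ip=[::ffff:80.82.64.102]
Oct 27 21:15:06 srv pop3d: Connection, ip=[::ffff:80.82.64.102]
Oct 27 21:15:07 srv pop3d: LOGIN FAILED, user=test@example.com, ip=[::ffff:80.82.64.102]
Oct 27 21:16:00 srv pop3d: Connection, ip=[::ffff:203.0.113.7]
Oct 27 21:16:01 srv pop3d: LOGIN, user=juan@example.com, ip=[::ffff:203.0.113.7]
Oct 27 21:16:02 srv pop3d: LOGOUT, user=juan@example.com, ip=[::ffff:203.0.113.7], top=0, retr=2, rcvd=40, sent=5120, time=1
"""

# One pop3d event per line: the event keyword, an optional user, and the client
# IP. Courier logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); the prefix
# is stripped so the IP matches what iptables expects.
LINE_RE = re.compile(
    r"pop3d: (?P<event>Connection|LOGIN FAILED|LOGIN|LOGOUT)"
    r"(?:, user=(?P<user>[^,\s]+))?, ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)


def parse_pop3_events(text):
    """Return (ip, event, user) tuples for every pop3d line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("event"), m.group("user")))
    return events


def summarize_by_ip(text):
    """Count connections, failed and successful logins, and distinct usernames tried, per IP."""
    stats = defaultdict(lambda: {"connections": 0, "failed": 0, "logins": 0, "users": set()})
    for ip, event, user in parse_pop3_events(text):
        s = stats[ip]
        if event == "Connection":
            s["connections"] += 1
        elif event == "LOGIN FAILED":
            s["failed"] += 1
            s["users"].add(user)
        elif event == "LOGIN":
            s["logins"] += 1
            s["users"].add(user)
    return dict(stats)


def classify(ip_stats, fail_threshold=3):
    """Assumed heuristic: only failures above the threshold looks like a bot;
    only successes looks like a real mail client; anything else needs a human."""
    if ip_stats["logins"] == 0 and ip_stats["failed"] >= fail_threshold:
        return "probable brute force"
    if ip_stats["logins"] > 0 and ip_stats["failed"] == 0:
        return "authorised mail client"
    return "review manually"


def triage(text, fail_threshold=3):
    """Map each client IP seen in the log to a verdict."""
    return {ip: classify(s, fail_threshold) for ip, s in summarize_by_ip(text).items()}


def drop_rules(text, fail_threshold=3):
    """Emit an iptables DROP rule, in the format used in this thread, for each
    IP classified as brute force. Rules are returned, not applied."""
    return [
        f"iptables -A INPUT -s {ip} -j DROP"
        for ip, verdict in triage(text, fail_threshold).items()
        if verdict == "probable brute force"
    ]


def main(argv):
    # Usage: python pop3_triage.py [/usr/local/psa/var/log/maillog]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_MAILLOG
    for ip, s in summarize_by_ip(text).items():
        print(f"{ip}: conn={s['connections']} failed={s['failed']} ok={s['logins']} "
              f"users={len(s['users'])} -> {classify(s)}")
    for rule in drop_rules(text):
        print(rule)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the live maillog to get one line per client IP; a distinct-users count well above one with no successful login is the signature of a bot cycling through mailbox names, whereas a real client logs in as one user and then logs out. The printed rules are only suggestions to review before applying, and a rule added with `iptables -A` does not survive a reboot unless it is saved or, as the poster ended up doing, entered through CSF.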
 
Hi, thanks for your help.
I just ran this command and it does nothing; it is added and that's it :p.
Maybe they're doing something behind the scenes without my knowing it.

(attached screenshot: Captura de pantalla 2016-10-28 a las 11.34.29.png)

I have CentOS release 6.5 (Final) :rolleyes::rolleyes:
 
Now I remember, I used iptables at the start.
But I stopped using it to go to CSF because the latter can block countries.

Code:
nano /etc/csf/csf.conf

Thank you very much.
 
A million thanks for your help.

Here you can see I did what you told me yesterday from CSF.

I will mark your help as accepted; thank you very much, friend.

(attached screenshot: Captura de pantalla 2016-10-28 a las 11.53.15.png)
 