• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Ip address spam emails sending suspicious

Tize

Basic Pleskian
Hello everyone, I added this command to the server and throws me an IP address listed as spam 80.82.64.102 Not my iP address.

Code:
tail -f /usr/local/psa/var/log/maillog

I would like to know how I can delete the server address please.

Captura de pantalla 2016-10-27 a las 21.18.59.png
 
Excuse me, but I did not understand your problem, the ip that you reported in the log is connected via POP3, regular access, you can give me some more details?
 
Excuse me, but I did not understand your problem, the ip that you reported in the log is connected via POP3, regular access, you can give me some more details?
Hello, some time ago my server was sending spam emails massively.
I solved and yesterday to put that code could see that it appeared that IP address to a particular domain.
Code:
tail -f /usr/local/psa/var/log/maillog
But as I can not give you more details, if you tell me I'll gladly send you more information.
Thank you very much for your help.
 
but from the logs that you have shown, there is no evidence of massive mailings, the IP server connected to the courier, shows this ip disconnect after downloading the mail (I suppose), but there is no evidence or connection with the attack earlier received, doing a whois ip of this turns out to be:

80.82.64.102

organization: ORG-QNL3-RIPE
org-name: Almost Networks LTD.
org-type: OTHER
Address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
Address: Victoria, Mahe, Seychelles

as you have connected this ip with the previous attack?
 
but from the logs that you have shown, there is no evidence of massive mailings, the IP server connected to the courier, shows this ip disconnect after downloading the mail (I suppose), but there is no evidence or connection with the attack earlier received, doing a whois ip of this turns out to be:

80.82.64.102

organization: ORG-QNL3-RIPE
org-name: Almost Networks LTD.
org-type: OTHER
Address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
Address: Victoria, Mahe, Seychelles

as you have connected this ip with the previous attack?


Hi, thanks for your message.
Maybe I did not explain well sorry for I speak Spanish and I can hardly express the same words in English.

Long ago my server sending spam and fixed it, for about a year and a half.

Now the problem is I looked and I find that IP address appears within my server and not know why.
Nor as I can erase it from there, it appears only when I enter that code I put above.

Thank you very much.
 
appears there because someone wants to connect to your server via pop3, you just have to figure out if the connection is allowed (that is, someone who is downloading mail), or unauthorized (some bots that try to make bruteforce), if your server must don't have connections because it is locked, then you can insert a rule in the firewall and make sure the ip reported, is blocked
 
appears there because someone wants to connect to your server via pop3, you just have to figure out if the connection is allowed (that is, someone who is downloading mail), or unauthorized (some bots that try to make bruteforce), if your server must don't have connections because it is locked, then you can insert a rule in the firewall and make sure the ip reported, is blocked


Hello, yesterday added in the Firewall CSF entire range of those IP addresses.

I put a lock on the IP address and the country to full seychels.

Do you think that this is enough?

I was a little scared because he does not know the IP address of single Suddenly there.

Thank you very much.
 
ooo, we finally figured out the problem, then you have entered in the firewall ip but continues to connect right?

Try to give this command to the server, and then check the logs if it appears again:

Code:
iptables -A INPUT -p tcp -m tcp --dport 110 -s 80.82.64.102 -j DROP

or

Code:
iptables -A INPUT -p tcp -m tcp --dport 110 -s 80.82.64.0/24 -j DROP

you have already tried to give this command ??


This block only port 110 (pop3), for all port you can try whit:

Code:
iptables -A INPUT  -s 80.82.64.0/24 -j DROP
 
Hi, thanks for your help.
I just realized this command and do nothing, is added and is already :p.
Maybe they're doing something behind without knowing it.

Captura de pantalla 2016-10-28 a las 11.34.29.png

I have CentOS release 6.5 (Final) :rolleyes::rolleyes:
 
Now I remember, I used the iptables start.
But I stopped using it to go to CSF because the latter can block countries.

Code:
nano /etc/csf/csf.conf

Thank you very much.
 
A million thanks for your help.

Here you can see I did what you told me yesterday from CSF

I will give as accepted your help, thank you very much friend.

Captura de pantalla 2016-10-28 a las 11.53.15.png
 
Back
Top