
Issue: My server sends spam... help

Gorgo126

New Pleskian
Hello,

I have an Ubuntu 16.04 server with the latest Plesk.

In my maillog file I see this:

--------------------------------------------------------------------------------------
Aug 3 10:44:18 vps189894 postfix/smtpd[20387]: warning: unknown[181.214.206.7]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:44:19 vps189894 postfix/smtpd[20387]: disconnect from unknown[181.214.206.7] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Aug 3 10:44:33 vps189894 postfix/smtpd[25144]: connect from unknown[181.214.206.132]
Aug 3 10:44:38 vps189894 plesk_saslauthd[27359]: No such user '[email protected]' in mail authorization database
Aug 3 10:44:38 vps189894 plesk_saslauthd[27359]: failed mail authentication attempt for user '[email protected]' (password len=4)
Aug 3 10:44:38 vps189894 postfix/smtpd[25144]: warning: unknown[181.214.206.132]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:44:39 vps189894 postfix/smtpd[25144]: disconnect from unknown[181.214.206.132] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Aug 3 10:44:42 vps189894 postfix/smtpd[27301]: connect from unknown[181.214.206.7]
Aug 3 10:44:52 vps189894 plesk_saslauthd[27359]: No such user '[email protected]' in mail authorization database
Aug 3 10:44:52 vps189894 plesk_saslauthd[27359]: failed mail authentication attempt for user '[email protected]' (password len=7)
Aug 3 10:44:52 vps189894 postfix/smtpd[27301]: warning: unknown[181.214.206.7]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:45:02 vps189894 postfix/smtpd[20387]: connect from unknown[181.214.206.132]
Aug 3 10:45:03 vps189894 postfix/smtpd[25144]: connect from unknown[185.36.81.46]
Aug 3 10:45:04 vps189894 plesk_saslauthd[27359]: failed mail authentication attempt for user 'webdesigner' (password len=10)
Aug 3 10:45:04 vps189894 postfix/smtpd[25144]: warning: unknown[185.36.81.46]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:45:04 vps189894 postfix/smtpd[25144]: lost connection after AUTH from unknown[185.36.81.46]
Aug 3 10:45:04 vps189894 postfix/smtpd[25144]: disconnect from unknown[185.36.81.46] ehlo=1 auth=0/1 commands=1/2
Aug 3 10:45:06 vps189894 plesk_saslauthd[27359]: No such user '[email protected]' in mail authorization database
Aug 3 10:45:06 vps189894 plesk_saslauthd[27359]: failed mail authentication attempt for user '[email protected]' (password len=4)
Aug 3 10:45:06 vps189894 postfix/smtpd[20387]: warning: unknown[181.214.206.132]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:45:07 vps189894 postfix/smtpd[20387]: disconnect from unknown[181.214.206.132] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Aug 3 10:45:30 vps189894 postfix/smtpd[25144]: connect from unknown[181.214.206.132]
Aug 3 10:45:36 vps189894 plesk_saslauthd[27359]: select timeout, exiting
Aug 3 10:45:42 vps189894 plesk_saslauthd[27411]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Aug 3 10:45:42 vps189894 plesk_saslauthd[27411]: privileges set to (113:118) (effective 113:118)
Aug 3 10:45:42 vps189894 plesk_saslauthd[27411]: No such user '[email protected]' in mail authorization database
Aug 3 10:45:42 vps189894 plesk_saslauthd[27411]: failed mail authentication attempt for user '[email protected]' (password len=4)
Aug 3 10:45:42 vps189894 postfix/smtpd[25144]: warning: unknown[181.214.206.132]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:46:12 vps189894 plesk_saslauthd[27411]: select timeout, exiting
Aug 3 10:48:17 vps189894 postfix/smtpd[27501]: connect from unknown[185.36.81.46]
Aug 3 10:48:18 vps189894 plesk_saslauthd[27503]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Aug 3 10:48:18 vps189894 plesk_saslauthd[27503]: privileges set to (113:118) (effective 113:118)
Aug 3 10:48:18 vps189894 plesk_saslauthd[27503]: failed mail authentication attempt for user 'webmail' (password len=10)
Aug 3 10:48:18 vps189894 postfix/smtpd[27501]: warning: unknown[185.36.81.46]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:48:19 vps189894 postfix/smtpd[27501]: lost connection after AUTH from unknown[185.36.81.46]
Aug 3 10:48:19 vps189894 postfix/smtpd[27501]: disconnect from unknown[185.36.81.46] ehlo=1 auth=0/1 commands=1/2
Aug 3 10:48:48 vps189894 plesk_saslauthd[27503]: select timeout, exiting
--------------------------------------------------------------------------------------


This began 3 days ago and I don't know how to proceed to resolve this problem...
I just activated the postfix jail under Fail2Ban but the issue continues...


Can someone help me?

Thanks a lot !

Oliver.
 
Well, why do you believe your server sends spam?

From the log snippet I can see "only" failed login attempts, which fail, and that is more or less "normal" behavior on a mail server.

So you activated Fail2Ban, which is good, but have you also checked that it works and the IPs get blocked? There are several topics about Fail2Ban and tweaks here in the forum.
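To check what the maillog actually says before trusting a jail, here is an added example (not code from the thread, from Plesk or from Fail2Ban) that does the same kind of counting a Fail2Ban postfix-sasl jail does: it extracts every SASL authentication failure with its client IP, counts failures per IP, lists the usernames that were tried, and reports which IPs reach `maxretry` failures inside a `findtime` window. The sample log is a constructed subset of the lines quoted above; the `maxretry` and `findtime` defaults and the regular expressions are this example's own assumptions, not Plesk's jail configuration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the maillog lines quoted in the thread, with one
# unrelated "connect from" line kept as noise so the filters have something to ignore.
SAMPLE_MAILLOG = """\
Aug 3 10:44:18 vps189894 postfix/smtpd[20387]: warning: unknown[181.214.206.7]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:44:33 vps189894 postfix/smtpd[25144]: connect from unknown[181.214.206.132]
Aug 3 10:44:38 vps189894 postfix/smtpd[25144]: warning: unknown[181.214.206.132]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:44:52 vps189894 postfix/smtpd[27301]: warning: unknown[181.214.206.7]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:45:04 vps189894 plesk_saslauthd[27359]: failed mail authentication attempt for user 'webdesigner' (password len=10)
Aug 3 10:45:04 vps189894 postfix/smtpd[25144]: warning: unknown[185.36.81.46]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:45:06 vps189894 postfix/smtpd[20387]: warning: unknown[181.214.206.132]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:45:42 vps189894 postfix/smtpd[25144]: warning: unknown[181.214.206.132]: SASL LOGIN authentication failed: authentication failure
Aug 3 10:48:18 vps189894 plesk_saslauthd[27503]: failed mail authentication attempt for user 'webmail' (password len=10)
Aug 3 10:48:18 vps189894 postfix/smtpd[27501]: warning: unknown[185.36.81.46]: SASL LOGIN authentication failed: authentication failure
"""

# Matches the same line shape a postfix-sasl jail keys on: the client IP sits in the
# square brackets after the (possibly "unknown") reverse name. Assumed pattern.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)
# plesk_saslauthd logs the attempted username separately from the smtpd failure line.
SASL_USER = re.compile(
    r"plesk_saslauthd\[\d+\]: failed mail authentication attempt for user '(?P<user>[^']+)'"
)


def _parse_ts(ts):
    # syslog timestamps carry no year; the default year 1900 is fine for relative windows
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_failures(log_text):
    """Return [(timestamp, ip)] for every SASL authentication failure in the log."""
    out = []
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            out.append((_parse_ts(m.group("ts")), m.group("ip")))
    return out


def failures_per_ip(log_text):
    """Total SASL failures per client IP."""
    return Counter(ip for _, ip in parse_failures(log_text))


def attempted_users(log_text):
    """Usernames tried by the clients, in log order (useful to spot dictionary runs)."""
    users = []
    for line in log_text.splitlines():
        m = SASL_USER.search(line)
        if m:
            users.append(m.group("user"))
    return users


def offenders(log_text, maxretry=5, findtime=600):
    """IPs that reach `maxretry` failures inside any `findtime`-second window, the
    same decision a Fail2Ban jail makes. Returns {ip: peak failures in a window}."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it covers at most `findtime` seconds
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            result[ip] = peak
    return result


if __name__ == "__main__":
    print("failures per IP:", dict(failures_per_ip(SAMPLE_MAILLOG)))
    print("usernames tried:", attempted_users(SAMPLE_MAILLOG))
    print("would be banned (maxretry=3, findtime=600s):",
          offenders(SAMPLE_MAILLOG, maxretry=3, findtime=600))
```

Run it against the real file with `offenders(open("/var/log/maillog").read(), ...)` using the jail's own `maxretry` and `findtime` values, then compare the result with `fail2ban-client status <jail>`: an IP that the script flags but the jail never banned means the filter regex or the log path in the jail is wrong. Note that a client which spaces its attempts minutes apart (as 185.36.81.46 does in the sample) never reaches the threshold inside one window, so a jail working exactly as configured can still ban only some of the noisy sources; that is not by itself evidence that the server is sending spam.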
 
Yes, I know it is strange, because in the log we see only attempts... When I activated the Fail2Ban jail, it banned only 2 IPs... (181.214.206.132 and 181.214.206.7)

And I'm blacklisted on different services like Spamhaus... I sent mail to Spamhaus and they told me this:

-----------------------------------------------
Hello,

A machine using that IP is infected and sending spam:

srcip: 139.99.198.6
from: [email protected]
Subject: Sara
date: 2018-07-20
bodyurl: http://space-love[.]space/loverss


Please disinfect and secure all devices at that address. For more
information see http://www.abuseat.org/lookup.cgi. CSS listings expire
automatically a few days after last spam detection.
---------------------------------------------------
 
@Gorgo126

Actually, this is quite common when you use OVH, a hosting provider that does not really have a good reputation (in every way imaginable).

Considering moving your VPS to another hosting provider would be the first step, in my humble opinion.

Nevertheless, your domains are also associated with spam... and that requires some work from your side to prevent this in the future.

Spamhaus associates the spam with the IP 139.99.198.6, which is an OVH IP address.

You can start with the Plesk Firewall extension and block both incoming and outgoing traffic by blocking this specific IP address.

Note: block (incoming and outgoing) traffic on ALL ports!

In addition, block the IP range 181.214.206.0/24 for incoming traffic (on all ports), in order to stop (on the one hand) those annoying login attempts and (on the other hand) to keep Fail2Ban from working too hard (since Fail2Ban is very memory hungry, and Fail2Ban can also stop a firewall on the VPS from working properly!!).

Note: this IP range is bad anyway, so you would not miss a thing.

Finally, do a check on mxtoolbox.com and try to find out by which DNSBL you are blocked: contact them and explain that you are not responsible for the spam, so those DNSBLs can get you off the lists (and let you gain some good mail reputation again).

After all, your VPS box is probably not affected by some hack, it is probably some other VPS within the OVH network that has been hacked and/or is used for spam.

Again, there you have the reason to consider another hosting provider: OVH is not very careful when it concerns (good or malicious) traffic within the network, which often causes a lot of problems for those customers running a server at OVH.

Hope the above helps a bit...

... kind regards!
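The mxtoolbox check above is a plain DNSBL lookup, which can be scripted so the listing status can be re-checked after a delisting request. The following is an added example, not code from the thread or from Spamhaus/mxtoolbox: it builds the reversed-octet query name for an IPv4 address (RFC 5782 style), resolves it, and treats only a 127.0.0.x answer as a listing. The `resolver` parameter is this example's own design so it can be exercised offline; the stub answers used in the usage note are constructed.

```python
import ipaddress
import socket

# Zones to query. zen.spamhaus.org is the real combined Spamhaus list; add the other
# zones mxtoolbox reports for your IP (list contents are an assumption of this example).
DNSBL_ZONES = ["zen.spamhaus.org"]

# Spamhaus signals lookup problems with 127.255.255.x answers (e.g. 127.255.255.254 when
# the query came through a public/open resolver); those are errors, not listings.
ERROR_PREFIX = "127.255.255."


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 139.99.198.6 -> 6.198.99.139.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _default_resolver(name):
    """Resolve an A record; None means NXDOMAIN/lookup failure, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zones=DNSBL_ZONES, resolver=_default_resolver):
    """Return {zone: answer} for every zone that lists the IP.

    A 127.0.0.x answer is a listing (on zen.spamhaus.org 127.0.0.3 is the CSS listing
    the Spamhaus reply in the thread refers to). Error codes and unexpected answers
    are reported separately so a resolver problem is not mistaken for "not listed".
    """
    listed, errors = {}, {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if answer.startswith(ERROR_PREFIX) or not answer.startswith("127."):
            errors[zone] = answer
        else:
            listed[zone] = answer
    if errors:
        raise RuntimeError("DNSBL lookup errors: %r" % errors)
    return listed


if __name__ == "__main__":
    # Live lookup of the IP named in the Spamhaus reply (needs network and a
    # non-public resolver for Spamhaus zones).
    print(check_dnsbl("139.99.198.6"))
```

To test the logic without network, pass a stub such as `lambda name: {"6.198.99.139.zen.spamhaus.org": "127.0.0.3"}.get(name)` as `resolver`; the function then reports the zen listing and ignores zones the stub has no entry for. A 127.255.255.254 answer raises instead of returning an empty result, because that is exactly the case where a script run from a VPS using a public resolver would otherwise report "clean" for an IP that is still listed.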
 