
need help stopping spam

mdafforn

New Pleskian
I think my server is being used as a relay, but I am not sure how. I did the normal checks:

mail from:[email protected]
rcpt to: [email protected]
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

but when I look at the qmail queue, it is sourcing from foreign addresses (names have been changed):

Received: (qmail 13487 invoked from network); 7 Mar 2013 12:04:49 -0600
Received: from 114-39-95-219.dynamic.hinet.net (HELO gooddomain.com) (114.xx.xx.xxx)
  by hostname.server.net with ESMTPA; 7 Mar 2013 12:04:48 -0600
Message-ID:
Date: Thu, 07 Mar 2013 19:04:49 +0100
From: "[email protected]"
X-Accept-Language: en-us
MIME-Version: 1.0
To:
Cc: ,

I think my server is being used as a relay, but I am not sure how. I did the normal checks:

mail from:[email protected]
rcpt to: [email protected]
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

This is saying that someone is trying to relay, but is failing.
It is possible that you have multiple groups of bad guys all trying to use your server to send email. These ones are failing.

But others may be succeeding:

Received: (qmail 13487 invoked from network); 7 Mar 2013 12:04:49 -0600
Received: from 114-39-95-219.dynamic.hinet.net (HELO gooddomain.com) (114.xx.xx.xxx)
  by hostname.server.net with ESMTPA; 7 Mar 2013 12:04:48 -0600
Message-ID:
Date: Thu, 07 Mar 2013 19:04:49 +0100
From: "[email protected]"
X-Accept-Language: en-us
MIME-Version: 1.0
To:
Cc: ,


Is the To/CC to a domain NOT on your server?
Is the server then sending these out?

If it is, then what's likely to be happening is that the bad guys have guessed or otherwise obtained the username and password for a user on your system ([email protected] more likely) and are sending email via authenticated SMTP.
I cannot tell for sure based on what you have said though.

You should see entries in the mail log showing a connection from a bad IP, followed by login succeeded, and lots and lots of emails being sent out from [email protected].

1) change the password for this user
2) restart qmail
3) delete all the bad mail in your queue (e.g. use qmhandle.pl if using qmail)
4) Check the maillog. You should see lots of failed authentication attempts.

For additional logging information, you may also want to look here: http://kb.parallels.com/en/112316
Using DEBUG_LOGIN=1 in BOTH the files suggested may be helpful. You could even try DEBUG_LOGIN=2, but be aware that passwords will be written into the logs, and this is a potential security issue if, for any reason, the bad guys are able to read your logs at any point.
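The triage the reply describes (is the queue full of authenticated submissions for one of our accounts, arriving from outside hosts that HELO as our own domain?), as an added Python example that is not code from either post. The queued-message headers below are constructed and modelled on the ones quoted in the thread; the domain, addresses and IPs are placeholders, and `triage` and `suspicious_senders` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample of queued-message headers, modelled on the ones quoted in
# the thread. Hosts, addresses and IPs are placeholders, not observed data.
QUEUE_SAMPLE = [
    'Received: from 192-0-2-1.dynamic.isp.example (HELO gooddomain.com) (192.0.2.1)\n'
    '  by hostname.server.net with ESMTPA; 7 Mar 2013 12:04:48 -0600\n'
    'From: "sales@gooddomain.com"\nTo: someone@elsewhere.example',
    'Received: from 198-51-100-7.dyn.isp.example (HELO gooddomain.com) (198.51.100.7)\n'
    '  by hostname.server.net with ESMTPA; 7 Mar 2013 12:05:10 -0600\n'
    'From: "sales@gooddomain.com"\nTo: other@elsewhere.example',
    'Received: from mail.partner.example (HELO mail.partner.example) (203.0.113.5)\n'
    '  by hostname.server.net with ESMTP; 7 Mar 2013 12:06:00 -0600\n'
    'From: "bob@partner.example"\nTo: sales@gooddomain.com',
]

# qmail-style Received line: "from <rdns> (HELO <helo>) (<ip>) by <server> with <proto>;"
RECEIVED_RE = re.compile(
    r'Received: from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[^)]+)\)\s+'
    r'by (?P<server>\S+) with (?P<proto>\S+);'
)
FROM_RE = re.compile(r'^From:\s*"?([^"\s]+)"?', re.M)

def triage(messages, local_domains):
    """Group authenticated submissions (protocol ending in 'A', e.g. ESMTPA) by
    From address; record the distinct client IPs and how often the client
    HELOed as one of our domains from a host that is not ours."""
    by_sender = defaultdict(lambda: {'count': 0, 'ips': set(), 'helo_spoof': 0})
    for msg in messages:
        rcv, frm = RECEIVED_RE.search(msg), FROM_RE.search(msg)
        if not rcv or not frm:
            continue  # not a header block we understand; leave it for manual review
        if not rcv.group('proto').endswith('A'):
            continue  # plain inbound delivery, not an authenticated relay
        rec = by_sender[frm.group(1)]
        rec['count'] += 1
        rec['ips'].add(rcv.group('ip'))
        helo_local = any(rcv.group('helo').endswith(d) for d in local_domains)
        rdns_local = any(rcv.group('rdns').endswith(d) for d in local_domains)
        if helo_local and not rdns_local:
            rec['helo_spoof'] += 1
    return dict(by_sender)

def suspicious_senders(messages, local_domains, max_ips=1):
    """Accounts that authenticated from more than max_ips distinct client IPs:
    the first candidates for a password change and queue cleanup."""
    report = triage(messages, local_domains)
    return sorted(s for s, r in report.items() if len(r['ips']) > max_ips)
```

Run it over the headers dumped from your own queue (qmHandle can print them) and compare the flagged accounts with the login-succeeded lines in the maillog.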
 