
Need smtp-auth logging

Discussion in 'Plesk for Linux - 8.x and Older' started by datux, May 23, 2008.

  1. datux

    datux Guest

    Hi Admins,
    A few days ago somebody among my registered users flooded the Plesk server with spam mails, and I wasn't able to see in the mail log which user the mails came from.
    Here is one line from the maillog to show the problem:
    smtp_auth: smtp_auth: SMTP user : logged in from null)@mnch-4db15d82.pool.einsundeins.de [IP ADRESS]
    There is no username logged.
    My system is SuSE 10.1 and Plesk is the latest version.

    Can anybody show me a way to get a log of the smtp-auth logins?

    Many thanks
  2. Alexiznn

    Alexiznn Guest

    Have the same problem.
  3. Alexiznn

    Alexiznn Guest

    What does it mean: NULL smtp user?
  4. dash

    dash Regular Pleskian Staff Member

    It's a confirmed bug which will be fixed in the Plesk 8.4.1 patch.
    Thanks for the report.
  5. mr_c

    mr_c Guest

    I am having this same problem on my Plesk servers. Where is the bug report where this is confirmed?
  6. mouse

    mouse Guest

    Null logins used to create spam

    I have been plagued by several spammers / spam bots that have been injecting spam into qmail via a null user login.

    # cat /usr/local/psa/var/log/maillog |grep null
    Jun 17 09:02:46 penguin4 smtp_auth: SMTP connect from (null)@ []
    Jun 17 09:02:46 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@ []

    I have spent a lot of time researching this over the last month and believe I may have an answer for those that want to stop this before the 8.4.1 patch.

    Let me continue with a bit more information before I give the conclusion.

    Plesk Control Panel version
    psa v8.4.0_build84080514.18 os_FedoraCore 6
    Operating system
    GenuineIntel, Intel(R) Xeon(R)CPU 5130 @ 2.00GHz
    Linux 2.6.18-1.2798.fc6

    My first move was to add the domain 163data.com.cn to the blacklist.
    I have never seen anything but spam come from 163data anyway.
    So I thought all was solved for the server, until the next day when, sure enough, hundreds more spam came from 163data.com.cn.
    So the next step was to add

    ALL: .163data.com.cn : DENY
    to /etc/hosts.allow
    This was sure to get these buggers.

    Well, come the next few days things seemed ok,
    then bam! They were back again and they sure had me baffled,
    so this had to be a user or internal, was my thought,
    at which point I looked at the smtp-auth, discovered the null logins
    and also noticed that they were using my reverse DNS names as the sender's name.
    I thought this curious and noted that this was a way to get through the hosts.allow block.
    I proceeded to recreate how they were getting through, and sure enough a simple

    telnet MYDOMAIN.com 25
    smtp_auth: AUTH XXX@reverse.DNSname.com
    smtp_auth: PASS (null)

    got me through.
    WOW, how could this be?

    I tried removing the reverse DNS in the thought that relaylock would pick it up
    (NOPE, didn't work).
    I was so frustrated that I decided to move all the server IPs in the hope of at least tracking why (really didn't want to do this).
    It was when I got to the point of actually moving the IPs that I noticed one common denominator.
    The IPs that they were using for the names (reverse DNS names) had NO SITES ON THEM.
    I had added a block of IPs in preparation for several server migration moves and never needed all of them, but just left them in place for future additions.

    At this point I have removed the unused ones and added a site to the one they picked on the most.
    - After 3 days I see their failed null attempts, but the spam is gone.
    Hope this helps.

    Jerry The Mouse
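As an added example (not code from this thread or from Plesk), the following Python script parses the two smtp_auth maillog shapes quoted above and counts the anonymous "(null)" logins per source, so an admin can see which hosts are exploiting the missing-username bug before the patch lands. The sample log lines are constructed for the example, and the post-fix line format (login name before the colon) is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the maillog entries quoted in this thread:
# the buggy pre-8.4.1 "(null)" form and an assumed post-fix form with the login name.
SAMPLE_MAILLOG = """\
Jun 17 09:02:46 penguin4 smtp_auth: SMTP connect from (null)@ []
Jun 17 09:02:46 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@mnch-4db15d82.pool.example.net [192.0.2.10]
Jun 17 09:03:01 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@mnch-4db15d82.pool.example.net [192.0.2.10]
Jun 17 09:05:12 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host.example.org [198.51.100.7]
Jun 17 09:06:30 penguin4 smtp_auth: SMTP user bob@example.com : logged in from relay.example.com [203.0.113.5]
Jun 17 09:07:00 penguin4 smtp_auth: SMTP user alice@example.com : logged in from relay.example.com [203.0.113.5]
"""

# One pattern covers both shapes: an optional doubled "smtp_auth:" prefix, an
# optional login name before the colon, and an optional "(null)@" before the host.
LOGIN_RE = re.compile(
    r"smtp_auth: (?:smtp_auth: )?SMTP user\s*(?P<user>[^:]*?)\s*: logged in from "
    r"(?:(?P<from>[^@\s]*)@)?(?P<host>\S*) \[(?P<ip>[^\]]*)\]"
)


def parse_smtp_auth_logins(log_text):
    """Return one dict per successful smtp_auth login found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # "SMTP connect" lines and unrelated entries are skipped
        user = m.group("user") or ""
        events.append({
            "user": user,
            # A login is anonymous when the server recorded no usable account name
            "null_login": user == "" or m.group("from") == "(null)",
            "host": m.group("host"),
            "ip": m.group("ip"),
        })
    return events


def null_logins_by_source(events):
    """Count anonymous logins per (reverse DNS name, IP) so noisy sources stand out."""
    return Counter((e["host"], e["ip"]) for e in events if e["null_login"])


if __name__ == "__main__":
    evts = parse_smtp_auth_logins(SAMPLE_MAILLOG)
    for (host, ip), n in null_logins_by_source(evts).most_common():
        print(f"{n:4d} null logins from {host or '<no rDNS>'} [{ip or '<no IP>'}]")
```

Feed it the real file with `parse_smtp_auth_logins(open('/usr/local/psa/var/log/maillog').read())`; once the fix is installed, the named-user lines let you map the abuse to a specific mailbox instead of only a source host.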
  7. orison316

    orison316 Guest

    Can you explain what exactly you did to the server to stop this? I deleted all of my excess IP addresses and have sites on the others, but I am still plagued by this. I have even installed spamdyke, but I need some more direction on how to stop the madness.
  9. Paul D.

    Paul D. Guest

    Still not resolved?

    It was supposed to be resolved in version 8.4.1, but it is still an issue even though I'm on version 8.6. Any news on this?
  10. ptrost

    ptrost Guest

    This was indeed fixed in 8.6. After my upgrade to 8.6 I started seeing "smtp_auth: SMTP user <login here>" in my maillog. If you grep for smtp_auth in your maillog, what kind of entries are you seeing?
  11. Scott Mehaffey

    Scott Mehaffey Guest

    Bam! This was the fix for me after 48 hours of headaches.

    Nice work here.