• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Need smtp-auth logging

D

datux

Guest
Hi Admins,
a few days before somebody of my registered Users floaded the plesk server with spam mails and i wasnt able to see in the mail log from which user the mails come from.
Here is one line from the maillog to show the problem:
smtp_auth: smtp_auth: SMTP user : logged in from null)@mnch-4db15d82.pool.einsundeins.de [IP ADRESS]
There is no username logged.
My system is SuSE 10.1 and plesk is the latest version.

Can anybody show me a way to get a log from the smtp-auth logins ?

many thanks
andreas
 
have the same problem
May 23 14:39:49 servername smtp_auth: SMTP connect from (null)@(null) [124.207.44.98]
May 23 14:39:49 servername smtp_auth: smtp_auth: SMTP user : logged in from (null)@(null) [124.207.44.98]
Click to expand...
 
datux said:
Hi Admins,
a few days before somebody of my registered Users floaded the plesk server with spam mails and i wasnt able to see in the mail log from which user the mails come from.
Here is one line from the maillog to show the problem:
smtp_auth: smtp_auth: SMTP user : logged in from null)@mnch-4db15d82.pool.einsundeins.de [IP ADRESS]
There is no username logged.
My system is SuSE 10.1 and plesk is the latest version.

Can anybody show me a way to get a log from the smtp-auth logins ?

many thanks
andreas
Click to expand...

It's a confirmed bug which will be fixed in Plesk 8.4.1 patch
Thanks for report.
 
I am having this same problem on my Plesk servers. Where is the bug report where this is confirmed?
 
Null log ins used to create spam

I have been plagued by several spammers / spam bots that have been injecting spam into qmail via a null user login

# cat /usr/local/psa/var/log/maillog |grep null
Jun 17 09:02:46 penguin4 smtp_auth: SMTP connect from (null)@13.224.136.219.broad.gz.gd.dynamic.163data.com.cn [219.136.224.13]
Jun 17 09:02:46 penguin4 smtp_auth: smtp_auth: SMTP user : logged in from (null)@13.224.136.219.broad.gz.gd.dynamic.163data.com.cn [219.136.224.13]

I have spent alot of time researching this over the last month and belive I may have an answer for those that want to stop this before the patch of 8.4.1.

let me continue with a bit more information before I give conclusion

Plesk Control Panel version
psa v8.4.0_build84080514.18 os_FedoraCore 6
Operating system
GenuineIntel, Intel(R) Xeon(R)CPU 5130 @ 2.00GHz
Linux 2.6.18-1.2798.fc6

My first move was to add the domain 163data.com.cn to the blacklist.
I have never seen anything but spam come from 163data anyway.
So thought all was solved for the server until the next day when sure enough 100's more spam from 163data.com.cn.
So next step was to add

ALL: .163data.com.cn : DENY
to /etc/hosts.allow
this was sure to get these buggers

Well come the next few days things seemed ok
then bam! they where back again and they sure had me baffled
so this had to be a user or internal was my thoughts
at which point I looked at the smtp-auth, discovered the null logins
and also noticed that they where using my reverse.DNS names as the senders name,
I thought this curious and noted that this was a way to get thru the hosts.allow block
I proceeded to recreate how they where getting thru and sure enough a simple

telnet MYDOMAIN.com 25
smtp_auth: AUTH [email protected]
smtp_auth: PASS (null)

got me thru
WOW how could this be?

I tried removing the reverse DNS in the thoughts that relaylock would pick it up
(NOPE didn't work)
Was so frustrated that I decided to move all the server IPs in the hope of at least tracking why (really didn't want to do this)
It was when I got to the point of actually moving the IP's did I notice one common denominator.
The IP's that they where using for the names (reverseDNS names) had NO SITES ON THEM
I had added a block of IP's in preparation for several sever migration moves and never needed all of them but just left them in-place for future additions.

at this point I have removed unused ones and added a site to one they picked on the most
- after 3 days I see their failed null attempts but the spam is gone
hope this helps

Jerry The Mouse
 
Can you explain what you did exactly to the server to stop this. I deleted all of my excess ip addresses and have sites on the others but I am still plagued by this. I have even installed spamdyke, but I need some more direction on how to stop the madness.
 
Still not resolved?

It was supposed to be resolved in version 8.4.1 but it still is an issue even though I'm on version 8.6. Any news on this?
 
This was indeed fixed in 8.6. After my upgrade to 8.6 I started seeing "smtp_auth: SMTP user <login here>" in my maillog. If you grep for smtp_auth on your maillog, what kinda entries are you seeing?
 
SMTP Relay Server Unlimited, RDP,Unlimited Webmail, Mail Leads,credit card,hacking,email password, mail and pass login


I would like to introduce service to our EMail Marketing.
Services include:
- STMP Relay Server Unlimited
- Unlimited Webmail
- Email Pass
- Email and pass login
- Credit Card: visa, master,amex,discover...(U.S,CA,UK...)
- Acount: Paypal, Walmart, Ebay....
- Fresh Email List
- RDP ( VPS Window with IP U.S and ASIA)
- Cheap license Software
Thanks for reaing our email. Wish you good health and success!

If you have any questions about our services.

Contact:
Website: http://emailstoreonline.com
Email: [email protected]
Y!M: sale.emailstoreonline
 
You must log in or register to reply here.

Similar threads

M
Issue Can't open Port 25. Please help
Replies
2
Views
260
mhogue
M
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
1K
Tessxr
T
L
Resolved IMAP not working with STARTTLS or SSL/TLS Mailserver Dovecot Problem
Replies
3
Views
2K
lberens
L
D
Resolved Webmail 500 error after installing Plesk Premium Email
Replies
4
Views
2K
Peter Debik
P
M
Issue msmtp Error 550 - The from address does not match a verified Sender Identity
2
Replies
23
Views
7K
cloudhostpk
C
Back
Top