
Issue Plesk Spam Mail

PandoraT

New Pleskian
How can I prevent spam mail from constantly coming to my server this way? What is the reason for this?

spam.png
 
Looks like your server is being abused to send spam. You most likely have a compromised account on your server or you configured your server as an open relay.

Check your mail log files and find out how those mails were sent (smtp? generated by a PHP script? etc.) and close the source of the spam.

Also check:
How to secure a Plesk server
Many email messages are sent from PHP scripts on a Plesk server. How to find domains on which these scripts are running if Postfix is used?
How to verify that the server is not acting as an open relay on Plesk?
Server sending spam from non-existing mailboxes
How to remove emails from the queue in Plesk
 
Hi. I know this is an old post, but I am experiencing the exact same thing. Can someone please help me sort this out? I have secured Plesk, but I am having trouble figuring out how to locate where these spam messages are being triggered from.
 
Thanks, Riculum. Here is the odd part: I have disabled the mail function for the domain that was causing the issue, but spam emails are still being sent! Any ideas as to why this is so?
 
Could be caused by:
  • Hijacked mail user's accounts
  • Broken/insecure form processed by PHP or another server-side language
  • Malware on server
  • Infected PHP programs and/or PHP modules
  • Insecure WordPress or other CMS plugins
You should check in the mail header which process id is shown as the creator of such mail.
 
Example of such header
Code:
Received: by srv31221.example.tld (Postfix, from userid 10003)
        id E2A1E810FD5; Sun, 27 Nov 2022 11:06:04 +0100 (CET)
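
The log and header checks suggested above, as an added example that is not part of the original thread: it classifies Postfix log entries by submission path (local pickup by uid, authenticated SMTP, unauthenticated SMTP) and pulls the userid and queue ID out of a locally generated Received header. The log lines are constructed samples in the standard Postfix layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the thread), standard Postfix layout.
SAMPLE_LOG = """\
Nov 27 11:06:04 srv31221 postfix/pickup[2211]: E2A1E810FD5: uid=10003 from=<www@example.tld>
Nov 27 11:06:05 srv31221 postfix/pickup[2211]: E2A1F810FD6: uid=10003 from=<www@example.tld>
Nov 27 11:07:10 srv31221 postfix/smtpd[2300]: A1B2C3D4E5F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.tld
Nov 27 11:08:42 srv31221 postfix/smtpd[2301]: B2C3D4E5F60: client=mail.example.net[198.51.100.9]
Nov 27 11:08:43 srv31221 postfix/smtpd[2301]: disconnect from mail.example.net[198.51.100.9]
"""
# The Received header quoted in the post above.
SAMPLE_HEADER = """Received: by srv31221.example.tld (Postfix, from userid 10003)
        id E2A1E810FD5; Sun, 27 Nov 2022 11:06:04 +0100 (CET)"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-Za-z]+): uid=(\d+)")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=([^,\s]+)")
SASL = re.compile(r"sasl_username=(\S+)")
LOCAL_HDR = re.compile(r"\(Postfix, from userid (\d+)\)\s+id ([0-9A-Za-z]+);")

def local_sender(header):
    """Return (uid, queue_id) when the header shows local submission, else None."""
    m = LOCAL_HDR.search(header)
    return (int(m.group(1)), m.group(2)) if m else None

def classify(log_text):
    """Count queued messages per submission path and originator."""
    counts = Counter()
    for line in log_text.splitlines():
        if m := PICKUP.search(line):
            # Submitted through sendmail/pickup, e.g. by a PHP script run as this uid.
            counts[("local", "uid=" + m.group(2))] += 1
        elif m := SMTPD.search(line):
            sasl = SASL.search(line)
            if sasl:
                # Authenticated mailbox login: candidate hijacked account.
                counts[("smtp-auth", sasl.group(1))] += 1
            else:
                # No SASL login: ordinary inbound mail, or relaying if not for a local domain.
                counts[("smtp-unauth", m.group(2))] += 1
    return counts

if __name__ == "__main__":
    print("header:", local_sender(SAMPLE_HEADER))
    for (path, who), n in classify(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {path:12s} {who}")
```

A uid reported under `local` maps to a system account with `getent passwd <uid>`.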
 
Thanks, GwenDragon. There are no mailboxes for the domain. Emails are hosted with G Suite, so no email account was hacked. I've disabled the contact form and removed the plugin altogether. For the malware, insecure plugin or infected PHP scripts, what scanning service could I use to test for any vulnerabilities?

I will post an extract from my email header next.
 
Below is an extract of the email header. From what I have gathered, the sender 51.15.81.111 is using my server to send out spam. What I still can't figure out is how, given I have disabled the mail function, banned his IP and mail is not running on Plesk for this domain. Anyone?

Authentication-results spf=softfail (sender IP is xx.xx.xxx.xx) smtp.mailfrom=hotmail.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=getmedia78.jonathanbullock.com;compauth=fail reason=001
Received-spf
SoftFail (protection.outlook.com: domain of transitioning hotmail.com discourages use of xx.xx.xxx.xx as permitted sender)
softfail (myserver.com: transitioning domain of hotmail.com does not designate 51.15.81.111 as permitted sender) client-ip=51.15.81.111; envelope-from=[email protected]; helo=enterprise-ireland.com;

Authentication-results-original myserver.com; spf=softfail (sender IP is 51.15.81.111) smtp.mailfrom=[email protected] smtp.helo=enterprise-ireland.com
From Window Upgrade <[email protected]>
To [email protected]; [email protected]
Date Fri, 25 Nov 2022 14:42:22 +0000
Content-transfer-encoding quoted-printable
Content-type text/html; charset="UTF-8"
Message-id <1pdaiqo2q2fkzrz.RTjt65cji80ch9gnns3u0oZHLOVYTWMK@cx3o.wp-junkie.club>
X-incomingheadercount
8
13
62
 