
Postfix botnet spam attack from my server?

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by slayer1ss, Jan 18, 2012.

  1. slayer1ss (Basic Pleskian; joined Dec 15, 2008; 36 messages; 0 likes received)

    I have a CentOS 5.3 web server with Plesk 10.4. Everything on the system is fully updated and I am using Postfix as a mail server. The server is a corporate server with only 2 websites in it... My problem is that 2 days ago I started getting thousands of delivery failed messages, and when I checked, neither sender nor receiver address matched domains in my server. That's when I noticed I was under a botnet attack and someone was trying to relay messages over my server... So I closed relaying, activated Parallels Premium Antivirus, clicked "Verify incoming mail" at domain keys spam protection and switched on the DNS blackhole list from zen.spamhaus. There are 2 IP addresses in the white list: one of them is 127.0.0.0/8 and the second one is the corporate headquarters IP address, to allow SMTP logging. Because of these damn botters my IP address entered a spam list; when I checked from Spamhaus they told me that my IP address was a part of a botnet attack, so I scanned the server with Rootkit Hunter and ClamAV, and both returned nothing. However I still seem to get thousands of delivery failed messages... I also read this post http://forum.parallels.com/showthread.php?t=209992 - there weren't smtpd.conf files at either of those locations so I created them... My questions are:

    1- Since some of our employees are at other locations and use different non-static IP addresses, I can't add them to the white list and they can't seem to log in via SMTP, which is a must for us... What can I do for this?

    2- I am still getting those spam messages. Am I missing something? Is there something else that I can do? Or did I do everything I can, and the messages I am getting are just retries of messages from before I took these actions?

    3- Is it possible for me to configure Postfix so that it only accepts outgoing mails from a domain I select?
     
    Last edited: Jan 19, 2012
  2. slayer1ss (Basic Pleskian; joined Dec 15, 2008; 36 messages; 0 likes received)

    BTW, I noticed a ton of

    Jan 19 04:06:35 userx postfix/qmgr[32192]: 62BDF358558: from=<apache@domainx.com>, size=53508, nrcpt=1 (queue active)

    messages in the maillog even though I am not using PHP's mail function anywhere... I changed the mail log directory in php.ini to track which script is using PHP mail, but I guess if I add mail to disable_functions those lines would stop, am I right? I also added apache@domainx.com to the spam blacklist; would this cause any problems?
     
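The two questions in this thread (where are the delivery failures coming from, and which PHP script is calling mail() as the apache user) are both answered by reading logs rather than by guessing. The following is an added example, not code from the original poster or from Plesk: a small Python parser that joins Postfix `qmgr` lines to their delivery lines by queue id, counts queued/sent/bounced messages per envelope sender, flags senders whose deliveries mostly bounce, and tallies `mail()` calls per script from the PHP `mail.log` that `mail.log` in php.ini enables. The sample log lines are constructed for the example (only the shape of the `apache@domainx.com` qmgr line comes from the post); the `/var/www/vhosts/...` script path and the recipient addresses are assumed values.

```python
import re
from collections import Counter, defaultdict

# Postfix queue-manager line: queue id, envelope sender, size, recipient count.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)
# Postfix delivery-agent line: queue id, recipient, final status (sent/bounced/deferred).
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|local|virtual)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*"
    r"status=(?P<status>\w+)"
)
# PHP mail.log line (written when mail.log is set in php.ini): calling script, line, recipient.
PHP_MAIL_RE = re.compile(r"mail\(\) on \[(?P<script>[^\]]+?):(?P<line>\d+)\]: To: (?P<to>\S+)")

# Constructed sample maillog: one legitimate sender and one web-server sender whose mail bounces.
SAMPLE_MAILLOG = """\
Jan 19 04:06:35 userx postfix/qmgr[32192]: 62BDF358558: from=<apache@domainx.com>, size=53508, nrcpt=1 (queue active)
Jan 19 04:06:35 userx postfix/smtp[32201]: 62BDF358558: to=<victim1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.1.1, status=bounced (User unknown)
Jan 19 04:06:36 userx postfix/qmgr[32192]: 7A11C358559: from=<apache@domainx.com>, size=53510, nrcpt=1 (queue active)
Jan 19 04:06:36 userx postfix/smtp[32203]: 7A11C358559: to=<victim2@example.org>, relay=mx.example.org[192.0.2.11]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Jan 19 04:07:01 userx postfix/qmgr[32192]: 8B22D35855A: from=<ceo@corp.example>, size=2048, nrcpt=1 (queue active)
Jan 19 04:07:02 userx postfix/smtp[32205]: 8B22D35855A: to=<partner@example.com>, relay=mx.example.com[192.0.2.12]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Jan 19 04:07:10 userx postfix/qmgr[32192]: 9C33E35855B: from=<apache@domainx.com>, size=53508, nrcpt=1 (queue active)
Jan 19 04:07:11 userx postfix/smtp[32207]: 9C33E35855B: to=<victim3@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=5.1.1, status=bounced (User unknown)
"""

# Constructed sample PHP mail.log; the script path is an assumed Plesk-style vhost path.
SAMPLE_PHP_MAIL_LOG = """\
[19-Jan-2012 04:06:35] mail() on [/var/www/vhosts/domainx.com/httpdocs/contact.php:42]: To: victim1@example.net -- Headers: Content-Type: text/html
[19-Jan-2012 04:06:36] mail() on [/var/www/vhosts/domainx.com/httpdocs/contact.php:42]: To: victim2@example.org -- Headers: Content-Type: text/html
[19-Jan-2012 04:07:10] mail() on [/var/www/vhosts/domainx.com/httpdocs/newsletter/send.php:17]: To: victim3@example.net -- Headers: Content-Type: text/html
"""


def summarize_maillog(text):
    """Join qmgr and delivery lines on the queue id and count, per envelope
    sender, how many messages were queued and how each delivery ended."""
    sender_of = {}                      # queue id -> envelope sender
    stats = defaultdict(Counter)        # sender -> {"queued": n, "sent": n, "bounced": n, ...}
    for line in text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            sender_of[m["qid"]] = m["sender"]
            stats[m["sender"]]["queued"] += 1
            continue
        m = DELIVERY_RE.search(line)
        if m and m["qid"] in sender_of:
            stats[sender_of[m["qid"]]][m["status"]] += 1
    return {sender: dict(counts) for sender, counts in stats.items()}


def flag_suspicious(summary, min_messages=2, bounce_ratio=0.5):
    """Senders with some volume whose deliveries mostly bounce: the footprint a
    spam run leaves (bad recipient lists, backscatter), as opposed to normal users."""
    flagged = []
    for sender, counts in summary.items():
        queued = counts.get("queued", 0)
        if queued >= min_messages and counts.get("bounced", 0) / queued >= bounce_ratio:
            flagged.append(sender)
    return sorted(flagged)


def scripts_sending_mail(text):
    """Count mail() calls per PHP script path from a PHP mail.log."""
    counts = Counter()
    for line in text.splitlines():
        m = PHP_MAIL_RE.search(line)
        if m:
            counts[m["script"]] += 1
    return counts


if __name__ == "__main__":
    summary = summarize_maillog(SAMPLE_MAILLOG)
    for sender, counts in sorted(summary.items()):
        print(sender, counts)
    print("suspicious senders:", flag_suspicious(summary))
    print("mail() calls per script:", scripts_sending_mail(SAMPLE_PHP_MAIL_LOG).most_common())
```

Run against the real files (`/usr/local/psa/var/log/maillog` or `/var/log/maillog` for Postfix, and whatever path `mail.log` points at in php.ini), the per-script counter answers the second post directly: if `apache@domainx.com` mail keeps appearing while the PHP log shows no `mail()` calls, the sender is something other than PHP's mail() (a script shelling out to sendmail, or a process running as the web-server user), so disabling the function alone would not stop it. A high bounce ratio for the web-server sender is the thing to alert on, since legitimate site mail rarely bounces in bulk.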