• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question postfix overload, attack from chinese IPs - what to do?

D4NY

Regular Pleskian
OS: CentOS 6.8
PLESK: 12.5

Today i received a call of a user that couldn't send mail using mail client on smtp. Checking at the services via Plesk i saw that postfix was stopped and no way to restart it from the panel. Via SSH running "service postfix restart" the service restarted correctly and the green button came back also in Plesk. But after few minutes again it was stopped. The same after rebooting the whole server. Looking at the process runnin it seems to be overloaded.

tail -f /usr/local/psa/var/log/maillog | grep sasl_username

to see who's trying to authenticate and send mails. Other times hacked mailbox sent tons of spam away but this time nothing strange... just normal users sending single mail

tail -f /usr/local/psa/var/log/maillog

to see what's happening in real time and i found hundreds of connection from different IPs to a mailbox that was full of thousands mail in chinese language. I deleted the mailbox and the postfix crash seems to be solved but on the maillog we have continue connection to that mailbox even if no more alive.

I set up fail2ban, totally deactivate the domain and blacklisted the qq.com domain but no way to stop connections all from different ips.

Please check the attached file, it's the result of the command:

tail -f /usr/local/psa/var/log/maillog | grep MYDELETEDMAILBOX

Can't understand relationships between postfix and incoming mail. What's happening?
 

Attachments

  • maillog.txt
    172.5 KB · Views: 5
I'm not sure that there are ways to prevent connections from different IP addresses. You can try to close the entire range of addresses if it is one. But in general, it looks like a typical DOS which is treated only by the performance of the system if you can not use the blacklist or somehow cut it off another way.
You can try GreyListing, by the way.
 
Very disappointing. Do you think that moving the website of the attacked mailbox can stop the ddos on that server? How can i activate GreyListing?
 
In the past I created scripts that were able to block many countries from South East Asia and optional other countries.
Because the script had to run on a small SoHo-router (DD-WRT) I couldn't just create thousands of rules.
It created a set of about 1500 rules.

I was able to do that by first creating several very big subnets (/5, /6, /7 and /8) and then punching some holes in them for countries like Australia.

With the iptables extension "ipset" this kind of stuff can be created more efficient and with cleaner code.

Maybe I can find some time to rewrite the code so it's easy to implement on a Plesk server.

You could Google: "dd-wrt asiablock"

I am relying on ASSP.
That's an "Anti Spam SMTP Proxy" written in Perl. It combines almost all known techniques. I'm using it for some 12+ years.
 
Last edited:
Back
Top