Postfix sending spam from my server PLEASE Help

meteadan

New Pleskian
I am having a major problem with spam. Postfix is continuously sending spam from my server.
The message header is showing a username and a domain name in all messages. I moved the mail service for this user to another server, so I am not sure how the server continues to show the same username in the messages.

X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from uniquemarble.co.uk (unknown [181.31.81.73])
by meteadan.com (Postfix) with ESMTPA id 25F8526939094;
Tue, 2 Apr 2013 18:50:13 +0100 (BST)
Message-ID: <[email protected]>
Date: Tue, 02 Apr 2013 18:51:11 +0100
Reply-To: "[email protected]" <[email protected]>
From: "[email protected]" <[email protected]>
X-Accept-Language: en-us
MIME-Version: 1.0
To: <[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>
Subject: Score juicy la_sses w|th theese affordable pharmaceutical$. 100% privacy!
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

=======================================
User [email protected] no longer exists on my server. The IP address is an external IP address. Something to note: the IP address was showing my server IP until I moved this domain name and the user to another mail server.

My IP address is already blacklisted.

Please help me resolve this problem.

Thank you for your quick response.
I installed and ran chkrootkit but it did not find anything.
rkhunter check gave me the following results.

[10:13:55] Running Rootkit Hunter version 1.4.0 on s15342963
[10:13:55]
[10:13:55] Info: Found O/S name: CentOS release 5.9 (Final)
[10:13:55] Info: Installation directory is '/usr/local'
[10:13:55] Info: Found the 'diff' command: /usr/bin/diff
[10:13:56] Info: Found the 'dirname' command: /usr/bin/dirname
[10:14:27] /sbin/ifdown [ Warning ]
[10:14:27] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:14:27] /sbin/ifup [ Warning ]
[10:14:27] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[10:15:09] /usr/bin/GET [ Warning ]
[10:15:09] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:15:09] /usr/bin/groups [ Warning ]
[10:15:09] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable

[10:15:12] /usr/bin/ldd [ Warning ]
[10:15:13] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:15:28] /usr/bin/whatis [ Warning ]
[10:15:28] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:16:21]
[10:16:21] Checking for IntoXonia-NG Rootkit...
[10:16:21] Checking for kernel symbol 'funces' [ Skipped ]
[10:16:21] Checking for kernel symbol 'ixinit' [ Skipped ]
[10:16:21] Checking for kernel symbol 'tricks' [ Skipped ]
[10:16:21] Checking for kernel symbol 'kernel_unlink' [ Skipped ]
[10:16:21] Checking for kernel symbol 'rootme' [ Skipped ]
[10:16:21] Checking for kernel symbol 'hide_module' [ Skipped ]
[10:16:21] Checking for kernel symbol 'find_sys_call_tbl' [ Skipped ]
[10:16:21] IntoXonia-NG Rootkit [ Not found ]
[10:16:22]
[10:16:22] Checking for Irix Rootkit...
[10:16:24] Checking for kernel symbol 'h4x_delete_module' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_getdents64' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_kill' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_open' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_read' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_rename' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_rmdir' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_tcp4_seq_show' [ Skipped ]
[10:16:25] Checking for kernel symbol 'h4x_write' [ Skipped ]
[10:18:46] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[10:18:46] Checking '/etc/xinetd.d/ntalk' for enabled services [ None found ]
[10:18:46] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[10:18:48] Checking for enabled xinetd services [ Warning ]
[10:18:48] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[10:18:48] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[10:18:48] Checking for Apache backdoor [ Not found ]
[10:18:48]
[10:18:48] Info: Starting test name 'os_specific'
[10:18:48] Performing Linux specific checks
[10:18:49] Checking loaded kernel modules [ Warning ]
[10:18:49] Warning: No output found from the lsmod command or the /proc/modules file:
[10:18:49] /proc/modules output:
[10:22:27] Info: Starting test name 'group_accounts'
[10:22:27] Performing group and account checks
[10:22:27] Checking for passwd file [ Found ]
[10:22:27] Info: Found password file: /etc/passwd
[10:22:29] Checking for SSH configuration file [ Found ]
[10:22:29] Info: Found SSH configuration file: /etc/ssh/sshd_config
[10:22:29] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[10:22:29] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[10:22:29] Checking if SSH root access is allowed [ Warning ]
[10:22:29] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[10:22:29] Checking if SSH protocol v1 is allowed [ Not allowed ]
[10:22:29] Checking for running syslog daemon [ Found ]
[10:22:29] Info: Found syslog configuration file: /etc/syslog.conf
[10:22:30] Checking for syslog configuration file [ Found ]
[10:22:30] Checking if syslog remote logging is allowed [ Not allowed ]
[10:22:30]
[10:22:30] Info: Starting test name 'filesystem'
[10:22:30] Performing filesystem checks
[10:22:30] Info: SCAN_MODE_DEV set to 'THOROUGH'
[10:22:30] Checking /dev for suspicious file types [ Warning ]
[10:22:30] Warning: Suspicious file types found in /dev:
[10:22:30] /dev/.udev/uevent_seqnum: ASCII text
[10:22:31] Checking for hidden files and directories [ Warning ]
[10:22:32] Warning: Hidden directory found: '/dev/.udev'
[10:22:32] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[10:22:32] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[10:22:32] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:22:32] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[10:22:49]
[10:22:49] Info: Starting test name 'apps'
[10:22:49] Checking application versions...
[10:22:52] Checking version of Exim MTA [ Warning ]
[10:22:53] Warning: Application 'exim', version '4.63', is out of date, and possibly a security risk.
[10:22:53] Checking version of GnuPG [ OK ]
[10:22:53] Info: Application 'gpg' version '1.4.5' found.
[10:22:53] Checking version of Apache [ Warning ]
[10:22:53] Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
[10:22:53] Checking version of Bind DNS [ OK ]
[10:22:53] Info: Application 'named' version '9.3.6-P1' found.
[10:22:53] Checking version of OpenSSL [ Warning ]
[10:22:54] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
[10:22:54] Checking version of PHP [ OK ]
[10:22:54] Info: Application 'php' version '5.3.3' found.
[10:22:54] Checking version of Procmail MTA [ OK ]
[10:22:54] Info: Application 'procmail' version '3.22' found.
[10:22:54] Checking version of ProFTPD [ OK ]
[10:22:54] Info: Application 'proftpd' version '1.3.4a' found.
[10:22:55] Checking version of OpenSSH [ Warning ]
[10:22:55] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
[10:22:55] Info: Applications checked: 9 out of 9
[10:22:55]
[10:22:55] System checks summary
[10:22:55] =====================
[10:22:55]
[10:22:55] File properties checks...
[10:22:55] Files checked: 136
[10:22:55] Suspect files: 6
[10:22:55]
[10:22:55] Rootkit checks...
[10:22:55] Rootkits checked : 310
[10:22:55] Possible rootkits: 0
[10:22:55]
[10:22:55] Applications checks...
[10:22:56] Applications checked: 9
[10:22:56] Suspect applications: 4
[10:22:56]
[10:22:56] The system checks took: 8 minutes and 57 seconds
[10:22:56]
[10:22:56] Info: End date is Wed Apr 3 10:22:56 BST 2013

I need a little bit of help with following the instructions in article 1711.

I am unfamiliar with making a file executable, or specifically:
2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename old sendmail; and link it to the new wrapper:

Thanks for your help.

I am not sure how to deal with the warnings that rkhunter found.

I have followed the instructions in article 1711 and I got no response from the output telling me that no email was sent using the phpmail function.

Please, someone help. I have been searching those rkhunter warnings and found out that all of them are false positives. What am I missing? I shut down my SMTP server to stop the spamming problem. I cannot figure out what or who is sending the spam.
I followed the instructions in the article http://kb.parallels.com/1711, but the log file gave me no result suggesting that any script on any of my hosting accounts is using the phpmail function. So what am I missing?
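The Received: header quoted in the first post says the message arrived "with ESMTPA", which is the RFC 3848 keyword Postfix writes when the sending client passed SMTP AUTH; a PHP mail() wrapper cannot see such sessions, but Postfix's smtpd log records the authenticated account as sasl_username. The following is an added example, not code from the post or from Plesk, that groups authenticated sessions in a Postfix maillog by account and client IP so a mailbox whose password is being used from unfamiliar addresses stands out; the log lines, the account names and the documentation-range IPs are constructed.

```python
"""Added example (not from the forum post or Plesk): find authenticated
(SASL) SMTP sessions in a Postfix maillog and group them by account
and client IP, so a mailbox whose password is being used from many
unfamiliar addresses stands out."""
import re
from collections import Counter, defaultdict

# Matches the "client=" line Postfix smtpd writes for every accepted
# session; sasl_username appears only when SMTP AUTH succeeded
# (that is what "with ESMTPA" in a Received: header means).
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>\S+?)\[(?P<ip>[0-9a-f.:]+)\]"
    r"(?:, sasl_method=(?P<method>\w+), sasl_username=(?P<user>[^,\s]+))?"
)

def authenticated_sessions(lines):
    """Yield (user, ip) for each log line where SMTP AUTH was used."""
    for line in lines:
        m = SASL_RE.search(line)
        if m and m.group("user"):
            yield m.group("user"), m.group("ip")

def suspicious_accounts(lines, max_ips=1):
    """Return {user: {ip: count}} for accounts seen from more than max_ips addresses."""
    per_user = defaultdict(Counter)
    for user, ip in authenticated_sessions(lines):
        per_user[user][ip] += 1
    return {u: dict(c) for u, c in per_user.items() if len(c) > max_ips}

# Constructed sample log lines: the account names are placeholders,
# 181.31.81.73 is the client address from the header quoted in the post,
# the other addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr  2 18:50:13 s15342963 postfix/smtpd[4321]: 25F8526939094: client=unknown[181.31.81.73], sasl_method=LOGIN, sasl_username=mailbox@example.com
Apr  2 18:50:20 s15342963 postfix/smtpd[4322]: 3A1B2C3D4E5F6: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=mailbox@example.com
Apr  2 18:51:02 s15342963 postfix/smtpd[4323]: 4B2C3D4E5F607: client=unknown[181.31.81.73], sasl_method=LOGIN, sasl_username=mailbox@example.com
Apr  2 18:52:40 s15342963 postfix/smtpd[4324]: 5C3D4E5F60718: client=mail.example.org[203.0.113.9]
Apr  2 18:53:11 s15342963 postfix/smtpd[4325]: 6D4E5F6071829: client=home.example.net[203.0.113.20], sasl_method=PLAIN, sasl_username=staff@example.com
""".splitlines()

if __name__ == "__main__":
    for user, ips in suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: authenticated from {len(ips)} addresses {ips}")
```

Run it against the real file with `suspicious_accounts(open("/var/log/maillog"))`; an account that shows up here is the one whose password should be changed, which is the fix that article 1711's wrapper cannot provide.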