Issue Problem with SPAM send from my server

[G J K]

Hi

I have a Plesk 11.5 server running with Postfix. Somehow someone is managing to use my server to send spam. We have now been digging for day to see how we can stop this and how it is done.

The problem is that the headers of these mail do not reveal a lot of info.

X-No-Auth: unauthenticated sender
X-No-Relay: not in my network
Received: from localdomain.com (host.server.net [127.0.0.1])
   by host.server.net (Postfix) with ESMTP id E93FF78185D
    for <[email protected]>; Sat, 24 Sep 2016 07:32:03 +0200 (WAST)
Date: Sat, 24 Sep 2016 05:32:03 +0000 (UTC)
From: localdomain <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
Subject: FW:  howre you?
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_6022060_1414746959.1474695123552"
X-mailer: Mailer v1.0

The email is sent without authentication, the server is set to do authentication.
We are unable to tie these message to any specific domain or user account.

Can someone please assist to stop this spam attack?

Thanks

 

[crobinson]

Looks like it could be a local PHP script that is being exploited. I would log all email requests coming from httpd or nginx.

 

[UFHH01]

Hi G J K,

pls. have a look at the corresponding KB - article:

Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used? ( KB - article 114845 )​