• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Server is sending spam

  • Thread starter Deleted member 209767
  • Start date
D

Deleted member 209767

Guest
My server just got flagged as spammer by OVH

Our Anti-Spam protection has detected an important sending of spam from one of your IP

In order to ensure the security of our network, the traffic leaving your server towards
ports 25 has been suspended.

So that you can carry out the checks here is a sample of blocked emails:

Destination IP: 184.94.240.112 - Message-ID: - Spam score: 512
Destination IP: 31.220.15.135 - Message-ID: - Spam score: 500
Destination IP: 198.58 .121.58 - Message-ID: - Spam score: 500
Destination IP: 103.224.212.34 - Message-ID: - Spam score: 300
Destination IP: 52.10.154.41 - Message-ID: - Spam score: 500
Click to expand...
I don't think I got hacked. I use up to date software and I host only my own websites.

I tried unblocking the IP but it immediately got blocked again for same reason

There are still thousands of spams in the mail queue:
7D826C23805C0 4674 Sat Nov 7 04:48:48 MAILER-DAEMON
(connect to mail.hope-mail.com[34.222.93.91]:25: Connection timed out)
[email protected]

717CDC3294739 4505 Sat Nov 7 04:57:40 MAILER-DAEMON
(connect to libro-s.com[193.203.119.136]:25: Connection timed out)
[email protected]

733ECC23963AC 4288 Wed Nov 4 09:29:53 MAILER-DAEMON
(connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out)
[email protected]

759EBC368ABA8 4905 Wed Nov 4 02:51:48 MAILER-DAEMON
(connect to rdspam.sz.hitrontech.com[222.92.60.181]:25: Connection timed out)
[email protected]

71CA6C35BFCDE 4358 Wed Nov 4 06:21:40 MAILER-DAEMON
(connect to partyspace.com.2.0001.arsmtp.com[8.31.233.93]:25: Connection timed out)
[email protected]

73C2BC8253475 4796 Wed Nov 4 08:15:40 MAILER-DAEMON
(connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out)
[email protected]

7F0D8C7E1733F 4217 Thu Nov 5 14:53:29 MAILER-DAEMON
(connect to mail.b-io.co[54.218.2.65]:25: Connection timed out)
[email protected]
Click to expand...

random excerpt from /var/log/maillog

Nov 9 03:35:24 ns3100169 postfix/smtpd[3602250]: warning: unknown[45.142.120.121]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:24 ns3100169 postfix/smtp[3601879]: connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out
Nov 9 03:35:24 ns3100169 plesk_saslauthd[1168904]: No such user '[email protected]' in mail authorization database
Nov 9 03:35:24 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user '[email protected]' (password len=10)
Nov 9 03:35:24 ns3100169 postfix/smtpd[3602584]: warning: unknown[45.142.120.59]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:25 ns3100169 postfix/smtp[3594560]: connect to ics-limited.com.1.arsmtp.com[8.31.233.62]:25: Connection timed out
Nov 9 03:35:25 ns3100169 postfix/smtpd[3602250]: disconnect from unknown[45.142.120.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:25 ns3100169 postfix/smtpd[3602584]: disconnect from unknown[45.142.120.59] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:25 ns3100169 postfix/smtp[3601126]: connect to mx247.in-mx.com[204.6.193.5]:25: Connection timed out
Nov 9 03:35:25 ns3100169 postfix/smtp[3601126]: 0E435C334527D: to=<[email protected]>, relay=none, delay=408084, delays=397355/10609/120/0, dsn=4.4.1, status=deferred (conn$
Nov 9 03:35:25 ns3100169 postfix/qmgr[1168573]: ADB35C3301457: from=<>, size=4548, nrcpt=1 (queue active)
Nov 9 03:35:26 ns3100169 postfix/smtpd[3602585]: connect from unknown[45.142.120.209]
Nov 9 03:35:26 ns3100169 postfix/smtpd[3603944]: connect from unknown[45.142.120.93]
Nov 9 03:35:26 ns3100169 postfix/smtpd[3603942]: connect from unknown[45.142.120.62]

Nov 9 03:35:40 ns3100169 postfix/smtp[3599101]: connect to boyleburdett.com.1.0001.arsmtp.com[8.19.118.118]:25: Connection timed out
Nov 9 03:35:40 ns3100169 postfix/smtp[3602977]: connect to mx247.in-mx.com[204.6.193.5]:25: Connection timed out
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: No such user '[email protected]' in mail authorization database
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user '[email protected]' (password len=7)
Nov 9 03:35:40 ns3100169 postfix/smtpd[3603942]: warning: unknown[45.142.120.38]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: No such user '[email protected]' in mail authorization database
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user '[email protected]' (password len=8)
Nov 9 03:35:40 ns3100169 postfix/smtpd[3603944]: warning: unknown[45.142.120.60]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: No such user '[email protected]' in mail authorization database
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user '[email protected]' (password len=5)
Nov 9 03:35:40 ns3100169 postfix/smtpd[3602250]: warning: unknown[45.142.120.99]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:41 ns3100169 postfix/smtp[3593959]: connect to 9b75c235.21.ik2.com[64.38.239.83]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtp[3601996]: 077DBC363DA48: host mail.bbmail.com.hk[203.185.56.50] refused to talk to me: 421 4.4.2 mtai11n.zprv.incnets.com Error: tim$
Nov 9 03:35:41 ns3100169 postfix/smtp[3602622]: connect to publicms1.mail2world.com[216.163.176.38]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtpd[3603942]: disconnect from unknown[45.142.120.38] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:41 ns3100169 postfix/smtp[3595785]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtpd[3603944]: disconnect from unknown[45.142.120.60] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:41 ns3100169 postfix/smtp[3594173]: connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtpd[3602250]: disconnect from unknown[45.142.120.99] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:41 ns3100169 postfix/smtp[3592061]: 03FB2C80D1BBF: conversation with mx1.ovh.net[188.165.47.122] timed out while performing the EHLO handshake
Nov 9 03:35:42 ns3100169 postfix/smtp[3601118]: 09D8DCA86A01E: to=<[email protected]>, relay=mail.nutrihouse.com.br[192.185.131.83]:25, delay=154654, delays=14380$
Nov 9 03:35:42 ns3100169 postfix/qmgr[1168573]: AEA77C32C31FA: from=<>, size=4215, nrcpt=1 (queue active)
Nov 9 03:35:42 ns3100169 postfix/smtp[3596204]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:42 ns3100169 postfix/smtp[3596204]: 08F29C36B27A2: to=<[email protected]>, relay=none, delay=403618, delays=392888/10609/120/0, dsn=4.4.1, status=deferred$
Nov 9 03:35:42 ns3100169 postfix/qmgr[1168573]: A1E81C33154E3: from=<>, size=4236, nrcpt=1 (queue active)
Nov 9 03:35:42 ns3100169 postfix/smtp[3592058]: 0BBC1C01469C2: conversation with mx1.mail.ovh.net[188.165.36.237] timed out while performing the EHLO handshake
Nov 9 03:35:42 ns3100169 postfix/smtp[3601745]: connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtpd[3602584]: connect from unknown[45.142.120.15]
Nov 9 03:35:43 ns3100169 postfix/smtp[3599152]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtp[3594297]: connect to mail.eseyoung.com[121.254.168.55]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtp[3599143]: connect to mx247.in-mx.com[198.133.158.5]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtpd[3602585]: connect from unknown[45.142.120.58]
Nov 9 03:35:43 ns3100169 postfix/smtp[3591649]: connect to mta-wue.franken.de[193.141.110.9]:25: Connection timed out
Nov 9 03:35:44 ns3100169 postfix/smtp[3591052]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:44 ns3100169 postfix/smtp[3602578]: connect to mx247.in-mx.com[204.6.193.5]:25: Connection timed out
Nov 9 03:35:44 ns3100169 postfix/smtp[3599744]: connect to MX1.MEGAMAILSERVERS.com[209.235.142.11]:25: Connection timed out
Nov 9 03:37:09 ns3100169 postfix/qmgr[1168573]: A7B59D2422028: from=<bounce+ec0a683a+sparth=[email protected]>, size=10389, nrcpt=1 (queue active)
Nov 9 03:37:09 ns3100169 postfix/qmgr[1168573]: ABAC1D2422034: from=<bounce+46fda959+Pussy.Lady=[email protected]>, size=10411, nrcpt=1 (queue active)
Click to expand...

How can I figure out what's going on? Would appreciate some suggestion

Thanks
 
Thanks for the reply, however the command didn't return any result

[root@ns3100169 ~]$ zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
gzip: /usr/local/psa/var/log/maillog*.gz: No such file or directory
[root@ns3100169 ~]# zgrep 'sasl_method=LOGIN' /var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
Click to expand...
 
You can try this instead:
zgrep 'sasl_method=LOGIN' /var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
 
1) Please go to "Tools & Settings" > "Mail" > "Mail Server Settings" > "Mail Queue"

2) Click on any spam mail in the left column of the list to open the header source code. It looks something like this:
Code: 
Received: by server.provider.net (Postfix, from userid 30)
    id 90C442CA162C; Tue, 10 Nov 2020 07:47:30 +0100 (CET)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mail21-124.srv2.de (mail21-124.srv2.de [123.123.72.124])
by server.provider.net (Postfix) with ESMTPS id 7D24E2CA162A
for <[email protected]>; Tue, 10 Nov 2020 07:47:29 +0100 (CET)
Authentication-Results: neckar;
dmarc=pass (p=REJECT sp=NONE) smtp.from=somewhere.else.com
header.from=somewhere.else.com;
dkim=pass header.d=somewhere.else.com;
dkim=pass header.d=srv2.de;
spf=pass (sender IP is 123.123.72.124) [email protected]
smtp.helo=mail21-124.srv2.de
Received-SPF: pass (neckar: domain of somewhere.else.com designates
123.123.72.124 as permitted sender) client-ip=123.123.72.124;
[email protected]; helo=mail21-124.srv2.de;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=somewhere.else.com;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-ulpe:List-Id:X-CSA-Complaints:List-Unsubscribe:
List-Unsubscribe-Post:Feedback-ID; [email protected];
bh=6LJmwGZTI2PPa0XPGCMpqreviUprlFsNo27ItLTSxcs=;
b=Yugg/UvtQjSlDWR8BztvIq0O6W88kgfoG8xPgdq2jLij7zVFUCZjWtSNUtn629OdnUXy7FScUTfu
7lNbeT4+HKeYvsUaiP97vBPJ2JiK7G8X0Wu1Swv8QVgMeqQmMFZ70vWizvRYgRUpRsGamDOP6um5
nJ7DK5qoj3AibQIu1Uk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=srv2.de;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-ulpe:List-Id:X-CSA-Complaints:List-Unsubscribe:
List-Unsubscribe-Post:Feedback-ID;
bh=6LJmwGZTI2PPa0XPGCMpqreviUprlFsNo27ItLTSxcs=;
b=GrLFMRzYHxnQm59Lo1g+PrEwXB2fE62Ew+EyaFIGhyY9zz+bKFqVFG5tXvFD/bxSy8e/i07FXE7E
ZLi1uQlppEKe4XCheHLddZUVu6DKbLS4EJYY94kcA8jisew4DhhM//TrXZQ370wz960TD/sJJwnZ
LkZitOmnEKnmjyDcDjE=
Date: Tue, 10 Nov 2020 07:47:29 +0100 (CET)
From: "janedoe.de" <[email protected]>
Reply-To: [email protected]
To: [email protected]
Message-ID: <re-pUgeSCCpSHMonulAbb79CwCxpLrngqM5Ofj-468OBA8F-45UM4LN5-1CA31DQ@somewhere.else.com>
Subject: =?UTF-8?Q?W=C3=A4re_das_nichts_f=C3=BCr_Sie=3F_F?=
=?UTF-8?Q?reue_mich_auf_Ihre_Antwort?=
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-ulpe: re-pUgeSCCpSHMonulAbb79CwCxpLrngqM5Ofj-468OBA8F-45UM4LN5-1CA31DQ@somewhere.else.com
List-Id: <1EOPC0LX-EGHV0K.somewhere.else.com>
X-Report-Spam: [email protected]
X-CSA-Complaints: [email protected]
List-Unsubscribe: <mailto:[email protected]?subject=unsubscribe>,
<https://somewhere.else.com/go/16/468OBA8F-45UM4LN5-1EOPC0LZ-JDFWPO-UL.html?banner=sam_326191719569&SYS=271&SCID=am9zZWYudm9sbG1lckB0c3ZrYW5kZWwuZGU%3D&utm_source=320288546187&utm_medium=email&utm_campaign=326191719569_2020-11-10T07%3A47_20201110+
-+SPC7782+-+VER&opt_mandator=110332856085&opt_affiliate=site_knl0359_initial&bmmailid=468OBA8F-45UM4LN5-RALA7K>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Feedback-ID: 1EOPC0LX:45UM4LN5:episerver
X-PPP-Message-ID: <[email protected]>
X-PPP-Vhost: somedomain.com#
It can look anywhere similar, this is only an example

3) In that source code look for the initial "From:" line, also an X-Sender, X-PPP-Vhost or "Script" lines or similar. These will, when carfully examined, normally reveal how or where the spam was created. There is no recipe for it, just closely examine the header before the first hop from the "From" location to another SMTP server. You will find hints in the code where the mails are coming from.
 
You must log in or register to reply here.

Similar threads

J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
870
josemanuuxd
J
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
1K
Peter Debik
P
M
Question Unable to send mail (postfix)
Replies
0
Views
1K
Manuxy
M
G
Issue [email protected] keeps sending e-mail notification even if i've edited panel.ini file.
Replies
2
Views
847
IT Ufficio Key-One
I
M
Question Hackers are sending tons of mails
Replies
4
Views
453
MrPleskLearner
M
Back
Top