
Question: Spam attack in postfix log file

alexk345

Basic Pleskian
How can I fix this spam attack? Please help.

Dec 13 11:31:49 DOMAIN NAME postfix/smtpd[934]: connect from unknown[212.192.241.186]
Dec 13 11:31:49 DOMAIN NAME plesk_saslauthd[938]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:31:49 DOMAIN NAME plesk_saslauthd[938]: privileges set to (89:89) (effective 89:89)
Dec 13 11:31:49 DOMAIN NAME plesk_saslauthd[938]: failed mail authentication attempt for user 'shot' (password len=9)
Dec 13 11:31:49 DOMAIN NAME postfix/smtpd[934]: warning: unknown[212.192.241.186]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:31:49 DOMAIN NAME postfix/smtpd[934]: disconnect from unknown[212.192.241.186]
Dec 13 11:32:19 DOMAIN NAME plesk_saslauthd[938]: select timeout, exiting
Dec 13 11:32:51 DOMAIN NAME postfix/smtpd[934]: warning: hostname goodwoodune.earacheevince.com does not resolve to address 212.192.246.179
Dec 13 11:32:51 DOMAIN NAME postfix/smtpd[934]: connect from unknown[212.192.246.179]
Dec 13 11:32:51 DOMAIN NAME plesk_saslauthd[951]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:32:51 DOMAIN NAME plesk_saslauthd[951]: privileges set to (89:89) (effective 89:89)
Dec 13 11:32:51 DOMAIN NAME plesk_saslauthd[951]: failed mail authentication attempt for user 'statement' (password len=5)
Dec 13 11:32:51 DOMAIN NAME postfix/smtpd[934]: warning: unknown[212.192.246.179]: SASL LOGIN authentication failed: authentication failure
 

This is a valid line in the maillog, as I send email through the system:
Dec 13 11:45:12 DOMAIN NAME postfix/smtpd[1090]: connect from DOMAIN NAME.com[127.0.0.1]
Dec 13 11:45:12 DOMAIN NAME postfix/smtpd[1090]: DFB24873CB: client=DOMAIN NAME.com[127.0.0.1], sasl_method=LOGIN, sasl_username=admin@DOMAIN NAME.com
 
Can someone tell me whether someone got access to the system? Mediatemple is not helping to resolve this issue. They were sending every 3 min before. After I removed qmail and replaced it with Postfix, I still get this, but not that frequently. It's still coming. How did they get access?
 
They don't have access to your server; they are trying to send email and fail to authenticate. It's annoying but harmless.
Just check your fail2ban service and activate the postfix-sasl filter.
 
I want to know whether my site has stopped spamming.
On Nov 26 a spam attack happened and Microsoft blocked our site. On Dec 1st we found that the disk was full.
Deleted the full mail queue (8 GB). Thought it was the mail queue.
But it seems to have started spamming.
Changed all passwords now. FTP, email and site passwords to 24 chars.

I want to know, can someone tell me whether they still have access or not?

Dec 13 11:51:47 Domain postfix/smtpd[1241]: warning: unknown[212.192.246.36]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:51:47 Domain postfix/smtpd[1241]: disconnect from unknown[212.192.246.36]
Dec 13 11:51:50 Domain postfix/anvil[937]: statistics: max connection rate 1/60s for (smtp:2.56.57.153) at Dec 13 11:44:13
Dec 13 11:51:50 Domain postfix/anvil[937]: statistics: max connection count 1 for (smtp:2.56.57.153) at Dec 13 11:44:13
Dec 13 11:51:50 Domain postfix/anvil[937]: statistics: max cache size 3 at Dec 13 11:44:59
Dec 13 11:51:52 Domain postfix/smtpd[1241]: warning: hostname leein.earacheevince.com does not resolve to address 212.192.246.120
Dec 13 11:51:52 Domain postfix/smtpd[1241]: connect from unknown[212.192.246.120]
Dec 13 11:51:52 Domain plesk_saslauthd[1265]: failed mail authentication attempt for user 'market' (password len=5)
Dec 13 11:51:52 Domain postfix/smtpd[1241]: warning: unknown[212.192.246.120]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:51:53 Domain postfix/smtpd[1241]: disconnect from unknown[212.192.246.120]
Dec 13 11:51:53 Domain postfix/smtpd[1241]: warning: hostname operatives.earacheevince.com does not resolve to address 212.192.246.133
Dec 13 11:51:53 Domain postfix/smtpd[1241]: connect from unknown[212.192.246.133]
Dec 13 11:51:53 Domain plesk_saslauthd[1265]: failed mail authentication attempt for user 'poster' (password len=5)
Dec 13 11:51:53 Domain postfix/smtpd[1241]: warning: unknown[212.192.246.133]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:51:53 Domain postfix/smtpd[1241]: disconnect from unknown[212.192.246.133]
Dec 13 11:51:56 Domain postfix/smtpd[1241]: warning: hostname jerseysection.earacheevince.com does not resolve to address 212.192.246.43
Dec 13 11:51:56 Domain postfix/smtpd[1241]: connect from unknown[212.192.246.43]
Dec 13 11:51:57 Domain plesk_saslauthd[1265]: failed mail authentication attempt for user 'jake' (password len=5)
Dec 13 11:51:57 Domain postfix/smtpd[1241]: warning: unknown[212.192.246.43]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:51:57 Domain postfix/smtpd[1241]: disconnect from unknown[212.192.246.43]
Dec 13 11:52:01 Domain postfix/smtpd[1241]: warning: hostname terminal.earacheevince.com does not resolve to address 212.192.246.145
Dec 13 11:52:01 Domain postfix/smtpd[1241]: connect from unknown[212.192.246.145]
Dec 13 11:52:01 Domain plesk_saslauthd[1265]: failed mail authentication attempt for user 'ram' (password len=5)
Dec 13 11:52:01 Domain postfix/smtpd[1241]: warning: unknown[212.192.246.145]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:52:01 Domain postfix/smtpd[1241]: disconnect from unknown[212.192.246.145]
Dec 13 11:52:31 Domain plesk_saslauthd[1265]: select timeout, exiting
Dec 13 11:53:16 Domain postfix/smtpd[1241]: connect from unknown[2.56.57.182]
Dec 13 11:53:17 Domain plesk_saslauthd[1279]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:53:17 Domain plesk_saslauthd[1279]: privileges set to (89:89) (effective 89:89)
Dec 13 11:53:17 Domain plesk_saslauthd[1279]: failed mail authentication attempt for user 'sidney' (password len=5)
Dec 13 11:53:17 Domain postfix/smtpd[1241]: warning: unknown[2.56.57.182]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:53:17 Domain postfix/smtpd[1241]: disconnect from unknown[2.56.57.182]
Dec 13 11:53:47 Domain plesk_saslauthd[1279]: select timeout, exiting
Dec 13 11:54:45 Domain spamd[22648]: spamd: connection from Domain .com [127.0.0.1] at port 51680
Dec 13 11:54:45 Domain spamd[22647]: prefork: child states: I
Dec 13 11:56:14 Domain postfix/smtpd[1330]: connect from unknown[141.98.10.220]
Dec 13 11:56:14 Domain plesk_saslauthd[1332]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:56:14 Domain plesk_saslauthd[1332]: privileges set to (89:89) (effective 89:89)
Dec 13 11:56:14 Domain plesk_saslauthd[1332]: failed mail authentication attempt for user 'guest' (password len=7)
Dec 13 11:56:14 Domain postfix/smtpd[1330]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:56:15 Domain postfix/smtpd[1330]: disconnect from unknown[141.98.10.220]
Dec 13 11:56:44 Domain plesk_saslauthd[1332]: select timeout, exiting
Dec 13 11:56:48 Domain postfix/smtpd[1330]: warning: hostname df.earacheevince.com does not resolve to address 212.192.246.64
Dec 13 11:56:48 Domain postfix/smtpd[1330]: connect from unknown[212.192.246.64]
Dec 13 11:56:49 Domain plesk_saslauthd[1338]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:56:49 Domain plesk_saslauthd[1338]: privileges set to (89:89) (effective 89:89)
Dec 13 11:56:49 Domain plesk_saslauthd[1338]: failed mail authentication attempt for user 'fabela' (password len=5)
Dec 13 11:56:49 Domain postfix/smtpd[1330]: warning: unknown[212.192.246.64]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:56:49 Domain postfix/smtpd[1330]: disconnect from unknown[212.192.246.64]
Dec 13 11:57:19 Domain plesk_saslauthd[1338]: select timeout, exiting
Dec 13 11:58:09 Domain postfix/smtpd[1330]: warning: hostname sight.earacheevince.com does not resolve to address 212.192.246.17
Dec 13 11:58:09 Domain postfix/smtpd[1330]: connect from unknown[212.192.246.17]
Dec 13 11:58:10 Domain plesk_saslauthd[1376]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:58:10 Domain plesk_saslauthd[1376]: privileges set to (89:89) (effective 89:89)
Dec 13 11:58:10 Domain plesk_saslauthd[1376]: failed mail authentication attempt for user 'trafico' (password len=5)
Dec 13 11:58:10 Domain postfix/smtpd[1330]: warning: unknown[212.192.246.17]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:58:10 Domain postfix/smtpd[1330]: disconnect from unknown[212.192.246.17]
Dec 13 11:58:40 Domain plesk_saslauthd[1376]: select timeout, exiting
Dec 13 11:59:01 Domain dovecot: pop3-login: Login: user=<mysite_admin@ Domain .com>, method=CRAM-MD5, rip=174.119.73.190, lip=70.32.110.249, mpid=1413, TLS, session=<OoxJ/QnT2fOud0m+>
Dec 13 11:59:01 Domain dovecot: service=pop3, user=mysite_admin@ Domain .com, ip=[174.119.73.190]. Disconnected: Logged out rcvd=24, sent=8855, top=0/0, retr=0/0, del=0/96, size=11801535
Dec 13 11:59:45 Domain spamd[22648]: spamd: connection from Domain .com [127.0.0.1] at port 44602
Dec 13 11:59:45 Domain spamd[22647]: prefork: child states: I
Dec 13 12:00:20 Domain postfix/smtpd[1457]: warning: hostname tension.earacheevince.com does not resolve to address 212.192.246.28
Dec 13 12:00:20 Domain postfix/smtpd[1457]: connect from unknown[212.192.246.28]
Dec 13 12:00:20 Domain plesk_saslauthd[1459]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 12:00:20 Domain plesk_saslauthd[1459]: privileges set to (89:89) (effective 89:89)
Dec 13 12:00:20 Domain plesk_saslauthd[1459]: failed mail authentication attempt for user 'junior' (password len=5)
Dec 13 12:00:20 Domain postfix/smtpd[1457]: warning: unknown[212.192.246.28]: SASL LOGIN authentication failed: authentication failure
Dec 13 12:00:21 Domain postfix/smtpd[1457]: disconnect from unknown[212.192.246.28]
Dec 13 12:00:25 Domain postfix/smtpd[1457]: connect from unknown[37.0.10.29]
Dec 13 12:00:25 Domain plesk_saslauthd[1459]: failed mail authentication attempt for user 'joline' (password len=5)
Dec 13 12:00:25 Domain postfix/smtpd[1457]: warning: unknown[37.0.10.29]: SASL LOGIN authentication failed: authentication failure
 
My fail2ban.conf shows this. No SASL ban?

#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = DEBUG
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: ERROR
#
loglevel = INFO

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log

# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
# auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ] Default: auto
syslogsocket = auto

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400
 
Also, /var/log/fail2ban.log shows this, but there is no banned IP in the Plesk panel:
2021-12-13 13:17:03,561 fail2ban.filter [3889]: INFO [plesk-postfix] Found 212.192.241.186
2021-12-13 13:20:26,750 fail2ban.filter [3889]: INFO [plesk-postfix] Found 141.98.10.220
2021-12-13 13:22:30,865 fail2ban.filter [3889]: INFO [plesk-postfix] Found 136.144.41.197
2021-12-13 13:22:34,872 fail2ban.filter [3889]: INFO [plesk-postfix] Found 31.210.20.54
2021-12-13 13:24:04,963 fail2ban.filter [3889]: INFO [plesk-postfix] Found 2.56.59.40
2021-12-13 13:26:01,074 fail2ban.filter [3889]: INFO [plesk-postfix] Found 141.98.10.220
2021-12-13 13:26:34,108 fail2ban.filter [3889]: INFO [plesk-postfix] Found 212.192.246.75
2021-12-13 13:27:58,187 fail2ban.filter [3889]: INFO [plesk-postfix] Found 2.56.57.170
2021-12-13 13:31:16,372 fail2ban.filter [3889]: INFO [plesk-postfix] Found 212.192.246.179
2021-12-13 13:31:34,393 fail2ban.filter [3889]: INFO [plesk-postfix] Found 141.98.10.220
2021-12-13 13:33:59,570 fail2ban.filter [3889]: INFO [plesk-postfix] Found 212.192.246.148
2021-12-13 13:35:01,630 fail2ban.filter [3889]: INFO [plesk-postfix] Found 2.56.57.153
2021-12-13 13:36:48,737 fail2ban.filter [3889]: INFO [plesk-postfix] Found 212.192.246.7
2021-12-13 13:37:07,756 fail2ban.filter [3889]: INFO [plesk-postfix] Found 141.98.10.220
2021-12-13 13:37:10,761 fail2ban.filter [3889]: INFO [plesk-postfix] Found 2.56.57.142
2021-12-13 13:40:18,945 fail2ban.filter [3889]: INFO [plesk-postfix] Found 2.56.57.161
 
Added postfix_sasl in Plesk IP banning.
These are the settings now. Can someone make one that works? I don't see any banned IP addresses.
[POSTFIX_SASL]
enabled = true
filter = postfix-sasl
action = iptables-allports[iptables="iptables <lockingopt>", protocol="tcp", name="default", chain="INPUT", lockingopt="", returntype="RETURN", blocktype="REJECT --reject-with icmp-port-unreachable", port="ssh"]
logpath = /var/log/postfix_sasl.log
maxretry = 1
 
It picked up only a few.
It did not pick up this:
Dec 13 11:33:10 postfix/smtpd[934]: connect from unknown[31.210.20.54]
Dec 13 11:33:10 plesk_saslauthd[951]: failed mail authentication attempt for user 'proyecto' (password len=5)
Dec 13 11:33:10 postfix/smtpd[934]: warning: unknown[31.210.20.54]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:33:10 postfix/smtpd[934]: disconnect from unknown[31.210.20.54]
Dec 13 11:33:40 plesk_saslauthd[951]: select timeout, exiting

It did pick up this:
Dec 13 11:33:47 postfix/smtpd[934]: connect from unknown[141.98.10.220]
Dec 13 11:33:48 plesk_saslauthd[959]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Dec 13 11:33:48 plesk_saslauthd[959]: privileges set to (89:89) (effective 89:89)
Dec 13 11:33:48 plesk_saslauthd[959]: failed mail authentication attempt for user 'fax' (password len=7)
 
It's banning and unbanning automatically without me unbanning. What's going on?
There were 12 IPs, now there are 4 IPs in banned IPs.
 
See the last line in the conf you posted.

Reason: most probes come from dynamic IPs. The spammer will get a new one every 24h, which means you might block legitimate clients that get one of the blocked IPs later if you don't let the blocks expire. Also, systems that were hacked tend to get fixed eventually, so they could be allowed back too.
If you have identified rogue networks (by whois <ip>) that have no actual users you or your customers might be interested in and that don't adequately respond to abuse complaints, you can also block their whole net manually, e.g. like this:
root# route add -net 212.192.244.0/22 lo
which will stay in place until the next reboot.
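To make the two pieces of advice in this thread concrete (the postfix-sasl filter recommended earlier, and the point just above that bans are meant to expire), here is an added example, not code from the thread, from Plesk or from fail2ban itself. It replays what a fail2ban jail does over a handful of maillog lines: a simplified stand-in for the postfix-sasl failregex picks out the `postfix/smtpd ... SASL LOGIN authentication failed` warnings (the `plesk_saslauthd` lines and the successful `sasl_username=admin@...` line are deliberately not matched), an IP is banned once it reaches `maxretry` failures inside `findtime`, and the ban lapses after `bantime` without anyone clicking "unban" (that is the jail's own expiry; `dbpurgeage` in fail2ban.conf only controls how long expired bans stay in the sqlite database). A final helper groups the failing sources by /24 as input to the manual whois/route decision. The hostname `mx1`, the TEST-NET addresses and the usernames in `SAMPLE_LOG` are constructed; the regex is an assumption that covers the lines shown in this thread, not fail2ban's full filter.

```python
"""Replay of fail2ban-style ban/unban logic over Postfix SASL failures.

Added example for this thread; not Plesk's, Postfix's or fail2ban's own code.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's postfix-sasl failregex (assumption: the
# real filter is broader; this covers the smtpd warning lines seen in the thread).
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Constructed maillog excerpt: hostname "mx1", TEST-NET addresses, made-up users.
SAMPLE_LOG = """\
Dec 13 11:31:49 mx1 postfix/smtpd[934]: connect from unknown[203.0.113.10]
Dec 13 11:31:49 mx1 plesk_saslauthd[938]: failed mail authentication attempt for user 'shot' (password len=9)
Dec 13 11:31:49 mx1 postfix/smtpd[934]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:31:49 mx1 postfix/smtpd[934]: disconnect from unknown[203.0.113.10]
Dec 13 11:32:05 mx1 postfix/smtpd[934]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:32:30 mx1 postfix/smtpd[940]: warning: unknown[203.0.113.55]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:32:41 mx1 postfix/smtpd[934]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:33:12 mx1 postfix/smtpd[951]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 13 11:45:12 mx1 postfix/smtpd[1090]: DFB24873CB: client=mx1.example[127.0.0.1], sasl_method=LOGIN, sasl_username=admin@example.com
Dec 13 12:40:00 mx1 postfix/smtpd[1200]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
"""


def parse_failures(log_text, year=2021):
    """Return [(timestamp, ip)] for every line the failregex matches.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2021
    to match the thread).
    """
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def simulate_jail(events, maxretry=5, findtime=600, bantime=600, now=None):
    """Replay events through fail2ban-style jail logic.

    A host is banned when it accumulates maxretry failures inside a findtime
    window; the ban lapses bantime seconds later. Unbans are emitted as the
    clock (the next event, or `now`) passes an expiry time, which is why a
    banned list shrinks on its own. Returns [("ban"|"unban", time, ip)].
    """
    window = defaultdict(deque)  # ip -> failure timestamps inside findtime
    banned_until = {}            # ip -> expiry time of the active ban
    actions = []

    def expire(at):
        for b_ip, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
            if until <= at:
                actions.append(("unban", until, b_ip))
                del banned_until[b_ip]

    for ts, ip in sorted(events):
        expire(ts)
        if ip in banned_until:
            continue  # packets from a banned host never reach smtpd
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures that fell out of the findtime window
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            actions.append(("ban", ts, ip))
            q.clear()
    if now is not None:
        expire(now)
    return actions


def failures_by_prefix(events, prefixlen=24):
    """Count distinct failing source IPs per /prefixlen network.

    Several hosts out of one range (like the 212.192.246.x sources in the
    thread) is the signal that makes a whois lookup and a manual range block
    worth considering; this only summarises, it does not block anything.
    """
    nets = defaultdict(set)
    for _, ip in events:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[net].add(ip)
    return {str(n): len(ips) for n, ips in nets.items()}


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    for kind, when, ip in simulate_jail(evts, maxretry=3, findtime=120, bantime=600):
        print(f"{when:%H:%M:%S} {kind:5} {ip}")
    print(failures_by_prefix(evts))
```

Run with `python3 sasl_jail_replay.py`: 203.0.113.10 is banned at 11:32:41 on its third failure within two minutes and unbanned at 11:42:41, so when it comes back at 12:40:00 it starts from a clean counter, exactly the churn in the banned list the thread asks about. Lower `bantime` in a real jail has the same effect; `maxretry = 1` with a short window, as posted above, bans on the first failure and will also catch a customer who mistypes a password once.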
 