
SPAM attack

sebas

Basic Pleskian
We are getting tons of spam mail.

I know our server is configured so that relaying is closed and authorization is required to send mail. But they are using a sneaky trick to place the mail in the queue, because as far as I can tell they are not using an account to authorize, but they are using a domain that is hosted on our server.

Here is a bit from /var/log/messages:
Aug 17 12:03:12 canada7 xinetd[1429]: START: smtp pid=11924 from=::ffff:187.162.75.104
Aug 17 12:03:19 canada7 xinetd[1429]: START: smtp pid=13837 from=::ffff:171.99.143.254
Aug 17 12:03:22 canada7 xinetd[1429]: START: smtp pid=14423 from=::ffff:190.18.37.99
Aug 17 12:03:23 canada7 xinetd[1429]: EXIT: smtp status=0 pid=11924 duration=11(sec)
Aug 17 12:03:24 canada7 xinetd[1429]: START: submission pid=15369 from=::ffff:173.193.188.226
Aug 17 12:03:24 canada7 xinetd[1429]: EXIT: submission status=0 pid=15369 duration=0(sec)
Aug 17 12:03:25 canada7 xinetd[1429]: START: smtp pid=15513 from=::ffff:212.200.204.103

And here a bit from /usr/local/psa/var/log/maillog:
Aug 17 12:04:30 canada7 qmail-queue-handlers[21097]: Handlers Filter before-queue for qmail started ...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21029]: starter: submitter[21080] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21038]: starter: submitter[21096] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21041]: starter: submitter[21078] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'check-quota' handler
Aug 17 12:04:30 canada7 spf filter[21103]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler
Aug 17 12:04:30 canada7 spf filter[21104]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler
Aug 17 12:04:30 canada7 spf filter[21105]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: starter: submitter[21106] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21108]: Handlers Filter before-queue for qmail started ...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21109]: Handlers Filter before-queue for qmail started ...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: [email protected]
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: SKIP during call 'check-quota' handler
Aug 17 12:04:30 canada7 spf filter[21118]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: SKIP during call 'spf' handler

They are sending the mail from a lot of different machines.

I don't know how to stop it and I was wondering if you do.

Here are three samples.

Thanks for your help.

+++++++++++++++++++++++++++++++++++++++++++
Received: (qmail 14598 invoked from network); 17 Aug 2013 11:25:12 -0500
Received: from undef-pesochin-kh.maxnet.ua (HELO pjqwsp) (178.165.84.164)
by canada7.xxxxxxxxxx.com with ESMTPA; 17 Aug 2013 11:25:12 -0500
From: "Xwe Apife" <[email protected]>
To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
Subject:
Date: Sat, 17 Aug 2013 17:16:18 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-7

zy w
xaruwoq qonoxes kigytoz vup dyd http://www.sogz.ru/movies.htm
poqoz vydu wipoxa

+++++++++++++++++++++++++++++++++++++++++++

Received: (qmail 14983 invoked from network); 17 Aug 2013 11:25:18 -0500
Received: from mm-55-57-120-178.dynamic.pppoe.mgts.by (HELO kabemrylxeb) (178.120.57.55)
by canada7.xxxxxxxxxx.com with ESMTPA; 17 Aug 2013 11:25:17 -0500
Date: Sat, 17 Aug 2013 17:16:23 -0700
From: "Fvuso Jw" <[email protected]>
To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
Subject:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-7"

p me http://www.francoiscavallier.com/video.htm?narybatot r
xes g

+++++++++++++++++++++++++++++++++++++++++++

Received: (qmail 16013 invoked from network); 17 Aug 2013 11:25:32 -0500
Received: from unknown (HELO eunnbyspirt) (109.229.174.161)
by canada7.xxxxxxxxxx.com with ESMTPA; 17 Aug 2013 11:25:31 -0500
Subject:
Date: Sat, 17 Aug 2013 17:16:37 -0700
To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
From: "ko" <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

fyl seqel
fadyni kuwydu wyfev http://www.echipamentelaborator.ro/movie.htm saqa v gaci b
nyhekun papaq

+++++++++++++++++++++++++++++++++++++++++++
 
I have qmail stopped since this problem started, because we are getting something between 550 and 2000 spam mails a minute.

I disabled email service for the domain being used by the spammers, but the mail still gets in the queue.

This is what I did to disable it (the body pattern is written as an alternation, (video|movie); the character class [video|movie] would match any message containing one of those letters):
qmHandle -B'(video|movie)' && service qmail start && /usr/local/psa/bin/mail --off xxx.com.mx && service qmail stop && qmHandle -B'(video|movie)'

I'm using
qmHandle -B'(video|movie)'

to clean the queue.
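The two log excerpts and the three message samples above carry the facts that matter for triage: which sessions are still open in xinetd, which deliveries came in over an authenticated session (ESMTPA), what HELO and source address they used, and how many recipients each one carried. The following is an added example, not code from the original post, that parses exactly those formats. All sample data is constructed from the formats quoted above; example.com stands in for the redacted hosted domain, and the recipient addresses are placeholders.

```python
"""Triage helpers for the xinetd log lines and ESMTPA Received headers quoted
in the post. Added example; sample data is constructed, not taken from a real
server."""
import re
from collections import Counter

# /var/log/messages: "xinetd[1429]: START: smtp pid=11924 from=::ffff:1.2.3.4"
#                    "xinetd[1429]: EXIT: smtp status=0 pid=11924 duration=11(sec)"
XINETD_RE = re.compile(
    r'xinetd\[\d+\]: (?P<ev>START|EXIT): (?P<svc>\w+) (?:status=\d+ )?pid=(?P<pid>\d+) '
    r'(?:from=(?:::ffff:)?(?P<ip>[\d.]+)|duration=(?P<dur>\d+)\(sec\))'
)
# The second Received header of each sample: "from rdns (HELO x) (ip)\n  by host with ESMTPA;"
RECEIVED_RE = re.compile(
    r'^Received: from (?P<rdns>\S+) \(HELO (?P<helo>[^)]*)\) \((?P<ip>[\d.]+)\)\s+'
    r'by \S+ with (?P<proto>\w+);', re.M)
FROM_RE = re.compile(r'^From: .*?<(?P<addr>[^>]+)>', re.M)
TO_RE = re.compile(r'^To: (?P<list>.*)$', re.M)


def smtp_sessions(lines):
    """Pair xinetd START/EXIT lines by pid. Returns (open, closed): `open` maps
    pid -> (service, ip) for sessions with no EXIT yet, i.e. connections still
    being held by the client; `closed` maps pid -> duration in seconds."""
    open_, closed = {}, {}
    for line in lines:
        m = XINETD_RE.search(line)
        if not m:
            continue
        pid = int(m['pid'])
        if m['ev'] == 'START':
            open_[pid] = (m['svc'], m['ip'])
        else:
            open_.pop(pid, None)
            closed[pid] = int(m['dur'])
    return open_, closed


def message_summary(raw):
    """Source IP, HELO, whether the session authenticated (ESMTPA), the claimed
    sender and the recipient count for one raw message. A HELO without a dot is
    a bare word rather than a host name, which real mail servers do not send."""
    r = RECEIVED_RE.search(raw)
    f = FROM_RE.search(raw)
    t = TO_RE.search(raw)
    rcpts = [a.strip(' <>') for a in t['list'].split(',')] if t else []
    return {
        'ip': r['ip'], 'helo': r['helo'], 'authenticated': r['proto'] == 'ESMTPA',
        'sender': f['addr'] if f else None, 'rcpt_count': len(rcpts),
        'helo_suspicious': '.' not in r['helo'],
    }


def suspicious_sessions(raws):
    """IPs of authenticated sessions with a bare-word HELO: the pattern of the
    three samples (a bot submitting with a stolen mailbox password)."""
    return sorted({s['ip'] for s in map(message_summary, raws)
                   if s['authenticated'] and s['helo_suspicious']})


def per_domain_volume(raws):
    """Recipients per sender domain: the number a per-account throttle would act on."""
    c = Counter()
    for s in map(message_summary, raws):
        if s['sender']:
            c[s['sender'].rsplit('@', 1)[1]] += s['rcpt_count']
    return c


# Constructed samples in the formats quoted in the post.
XINETD_LOG = """\
Aug 17 12:03:12 canada7 xinetd[1429]: START: smtp pid=11924 from=::ffff:187.162.75.104
Aug 17 12:03:19 canada7 xinetd[1429]: START: smtp pid=13837 from=::ffff:171.99.143.254
Aug 17 12:03:22 canada7 xinetd[1429]: START: smtp pid=14423 from=::ffff:190.18.37.99
Aug 17 12:03:23 canada7 xinetd[1429]: EXIT: smtp status=0 pid=11924 duration=11(sec)
Aug 17 12:03:24 canada7 xinetd[1429]: START: submission pid=15369 from=::ffff:173.193.188.226
Aug 17 12:03:24 canada7 xinetd[1429]: EXIT: submission status=0 pid=15369 duration=0(sec)
""".splitlines()

SPAM_1 = """\
Received: (qmail 14598 invoked from network); 17 Aug 2013 11:25:12 -0500
Received: from undef-pesochin-kh.maxnet.ua (HELO pjqwsp) (178.165.84.164)
  by mail.example.com with ESMTPA; 17 Aug 2013 11:25:12 -0500
From: "Xwe Apife" <sales@example.com>
To: <a@example.net>, <b@example.net>, <c@example.net>, <d@example.net>
Subject:
Content-Type: text/plain; charset=utf-7

zy w
"""
SPAM_2 = """\
Received: (qmail 14983 invoked from network); 17 Aug 2013 11:25:18 -0500
Received: from unknown (HELO kabemrylxeb) (178.120.57.55)
  by mail.example.com with ESMTPA; 17 Aug 2013 11:25:17 -0500
From: "Fvuso Jw" <sales@example.com>
To: <e@example.net>, <f@example.net>, <g@example.net>
Subject:

p me
"""
LEGIT = """\
Received: (qmail 16101 invoked from network); 17 Aug 2013 11:26:02 -0500
Received: from mail.example.org (HELO mail.example.org) (203.0.113.5)
  by mail.example.com with SMTP; 17 Aug 2013 11:26:02 -0500
From: "Bob" <bob@example.org>
To: <info@example.com>
Subject: invoice

hello
"""

if __name__ == '__main__':
    still_open, finished = smtp_sessions(XINETD_LOG)
    print('open sessions:', still_open)
    print('authenticated bare-HELO sources:', suspicious_sessions([SPAM_1, SPAM_2, LEGIT]))
    print('recipients per sender domain:', per_domain_volume([SPAM_1, SPAM_2, LEGIT]))
```

The open-session list is the set of pids you would look at before restarting anything; the per-domain count shows which hosted domain's credentials are being used, which is the account to reset even when the log does not name the mailbox.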
 
Please see my reply to your post on the atomic forum.

Basically, once a spammer authenticates, they very often send as many messages as they can during that session. They do not repeatedly authenticate for each message they send.

Changing the password doesn't help immediately, because the change has no effect on an established connection.

Similarly, restarting qmail has no effect on an established connection. You have to manually kill all the established qmail processes, which you can see using netstat -avnp (or just restart the server)

I would normally also say that psmon (which you will have installed if you have asl) will automatically restart qmail if you stop it, but the last time I looked it didn't do so.
 
Also, I would add that the spammer's qmail smtp session can last a long time. I forget what the session timeout is in qmail, but it is way too long - hours, I think.
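The point in the reply above is that a password change or a qmail restart does nothing to an SMTP session that is already established; only ending the process that holds the socket does. As an added example (not from the reply's author), here is the `netstat -anp` inspection turned into something repeatable: parse the output, keep only ESTABLISHED inbound connections on the mail ports, group them by remote address, and terminate them. The netstat text below is constructed, and the process names in it are assumed for illustration; on a real host feed the function the output of `netstat -anp` itself.

```python
"""Find and end established inbound SMTP sessions from `netstat -anp` output.
Added example; the sample netstat text and process names are constructed."""
import os
import re
import signal
from collections import defaultdict

# netstat -anp columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
NETSTAT_RE = re.compile(
    r'^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'(?P<state>[A-Z_]+)\s+(?P<pid>\d+)/(?P<prog>\S+)', re.M)

MAIL_PORTS = {25, 465, 587}


def established_mail_sessions(netstat_output, ports=MAIL_PORTS):
    """Return [(pid, remote_ip, program)] for ESTABLISHED sessions whose *local*
    port is a mail port. Outbound deliveries (qmail-remote) have the mail port
    on the remote side and are left alone; LISTEN and TIME_WAIT rows have no
    pid/program column that matches and drop out of the regex."""
    sessions = []
    for m in NETSTAT_RE.finditer(netstat_output):
        if m['state'] != 'ESTABLISHED' or int(m['lport']) not in ports:
            continue
        sessions.append((int(m['pid']), m['raddr'].replace('::ffff:', ''), m['prog']))
    return sessions


def sessions_by_ip(sessions):
    """Group pids by remote address: one spammer often holds several sessions."""
    grouped = defaultdict(list)
    for pid, ip, _ in sessions:
        grouped[ip].append(pid)
    return dict(grouped)


def kill_sessions(sessions, dry_run=True, sig=signal.SIGTERM):
    """Signal every session process. Dry run by default: returns the pids that
    would be signalled. Processes that exited in the meantime are skipped."""
    done = []
    for pid, _, _ in sessions:
        if not dry_run:
            try:
                os.kill(pid, sig)
            except ProcessLookupError:
                continue
        done.append(pid)
    return done


# Constructed `netstat -anp` output; 203.0.113.10 is the server's own address.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1429/xinetd
tcp        0      0 ::ffff:203.0.113.10:25  ::ffff:178.165.84.164:51234 ESTABLISHED 13837/qmail-smtpd
tcp        0      0 ::ffff:203.0.113.10:25  ::ffff:178.165.84.164:51240 ESTABLISHED 14423/qmail-smtpd
tcp        0      0 ::ffff:203.0.113.10:587 ::ffff:171.99.143.254:40001 ESTABLISHED 15513/qmail-smtpd
tcp        0      0 ::ffff:203.0.113.10:43210 ::ffff:198.51.100.7:25  ESTABLISHED 16001/qmail-remote
tcp        0      0 ::ffff:203.0.113.10:25  ::ffff:190.18.37.99:3321 TIME_WAIT   -
"""

if __name__ == '__main__':
    live = established_mail_sessions(NETSTAT_SAMPLE)
    print('inbound sessions by remote IP:', sessions_by_ip(live))
    print('would terminate pids:', kill_sessions(live, dry_run=True))
```

Run it with `dry_run=False` only after the mailbox passwords have been reset, otherwise the bot simply reconnects with the old credentials; the reply above gives the order: disable, kill, reset, re-enable.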
 
Hi Faris,

You were right. I went through the whole cycle and it worked.

Disable, kill all qmails, reset passwords, re-enable.

Cheers,
 
I think my server has the same problem. Did you ever find out how access was gained? My host speculated that they brute-forced a password for an SMTP email account. I'm having problems identifying the email account that may be compromised, as the "account" name is not showing an existing smtp account username, but the server alias. Any suggestions?

It would be useful if Plesk could be more helpful in fixing issues like this. I'd like to see options to:

a. Throttle the number of emails that can be sent from an account, my mail queue was showing 640295 messages.
b. Disable accounts that attempt to send more than set number of emails per minute/hour
c. Identify how many emails come from each account (so you can identify spam/vulnerabilities more easily)
d. Cut qmail sessions
e. List email accounts with "weak" passwords.
 
We did not find how they got access to the account. But since the account was from a domain that has had problems with viruses in the past, we assumed that was the way they got the SMTP email account and password.

We had the same problem identifying the account. What we did was a password reset on all the accounts on that domain.

I totally agree with you, it would be great to see those options you mention.
 
1. My host is now suggesting that my cause of this is malware. They are doing a scan. Is there another way to find if there is an offending script, without having to go through every website individually?

2. My maillog also shows connections from Russia and China, which would seem to suggest random attempts at guessing vulnerable accounts. I'm sure others would also be aware of their IP addresses. Is there a way to auto-blacklist and firewall such problematic IP ranges?

3. Is it not possible to reduce brute-force attacks by requiring attempts at least 5 seconds apart? I can't see why you would let someone try several password attempts per second.
 
Looks interesting, thanks for that. I had a quick look to see whether Parallels recommends it, and perhaps offers it at a discount, but unfortunately not.
 
If there's a script that's causing this then identifying that script and stopping it would be top priority. There could have been a customer that had a very insecure password as well that allowed a bot to eventually gain access. I would suggest using something such as Fail2Ban in order to prevent these types of attacks in the future.

Even if access was gained through a malicious script, it's always good to have other preventative measures in place. On our servers we auto-ban approximately 10 IPs a day, most of them coming from China and targeting postfix. Consider checking out the below links for more information on integrating Fail2Ban with Plesk.

Installing Fail2Ban on Centos with Plesk

Permanently Ban Repeat Offenders With Fail2Ban

We hope that helps!
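Both the question a few posts up (why allow several password attempts per second; can offending addresses be firewalled automatically) and the Fail2Ban suggestion above come down to the same mechanism: match failed-login lines, count them per source address inside a time window, and ban the address once a threshold is reached, with repeat offenders banned for longer. The following is an added example, not the project's or the poster's code, that implements that mechanism in plain Python so the filter and the thresholds can be tested against log lines before anything is put into a real jail. The first failregex is Fail2Ban's stock courier-auth pattern for Courier-IMAP's "LOGIN FAILED" line; the second is an assumed shape for Plesk's smtp_auth failure line and must be checked against the actual maillog before use. All log lines below are constructed.

```python
"""Fail2Ban-style sliding-window banning over mail-login failures.
Added example; log lines are constructed and the smtp_auth line format is an
assumption to verify against the real maillog."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex in Fail2Ban syntax; <HOST> is Fail2Ban's placeholder for the address.
FAILREGEX = [
    r'LOGIN FAILED, user=\S+, ip=\[<HOST>\]$',                          # courier-auth (stock)
    r'smtp_auth: FAILED: \S+ - password incorrect from \S+ \[<HOST>\]$',  # ASSUMED Plesk format
]
HOST = r'(?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})'  # strips the IPv4-mapped prefix
SYSLOG_TS = re.compile(r'^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) ')


def compile_failregex(patterns):
    """Translate Fail2Ban patterns to Python regexes (only <HOST> is expanded)."""
    return [re.compile(p.replace('<HOST>', HOST)) for p in patterns]


def parse_ts(line, year=2013):
    """Syslog timestamps carry no year; it is supplied by the caller."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", '%Y %b %d %H:%M:%S')


class Jail:
    """Ban a host after `maxretry` matches within `findtime` seconds, for
    `bantime` seconds times the number of previous bans (recidive-style
    escalation). Bans are recorded, not applied; a real jail runs an
    iptables/ipset action at that point."""

    def __init__(self, patterns, maxretry=5, findtime=600, bantime=3600):
        self.res = compile_failregex(patterns)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)      # host -> timestamps inside the window
        self.banned = {}                    # host -> ban expiry
        self.ban_count = defaultdict(int)   # host -> how many times banned

    def feed(self, line):
        """Process one log line; return the host if this line triggered a ban."""
        for r in self.res:
            m = r.search(line)
            if m:
                break
        else:
            return None
        host, ts = m['host'], parse_ts(line)
        if host in self.banned and ts < self.banned[host]:
            return None  # already banned; a firewall rule would have dropped this
        q = self.hits[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            self.ban_count[host] += 1
            self.banned[host] = ts + timedelta(seconds=self.bantime * self.ban_count[host])
            q.clear()
            return host
        return None


def run_jail(lines, **kw):
    """Feed every line through a fresh Jail; return (jail, hosts banned in order)."""
    jail = Jail(FAILREGEX, **kw)
    bans = [h for h in (jail.feed(line) for line in lines) if h]
    return jail, bans


# Constructed sample: a burst from 203.0.113.9, slow attempts from 198.51.100.20,
# unrelated qmail noise, then a second burst after the first ban has expired.
SAMPLE_LOG = (
    [f'Aug 17 12:00:0{i} canada7 imapd: LOGIN FAILED, user=info@example.com, ip=[::ffff:203.0.113.9]'
     for i in range(1, 6)]
    + ['Aug 17 12:00:30 canada7 smtp_auth[2001]: smtp_auth: FAILED: sales@example.com - password incorrect from unknown [198.51.100.20]',
       "Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler",
       'Aug 17 12:15:30 canada7 smtp_auth[2002]: smtp_auth: FAILED: sales@example.com - password incorrect from unknown [198.51.100.20]',
       'Aug 17 12:30:30 canada7 smtp_auth[2003]: smtp_auth: FAILED: sales@example.com - password incorrect from unknown [198.51.100.20]']
    + [f'Aug 17 13:30:0{i} canada7 imapd: LOGIN FAILED, user=info@example.com, ip=[::ffff:203.0.113.9]'
       for i in range(1, 6)]
)

if __name__ == '__main__':
    jail, bans = run_jail(SAMPLE_LOG)
    print('bans in order:', bans)
    print('expiry:', {h: t.isoformat() for h, t in jail.banned.items()})
```

Three slow attempts fifteen minutes apart never reach the threshold, which is the trade-off a findtime sets: a patient attacker stays under it, so the window and retry count should be chosen against the rate seen in the real maillog rather than left at defaults.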
 
I've voted on that months ago. Even if it does become integrated into Plesk there's no telling if it will have full integration with the Panel login vs the services on the server. The filters and jails change according to the flavor of OS and on installed options, logging locations etc.

Either way, we've come up with solutions for protecting all aspects of Plesk with Fail2Ban, even invalid webmail and control panel logins.
 
We just installed Fail2Ban, and it's stopping up to half a dozen attempts per day. I'm surprised it is not installed as standard.
 