
Question spam from local host 127.42.0.0

costaskal

Basic Pleskian
OS Ubuntu 14.04.3 LTS
Plesk version 12.5.30 Update #74, last updated at Mar 7, 2018 02:54 AM

My server is sending spam from local host 127.42.0.0. I cannot find out whether it is a script or a hacked account.

smtp headers
--------------------------------------------------------------------------------------------------------------------------
Received: from MYSERVERNAME(unknown [127.42.0.0])
by MYSERVERNAME(Postfix) with ESMTP id A4FB7FE1
for <[email protected]>; Thu, 8 Mar 2018 23:34:47 +0200 (EET)
Received-SPF: pass (MYSERVERNAME: localhost is always allowed.) client-ip=127.42.0.0; [email protected]; helo=MYSERVERNAME;
Date: Thu, 8 Mar 2018 23:34:47 +0000
From: Glenda Spencer Administration <[email protected]>
Tits-Predicted-Cornucopia: CD139A1B1C
Content-Type: text/html; charset="UTF-8"
To: "[email protected]" <[email protected]>
Content-Transfer-Encoding: 7bit
Tentacles-Evaluation-Outvotes: 1e849895e4
MIME-Version: 1.0
Subject: Update photos you love
Slipped-Ailments-Terming: 3E1D883E827F
Eccentricity-Crossing-Rent: 7F5EC233
Assigns-Marilyn: vanishingly
Message-ID: <[email protected]>
-------------------------------------------------------------------------------------------------------------
domain iae.nl is a foreign domain for my server
Any suggestions?
 
In /var/log/maillog you will find entries that define who is submitting the mail to the SMTP server. In your case this will be one of the subscription accounts.
 
I'm pasting the log so you can see that it has no helpful info. For privacy, I removed sensitive data.

Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/smtpd[18069]: A4FB7FE1: client=unknown[127.42.0.0]
Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/cleanup[18074]: A4FB7FE1: message-id=<[email protected]>
Mar 8 23:33:35 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: Message aborted.
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: SKIP
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: SKIP during call 'check-quota' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18078]: Starting spf filter...
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18078]: SPF result: pass
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18078]: SPF status: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: PASS during call 'spf' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: SKIP
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: SKIP during call 'check-quota' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/qmgr[18357]: 93A2BFDE: from=<[email protected]>, size=1985, nrcpt=1 (queue active)
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18080]: Starting spf filter...
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18080]: SPF result: pass
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18080]: SPF status: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: PASS during call 'spf' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: SKIP
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: SKIP during call 'check-quota' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/smtpd[18007]: disconnect from unknown[127.42.0.0]
 
Back to one of your questions: this is for sure a hacked account. If it were an SMTP login, you'd see a line with "postfix/pickup" or at least the word "pickup" in it. This is not the case, so here the mail is submitted by a script from localhost. It does not need to authenticate.

It is rare that neither the X-Mailer line is included in the header nor the sender account is mentioned in the log. In this case I suggest lowering the overall mail-out limit and seeing which of your subscriptions exceeds the limit.
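The two replies above rely on reading /var/log/maillog to work out how each message entered Postfix and which account is behind a burst of mail. The script below is an added example written for this thread; it is not part of the original posts and not Plesk's own tooling. It assumes the stock Postfix log formats: a local sendmail(1) submission (for instance a PHP mail() call) shows up as a postfix/pickup line carrying the uid of the submitting system user, an SMTP session shows up as a postfix/smtpd line with client=host[ip] that carries sasl_username= only when the session authenticated, and the qmgr line for the same queue ID gives the sender and recipient count. A loopback client with no sasl_username, as in the poster's log, is flagged as an unauthenticated local SMTP submission. The log lines in the block are constructed samples using documentation addresses, not lines from the thread. The per-origin recipient totals implement the second reply's idea of finding the subscription that exceeds a mail-out limit.

```python
"""Classify Postfix maillog entries by how each message entered the queue.

Added example for the forum thread above; not from Plesk or the original
posts. Assumes standard Postfix pickup/smtpd/qmgr log formats.
"""
import ipaddress
import re
from collections import Counter

PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")

# Constructed sample log (hostname, queue IDs and addresses are made up).
SAMPLE_LOG = [
    "Mar  8 23:34:47 mx1 postfix/smtpd[18069]: A4FB7FE1: client=unknown[127.42.0.0]",
    "Mar  8 23:34:47 mx1 postfix/qmgr[18357]: A4FB7FE1: from=<[email protected]>, size=1985, nrcpt=120 (queue active)",
    "Mar  8 23:34:52 mx1 postfix/smtpd[18069]: B1C2D3E4: client=unknown[127.42.0.0]",
    "Mar  8 23:34:52 mx1 postfix/qmgr[18357]: B1C2D3E4: from=<[email protected]>, size=2010, nrcpt=95 (queue active)",
    "Mar  8 23:35:01 mx1 postfix/pickup[18100]: C5D6E7F8: uid=10001 from=<[email protected]>",
    "Mar  8 23:35:01 mx1 postfix/qmgr[18357]: C5D6E7F8: from=<[email protected]>, size=900, nrcpt=1 (queue active)",
    "Mar  8 23:36:10 mx1 postfix/smtpd[18200]: D9E0F1A2: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=[email protected]",
    "Mar  8 23:36:10 mx1 postfix/qmgr[18357]: D9E0F1A2: from=<[email protected]>, size=1200, nrcpt=3 (queue active)",
    "Mar  8 23:37:30 mx1 postfix/smtpd[18300]: E3F4A5B6: client=unknown[198.51.100.7]",
    "Mar  8 23:37:30 mx1 postfix/qmgr[18357]: E3F4A5B6: from=<[email protected]>, size=3000, nrcpt=1 (queue active)",
]


def _is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def classify(lines):
    """Return {queue_id: record}; record['path'] says how the mail was submitted."""
    records = {}
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            # pickup: injected via the local sendmail binary; uid names the system user
            records.setdefault(m["qid"], {}).update(
                path="local-sendmail", origin="uid=" + m["uid"], sender=m["sender"])
            continue
        m = SMTPD_RE.search(line)
        if m:
            sasl = SASL_RE.search(m["rest"])
            if sasl:
                path, origin = "smtp-auth", "sasl=" + sasl["user"]
            elif _is_loopback(m["ip"]):
                # loopback client, no SASL: something on this host spoke SMTP to port 25
                path, origin = "smtp-loopback-noauth", "ip=" + m["ip"]
            else:
                path, origin = "smtp-remote-noauth", "ip=" + m["ip"]
            records.setdefault(m["qid"], {}).update(path=path, origin=origin)
            continue
        m = QMGR_RE.search(line)
        if m:
            records.setdefault(m["qid"], {}).update(
                sender=m["sender"], size=int(m["size"]), nrcpt=int(m["nrcpt"]))
    return records


def recipients_per_origin(records):
    """Total recipients per submitting origin (uid, SASL user or client IP)."""
    totals = Counter()
    for rec in records.values():
        if "origin" in rec:
            totals[rec["origin"]] += rec.get("nrcpt", 0)
    return totals


def over_limit(records, limit):
    """Origins whose recipient total exceeds the mail-out limit, highest first."""
    return [(o, n) for o, n in recipients_per_origin(records).most_common() if n > limit]


if __name__ == "__main__":
    recs = classify(SAMPLE_LOG)
    for qid, rec in recs.items():
        print(qid, rec.get("path"), rec.get("origin"), rec.get("sender"), rec.get("nrcpt"))
    for origin, n in over_limit(recs, 100):
        print(f"over limit: {origin} reached {n} recipients")
```

On a Plesk box the uid from a pickup line maps to a subscription's system user, and a sasl_username maps to a mailbox, so either one names the account to inspect or lock; a loopback client with no SASL name, as in this thread, only tells you the mail came from a process on the server itself, which is why the reply above recommends the mail-out limit to narrow it down.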
 