
Spam in Queue - "invoked by network" unable to find source

Discussion in 'Plesk for Linux - 8.x and Older' started by mikcanavan, Oct 22, 2008.

  1. mikcanavan

    I have read through numerous posts regarding "invoked by UID XX" but cannot apply the same solutions to my issue.

    Example header:

    Example of maillog:

    All I can see is FAILED - no successful logins? And as far as I can understand it - this person must have authenticated somehow, as I have the server set to require SMTP authentication.

    Any ideas how I can track down how this person is logging in?
     
  2. faris

    Where is that header from?

    The log does seem to indicate that IP is trying but failing to authenticate, and therefore not able to send email.

    But if you have headers I presume there's email somewhere?

    Faris.
     
  3. 4drob

    Did you ever figure this out? I'm seeing this on my server. Spam messages sent FROM one of my Plesk servers "invoked from network." According to http://kb.odin.com/en/766 this means a user is compromised, but I can't locate which. I found the IP, but /usr/local/psa/var/log/maillog is no help as it only shows:

    Dec 25 06:33:34 server relaylock: /var/qmail/bin/relaylock: mail from xx.xx.xx.xxx:14358
    Dec 25 06:33:34 server smtp_auth: SMTP connect from (null)@xx.xx.net [xx.xx.xx.xxx]
    Dec 25 06:33:34 server smtp_auth: smtp_auth: SMTP user ° /lib/plesk/mail/auth/passwd.db : logged in from (null)@xx.xx.net [xx.xx.xx.xxx]
    Dec 25 06:33:42 server relaylock: /var/qmail/bin/relaylock: mail from xx.xx.net [xx.xx.xx.xxx]
    Dec 25 06:33:42 server smtp_auth: SMTP connect from (null)@xx.xx.net [xx.xx.xx.xxx]
    Dec 25 06:33:42 server smtp_auth: smtp_auth: SMTP user /lib/plesk/mail/auth/passwd.db : logged in from (null)@xx.xx.net [xx.xx.xx.xxx]

    (replaced actual IP)
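
Added example, not part of the thread and not Plesk's own code: a Python script that reads smtp_auth lines in the shape quoted in the post above, groups successful logins by source IP, and lists the IPs whose login lines carry no account name. The sample log is constructed (documentation IP ranges), and the line with alice@example.com in the user field is an assumption about how a named login would appear.

```python
import re
from collections import defaultdict

# Constructed sample in the line shape quoted above; the alice@example.com line is an assumption.
SAMPLE_LOG = """\
Dec 25 06:33:34 server relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.7:14358
Dec 25 06:33:34 server smtp_auth: SMTP connect from (null)@host.example.net [203.0.113.7]
Dec 25 06:33:34 server smtp_auth: smtp_auth: SMTP user /lib/plesk/mail/auth/passwd.db : logged in from (null)@host.example.net [203.0.113.7]
Dec 25 06:33:42 server relaylock: /var/qmail/bin/relaylock: mail from host.example.net [203.0.113.7]
Dec 25 06:33:42 server smtp_auth: smtp_auth: SMTP user /lib/plesk/mail/auth/passwd.db : logged in from (null)@host.example.net [203.0.113.7]
Dec 25 07:10:05 server smtp_auth: smtp_auth: SMTP user alice@example.com : logged in from (null)@mail.example.org [198.51.100.9]
"""

# Successful login: the user field is whatever sits between "SMTP user" and ": logged in from".
LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmtp_auth:.*?SMTP user(?P<user>.*?):\s*"
    r"logged in from\s(?P<peer>\S+)\s\[(?P<ip>[^\]]+)\]"
)
# relaylock logs either "mail from IP:port" or "mail from host [IP]".
RELAY = re.compile(r"relaylock: mail from (?:\S+ \[)?(?P<ip>[\d.]+)")
MAILBOX = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def summarize_logins(log_text):
    """Per source IP: successful logins, account names seen, unnamed logins, relaylock lines."""
    stats = defaultdict(lambda: {"logins": 0, "accounts": set(), "unnamed": 0, "relaylock_hits": 0})
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["logins"] += 1
            name = MAILBOX.search(m["user"])
            if name:
                entry["accounts"].add(name.group())
            else:
                entry["unnamed"] += 1  # only a path or debris in the user field
            continue
        m = RELAY.search(line)
        if m:
            stats[m["ip"]]["relaylock_hits"] += 1
    return dict(stats)

def unattributed_sources(log_text):
    """IPs that logged in successfully but whose log lines never name an account."""
    return sorted(ip for ip, s in summarize_logins(log_text).items()
                  if s["logins"] and not s["accounts"])

if __name__ == "__main__":
    print(unattributed_sources(SAMPLE_LOG))
```

To run it against a real log, pass the contents of /usr/local/psa/var/log/maillog to `unattributed_sources` instead of `SAMPLE_LOG`.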
     