
spam originating from the server

Discussion in 'Plesk for Linux - 8.x and Older' started by qualispace, Oct 13, 2007.

  1. qualispace

    qualispace Regular Pleskian

    26
    73%
    Joined:
    Mar 9, 2005
    Messages:
    102
    Likes Received:
    0
    Hello,

    I have Plesk 8.0 running on a Red Hat EL 3.0 box. I have kept the relay closed and it requires SMTP authentication to send emails from the server. However, lately I have noticed that there are spam emails originating from the server. I have scanned the entire server, but could not find any kind of rootkit, malware, trojan or malicious script running on the server. Can anybody help me in understanding how to troubleshoot the issue?
     
  2. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
  3. qualispace

    Hi,

    Thanks for the info. Your solution does not seem to help. All the emails show the following:

    qmail #### invoked from network.

    When I do a grep network /etc/passwd, I get

    pantech:x:10314:10001::/home/httpd/vhosts/pantechnetworking.com:/bin/false

    This is a user in the server. However there is no malicious script or anything which may create a problem. Even in the good emails, I get the same output qmail #### invoked from network.

    Does this mean that there is some problem in the server itself? Is there any suggestion for this?
     
  4. atomicturtle

    Can you paste the headers from one of the messages?
     
  5. qualispace

    Received: (qmail 14348 invoked from network); 14 Oct 2007 07:25:41 -0500
    Received: from ev1s-67-15-197-19.ev1servers.net (HELO aywe) (203.67.219.107)
    by ev1s-67-15-197-19.ev1servers.net with SMTP; 14 Oct 2007 07:25:41 -0500
    Message-ID: <004164757613$45520551$18763225@aywe>
    From: =?big5?B?pfi3fqVE?= <>
    To: <helenwu228@yahoo.com.tw>,
    <tjyang.groups@gmail.com>,
    <cc1000cc@pchome.com.tw>,
    <john82964@yahoo.com.tw>,
    <evo0911487587@yahoo.com.tw>,
    <wawooo543@yahoo.com.tw>,
    <b0313kiss@yahoo.com.tw>,
    <towered@mail2000.com.tw>,
    <nicolenicoletae@yahoo.com.tw>,
    <sa079602@yahoo.com.tw>,
    <bs3365@yahoo.com.tw>
    Subject: =?big5?B?plWsybXXrV6zrabxsXqmqKr4?=
    Date: Sun, 14 Oct 2007 20:56:32 +0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0420_01423031.16021CE0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3198
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
     
  6. atomicturtle

    That means that the message is coming from the server: ev1s-67-15-197-19.ev1servers.net

    So you either have a whitelist for that host (via poplocking or otherwise), or a compromised SMTP account.
     
  7. qualispace

    Hello,

    This is our own server from which the spam is originating. Can you help me in understanding the mail log file to catch the culprit?
     
  8. qualispace

    I have noticed that all the spam generated is from the Taiwanese network. Is there a way where I can block port 25 for the entire Taiwanese network?
     
  9. jwdick

    jwdick Guest

    0
     
  10. qualispace

    Thanks a lot for your help. Can you tell me if the Plesk Firewall is different from iptables, because after editing the iptables rules I could not see them in the Plesk Firewall? If it is different from iptables, is there a command to add the rules to the Plesk Firewall?
     
  11. qualispace

    For all who are facing the same problem of spam being generated from the server, there is a simple way to find out the culprit. I would like to put it here so that everybody can take advantage of it.

    I ran the following command as root:

    tail -f /usr/local/psa/var/log/maillog | grep '<IP_Address>'

    where <IP_Address> denotes the IP from which the spam is being generated.

    You will get all the lines containing the IP address. Here I found out which user the spammer was authenticating as. I disabled the user and voila! The spam stopped.

    If anybody is facing the same problem, follow the steps above and you are likely to catch the culprit.
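    The two manual steps in this thread, reading the TCP peer address out of the qmail-smtpd Received header (post 6) and then searching the maillog for that address to see which mailbox authenticated (post 11), as an added example that is not code from the thread or from Plesk. The headers are the ones pasted above; the maillog lines are constructed, and the "smtp_auth: SMTP user ... logged in from" wording is assumed to match Plesk's qmail build.

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines are constructed and
# the smtp_auth wording is an assumption about Plesk's qmail logging.

# Print the TCP peer address qmail-smtpd recorded in the first
# "Received: from <rdns> (HELO <name>) (<ip>)" header of a message file.
# qmail writes the real connecting IP in the last parenthesis, so that is
# the value to search the maillog for, not the "from" or "by" host names.
client_ip_from_received() {
    awk '/^Received: from / {
        n = split($0, p, "(")
        ip = p[n]
        sub(/\).*$/, "", ip)      # drop the trailing ")"
        sub(/^.*@/, "", ip)       # drop an optional "info@" prefix
        print ip; exit
    }' "$1"
}

# List "count mailbox" for every SMTP AUTH login from the given IP, busiest
# first. A peer of 127.0.0.1 (as in the relaylock/xinetd lines later in the
# thread) is a local process submitting to localhost:25 without AUTH, so
# nothing matches here and the search has to move to the web server logs.
auth_users_for_ip() {
    awk -v ip="$2" '
        /smtp_auth: SMTP user / && index($0, " from " ip) {
            for (i = 1; i < NF; i++) if ($i == "user") seen[$(i+1)]++
        }
        END { for (u in seen) print seen[u], u }' "$1" | sort -rn
}

# Constructed sample input shaped like the headers and maillog in the thread.
tmp=$(mktemp -d)
cat > "$tmp/msg.eml" <<'EOF'
Received: (qmail 14348 invoked from network); 14 Oct 2007 07:25:41 -0500
Received: from ev1s-67-15-197-19.ev1servers.net (HELO aywe) (203.67.219.107)
  by ev1s-67-15-197-19.ev1servers.net with SMTP; 14 Oct 2007 07:25:41 -0500
Subject: test
EOF
cat > "$tmp/maillog" <<'EOF'
Oct 14 07:25:40 ev1s smtp_auth: SMTP user weak@example.test : /var/qmail/mailnames/example.test/weak logged in from 203.67.219.107
Oct 14 07:25:41 ev1s relaylock: /var/qmail/bin/relaylock: mail from 203.67.219.107:3344 (unknown)
Oct 14 07:26:02 ev1s smtp_auth: SMTP user weak@example.test : /var/qmail/mailnames/example.test/weak logged in from 203.67.219.107
Oct 14 07:30:15 ev1s smtp_auth: SMTP user bob@example.test : /var/qmail/mailnames/example.test/bob logged in from 198.51.100.7
EOF

ip=$(client_ip_from_received "$tmp/msg.eml")   # 203.67.219.107
auth_users_for_ip "$tmp/maillog" "$ip"         # 2 weak@example.test
```

    Once the mailbox is known, disabling it (or changing its password) is the step post 11 describes; a burst of logins from one address against one mailbox is the pattern to look for.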
     
  12. musictus

    musictus Basic Pleskian

    24
    23%
    Joined:
    Jul 21, 2004
    Messages:
    58
    Likes Received:
    0
    I also have this trouble, but could not find a solution yet.

    in /usr/local/psa/var/log/maillog.processed I have found

    Mar 11 11:44:42 aresca6 relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:44292 (localhost)
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: Handlers Filter before-queue for qmail started ...
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: from=manojshimpi@cl.cam.ac.uk
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: to=thecamo@one.net.au
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: hook_dir = '/var/qmail//handlers/before-queue'
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: recipient[3] = 'thecamo@one.net.au'
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: handlers dir = '/var/qmail//handlers/before-queue/recipient/thecamo@one.net.au'
    Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: starter: submitter[31447] exited normally

    and in /var/log/messages

    Mar 11 11:44:42 aresca6 xinetd[2385]: START: smtp pid=31443 from=127.0.0.1
    Mar 11 11:44:42 aresca6 xinetd[2385]: EXIT: smtp status=0 pid=31443 duration=0(sec)

    Any help to understand where the spam is generated?
     
  13. qualispace

    Is manojshimpi@cl.cam.ac.uk running on the same server? If yes, then maybe it has a simple password and somebody is misusing it for sending out spam. You need to check it.
     
  14. musictus

    No, it is not a user of this server, and smtp_auth is not allowed.

    On http://kb.swsoft.com/article_22_766_en.html

    I read

    Received lines like:

    Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
    Received: from external_domain.com (192.168.0.1)

    means that the message was accepted for delivery via SMTP and the sender is an authorized mail user.

    But if SMTP is closed, how can this happen?
     