
spam originating from the server

qualispace

Regular Pleskian
Hello,

I have Plesk 8.0 running on a Red Hat EL 3.0 box. I have kept the relay closed and it requires SMTP authentication to send emails from the server. However, lately I have noticed that there are spam emails originating from the server. I have scanned the entire server, but could not find any kind of rootkit, malware, trojan or malicious script running on the server. Can anybody help me in understanding how to troubleshoot the issue?
 
Hi,

Thanks for the info. Your solution does not seem to help. All the emails show the following

qmail #### invoked from network.

When I run grep network /etc/passwd, I get

pantech:x:10314:10001::/home/httpd/vhosts/pantechnetworking.com:/bin/false

This is a user on the server. However, there is no malicious script or anything else which may create a problem. Even in the good emails, I get the same output: qmail #### invoked from network.

Does this mean that there is some problem in the server itself? Are there any suggestions for this?
 
Received: (qmail 14348 invoked from network); 14 Oct 2007 07:25:41 -0500
Received: from ev1s-67-15-197-19.ev1servers.net (HELO aywe) (203.67.219.107)
by ev1s-67-15-197-19.ev1servers.net with SMTP; 14 Oct 2007 07:25:41 -0500
Message-ID: <004164757613$45520551$18763225@aywe>
From: =?big5?B?pfi3fqVE?= <>
To: <[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>,
<[email protected]>
Subject: =?big5?B?plWsybXXrV6zrabxsXqmqKr4?=
Date: Sun, 14 Oct 2007 20:56:32 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0420_01423031.16021CE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3198
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
 
That means that the message is coming from the server: ev1s-67-15-197-19.ev1servers.net

So you either have a whitelist for that host (via poplocking or otherwise), or a compromised SMTP account.
 
Hello,

This is our own server from which the spam is originating. Can you help me in understanding the mail log file to catch the culprit?
 
I have noticed that all the spam generated is from the Taiwanese network. Is there a way I can block port 25 for the entire Taiwanese network?
 
Thanks a lot for your help. Can you tell me whether the Plesk Firewall is different from iptables, because after editing iptables I could not see the rules in the Plesk Firewall? If it is different from iptables, is there a command to add the rules to the Plesk Firewall?
 
For all who are facing a similar problem of spam being generated from the server, there is a simple way to find out the culprit. I would like to put it here so that everybody can take advantage of it.

I ran the following command as root:

tail -f /usr/local/psa/var/log/maillog | grep '<IP_Address>'

where <IP_Address> denotes the IP from which the spam is being generated.

You will get all the lines containing the IP address. Here I found out which user the spammer was authenticating as. I disabled the user and voila! The spam stopped.

If anybody is facing the same problem, follow the steps above and you are likely to catch the culprit.
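The grep above can be automated, and extended to the question the grep does not answer by itself: whether the same account is also being used from other addresses, which is the usual sign of a stolen password rather than a single abusive client. The script below is an added example, not something posted in this thread or shipped with Plesk. It assumes that Plesk's qmail records a successful SMTP AUTH login as "smtp_auth: smtp_auth: SMTP user USER : MAILDIR logged in from HOST [IP]"; the sample log excerpt is constructed with made-up accounts and documentation IP ranges, and LOGIN_RE should be checked against a real line from /usr/local/psa/var/log/maillog before relying on it.

```python
"""Find which SMTP AUTH account a spamming IP used, and which accounts
look compromised (used from many addresses).

Added example for this thread; not Plesk code. The smtp_auth log wording
below is an assumption; compare it with your own maillog before trusting it.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample maillog excerpt. Accounts, hosts and addresses are made
# up; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
Oct 14 07:25:40 mail smtp_auth: SMTP connect from unknown@unknown [203.0.113.7]
Oct 14 07:25:40 mail smtp_auth: smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales logged in from unknown@unknown [203.0.113.7]
Oct 14 07:25:41 mail relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.7:51022 (unknown)
Oct 14 07:25:41 mail qmail: 1192364741.123456 new msg 14348
Oct 14 07:26:02 mail smtp_auth: SMTP connect from unknown@unknown [198.51.100.20]
Oct 14 07:26:02 mail smtp_auth: smtp_auth: SMTP user bob@example.org : /var/qmail/mailnames/example.org/bob logged in from unknown@unknown [198.51.100.20]
Oct 14 07:31:17 mail smtp_auth: smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales logged in from unknown@unknown [203.0.113.7]
Oct 14 07:33:05 mail smtp_auth: smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales logged in from unknown@unknown [203.0.113.9]
Oct 14 07:40:59 mail smtp_auth: smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales logged in from unknown@unknown [192.0.2.44]
Oct 14 07:44:12 mail smtp_auth: smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales logged in from unknown@unknown [203.0.113.7]
"""

# Assumed format of one successful login: timestamp, account, source address.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtp_auth: smtp_auth: SMTP user "
    r"(?P<user>\S+) : \S+ logged in from \S+ \[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_logins(log_text):
    """Yield (timestamp, account, source_ip) for every successful SMTP AUTH login."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def users_for_ip(log_text, ip):
    """The thread's grep, automated: which accounts did this IP log in as, how often."""
    return Counter(user for _, user, src in parse_logins(log_text) if src == ip)


def ips_per_user(log_text):
    """Map each account to the set of addresses it authenticated from."""
    seen = defaultdict(set)
    for _, user, ip in parse_logins(log_text):
        seen[user].add(ip)
    return seen


def suspicious_users(log_text, min_ips=3):
    """Accounts used from at least min_ips distinct addresses: likely stolen credentials."""
    return sorted(u for u, ips in ips_per_user(log_text).items() if len(ips) >= min_ips)


if __name__ == "__main__":
    # usage: python find_spammer.py <ip> [maillog]  (defaults to the built-in sample)
    ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.7"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for user, n in users_for_ip(text, ip).most_common():
        print(f"{ip} authenticated as {user} {n} time(s)")
    for user in suspicious_users(text):
        print(f"{user} logged in from {len(ips_per_user(text)[user])} distinct addresses")
```

Disabling the account stops the current run of spam; changing its password (and checking the other accounts suspicious_users reports) stops the next one, because the spammer still holds the credentials that worked.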
 
I also have this trouble, but have not found a solution yet.

in /usr/local/psa/var/log/maillog.processed I have found

Mar 11 11:44:42 aresca6 relaylock: /var/qmail/bin/relaylock: mail from 127.0.0.1:44292 (localhost)
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: Handlers Filter before-queue for qmail started ...
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: [email protected]
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: [email protected]
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: hook_dir = '/var/qmail//handlers/before-queue'
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: recipient[3] = '[email protected]'
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: handlers dir = '/var/qmail//handlers/before-queue/recipient/[email protected]'
Mar 11 11:44:42 aresca6 qmail-queue-handlers[31446]: starter: submitter[31447] exited normally

and in /var/log/messages

Mar 11 11:44:42 aresca6 xinetd[2385]: START: smtp pid=31443 from=127.0.0.1
Mar 11 11:44:42 aresca6 xinetd[2385]: EXIT: smtp status=0 pid=31443 duration=0(sec)

Can anyone help me understand where the spam is being generated?
 
No, it is not a user of this server, and smtp_auth is not allowed.

On http://kb.swsoft.com/article_22_766_en.html

I read

Received lines like:

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from external_domain.com (192.168.0.1)

means that the message was accepted for delivery via SMTP and the sender is an authorized mail user.

But if SMTP is closed, how can this happen?
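The Received chain quoted in the KB article and earlier in this thread can be read mechanically. The script below is an added example, not from the thread, the KB article or Plesk. What it relies on is qmail's own wording: qmail-queue writes "(qmail N invoked from network)" when it was started by qmail-smtpd, and "(qmail N invoked by uid U)" when a local user U injected the message through qmail-inject or the sendmail wrapper. In the "from network" case the next Received line, written by qmail-smtpd, carries the peer's address, and that address is what distinguishes a remote client (which, with a closed relay, got in through SMTP AUTH or a whitelist such as POP-before-SMTP) from a process on the server itself talking SMTP to 127.0.0.1, which is what the xinetd "from=127.0.0.1" line in the previous post corresponds to. The sample headers are constructed with documentation IP ranges, and the classification labels are this script's, not qmail's.

```python
"""Classify how a message entered qmail from its top Received headers.

Added example; not thread, KB or Plesk code. Samples are constructed.
"""
import ipaddress
import re
import sys

# Constructed headers (documentation address 203.0.113.107, not the thread's message).
SAMPLE_REMOTE = """\
Received: (qmail 14348 invoked from network); 14 Oct 2007 07:25:41 -0500
Received: from mail.example.net (HELO aywe) (203.0.113.107)
  by mail.example.net with SMTP; 14 Oct 2007 07:25:41 -0500
From: sender@example.com
Subject: test
"""

# Constructed: a process on the box connected to port 25 on loopback.
SAMPLE_LOCAL = """\
Received: (qmail 31447 invoked from network); 11 Mar 2008 11:44:42 +0100
Received: from localhost (HELO localhost) (127.0.0.1)
  by localhost with SMTP; 11 Mar 2008 11:44:42 +0100
Subject: test
"""

# Constructed: local injection via the sendmail wrapper (uid 48 is apache on Red Hat).
SAMPLE_INJECT = """\
Received: (qmail 2201 invoked by uid 48); 11 Mar 2008 12:00:00 +0100
Subject: test
"""

QMAIL_RE = re.compile(
    r"\(qmail (?P<pid>\d+) invoked (?:(?P<net>from network)|by uid (?P<uid>\d+)|by (?P<alias>alias))\)"
)
# qmail-smtpd's line: "Received: from HOST (HELO helo) (IP) by ME with SMTP; date"; HELO part is optional.
PEER_RE = re.compile(
    r"^Received: from (?P<host>\S+)(?: \(HELO (?P<helo>[^)]*)\))? \((?P<ip>[0-9a-fA-F.:]+)\)", re.I
)
# Checked explicitly: ipaddress.is_private also covers documentation ranges, which we want treated as remote.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line:
            out.append(line)
    return out


def classify(raw):
    """Return a dict describing the entry path: local-inject, local-smtp, lan-smtp, remote-smtp, ..."""
    received = [h for h in unfold(raw) if h.lower().startswith("received:")]
    result = {"entry": "unknown", "pid": None, "uid": None, "peer_ip": None, "helo": None}
    if not received:
        return result
    m = QMAIL_RE.search(received[0])
    if not m:
        return result  # top Received header was not written by this server's qmail
    result["pid"] = int(m.group("pid"))
    if m.group("uid") is not None:
        result["uid"] = int(m.group("uid"))   # look this uid up in /etc/passwd
        result["entry"] = "local-inject"
        return result
    if m.group("alias"):
        result["entry"] = "alias"
        return result
    # "invoked from network": qmail-smtpd accepted it, peer is in the next Received header
    peer = PEER_RE.match(received[1]) if len(received) > 1 else None
    if not peer:
        result["entry"] = "network-unknown-peer"
        return result
    ip = ipaddress.ip_address(peer.group("ip"))
    result["peer_ip"] = str(ip)
    result["helo"] = peer.group("helo")
    if ip.is_loopback:
        result["entry"] = "local-smtp"    # something on this host spoke SMTP to 127.0.0.1
    elif any(ip in n for n in RFC1918):
        result["entry"] = "lan-smtp"
    else:
        result["entry"] = "remote-smtp"   # closed relay: SMTP AUTH or a whitelist let it in
    return result


if __name__ == "__main__":
    # usage: python qmail_entry.py [message-file]  (defaults to the remote sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REMOTE
    for key, value in classify(raw).items():
        print(f"{key}: {value}")
```

For a "local-smtp" result the maillog will not show an smtp_auth login, because nothing authenticated; the lead to follow is which local process opened the connection to port 25 at that second (netstat/lsof on a live box, or the web server's access log at the same timestamp). For "local-inject" the uid in the header names the account that ran the sendmail wrapper.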
 