• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Spam sent from limited mailbox

S

SalvadorS

Regular Pleskian
Hello,

Today in a plesk 12 with mail control (20 mails per hour per mailbox) a spammer stole a password of a mailbox and send nearly 1000 mails in two hours.

How can it is possible? Also in the stats I see 0 mails sent. In the logs (var/log/mail.log) I see the spam wast sent from a mailbox...

Is the anything wrong?
 
@SalvadorS,

Nothing is "wrong", in the sense that a mail account can be "taken over" (i.e. the spammer obtained the password, without hacking you. For instance, the customer can be the spammer or the customer could have been careless with the password) OR the mail account can be "hacked" (the spammer "brute-forced" the password).

In both cases, you should change the password immediately AND block the IP from the spammer in the firewall (make a rule with the options "deny, on all ports").

It is adviceable to prevent these kind of situations in the future, the installation of the Fail2Ban module in Plesk can help significantly.

With respect to the statistics: it can be the case that it takes some time for the spam mails to become visible.

In short,

- change password of the mail account,
- block IPs from the spammer in the firewall,
- install Fail2Ban (in order to prevent future brute-forcing of any kind)

and, in addition, it can be advised to check your servers reputation on senderbase.org and the DNSBL blacklist (for instance, those of spamhause.org).

Kind regards.....
 
Dear Trialotto,

Thanks for your extended and helpful reply. But the questions is not how it happened and why. The question is why plesk does not limited the send of the mails (is set to 20 per domain per hour) and allow to send hundreds...

Also I check the statistics on the server and in all the domains are 0 mails sent per hour which is not true so it seems that the outgoing mail control does´t work. How can I check this?

Also I checked this KB http://kb.odin.com/en/123095 but is not the problem
 
Last edited:
@SalvadorS,

In response to your post, let´s break down the text in your post:

SalvadorS said:
The question is why plesk does not limited the send of the mails (is set to 20 per domain per hour) and allow to send hundreds...
Click to expand...

The above is not strange and can be caused by a situation in which the domain (as hosted with Plesk) is not actually sending the mail, whereas the server (on which Plesk has been installed) does send mails, with either the server functioning as an (improper) mail relay or a script sending mails from the server.

For instance, a script (i.e. often a hack, resulting in a spam script) can use the php mail() function to send mails (directly) from the server.

SalvadorS said:
Also I check the statistics on the server and in all the domains are 0 mails sent per hour which is not true ...
Click to expand...

As stated before, it can be true that the domain does not actually send mails. Hence, it can be the case that statistics for the domain are correct and zero, even though the whole server sends many mails.

Note that the above also implies that the outgoing mail control actually works, but does not apply to mails sent via a spam script.

SalvadorS said:
How can I check this?
Click to expand...

In essence, many countermeasures have to be initiated and/or deployed to reduce spam to the absolute minimum, even though spam cannot be completely removed.

Some of these countermeasures have already been given in my earlier post.

In addition, one should implement "good practice" in the form of:

a) block specific IP addresses (permanently) in the firewall, given the fact that some spammers are making use of a very consistent IP Block range (note that, with the fail2ban module, you can keep track of bad IPs and it is very likely that you can deduce certain IP blocks, that can consequently be blocked permanently by a firewall rule),

b) disable the php mail() function, which is possible on a domain-per-domain basis and/or for the whole server (note that some basic additional comments can be found here: http://talk.plesk.com/threads/mail-...its-possible-to-send-spam.332604/#post-777973 ),

c) disable specific script functions on all domains (note that Plesk allows a lot of scripting languages by default and, in most cases, not all of these languages are used. Allowing all scripting languages increases the risk of having spam scripts sending huge amounts of mails),

d) make sure that Wordpress is always or, even better, automatically updated to the newest version (note that Wordpress and primarily Wordpress plugins are vulnerable to script injection, a possibility that has been used by many spammers. Latest versions of Wordpress reduce the risk of script injection and disallowing specific, unreliable plugins reduces the risk on spam even more),

e) investigate php files and certainly those of Wordpress, search for strange lines of code in the php files (these lines of strange code are often spam scripts or code),

f) always use spamfilters, to check for both incoming AND outgoing spam,

and so on.

In short, it may be a lot of work to reduce spam, but in the long run it becomes easier and less time-consuming, IF you have fail2ban and use the method from point a).

Hope the above gives you a general idea of how to "attack spam".

Kind regards....
 
Dear Trialotto,

Thanks again for your answer. Thanks a lot. But I think I don´t explain myself too good...

The spam was sent from a mailbox. Not a script, not php mail function... a mailbox. That mailbox is set to send 20 mails per hour (Plesk 12, outgoing mail control) but it sent more than 20 (more than 200)

Also if I check any stats of any mailbox of the server I see 0 mails sent in then last 24 hours. That is not true.

So outgoing mail control is not working. Can anybody tell me how can I reactivate (I never disable it, only install plesk 12 with outgoing mail control) this feature?

Thanks
 
@SalvadorS,

No worries, you are explaining it very well.

Let´s investigate the issue, to determine whether it is limited to your case or it is some general problem.

First of all, can you provide me with some (relevant) parts of the output of the maillog?

Second, some information about your OS would be nice, in order to be able to replicate your specific settings on a VM.

Third and last, restart your mailserver (Postfix or Qmail) from the command line (this potentially resolves the statistics issue).

Kind regards....
 
Hi SalvadorS,

Plesk comes with a bunch of CLI - commands, which are all documented at:



In your case, you could have a closer look at "Mail Server Settings: mailserver Utility" ( http://download1.parallels.com/Plesk/Doc/en-US/online/plesk-unix-cli/index.htm?fileName=37779.htm )
The settings ...
Code: 
    --enable-outgoing-antispam

    --disable-outgoing-antispam

    --set-outgoing-messages-mbox-limit <number>

    --set-outgoing-messages-domain-limit <number>

    --set-outgoing-messages-subscription-limit <number>

    --set-outgoing-messages-enable-sendmail <true|false>

    --set-outgoing-messages-report-period <P1D|P1W|P2W|P1M>

    --set-outgoing-messages-notification-period <PT15M|PT1H|PT6H|PT12H|P1D>

... might help you, if you wish to modify your global mailserver - settings over the command line.


Plesk has as well CLI command utilities for hosting plans and subscription settings:



Example commands could look like:

/usr/local/psa/bin/mailserver --enable-outgoing-antispam --set-outgoing-messages-mbox-limit 50

/usr/local/psa/bin/service_plan --update "Service-Plan-Name-with-Mailbox-limit-20-per-hour" -outgoing-messages-mbox-limit 20

/usr/local/psa/bin/subscription_settings --update example-domain.com -outgoing-messages-mbox-limit 20
 
SalvadorS said:
Is there any command to check if outgoing email control is activated?
Click to expand...

This command shows the global settings for the mailserver:
/usr/local/psa/bin/mailserver --info options

This command shows the settings for the service plan with the name "Service-Plan-Name":
/usr/local/psa/bin/service_plan --info SERVICE-PLAN-NAME

This command shows the settings for the subscription with the name "example-domain.com":
/usr/local/psa/bin/subscription_settings --info example-domain.com


... but please, SalvadorS, use the reference, if you would like to know commands and its usage... they are well explained and easy to use. You can use the command "--help" over the command line after each utility, to list all available commands for it.

Examples:
/usr/local/psa/bin/mailserver --help
/usr/local/psa/bin/service_plan --help
/usr/local/psa/bin/subscription_settings --help
 
You must log in or register to reply here.

Similar threads

D
Question get spam sent out
Replies
7
Views
935
Detlef D.
D
datea.services
Question Attempts to exceed outgoing limits: log of mails not sent
Replies
4
Views
1K
Peter Debik
P
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
B
Question Queue emails after outgoing limit has been reached
Replies
4
Views
974
BradGML
B
Cordal
Resolved stop sending spam
Replies
12
Views
2K
Change Maker
C
Back
Top