
spam spam spam

Discussion in 'Plesk for Linux - 8.x and Older' started by Guftak69, Jul 10, 2006.

  1. Guftak69

    Guftak69 Guest

     
    Hi, how do I stop this: qmail-remote msa.hinet.net qvaztabdbn@yahoo.com.sg sam.cu6177@msa.hinet.net
    My server seems to be used for spamming. This is my mail configuration under Plesk:
    Relaying
    ----authorization is required
    ----- Pop 3 Lock time 20 Min
    Check the password for mailboxes in the dictionary
    Enable SPF spam protection
    Reject mails when SPF resolves to "softfail"
    include:spf.trusted-forwarder.org
    a/24 mx/24 ptr
    No user account
    Enabled MAPS spam protection
    sbl-xbl.spamhaus.org
    Only use of full POP3/IMAP mail accounts names is allowed checked
    There are a number of rules in my Virtuozzo firewall, and other rules in my blacklist, but the spam is still alive. My apache processes:
    UID PID PPID C STIME TTY TIME CMD
    apache 11749 11641 0 13:26 ? 00:00:03 /usr/sbin/httpd
    apache 7258 11641 0 13:37 ? 00:00:04 /usr/sbin/httpd
    apache 9772 11641 0 13:39 ? 00:00:02 /usr/sbin/httpd
    Please help me

    :(
     
  2. Guftak69

    Guftak69 Guest

     
    This appears when I run ps fuxwa.
    Any help, please.
    RSS TTY STAT START TIME COMMAND
    root 1 0.0 0.0 1672 620 ? Ss 13:26 0:00 init
    root 10222 0.0 0.0 1544 620 ? Ss 13:26 0:00 syslogd -m 0
    named 11275 0.0 0.0 30528 3288 ? Ssl 13:26 0:00 /usr/sbin/named -u named -n1 -c /etc/named.conf -u named -t /var/named/run-root
    root 11291 0.0 0.0 4320 1744 ? Ss 13:26 0:00 /usr/sbin/sshd
    root 5492 0.0 0.0 8680 2668 ? Ss 14:26 0:00 \_ sshd: root@ttyp0
    root 5512 0.0 0.0 2372 1372 ttyp0 Ss+ 14:26 0:00 | \_ -bash
    root 12212 0.0 0.0 8680 2668 ? Ss 15:26 0:00 \_ sshd: root@ttyp1
    root 12241 0.0 0.0 2368 1340 ttyp1 Ss 15:26 0:00 \_ -bash
    root 22491 0.0 0.0 2376 1336 ttyp1 S 15:32 0:00 \_ /bin/bash
    root 25934 0.0 0.0 2328 796 ttyp1 R+ 15:34 0:00 \_ ps fuxwa
    root 11300 0.0 0.0 2104 956 ? Ss 13:26 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
    root 5991 0.0 0.0 3724 988 ? SNs 15:22 0:00 \_ bin/qmail-smtpd
    root 11378 0.0 0.0 2228 1128 ? S 13:26 0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
    mysql 11426 0.0 0.2 111800 21872 ? Sl 13:26 0:00 \_ /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
    qmails 11519 0.0 0.0 1524 492 ? S 13:26 0:01 qmail-send
    qmaill 11521 0.0 0.0 1472 452 ? S 13:26 0:00 \_ splogger qmail
    root 11524 0.0 0.0 1504 384 ? S 13:26 0:00 \_ qmail-lspawn ./Maildir/
    qmailr 11525 0.0 0.0 1632 528 ? S 13:26 0:00 \_ qmail-rspawn
    qmailr 22394 0.0 0.0 3708 1044 ? S 14:54 0:00 | \_ qmail-remote msa.hinet.net okyen07@yahoo.com.tw hrs.motors@msa.hinet.net
    qmailr 22149 0.0 0.0 3700 1036 ? S 15:12 0:00 | \_ qmail-remote msa.hinet.net okyen09@yahoo.com.tw iyjo@msa.hinet.net
    qmailr 23585 0.0 0.0 3704 1036 ? S 15:13 0:00 | \_ qmail-remote msa.hinet.net hqty@msa.hinet.net
    qmailr 3352 0.0 0.0 3704 1036 ? S 15:20 0:00 | \_ qmail-remote msa.hinet.net okyen06@yahoo.com.tw kobe.c2@msa.hinet.net
    qmailr 5667 0.0 0.0 3704 1036 ? S 15:22 0:00 | \_ qmail-remote msa.hinet.net jiang.andy@msa.hinet.net
    qmailr 6036 0.0 0.0 3704 1040 ? S 15:22 0:00 | \_ qmail-remote msa.hinet.net ydahpfyox@ms23.hinet.net andy.star@msa.hinet.net
    qmailr 7555 0.0 0.0 3700 1032 ? S 15:23 0:00 | \_ qmail-remote msa.hinet.net okyen08@yahoo.com.tw jr18.ut@msa.hinet.net
    qmailr 9836 0.0 0.0 3704 1040 ? S 15:24 0:00 | \_ qmail-remote msa.hinet.net okyen03@yahoo.com.tw jled@msa.hinet.net
    qmailr 10152 0.0 0.0 3704 1036 ? S 15:25 0:00 | \_ qmail-remote msa.hinet.net okyen05@yahoo.com.tw king.king520@msa.hinet.net
    qmailr 11898 0.0 0.0 3708 1040 ? S 15:26 0:00 | \_ qmail-remote allergist.com eric.hu168@jqlogistic.com andrash@allergist.com
    qmailr 12016 0.0 0.0 3704 1036 ? S 15:26 0:00 | \_ qmail-remote msa.hinet.net okyen06@yahoo.com.tw k6610089@msa.hinet.net
    qmailr 13430 0.0 0.0 3708 1040 ? S 15:26 0:00 | \_ qmail-remote msa.hinet.net jam.ssj@msa.hinet.net
    qmailr 14168 0.0 0.0 3704 1040 ? S 15:27 0:00 | \_ qmail-remote msa.hinet.net 893hnn@eyou.com sexy.kuang@msa.hinet.net
    qmailr 14219 0.0 0.0 3700 1032 ? S 15:27 0:00 | \_ qmail-remote msa.hinet.net 893hnn@eyou.com ruru.box@msa.hinet.net
    qmailr 15514 0.0 0.0 3704 1036 ? S 15:27 0:00 | \_ qmail-remote sinamail.com paggy168@ms29.hinet.net bogota@sinamail.com
    qmailr 15871 0.0 0.0 3708 1036 ? S 15:28 0:00 | \_ qmail-remote msa.hinet.net okyen10@yahoo.com.tw hcw.danny@msa.hinet.net
    qmailr 17880 0.0 0.0 3704 1036 ? S 15:29 0:00 | \_ qmail-remote msa.hinet.net nhk607ix@163.com nero.wu@msa.hinet.net
    qmailr 18073 0.0 0.0 3704 1036 ? S 15:29 0:00 | \_ qmail-remote msa.hinet.net okyen07@yahoo.com.tw j121780.im@msa.hinet.net
    qmailr 20192 0.0 0.0 3704 1036 ? S 15:30 0:00 | \_ qmail-remote msa.hinet.net okyen05@yahoo.com.tw irene.tiger@msa.hinet.net
    qmailr 24343 0.0 0.0 3704 1036 ? S 15:33 0:00 | \_ qmail-remote msa.hinet.net okyen08@yahoo.com.tw ken.rock@msa.hinet.net
    qmailq 11526 0.0 0.0 1468 348 ? S 13:26 0:00 \_ qmail-clean
    root 11641 0.0 0.1 32088 14372 ? Ss 13:26 0:00 /usr/sbin/httpd
    root 11676 0.0 0.0 18072 8192 ? S 13:26 0:00 \_ /usr/sbin/httpd
    apache 11749 0.0 0.2 42428 23160 ? S 13:26 0:04 \_ /usr/sbin/httpd
    apache 7258 0.1 0.2 43156 24016 ? S 13:37 0:08 \_ /usr/sbin/httpd
    apache 9772 0.0 0.2 42660 23396 ? S 13:39 0:03 \_ /usr/sbin/httpd
    apache 5168 0.0 0.2 41684 22216 ? S 15:02 0:00 \_ /usr/sbin/httpd
    apache 17549 0.0 0.1 32088 14520 ? S 15:28 0:00 \_ /usr/sbin/httpd
    root 11798 0.0 0.0 48016 5528 ? Ss 13:26 0:00 /usr/local/psa/admin/bin/httpsd
    psaadm 12072 0.0 0.2 54436 17096 ? S 14:30 0:00 \_ /usr/local/psa/admin/bin/httpsd
    psaadm 12097 0.0 0.1 51892 8892 ? S 14:30 0:00 \_ /usr/local/psa/admin/bin/httpsd
    psaadm 12117 0.0 0.0 48156 5676 ? S 14:30 0:00 \_ /usr/local/psa/admin/bin/httpsd
    root 11881 0.0 0.0 2496 1076 ? Ss 13:26 0:00 crond
    root 11889 0.0 0.0 4356 1252 ? Ss 13:26 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1
     
  3. Guftak69

    Guftak69 Guest

     
    I found this article in the knowledge base: http://kb.swsoft.com/article_22_766_en.html

    So I found an email, so this is the output of my command grep 0 /etc/passwd

    [root@localhost 20]# grep 0 /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    webadmin:x:500:500::/home/webadmin:/bin/bash
    popa3d:x:84:501::/dev/null:/dev/null
    alias:x:2021:2020:Qmail User:/var/qmail/alias:/bin/false
    qmaild:x:2020:2020:Qmail User:/var/qmail/:/bin/false
    qmaill:x:2022:2020:Qmail User:/var/qmail/:/bin/false
    qmailp:x:2023:2020:Qmail User:/var/qmail/:/bin/false
    qmailq:x:2520:2520:Qmail User:/var/qmail/:/bin/false
    qmailr:x:2521:2520:Qmail User:/var/qmail/:/bin/false
    qmails:x:2522:2520:Qmail User:/var/qmail/:/bin/false
    popuser:x:110:31:pOP3 service user:/:/bin/false
    agracoco:x:10001:10001::/var/www/vhosts/agraco.com:/bin/false
     
  4. lvalics

    lvalics Silver Pleskian Plesk Guru

    Maybe one of the applications on your server is vulnerable (like phpBB, etc.) and is being used to spam. Also, a lot of contact forms are badly written and allow spam.

    We used an idea from
    http://www.securephpwiki.com/index.php/Email_Injection?seenIEPage=1
    in a mod_security rule:
    SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

    This solved the problem and spammers no longer use our servers.
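
The rule in the post above, run over sample form submissions as an added example (not code from the thread or from mod_security). It goes slightly beyond the post by also showing what the pattern does not cover and an application-side check for header fields. Assumptions: the function names are hypothetical, the request bodies are constructed, and case-insensitive matching is chosen here so that `Bcc:` is caught too.

```python
import re
from urllib.parse import parse_qsl

# Python equivalent of the POSIX pattern in the rule above ([[:space:]] -> \s).
# IGNORECASE is an assumption made here so that "Bcc:" is caught as well.
INJECTED_HEADER = re.compile(r"\n\s*(to|bcc|cc)\s*:.*@", re.IGNORECASE)

def flagged_args(body: str) -> list[str]:
    """Names of form arguments whose decoded value matches the rule pattern."""
    # parse_qsl percent-decodes values, so %0A is seen as a real newline
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if INJECTED_HEADER.search(value)]

def safe_header_value(value: str) -> str:
    """Application-side check: a value placed in a mail header has no CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header field")
    return value.strip()

# Constructed sample request bodies (not taken from the thread)
SAMPLES = {
    # ordinary multi-line message: not flagged
    "normal": "email=alice%40example.org&subject=Hello&message=Hi+there%0AThanks",
    # newline plus Bcc: inside the address field: flagged
    "injected": "email=alice%40example.org%0ABcc%3A+list%40example.net&subject=Hi&message=x",
    # legitimate body that quotes a "To:" line: flagged too (false positive)
    "body_line": "email=bob%40example.org&subject=Fwd&message=See+below%0ATo%3A+carol%40example.org",
    # newline plus a header other than to/cc/bcc: not covered by the pattern
    "other_header": "email=eve%40example.org&subject=Hi%0AContent-Type%3A+text%2Fhtml&message=x",
}

def run_samples() -> dict[str, list[str]]:
    return {label: flagged_args(body) for label, body in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:13} flagged args: {hits}")
```

Because the filter looks at every argument value, a message body that quotes a `To:` line is blocked as well, while a line break followed by any other header name passes; rejecting CR and LF in the fields that end up in mail headers closes that gap in the form handler itself.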
     