• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

Question Spammer in the server, how to find him

SalvadorS

Regular Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.55
Hello,

I have these lines in mail mail.info log:



Oct 17 09:46:35 dv7 postfix/smtpd[4021867]: connect from localhost[127.0.0.1]
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxx.server.com>
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: lost connection after RCPT from localhost[127.0.0.1]
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3

So I think localhost is webmail, but how can I find which mailbox is doing this? As from header is false....
 
Hi Peter,

Thanks for your reponse, always useful.

The problem here is that the mail queue is empty and I check all the POST headers in the logs and I don´t find anything.

So I don´t know if that log is telling that a mail is sent from the server, as I see rejected. What is your opinion?
 
If you are sure that no script is sending the mails through the regular mail server, you can check the process list of Linux whether you find a suspicious process. Especially on systems where /tmp has not been secured against script execution one attack vector is to place a stand-alone mailer like Exim there and run it. This will bypass all stats and the regular Postfix mailer. The mailer does not necessarily have to be named Exim, it can have any name, but it will need to use port 25, so there is your next step for a deeper analysis.
 
If you are sure that no script is sending the mails through the regular mail server, you can check the process list of Linux whether you find a suspicious process. Especially on systems where /tmp has not been secured against script execution one attack vector is to place a stand-alone mailer like Exim there and run it. This will bypass all stats and the regular Postfix mailer.
However in that case they wouldn't show up in the maillog.

The problem here is that the mail queue is empty and I check all the POST headers in the logs and I don´t find anything.
So I don´t know if that log is telling that a mail is sent from the server, as I see rejected. What is your opinion?
Something tries to send a mail but gets rightfully rejected. Thankfully they're stupid (if they used a local mail address for the From, it wouldn't get blocked as Relaying).
As it gets rejected right at the start of the SMTP dialog, even before the body data is sent, the mail doesn't even reach the queue, so it can't show up in `postqueue -p`.
 
Back
Top