• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Spammer in the server, how to find him

SalvadorS

Regular Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.55
Hello,

I have these lines in mail mail.info log:



Oct 17 09:46:35 dv7 postfix/smtpd[4021867]: connect from localhost[127.0.0.1]
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxx.server.com>
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: lost connection after RCPT from localhost[127.0.0.1]
Oct 17 09:46:35 dv7 postfix/smtpd[4021864]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 commands=2/3

So I think localhost is webmail, but how can I find which mailbox is doing this? As from header is false....
 
Hi Peter,

Thanks for your reponse, always useful.

The problem here is that the mail queue is empty and I check all the POST headers in the logs and I don´t find anything.

So I don´t know if that log is telling that a mail is sent from the server, as I see rejected. What is your opinion?
 
If you are sure that no script is sending the mails through the regular mail server, you can check the process list of Linux whether you find a suspicious process. Especially on systems where /tmp has not been secured against script execution one attack vector is to place a stand-alone mailer like Exim there and run it. This will bypass all stats and the regular Postfix mailer. The mailer does not necessarily have to be named Exim, it can have any name, but it will need to use port 25, so there is your next step for a deeper analysis.
 
If you are sure that no script is sending the mails through the regular mail server, you can check the process list of Linux whether you find a suspicious process. Especially on systems where /tmp has not been secured against script execution one attack vector is to place a stand-alone mailer like Exim there and run it. This will bypass all stats and the regular Postfix mailer.
However in that case they wouldn't show up in the maillog.

The problem here is that the mail queue is empty and I check all the POST headers in the logs and I don´t find anything.
So I don´t know if that log is telling that a mail is sent from the server, as I see rejected. What is your opinion?
Something tries to send a mail but gets rightfully rejected. Thankfully they're stupid (if they used a local mail address for the From, it wouldn't get blocked as Relaying).
As it gets rejected right at the start of the SMTP dialog, even before the body data is sent, the mail doesn't even reach the queue, so it can't show up in `postqueue -p`.
 
Back
Top