
Resolved Spammer sending from root@domain - can't figure out how

flaxton

Basic Pleskian
I mean I see in the mail log connections from varying IPs, always different.

I think what they're doing is sending a "bounce" message and using it to spam others.

Maybe "bounce" messages are allowed through no matter what (no authentication?), because I've had trouble stopping it. I tried postfix smtpd_sender_restrictions, listing "root@domain" (domain hidden for this post) using a hash table. That didn't stop it.

Next I put root@domain into a blocklist in MagicSpam Pro.

That seems to have stopped it for the moment. But they could just pick another domain for the bounce message.

Any idea how this is happening?
 
First take a look at the number of SMTP connections:

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

If it's a compromised account, it should be obvious. Nothing obvious? It's going to be a script. You'll want to create a wrapper that will add additional information to the email header to assist with tracking it down. It's detailed here:

Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?
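
An added example (not from this thread or from Plesk) showing why the zgrep count above only finds authenticated users and why smtpd_sender_restrictions did not catch the root@domain mail: messages that a script hands to the local sendmail binary enter Postfix through pickup, never pass through smtpd, and so are not subject to smtpd restrictions or SASL. The pickup log line carries the Unix uid that called sendmail, which on a Plesk host normally maps to one subscription's system user. The log lines, queue IDs, host names and uid are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the thread). A1B2... and
# 0011... are injected locally via the sendmail binary (pickup);
# F6E5... arrives over SMTP with a SASL login.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv postfix/pickup[1234]: A1B2C3D4E5: uid=10001 from=<root@example.com>
Mar  3 10:00:01 srv postfix/qmgr[1100]: A1B2C3D4E5: from=<root@example.com>, size=1234, nrcpt=1 (queue active)
Mar  3 10:00:02 srv postfix/smtpd[1300]: F6E5D4C3B2: client=mail.example.org[198.51.100.7], sasl_method=LOGIN, sasl_username=fred@example.com
Mar  3 10:00:02 srv postfix/qmgr[1100]: F6E5D4C3B2: from=<fred@example.com>, size=2000, nrcpt=1 (queue active)
Mar  3 10:00:05 srv postfix/pickup[1234]: 0011223344: uid=10001 from=<root@example.com>
Mar  3 10:00:05 srv postfix/qmgr[1100]: 0011223344: from=<root@example.com>, size=1300, nrcpt=1 (queue active)
"""

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>\S+?),"
                      r"(?: sasl_method=\S+, sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")

def classify_submissions(log_text):
    """Map each queue ID to how the message entered Postfix.
    'pickup' = handed to the local sendmail binary (a script on the box),
    'smtpd'  = received over the network, possibly with SASL auth."""
    subs = {}
    for line in log_text.splitlines():
        if m := PICKUP_RE.search(line):
            subs[m["qid"]] = {"path": "pickup", "uid": int(m["uid"]), "sender": m["sender"]}
        elif m := SMTPD_RE.search(line):
            subs[m["qid"]] = {"path": "smtpd", "client": m["client"], "sasl_username": m["user"]}
        elif m := QMGR_RE.search(line):
            # qmgr logs the envelope sender for every path; keep it for smtpd messages too
            subs.setdefault(m["qid"], {"path": "unknown"})["sender"] = m["sender"]
    return subs

def local_injections_by_uid(log_text, sender_regex):
    """Count locally injected (pickup) messages whose envelope sender matches
    sender_regex, grouped by the uid that invoked sendmail. A high count for
    one uid points at the site whose script is sending the mail."""
    counts = defaultdict(int)
    pat = re.compile(sender_regex)
    for info in classify_submissions(log_text).values():
        if info["path"] == "pickup" and pat.search(info.get("sender", "")):
            counts[info["uid"]] += 1
    return dict(counts)
```

Run it against the real /usr/local/psa/var/log/maillog* content in place of SAMPLE_LOG; the uid returned can be resolved with `getent passwd <uid>` to find the subscription's home directory before using the header-wrapper method from the article above.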
 
hey, that's nice! Thanks! Unfortunately, it only shows legit users - confirmed with their known IP addresses. I had also searched through all site access_log files for POST commands and didn't see anything suspect.

I will try the wrapper method. Very cool ;-)

Fred
 
Ouch, I've really done it now. I somehow accidentally deleted sendmail.postfix

Trying to recover it. Ouch ouch ouch.
 
We've all been there :) A simple reinstall of Postfix SHOULD clear that up....
 
OK, uninstalled with yum, reinstalled postfix with yum. Plesk complained that I couldn't start dovecot because postfix wasn't installed, so I ran the plesk MTA installer again:

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix

I'm back up and running.

And Mark, thanks for making that file available. I ended up not needing it.

Calling it a night, I've done enough damage for one day lol!
 
We've all screwed up working late at some point and had to pull an all-nighter fixing it lol. Glad it's working!
 