• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Spammer sending from root@domain - can't figure out how

flaxton

Basic Pleskian
I mean I see in the mail log connections from varying IPs, always different.

I think what they're doing is sending a "bounce" message and using it to spam others.

Maybe "bounce" messages are allowed through no matter what (no authentication?), because I've had trouble stopping it. I tried postfix smtpd_sender_restrictions, listing "root@domain" (domain hidden for this post) using a hash table. That didn't stop it.

Next I put root@domain into a blocklist in MagicSpam Pro.

That seems to have stopped it for the moment. But they could just pick another domain for the bounce message.

Any idea how this is happening?
 
First take a look at the number of SMTP connections;

# zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head

If it's a compromised account, it should be obvious. Nothing obvious? It's going to be a script. You'll want to create a wrapper that will add additional information to the email header to assist with tracking it down. It's detailed here;

Many email messages are sent from PHP scripts on a server. How to find domains on which these scripts are running if Postfix is used?
 
hey, that's nice! Thanks! Unfortunately, it only shows legit users - confirmed with their known IP addresses. I had also searched through all site access_log files for POST commands and didn't see anything suspect.

I will try the wrapper method. Very cool ;-)

Fred
 
Ouch, I've really done it now. I somehow accidentally deleted sendmail.postfix

Trying to recover it. Ouch ouch ouch.
 
We've all been there :) A simple reinstall of Postfix SHOULD clear that up....
 
OK uninstalled with yum, reinstalled postfix with yum. Plesk complained that I couldn't start dovecot because postfix wasn't installed. So I ran the plesk MTA installer again

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix

I'm back up and running.

And Mark, thanks for making that file available. I ended up not needing it.

Calling it a night, I've done enough damage for one day lol!
 
We've all screwed up working late at some point and had to pull an all-nighter fixing it lol. Glad it's working!
 
Back
Top