mnightingale
New Pleskian
Hello,
I run a small plesk server hosting 10 domains with simple wordpress sites on for hosting customers.
My host contacted me today to tell me that my IP was listed at UCEPROTECT for spam (IP 163.172.50.91). It's not the first time this has happened, because of different Wordpress sites being compromised etc. But this time I cannot find any trace in the logs on the server of any spam sent (before I did). UCEPROTECT provides the timestamp of the spamtrap (March 27th 14:06 CET). At that time in /var/log/mail.log I have the following:
Because of previous spam sending problems, I have also implemented logging of outgoing mail with sendmail following this procedure to create a wrapper for sendmail. These logs have nothing at all for the given time period, and in general don't contain any outgoing spam – they have some incoming spam in inboxes for one subscription which is being forwarded to a customer but that is all.
Since this problem occurred, I have activated the Outgoing Mail Limits in Plesk, but that page in the dashboard has no data in it at all – not sure if that means there is no outgoing mail or that it isn't working yet...
Does anyone have an idea of how to find what is causing the server to be listed (spamtrap) and what I can potentially do further to identify the problem and solve it? Is it something to do with this NOQUEUE reject RCPT line? How can I find which script is trying to send from localhost?
Thanks,
Mark
I run a small plesk server hosting 10 domains with simple wordpress sites on for hosting customers.
My host contacted me today to tell me that my IP was listed at UCEPROTECT for spam (IP 163.172.50.91). It's not the first time this has happened, because of different Wordpress sites being compromised etc. But this time I cannot find any trace in the logs on the server of any spam sent (before I did). UCEPROTECT provides the timestamp of the spamtrap (March 27th 14:06 CET). At that time in /var/log/mail.log I have the following:
Code:
Mar 27 14:06:14 janus plesk_saslauthd[23112]: select timeout, exiting
Mar 27 14:06:17 janus postfix/smtpd[22801]: connect from unknown[185.36.81.78]
Mar 27 14:06:18 janus plesk_saslauthd[23131]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Mar 27 14:06:18 janus plesk_saslauthd[23131]: privileges set to (106:114) (effective 106:114)
Mar 27 14:06:18 janus plesk_saslauthd[23131]: failed mail authentication attempt for user 'peaches' (password len=8)
Mar 27 14:06:18 janus postfix/smtpd[22801]: warning: unknown[185.36.81.78]: SASL LOGIN authentication failed: authentication failure
Mar 27 14:06:18 janus postfix/smtpd[22801]: disconnect from unknown[185.36.81.78]
Mar 27 14:06:48 janus plesk_saslauthd[23131]: select timeout, exiting
Mar 27 14:06:53 janus postfix/smtpd[23032]: connect from unknown[45.125.65.35]
Mar 27 14:06:54 janus plesk_saslauthd[23141]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Mar 27 14:06:54 janus plesk_saslauthd[23141]: privileges set to (106:114) (effective 106:114)
Mar 27 14:06:54 janus plesk_saslauthd[23141]: failed mail authentication attempt for user '07071982' (password len=9)
Mar 27 14:06:54 janus postfix/smtpd[23032]: warning: unknown[45.125.65.35]: SASL LOGIN authentication failed: authentication failure
Mar 27 14:06:54 janus postfix/smtpd[23032]: disconnect from unknown[45.125.65.35]
Mar 27 14:06:58 janus postfix/smtpd[22801]: connect from localhost.localdomain[127.0.0.1]
Mar 27 14:06:58 janus postfix/smtpd[22801]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<janus.marknightingale.net>
Mar 27 14:06:58 janus postfix/smtpd[22801]: lost connection after RCPT from localhost.localdomain[127.0.0.1]
Mar 27 14:06:58 janus postfix/smtpd[22801]: disconnect from localhost.localdomain[127.0.0.1]
Mar 27 14:06:58 janus /usr/lib/plesk-9.0/psa-pc-remote[23498]: Message aborted.
Mar 27 14:06:58 janus /usr/lib/plesk-9.0/psa-pc-remote[23498]: Message aborted.
Because of previous spam sending problems, I have also implemented logging of outgoing mail with sendmail following this procedure to create a wrapper for sendmail. These logs have nothing at all for the given time period, and in general don't contain any outgoing spam – they have some incoming spam in inboxes for one subscription which is being forwarded to a customer but that is all.
Since this problem occurred, I have activated the Outgoing Mail Limits in Plesk, but that page in the dashboard has no data in it at all – not sure if that means there is no outgoing mail or that it isn't working yet...
Does anyone have an idea of how to find what is causing the server to be listed (spamtrap) and what I can potentially do further to identify the problem and solve it? Is it something to do with this NOQUEUE reject RCPT line? How can I find which script is trying to send from localhost?
Thanks,
Mark