
Resolved stop sending spam

Cordal

Basic Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.54 Update 4
Spam is being sent from my server. The limit on outgoing emails per hour does not stop it. From what I understand, they are sending it without authenticating. The password of the account that sends it has been changed, but it continues the same. It is not sent from any PHP script either, since I control the emails that go out from scripts. Here is what the email log shows for one of those messages:

Passed CLEAN {AcceptedOpenRelay}, AM.PDP-SOCK [202.62.50.55] [202.62.50.55] <[email protected]> -> <[email protected]>,<[email protected]>, Queue-ID: B311E66B54, Message-ID: <[email protected]>, mail_id: jFf-M6nFIyCj, Hits: -0.169, size: 5915, 1459 ms

Where could they be sending it from?
Thanks in advance.
 
It could be sent from a stand-alone mailserver that works in addition to the regular mail server. Maybe you can find it when you go through the output of "ps aux".
 
Peter means that you can list the running processes on your server using the command line and check if there is another mail process running:
Code:
# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  0.1 243292 10884 ?        Ss   Aug12  90:34 /usr/lib/systemd/systemd --switched-root --system --deserialize 18
root           2  0.0  0.0      0     0 ?        S    Aug12   0:03 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   Aug12   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   Aug12   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<   Aug12   0:00 [slub_flushwq]
...
 
This should get you further:
  • Check the contents of the vhosts for files changed in the last couple of days.

    For example, all files that have changed in the last five days:
    # find /var/www/vhosts/ -type f -mtime -5

    Look for patterns or strange-looking files.

  • Run the ImunifyAV extension.
  • Check the contents of /tmp and /var/tmp for hidden files/directories:
    # ls -la /tmp
    # ls -la /var/tmp

  • Check if a subscription sends the emails:
    Tools & Settings -> Outgoing Mail Control
 
In the process list, check all processes that are not owned by the system, meaning all processes that are owned by user accounts. Are you sure none of them expose suspicious activities? Sometimes standalone mailers are named by their real names like "exim", but sometimes they are hidden in names like "phpservice", so that they are not easy to find.
 
tcp 0 0 xxx.xxx.xxx.xxx:25 35.227.130.196:41585 ESTABLISHED

All of them are from IPs in China, Kazakhstan, etc.
 
That's the incoming direction. Those of interest are with :25 below "Foreign address".
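
Added example, not part of the original posts: a filter that applies the direction rule from the reply above to `netstat -tnp` output, labelling connections with :25 under "Foreign Address" as OUTBOUND and printing the owning process. The function names and the sample lines (documentation address ranges, made-up process names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify SMTP (port 25) connections by direction.
# Expects `netstat -tnp` columns:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
smtp_direction() {
    awk '
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            # The port is whatever follows the last colon (IPv4 and IPv6).
            lport = $4; sub(/.*:/, "", lport)
            fport = $5; sub(/.*:/, "", fport)
            proc = (NF >= 7) ? $7 : "-"
            if (fport == "25")
                print "OUTBOUND", $4, "->", $5, $6, proc
            else if (lport == "25")
                print "INBOUND", $5, "->", $4, $6, proc
        }'
}

# Number of connections this host has opened to a remote port 25.
outbound_count() {
    smtp_direction | awk '$1 == "OUTBOUND" { n++ } END { print n + 0 }'
}

# Constructed sample input, not output from the server in this thread.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1187/master
tcp        0      0 192.0.2.10:25           198.51.100.7:41585      ESTABLISHED 1190/smtpd
tcp        0      0 192.0.2.10:52344        203.0.113.25:25         ESTABLISHED 4321/phpservice
tcp        0      0 192.0.2.10:443          198.51.100.9:50122      ESTABLISHED 900/nginx
tcp6       0      0 2001:db8::10:25         2001:db8::99:40000      TIME_WAIT   -
EOF
}

# On a live server (as root, so the process column is filled in):
#   netstat -tnp | smtp_direction
sample_netstat | smtp_direction
```

An OUTBOUND line whose process is not the server's regular mail transfer agent is the kind of stand-alone mailer described earlier in the thread.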
 
Your products sound interesting, @Peter Debik. I'm using Imunify360, currently not resolving spam mail, although they have a product in development that I believe is out of beta? How does your offering compare with theirs, excepting the fact that their spam mail product doesn't yet work on Plesk?
 