
Resolved stop sending spam

Cordal

Basic Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.54 Update 4
Spam is being sent from my server. The limit on outgoing emails per hour does not stop it; from what I understand, they are sending it without authenticating. The password of the account that sends it has been changed, but it continues the same. It is not sent from any PHP script either, since I control the emails that go out from scripts. Here is what the mail log shows for one of those messages:

Passed CLEAN {AcceptedOpenRelay}, AM.PDP-SOCK [202.62.50.55] [202.62.50.55] <[email protected]> -> <[email protected]>,<[email protected]>, Queue-ID: B311E66B54, Message-ID: <[email protected]>, mail_id: jFf-M6nFIyCj, Hits: -0.169, size: 5915, 1459 ms

Where could they be sending it from?
Thanks in advance.
 
It could be sent from a stand-alone mailserver that works in addition to the regular mail server. Maybe you can find it when you go through the output of "ps aux".
 
Peter means that you can list the running processes on your server using the command line and check if there is another mail process running:
Code:
# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  0.1 243292 10884 ?        Ss   Aug12  90:34 /usr/lib/systemd/systemd --switched-root --system --deserialize 18
root           2  0.0  0.0      0     0 ?        S    Aug12   0:03 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   Aug12   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   Aug12   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<   Aug12   0:00 [slub_flushwq]
...
 
This should get you further:
  • Check the contents of the vhosts for files changed in the last couple of days.

    For example, all files that have changed in the last five days:
    # find /var/www/vhosts/ -type f -mtime -5

    Look for patterns or strange-looking files.

  • Run the ImunifyAV extension.
  • Check the contents of /tmp and /var/tmp for hidden files/directories:
    # ls -la /tmp
    # ls -la /var/tmp

  • Check if a subscription sends the emails:
    Tools & Settings -> Outgoing Mail Control
 
In the process list, check all processes that are not owned by the system, meaning all processes that are owned by user accounts. Are you sure none of them expose suspicious activities? Sometimes standalone mailers are named by their real names like "exim", but sometimes they are hidden in names like "phpservice", so that they are not easy to find.
 
tcp 0 0 xxx.xxx.xxx.xxx:25 35.227.130.196:41585 ESTABLISHED

All of them are from IPs in China, Kazakhstan, etc.
 
That's the incoming direction. Those of interest are with :25 below "Foreign address".
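
The two checks discussed in this thread, combined as an added example (not code from any poster): it splits `netstat -tnp` lines into inbound (local port 25) and outbound (foreign port 25), then lists outbound senders whose process is not the expected MTA. The sample data is constructed, and the allowlist default `smtp` (the Postfix delivery client) is an assumption to adjust for your mail server.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnp` output (documentation IP ranges only).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:25           198.51.100.7:41585      ESTABLISHED 812/smtpd
tcp        0      0 192.0.2.10:25           203.0.113.44:52011      ESTABLISHED 815/smtpd
tcp        0      0 192.0.2.10:48822        203.0.113.9:25          ESTABLISHED 2301/smtp
tcp        0      0 192.0.2.10:48830        198.51.100.23:25        ESTABLISHED 9977/phpservice
tcp        0      0 192.0.2.10:48831        198.51.100.24:25        SYN_SENT    9977/phpservice
tcp6       0      0 2001:db8::10:443        2001:db8::99:50100      ESTABLISHED 700/nginx
EOF
}

# Print "<direction> <remote-ip> <pid/program>" for every TCP line touching port 25.
# Local port 25 = someone connecting to us; foreign port 25 = we are sending mail out.
classify_smtp() {
  awk '
    function port(a) { sub(/.*:/, "", a); return a }      # text after the last colon
    function host(a) { sub(/:[^:]*$/, "", a); return a }  # text before the last colon
    $1 ~ /^tcp/ {
      if (port($4) == "25")      print "inbound", host($5), $7
      else if (port($5) == "25") print "outbound", host($5), $7
    }'
}

# Count outbound port-25 connections per process, skipping allowlisted program names.
# $1: comma-separated allowlist (ASSUMPTION: "smtp" is the legitimate sender).
# Without root, netstat shows "-" instead of a program; such lines are reported too.
suspicious_senders() {
  allow="${1:-smtp}"
  classify_smtp | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "outbound" {
      prog = $3; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
      if (!(prog in ok)) count[$3]++
    }
    END { for (p in count) print count[p], p }' | sort -rn
}

# Demo on the constructed sample; on a live server: netstat -tnp | suspicious_senders
sample_netstat | suspicious_senders
```

The PID in the output can then be looked up in `ps aux` to find the owning user account and binary path.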
 
Your products sound interesting, @Peter Debik. I'm using Imunify360, currently not resolving spam mail, although they have a product in development that I believe is out of beta? How does your offering compare with theirs, excepting the fact that their spam mail product doesn't yet work on Plesk?
 