Strange mail behavior

NightMan (Guest)
I am testing a PHP script which sends a mail to myself, but when I tried today, it sent a mail to me and also sent a bounce. The bounce was generated for an unknown mail ID. How can this happen?

I have checked the PSA database and searched for the mail ID in all tables, but found none.

Which file on the server includes aliases or group mail options?

SERVER : LINUX RHE/PSA 7.5.x
 
For aliases, check:

/etc/aliases

/etc/mail/aliases

Not sure about group mail
 
Ok, check for these:

/var/qmail/alias
/var/qmail/alias/.qmail-mailer-daemon
/var/qmail/alias/.qmail-postmaster
/var/qmail/alias/.qmail-root

(or similar named)
 
****, I gotta stop doing simultaneous checking/posting to so many support boards (doing 4 sites right now). Hard to keep things straight on no sleep and so many forum posts... sorry.

Plesk also has the following:
MySQL database: psa, table: mail_aliases
 
:) Thanks, but the bounced mail ID is not in any of these files. Just wondering... any suggestions?
 
I cross-posted; please see my post (above) regarding the MySQL database.

What is the bounced mail ID name?

And have you checked the contents of the php.ini file?
 
Hi. This is the qmail-send program at myserver.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
66.54.152.4 does not like recipient.
Remote host said: 550 passing these spams on just makes it worse
Giving up on 66.54.152.4.

--- Below this line is a copy of the message.

I already checked the PSA database; the mail ID is not in that table or any other table.

php.ini does not have the mail ID mentioned anywhere.
 
Just trying to get a better feel for things:

<[email protected]>:
66.54.152.4 does not like recipient.
Remote host said: 550 passing these spams on just makes it worse
Giving up on 66.54.152.4.
Q1: Have you *ever* dealt with softhome.net on this server? Or is that your domain?? (I figure it's not yours)

Q2: Is that your IP? (I figure it's not yours)

Q3: If it's your domain or IP, what software do you have which might generate that 550 message? (probably not your box)

Q4: Have you run rootkit scans lately (with the latest updates for RKHunter and Chkrootkit)?

Q5: Have you checked /tmp and /var/tmp for any funny files (exploited script)?

I know these are standard questions, but it is possible you may have been breached coincidentally at the same time.
 
Q1: Have you *ever* dealt with softhome.net on this server? Or is that your domain?? (I figure it's not yours)
#No, never
Q2: Is that your IP? (I figure it's not yours)
#NOT mine
Q3: If it's your domain or IP, what software do you have which might generate that 550 message? (probably not your box)
#not from my box
Q4: Have you run rootkit scans lately (with the latest updates for RKHunter and Chkrootkit)?
#Yes, no issues found.
Q5: Have you checked /tmp and /var/tmp for any funny files (exploited script)?
# I found a file called bindz in the /tmp folder and removed it, checked for any exploits, but was not able to find any other tracks.
The compiler was already disabled. The file had been downloaded using a PHP include exploit.
 
The filename 'bindz' might indicate a Bind/named redirector of some sort (grasping at air).

After deleting the file, have you also checked the process list (ps -ax) to see if there are any funny processes currently running?
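The checklist above (Q5: files dropped into /tmp and /var/tmp) and the follow-up about the process list are two halves of the same check: a dropped binary and the process it left behind. The script below is an added example written for this thread, not code from the forum; directory names and the "anything executable or ELF in scratch space is suspect" rule are assumptions, and the process half needs Linux /proc. It flags files by content (ELF magic bytes) rather than by name, so a renamed dropper is still caught, and it lists processes whose executable either lives under the scratch directories or has already been deleted while the process keeps running, which is exactly the state a removed-but-still-running file is in.

```shell
#!/bin/sh
# Added example, not from the thread: audit scratch directories for dropped
# binaries and list processes still running from them (or from a deleted
# executable). Directory names are assumptions; adjust for your server.

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# suspicious_tmp_files DIR...
# Prints "PATH REASON" for every regular file under the given directories
# that is an ELF binary or carries an execute bit, whatever its name;
# world-writable scratch space should normally hold neither.
suspicious_tmp_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null | while IFS= read -r f; do
            if is_elf "$f"; then
                echo "$f elf-binary"
            elif [ -x "$f" ]; then
                echo "$f executable"
            fi
        done
    done
}

# procs_from_dirs DIR...
# Prints "PID EXE" for processes whose executable resides under one of the
# directories, or whose executable was deleted while the process kept
# running (readlink on /proc/PID/exe then ends in "(deleted)"). The deleted
# case is reported regardless of directory, since a dropper removed from
# disk but still resident is the case that matters most. Needs Linux /proc.
procs_from_dirs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") echo "${p#/proc/} $exe"; continue ;;
        esac
        for d in "$@"; do
            case "$exe" in
                "$d"/*) echo "${p#/proc/} $exe"; break ;;
            esac
        done
    done
}

# Usage on a live server: sh tmp_audit.sh /tmp /var/tmp
if [ $# -gt 0 ]; then
    echo "== files =="
    suspicious_tmp_files "$@"
    echo "== processes =="
    procs_from_dirs "$@"
fi
```

Run the process check before removing anything you find: once the file is gone, /proc/PID/exe still tells you which PID to stop, but the binary itself is no longer available for a copy to analyse.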
 
Yes. I did find that bindz was running, so I killed it.
The mail had also been received before I got it removed.
 
Just PM'd you this:

Other forums have reported the same file being found; the script kiddie started out by exploiting Exim systems.

http://www.webhostingtalk.com/archive/thread/407726-1.html
http://www.webhostingtalk.com/archive/thread/394689-1.html
http://lists.indymedia.org/pipermail/imc-tech/2005-May/0503-d1.html
http://forum.ev1servers.net/showthread.php?t=54849

One of these threads makes reference to additional files to check for. I just skimmed them (too tired to focus eyes), good luck in getting it cleaned up. (love your signature line)
 
Yes, got your PM. Thanks for the links. I already checked Google, but was not able to find any useful info.
 
I found those by googling "bindz +script"

Sun come up, eyelids go down. Nighty night, Nightman....
 