Issue Too many outgoing Emails

[vintzblack]

Server operating system version

Debian 11

Plesk version and microupdate number

18.0.57

Can someone explain the meaning the information. I suspect serious hacking

config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (2251). Counted with: service managesieve-login { process_limit=100 } + service pop3-login { process_limit=1024 } + service imap-urlauth-login { process_limit=100 } + service imap-login { process_limit=1024 } + service auth { process_limit=1 }

 

[Maarten.]

It has nothing to do with hacking. Have a look at this article:

https://support.plesk.com/hc/en-us/articles/12377565572759--Warnings-in-var-log-maillog-on-Plesk-server-client-limit-is-lower-than-required-under-max-load

 

[Peter Debik]

@Maarten. I thought of that one, too, and did a test on a Debian 11 server, but could not verify it against what @vintzblack wrote "service anvil ...". His error message does not mention Dovecot. It will probably be somehow linked to insufficient limit parameter, but I could not find here where to change this specific setting.

 

[vintzblack]

Thank you for the observation. Below is an email snippet from my hosting company, apparently they think otherwise.

The level of SMTP traffic on port 25/tcp is unusually high and at this pace you will hit the limit soon and all connections on this port will be blocked until the next day.

So if indeed there is malware infestation or some kind a back door that has gained access to my server, how can identify that and possible remedies for a newbie can adopt.

Regards
Vintz

 

[Peter Debik]

As a first step, please read the KB article https://support.plesk.com/hc/en-us/...dentify-spam-source-on-Plesk-for-Linux-Server and apply its suggestions.

 

[vintzblack]

Thank you Peter, we are going through the article

 

[vintzblack]

I conducted an extensive investigation on the unusual traffic on my server and I noted a large volume of broadband usage of 27Gigs on one my domains. I checked the log and I saw a lot of IP addresses that were accessung the server. One of the IP address had that message below.

GET /HALLOWEEN%20%F0%9F%8E%83Marshmello%20Mask%20-%20WFdBUFRUWEFdFl5B/ HTTP/1.0

That could explain the high traffic usage. Obviously my wordpress installation had been compromised. So I replaced the wordpress files and folders, I did not touch the config file and wp content folder. After that my traffic dropped to zero. Problem solved. Bob is your ancle