Issue Unauthorized email sending

Riculum

New Pleskian
Server operating system version: Debian 9.13
Plesk version and microupdate number: Plesk Obsidian
For a few days now, I have been recording unauthorized outgoing e-mails in the e-mail queue. One customer (for whom e-mailing is disabled in the subscription) sends hundreds of e-mails a day. Where can these emails come from?
 
Do you have root access to the Linux console? In that case check the process list for processes that this customer owns. You will most likely find "sendmail" or "postfix" processes there, e.g. try

# ps aux | grep 'sendmail\|postfix'

Does the customer own any such processes?
 
When I run the command, it lists some tasks, but none that can be assigned to the client.

I deleted the email queue at noon. Since then there are no more emails in the queue. However, like every day, this will probably be full again tomorrow.
 
Some records from mail.err

Apr 25 13:05:30 redacted postfix/sendmail[25502]: fatal: [email protected](10026): No recipient addresses found in message header
Apr 25 13:05:30 redacted plesk-sendmail[25501]: S25496: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:05:30 redacted postfix/sendmail[25511]: fatal: [email protected](10026): No recipient addresses found in message header
Apr 25 13:05:30 redacted plesk-sendmail[25510]: S25505: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:03 redacted postfix/sendmail[26414]: fatal: [email protected](10026): No recipient addresses found in message header
Apr 25 13:21:03 redacted plesk-sendmail[26413]: S26404: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:03 redacted postfix/sendmail[26423]: fatal: [email protected](10026): No recipient addresses found in message header
Apr 25 13:21:03 redacted plesk-sendmail[26422]: S26417: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:03 redacted postfix/sendmail[26432]: fatal: [email protected](10026): No recipient addresses found in message header
Apr 25 13:21:03 redacted plesk-sendmail[26431]: S26426: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:35 redacted postfix/sendmail[26486]: fatal: [email protected](10026): No recipient addresses found in message header
Apr 25 13:21:35 redacted plesk-sendmail[26485]: S26480: sendmail unsuccessfully finished with exitcode 75
 
- Does the customer have root access? Or is his SSH access chrooted?
- Are the mails script generated/on-server generated or are they associated with smtp logins in /var/log/mail.log?
- Do you see "planned tasks" (cron jobs) in his account that don't look familiar?
- In /var/log/mail.log for the outgoing spam mails, do you see x-header entries (e.g. "script set the sender to ...")?
- In the mail queue, when you click on the mail entry you can view the header of the queued mail. Do you see a senderhost line that mentions a specific PHP script that has sent the mail?
 
  • Customers do not have SSH access
  • Only one crontab is currently active (for ntp)
  • mail.log is completely empty
  • Currently there are no e-mails in the queue, as soon as some are available again, I will check it

The client has a WordPress website. Plesk states that not all plugins and themes, nor WordPress itself, are up to date and that there are security gaps. Could the e-mails also be sent through this?
 
It is absolutely possible that this is simply a script sending the mails. In that case you will find a senderhost or x-sender entry in the mail header and log. However, when a WordPress site is hacked, it is unlikely that you can easily identify a single script, because then normally many scripts and files are affected by the hack. So probably you'll need to wait for the next "action" to find out more details on where the mails are originating.
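As an added example (not code from this thread or from Plesk), a small Python script that summarizes mail.err records in the format quoted above by the Unix account that invoked sendmail: the postfix/sendmail "fatal:" line carries the invoking user as "name(uid)", so the uid can be matched to a subscription's system user without waiting for the next queue fill-up. The usernames, uids and the burst threshold in the sample are constructed placeholders for the values masked in the post.

```python
import re
from collections import Counter

# Constructed sample in the mail.err format quoted in the thread. The sender
# field is masked in the post; "customer-user"/"other-user" are placeholders.
SAMPLE_MAIL_ERR = """\
Apr 25 13:05:30 redacted postfix/sendmail[25502]: fatal: customer-user(10026): No recipient addresses found in message header
Apr 25 13:05:30 redacted plesk-sendmail[25501]: S25496: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:03 redacted postfix/sendmail[26414]: fatal: customer-user(10026): No recipient addresses found in message header
Apr 25 13:21:03 redacted plesk-sendmail[26413]: S26404: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:03 redacted postfix/sendmail[26423]: fatal: customer-user(10026): No recipient addresses found in message header
Apr 25 13:21:03 redacted plesk-sendmail[26422]: S26417: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:21:35 redacted postfix/sendmail[26486]: fatal: customer-user(10026): No recipient addresses found in message header
Apr 25 13:21:35 redacted plesk-sendmail[26485]: S26480: sendmail unsuccessfully finished with exitcode 75
Apr 25 13:40:00 redacted postfix/sendmail[27001]: fatal: other-user(10031): No recipient addresses found in message header
Apr 25 13:40:00 redacted plesk-sendmail[27000]: S26990: sendmail unsuccessfully finished with exitcode 75
"""

# postfix/sendmail logs the invoking Unix account as "name(uid)"; that uid maps
# straight to the subscription's system user (e.g. via getent passwd <uid>).
FATAL_RE = re.compile(
    r"^\w{3} +\d+ (?P<hm>\d\d:\d\d):\d\d \S+ postfix/sendmail\[\d+\]: "
    r"fatal: (?P<user>[^(]+)\((?P<uid>\d+)\): (?P<msg>.*)$"
)
WRAPPER_RE = re.compile(r"plesk-sendmail\[\d+\]: S\d+: sendmail unsuccessfully finished with exitcode (?P<code>\d+)$")


def summarize(log_text, burst_threshold=2):
    """Count failed local sendmail invocations per account and flag per-minute bursts.

    Returns {"by_account": {(user, uid): n}, "bursts": [(user, uid, "HH:MM", n)],
    "exit_codes": {code: n}}. burst_threshold (constructed value) is the number of
    invocations per minute from one account above which the minute is flagged.
    """
    by_account, per_minute, exit_codes = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FATAL_RE.match(line)
        if m:
            key = (m["user"], int(m["uid"]))
            by_account[key] += 1
            per_minute[key + (m["hm"],)] += 1
            continue
        w = WRAPPER_RE.search(line)  # the Plesk wrapper's exit-code line
        if w:
            exit_codes[int(w["code"])] += 1
    bursts = sorted((u, uid, hm, n) for (u, uid, hm), n in per_minute.items() if n > burst_threshold)
    return {"by_account": dict(by_account), "bursts": bursts, "exit_codes": dict(exit_codes)}


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_MAIL_ERR).items():
        print(section, value)
```

Run it against the real file with `summarize(open("/var/log/mail.err").read())`; an account that appears in bursts while its subscription has mail disabled is the one whose files and cron entries deserve a look.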
 