• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

User email compromised

M

merkelt

Guest
I have over 1200 pending outgoing messages in my queue to various domains in Russia. I set each of the 10 domains I host to "reject nonexistant user", cleared the queue, and still messages seem to be queueing up!

I think I have found the IP(s) address the messages are comming from useing /var/log/secure. However, I have not able to see "who" is sending them as I have SMTP auth enabled as well. My guess is that one of my users username and password has been compromised.

Can anybody tell me how to disocver what username and password where used to send an email?

Thanks in advance for the help!
 
You should check for exploitable scripts (formmail, phpBB, etc) and for any strange files (or hidden dir's/files) in /tmp

More than likely it may not be an actual mail user account that has been compromised, but rather one of the above.

Install RKHunter and CHKRootkit, update them and run them. Post the results.

Install mod_security (gotroot.com) and their rulesets.

(This is just the beginning steps you should take)
 
You must log in or register to reply here.

Similar threads

K
Resolved How to control smtp.mailfrom in mails sent from Plesk?
Replies
3
Views
630
Kroptokin
K
J.Wick
Issue External Email Stopped Working after Upgrading to Plesk Obsidian 18.0.70 Update #2
Replies
1
Views
428
J.Wick
J.Wick
W
Issue postfix/smtpd: Sender address rejected: Domain not found - how to whitelist?
Replies
3
Views
1K
Sebahat.hadzhi
Sebahat.hadzhi
nisamudeen97
Question Unable to handle email bounce back of spoof email with sender and receiver the same
Replies
0
Views
383
nisamudeen97
nisamudeen97
EnriqueR
Question Incoming mail is stored in Junk folder
Replies
6
Views
2K
EnriqueR
EnriqueR
Back
Top