
need help stopping spam

mdafforn

New Pleskian
I think my server is being used as a relay, but I am not sure how, I did the normal checks:

mail from:goodsender@host.com
rcpt to: relayperson@badmail.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

but when I look at the qmail queue, it is sourcing from foreign addresses (names have been changed):

Received: (qmail 13487 invoked from network); 7 Mar 2013 12:04:49 -0600
Received: from 114-39-95-219.dynamic.hinet.net (HELO gooddomain.com) (114.xx.xx.xxx)
  by hostname.server.net with ESMTPA; 7 Mar 2013 12:04:48 -0600
Message-ID:
Date: Thu, 07 Mar 2013 19:04:49 +0100
From: "good@gooddomain.com"
X-Accept-Language: en-us
MIME-Version: 1.0
To:
Cc: ,
 
I think my server is being used as a relay, but I am not sure how, I did the normal checks:

mail from:goodsender@host.com
rcpt to: relayperson@badmail.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

This is saying that someone is trying to relay, but is failing.
It is possible that you have multiple groups of bad guys all trying to use your server to send email. These ones are failing.

But others may be succeeding:

Received: (qmail 13487 invoked from network); 7 Mar 2013 12:04:49 -0600
Received: from 114-39-95-219.dynamic.hinet.net (HELO gooddomain.com) (114.xx.xx.xxx)
  by hostname.server.net with ESMTPA; 7 Mar 2013 12:04:48 -0600
Message-ID:
Date: Thu, 07 Mar 2013 19:04:49 +0100
From: "good@gooddomain.com"
X-Accept-Language: en-us
MIME-Version: 1.0
To:
Cc: ,

Is the To/CC to a domain NOT on your server?
Is the server then sending these out?

If it is, then what's likely to be happening is that the bad guys have guessed or otherwise obtained the username and password for a user on your system (good@gooddomain.com more likely) and are sending email via authenticated SMTP.
I cannot tell for sure based on what you have said though.

You should see entries in the mail log showing a connection from a bad IP, followed by login succeeded, and lots and lots of emails being sent out from good@gooddomain.com.

1) change the password for this user
2) restart qmail
3) delete all the bad mail in your queue (e.g. use qmhandle.pl if using qmail)
4) Check the maillog. You should see lots of failed authentication attempts.

For additional logging information, you may also want to look here: http://kb.parallels.com/en/112316
Using DEBUG_LOGIN=1 in BOTH the files suggested may be helpful. You could even try DEBUG_LOGIN=2, but be aware that passwords will be written into the logs, and this is a potential security issue if, for any reason, the bad guys are able to read your logs at any point.
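As an added example (not code from the thread or from Plesk), the Python below automates the two checks described in this reply: it pulls the client IP out of a queued message's Received header where the hop was accepted "with ESMTPA" (an authenticated submission, as in the headers quoted above), then correlates it with logins in the maillog to name the account whose password is being abused, and counts failed logins per source IP. The Received header wording follows the thread; the maillog line format, the hostnames and all IPs are constructed assumptions, so adjust the two login regexes to what your own maillog prints.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Received header quoted in the thread;
# the client IP (203.0.113.45) and the names are made up.
QUEUED_HEADERS = """\
Received: (qmail 13487 invoked from network); 7 Mar 2013 12:04:49 -0600
Received: from 114-39-95-219.dynamic.hinet.net (HELO gooddomain.com) (203.0.113.45)
  by hostname.server.net with ESMTPA; 7 Mar 2013 12:04:48 -0600
From: "good@gooddomain.com"
"""
# Constructed maillog lines in an ASSUMED wording, not Plesk's real format;
# adapt LOGIN_OK / LOGIN_BAD to what your own maillog prints.
MAILLOG = """\
Mar  7 12:03:01 host smtp_auth: SMTP user good@gooddomain.com : logged in from 203.0.113.45
Mar  7 12:03:02 host smtp_auth: SMTP user good@gooddomain.com : logged in from 198.51.100.9
Mar  7 12:03:03 host smtp_auth: SMTP user bob@gooddomain.com : login failed from 198.51.100.9
Mar  7 12:03:04 host smtp_auth: SMTP user bob@gooddomain.com : login failed from 198.51.100.9
Mar  7 12:03:05 host smtp_auth: SMTP user bob@gooddomain.com : logged in from 192.0.2.7
"""

RECEIVED = re.compile(r"^Received: from (\S+) \(HELO ([^)]+)\) \(([\d.]+)\) by (\S+) with (\S+);", re.M)
LOGIN_OK = re.compile(r"SMTP user (\S+) : logged in from ([\d.]+)")
LOGIN_BAD = re.compile(r"SMTP user (\S+) : login failed from ([\d.]+)")

def authenticated_hops(headers):
    """(client_ip, helo, reverse_name) for each hop accepted 'with ESMTPA', i.e.
    because the client logged in, not because the recipient domain is local."""
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # join folded continuation lines
    return [(ip, helo, rdns) for rdns, helo, ip, _srv, proto in RECEIVED.findall(unfolded)
            if proto == "ESMTPA"]

def auth_summary(maillog):
    """Per user: successful login count and source IPs; per IP: failed logins."""
    ok = defaultdict(lambda: {"logins": 0, "ips": set()})
    failed = defaultdict(int)
    for line in maillog.splitlines():
        if m := LOGIN_OK.search(line):
            ok[m.group(1)]["logins"] += 1
            ok[m.group(1)]["ips"].add(m.group(2))
        elif m := LOGIN_BAD.search(line):
            failed[m.group(2)] += 1
    return ok, failed

def compromised_accounts(headers, maillog, max_ips=1):
    """Users who logged in from a queued message's ESMTPA client IP or from more than max_ips IPs."""
    ok, _ = auth_summary(maillog)
    queue_ips = {ip for ip, _, _ in authenticated_hops(headers)}
    return sorted(u for u, s in ok.items() if s["ips"] & queue_ips or len(s["ips"]) > max_ips)
```

The returned usernames are the accounts to reset and the IPs with many failures are the ones to block; the HELO value in the hop (a dynamic hinet.net host claiming to be gooddomain.com) is a further sign the client is not a real user of that domain.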
 