
Our domain acts as a spammer

lvtruong

New Pleskian
Dear all,

Our domain now gets relay messages for spammers, like below:

Mar 11 01:26:29 as qmail: 1236709589.526286 info msg 1616960: bytes 2046 from <dbxhehaxmp@ms1.hinet.net> qp 22332 uid 2020
Mar 11 01:26:29 as qmail: 1236709589.547282 starting delivery 118: msg 1616960 to remote homo@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.547322 status: local 0/1 remote 4/20
Mar 11 01:26:29 as qmail: 1236709589.547365 starting delivery 119: msg 1616960 to remote finixsun@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.547420 status: local 0/1 remote 5/20
Mar 11 01:26:29 as qmail: 1236709589.548750 starting delivery 120: msg 1616960 to remote facile@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.548819 status: local 0/1 remote 6/20
Mar 11 01:26:29 as qmail: 1236709589.548855 starting delivery 121: msg 1616960 to remote e3058@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.548887 status: local 0/1 remote 7/20
Mar 11 01:26:29 as qmail: 1236709589.552151 starting delivery 122: msg 1616960 to remote edor@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.552205 status: local 0/1 remote 8/20
Mar 11 01:26:29 as qmail: 1236709589.556701 starting delivery 123: msg 1616960 to remote jyhjiann@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.556756 status: local 0/1 remote 9/20
Mar 11 01:26:29 as qmail: 1236709589.558965 starting delivery 124: msg 1616960 to remote agln@ms27.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.559028 status: local 0/1 remote 10/20
Mar 11 01:26:29 as qmail: 1236709589.559765 starting delivery 125: msg 1616960 to remote gentec@ms49.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.559819 status: local 0/1 remote 11/20
Mar 11 01:26:29 as qmail: 1236709589.562483 starting delivery 126: msg 1616960 to remote elexan@ms49.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.562549 status: local 0/1 remote 12/20
Mar 11 01:26:29 as qmail: 1236709589.563519 starting delivery 127: msg 1616960 to remote f123209@ms32.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.563564 status: local 0/1 remote 13/20
Mar 11 01:26:29 as qmail: 1236709589.566350 starting delivery 128: msg 1616960 to remote bestow@ms32.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.566435 status: local 0/1 remote 14/20
Mar 11 01:26:29 as qmail: 1236709589.569803 starting delivery 129: msg 1616960 to remote fox12411@ms32.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.569884 status: local 0/1 remote 15/20
Mar 11 01:26:29 as qmail: 1236709589.571208 starting delivery 130: msg 1616960 to remote appleman@ms32.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.571266 status: local 0/1 remote 16/20
Mar 11 01:26:29 as qmail: 1236709589.574159 starting delivery 131: msg 1616960 to remote glottis@ms32.hinet.net
Mar 11 01:26:29 as qmail: 1236709589.574231 status: local 0/1 remote 17/20
Mar 11 01:26:34 as qmail: 1236709594.402449 new msg 1616962
Mar 11 01:29:08 as qmail: 1236709748.639373 info msg 1615370: bytes 2730 from <jxnxgsjiz@ms1.hinet.net> qp 25869 uid 2020
Mar 11 01:29:08 as qmail: 1236709748.664258 starting delivery 1: msg 1615370 to remote client@ms9.hinet.net
Mar 11 01:29:08 as qmail: 1236709748.664327 status: local 0/1 remote 1/20
Mar 11 01:29:08 as qmail: 1236709748.664364 starting delivery 2: msg 1615370 to remote chichin1@ms9.hinet.net
Mar 11 01:29:08 as qmail: 1236709748.664398 status: local 0/1 remote 2/20
Mar 11 01:29:08 as qmail: 1236709748.664437 starting delivery 3: msg 1615370 to remote dialing@ms9.hinet.net
Mar 11 01:29:08 as qmail: 1236709748.664481 status: local 0/1 remote 3/20
Mar 11 01:29:08 as qmail: 1236709748.664975 starting delivery 4: msg 1615370 to remote chihcheng@ms9.hinet.net
Mar 11 01:29:08 as qmail: 1236709748.665013 status: local 0/1 remote 4/20
Mar 11 01:29:08 as qmail: 1236709748.669978 starting delivery 5: msg 1615370 to remote chbin@ms9.hinet.net
Mar 11 01:29:08 as qmail: 1236709748.670044 status: local 0/1 remote 5/20
Mar 11 01:29:14 as qmail: 1236709754.458413 new msg 1615670

On the (dv) 2.0 Plesk panel 7.5.4 based on RHEL3, I am using the setting "SMTP Authentication is required" and full POP3/IMAP mail accounts, but it still gets relayed to our domain.

I would appreciate help from all of you in resolving the problem.

Thanks in advance for all your help.

Le Van Truong
 
Hi atomicturtle,

Thanks for your information. I already have "qmHandle-1.3.2", and when I try to use it I get the result below:

MESSAGE NUMBER 33555482
--------------
Received: (qmail 15648 invoked from network); 11 Mar 2009 07:37:30 +0700
Received: from unknown (HELO mydomain.com) (58.211.229.206)
by vietnammedicalpractice.com with SMTP; 11 Mar 2009 07:37:30 +0700
Received: from 134.222.61.152 by 148.64.152.52; Tue, 10 Mar 2009 18:36:33 -0600
Received: from 102.41.70.41 by 95.88.220.101; Wed, 11 Mar 2009 02:35:33 +0200
Received: from 3.24.14.208 by 86.176.211.77; Tue, 10 Mar 2009 19:36:33 -0500
Received: from 130.160.206.109 by 135.171.133.200; Tue, 10 Mar 2009 19:36:33 -0500
Message-ID: <UMSUVKNWBZSUUOYANTKP@ms1.hinet.net>
From: "<A6><AC><C1><CA>MitchelEvangelinehuang" <tgwrctpkabui@ms1.hinet.net>
Reply-To: "<A6><AC><C1><CA>MitchelEvangelinehuang" <tgwrctpkabui@ms1.hinet.net>
To: evangelinehuang@ms54.hinet.net
Subject: <B9>q<A4>l<B9>s<A5><F3><A4><CE><B9>q<B8><A3><B0>t<A5><F3>-<A6><AC><C1><CA>adoption
Date: Wed, 11 Mar 2009 03:33:33 +0300
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--720097262378363370"
X-Priority: 1
X-MSMail-Priority: High

----720097262378363370
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<html>

<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dbig5">
<title>=B9q=A4l=B9q=B8=A3=B9q=BE=B9=A7b=BCo=AE=C6=B4=AB=B2{=AA=F7</title>
<base target=3D"_blank">
</head>

<body>

Do you have any idea how to help me? I appreciate your help.

Le Van Truong
 
This means that the message is coming from the network, using either poplocking or smtp_auth:

Received: (qmail 15648 invoked from network); 11 Mar 2009 07:37:30 +0700
Received: from unknown (HELO mydomain.com) (58.211.229.206)

THIS part is fake, they just entered their own headers:
Received: from 134.222.61.152 by 148.64.152.52; Tue, 10 Mar 2009 18:36:33 -0600
Received: from 102.41.70.41 by 95.88.220.101; Wed, 11 Mar 2009 02:35:33 +0200
Received: from 3.24.14.208 by 86.176.211.77; Tue, 10 Mar 2009 19:36:33 -0500
Received: from 130.160.206.109 by 135.171.133.200; Tue, 10 Mar 2009 19:36:33 -050


So what you do now is look through your logs in /usr/local/psa/var/log/maillog* for the IP 58.211.229.206 and see what username they are coming from if it's smtp_auth. I suspect you will find that it's an account with a weak password (like test/test, or web/1234).
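
The header triage described in the reply above, as an added example (not code from the thread or from Plesk): it separates the Received lines stamped by the local server from the ones the client supplied, takes the connecting IP from the trusted line, and matches it in log lines as a whole address. Function names are hypothetical; the header sample is the thread's with the folded line re-indented, and the log sample adds one constructed line.

```python
import re

# Header block from the thread; the folded "by ..." line is re-indented here.
SAMPLE_HEADERS = """\
Received: (qmail 15648 invoked from network); 11 Mar 2009 07:37:30 +0700
Received: from unknown (HELO mydomain.com) (58.211.229.206)
  by vietnammedicalpractice.com with SMTP; 11 Mar 2009 07:37:30 +0700
Received: from 134.222.61.152 by 148.64.152.52; Tue, 10 Mar 2009 18:36:33 -0600
Received: from 102.41.70.41 by 95.88.220.101; Wed, 11 Mar 2009 02:35:33 +0200
"""
# Two lines from the thread plus one constructed line (192.0.2.10).
SAMPLE_LOG = """\
Mar 12 07:02:56 as xinetd[5775]: START: smtp pid=9728 from=58.211.229.206
Mar 12 07:03:10 as xinetd[5775]: START: smtp pid=9731 from=192.0.2.10
Mar 12 08:20:58 as xinetd[5775]: START: smtp pid=24318 from=58.211.229.206
"""

def received_headers(raw):
    """Unfold continuation lines; return Received values, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line.split(":", 1)[1].strip() for line in unfolded.splitlines()
            if line.lower().startswith("received:")]

def split_trusted(headers, local_host):
    """Split at the topmost header stamped 'by local_host'.

    Each server prepends its own line, so that header and the ones above it
    were written locally; everything below it was supplied by the client.
    """
    stamp = re.compile(r"\bby %s\b" % re.escape(local_host), re.I)
    for i, header in enumerate(headers):
        if stamp.search(header):
            return headers[:i + 1], headers[i + 1:]
    return [], headers

def client_ip(trusted):
    """Peer address recorded in parentheses on the local SMTP header."""
    if not trusted:
        return None
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", trusted[-1])
    return m.group(1) if m else None

def log_hits(log_text, ip):
    """Lines mentioning ip as a whole address (dots literal, no prefix match)."""
    pat = re.compile(r"(?<![\d.])%s(?![\d.])" % re.escape(ip))
    return [line for line in log_text.splitlines() if pat.search(line)]

if __name__ == "__main__":
    trusted, untrusted = split_trusted(received_headers(SAMPLE_HEADERS),
                                       "vietnammedicalpractice.com")
    print(client_ip(trusted), len(untrusted), log_hits(SAMPLE_LOG, client_ip(trusted)))
```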
 
Hi atomicturtle,

Thank you so much for your help.

I tried to run the command "cat /usr/local/psa/var/log/maillog | grep -i '58.211.229.206'" and got no results. But when I run the command "cat /var/log/secure | grep -i '58.211.229.206'" it shows a lot of lines; I have copied just some for you to see below:

Mar 12 07:02:56 as xinetd[5775]: START: smtp pid=9728 from=58.211.229.206
Mar 12 08:20:58 as xinetd[5775]: START: smtp pid=24318 from=58.211.229.206
Mar 12 08:22:52 as xinetd[5775]: START: smtp pid=25751 from=58.211.229.206
Mar 12 08:34:23 as xinetd[5775]: START: smtp pid=3465 from=58.211.229.206

So I tried to find the smtp_auth log but I didn't find it. Could you show me how to find or look for the smtp_auth log?

Please help me find it so that I can try to fix our problem.

Best regards,

Le Van Truong
 
Hi atomicturtle,

In the Plesk panel I only see the "pop lock time & check the passwords for mailboxes in dictionary" and nothing for poplocking.

How can I enable poplocking? Or where can I find the info on how to do it? Please let me know.

Thanks for your help.

best regards,

Le Van Truong
 