Issue Plesk 11.5.30 Qmail mailer deamon bounce "failure notice"

[GiulianoP]

Hi all,
I use Plesk 11.5.30 with CentOS 6.9 (final version). I have a problem with QMail because I have in the queue there are a lot of mail with subject "failure notice". When I open this mail is impossible to understand who is the sender:

Received: (qmail 23300 invoked for bounce); 19 Jul 2019 18:40:56 +0200
Date: 19 Jul 2019 18:40:56 +0200
From: MAILER-DAEMON@mail.my-company.it
To: user1@clientdomain1.com
Subject: failure notice

I have found the mail in /var/qmail/queue/mess/0 but doesn't show any information about the sender and the authentication process seems ok (/usr/local/psa/admin/bin/mail_auth_view), so I think that a pc of my customer has infected.

Any idea for to fix this situation?

Thanking in advance and sorry for my english.

Giuliano

 

[Ales]

Check /var/log/maillog to see what's going on.

There are several possibilities here, a SMTP account breach, a rogue script (due to a broken in hosting or a vunerable web page) or an actual spammer with a valid account.

The cause needs to be discovered immediately or your server's IP will get blacklisted. This is something you'll need to check when this is over in any case.

 

[GiulianoP]

I have found a strange number of smtp authentication.

cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $8}' | sort | uniq -c | sort -n

3 user1@clientuserdomain1.com
4 user1@clientuserdomain2.com
....
250 info@clientuserdomain100.com

I changed the password of the last mail but the next monday will be necessary to check the pc of this customer....

 

[Ales]

Yea, probably an account that was broken into, either via a vulnerable client device, a weak or stolen password, ... who knows.

The Outgoing Mail Control feature in Plesk is very good at catching these kind of issues before they cause greater harm. I can only recommend upgrading to a Plesk version that has this feature, if you can.