
Issue: Server is sending spam


Deleted member 209767

My server just got flagged as a spammer by OVH:

Our Anti-Spam protection has detected an important sending of spam from one of your IPs

In order to ensure the security of our network, the traffic leaving your server towards
port 25 has been suspended.

So that you can carry out the checks here is a sample of blocked emails:

Destination IP: 184.94.240.112 - Message-ID: - Spam score: 512
Destination IP: 31.220.15.135 - Message-ID: - Spam score: 500
Destination IP: 198.58.121.58 - Message-ID: - Spam score: 500
Destination IP: 103.224.212.34 - Message-ID: - Spam score: 300
Destination IP: 52.10.154.41 - Message-ID: - Spam score: 500
I don't think I got hacked. I use up-to-date software and I host only my own websites.

I tried unblocking the IP, but it immediately got blocked again for the same reason.

There are still thousands of spam messages in the mail queue:
7D826C23805C0 4674 Sat Nov 7 04:48:48 MAILER-DAEMON
(connect to mail.hope-mail.com[34.222.93.91]:25: Connection timed out)
designer@designerfinds.ws

717CDC3294739 4505 Sat Nov 7 04:57:40 MAILER-DAEMON
(connect to libro-s.com[193.203.119.136]:25: Connection timed out)
franciscom@libro-s.com

733ECC23963AC 4288 Wed Nov 4 09:29:53 MAILER-DAEMON
(connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out)
mailer-daemon@innme.com

759EBC368ABA8 4905 Wed Nov 4 02:51:48 MAILER-DAEMON
(connect to rdspam.sz.hitrontech.com[222.92.60.181]:25: Connection timed out)
huqin@sz.hitrontech.com

71CA6C35BFCDE 4358 Wed Nov 4 06:21:40 MAILER-DAEMON
(connect to partyspace.com.2.0001.arsmtp.com[8.31.233.93]:25: Connection timed out)
ruth@partyspace.com

73C2BC8253475 4796 Wed Nov 4 08:15:40 MAILER-DAEMON
(connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out)
george.gittinger@twdi.com

7F0D8C7E1733F 4217 Thu Nov 5 14:53:29 MAILER-DAEMON
(connect to mail.b-io.co[54.218.2.65]:25: Connection timed out)
markuslewi@freenail.hu

A random excerpt from /var/log/maillog:

Nov 9 03:35:24 ns3100169 postfix/smtpd[3602250]: warning: unknown[45.142.120.121]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:24 ns3100169 postfix/smtp[3601879]: connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out
Nov 9 03:35:24 ns3100169 plesk_saslauthd[1168904]: No such user 'samsonov@ip-37-59-8.eu' in mail authorization database
Nov 9 03:35:24 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user 'samsonov@ip-37-59-8.eu' (password len=10)
Nov 9 03:35:24 ns3100169 postfix/smtpd[3602584]: warning: unknown[45.142.120.59]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:25 ns3100169 postfix/smtp[3594560]: connect to ics-limited.com.1.arsmtp.com[8.31.233.62]:25: Connection timed out
Nov 9 03:35:25 ns3100169 postfix/smtpd[3602250]: disconnect from unknown[45.142.120.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:25 ns3100169 postfix/smtpd[3602584]: disconnect from unknown[45.142.120.59] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:25 ns3100169 postfix/smtp[3601126]: connect to mx247.in-mx.com[204.6.193.5]:25: Connection timed out
Nov 9 03:35:25 ns3100169 postfix/smtp[3601126]: 0E435C334527D: to=<ias@califco.com>, relay=none, delay=408084, delays=397355/10609/120/0, dsn=4.4.1, status=deferred (conn$
Nov 9 03:35:25 ns3100169 postfix/qmgr[1168573]: ADB35C3301457: from=<>, size=4548, nrcpt=1 (queue active)
Nov 9 03:35:26 ns3100169 postfix/smtpd[3602585]: connect from unknown[45.142.120.209]
Nov 9 03:35:26 ns3100169 postfix/smtpd[3603944]: connect from unknown[45.142.120.93]
Nov 9 03:35:26 ns3100169 postfix/smtpd[3603942]: connect from unknown[45.142.120.62]

Nov 9 03:35:40 ns3100169 postfix/smtp[3599101]: connect to boyleburdett.com.1.0001.arsmtp.com[8.19.118.118]:25: Connection timed out
Nov 9 03:35:40 ns3100169 postfix/smtp[3602977]: connect to mx247.in-mx.com[204.6.193.5]:25: Connection timed out
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: No such user 'beast@ip-37-59-8.eu' in mail authorization database
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user 'beast@ip-37-59-8.eu' (password len=7)
Nov 9 03:35:40 ns3100169 postfix/smtpd[3603942]: warning: unknown[45.142.120.38]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: No such user 'shadow@ip-37-59-8.eu' in mail authorization database
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user 'shadow@ip-37-59-8.eu' (password len=8)
Nov 9 03:35:40 ns3100169 postfix/smtpd[3603944]: warning: unknown[45.142.120.60]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: No such user 'rebeka@ip-37-59-8.eu' in mail authorization database
Nov 9 03:35:40 ns3100169 plesk_saslauthd[1168904]: failed mail authentication attempt for user 'rebeka@ip-37-59-8.eu' (password len=5)
Nov 9 03:35:40 ns3100169 postfix/smtpd[3602250]: warning: unknown[45.142.120.99]: SASL LOGIN authentication failed: authentication failure
Nov 9 03:35:41 ns3100169 postfix/smtp[3593959]: connect to 9b75c235.21.ik2.com[64.38.239.83]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtp[3601996]: 077DBC363DA48: host mail.bbmail.com.hk[203.185.56.50] refused to talk to me: 421 4.4.2 mtai11n.zprv.incnets.com Error: tim$
Nov 9 03:35:41 ns3100169 postfix/smtp[3602622]: connect to publicms1.mail2world.com[216.163.176.38]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtpd[3603942]: disconnect from unknown[45.142.120.38] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:41 ns3100169 postfix/smtp[3595785]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtpd[3603944]: disconnect from unknown[45.142.120.60] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:41 ns3100169 postfix/smtp[3594173]: connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out
Nov 9 03:35:41 ns3100169 postfix/smtpd[3602250]: disconnect from unknown[45.142.120.99] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 9 03:35:41 ns3100169 postfix/smtp[3592061]: 03FB2C80D1BBF: conversation with mx1.ovh.net[188.165.47.122] timed out while performing the EHLO handshake
Nov 9 03:35:42 ns3100169 postfix/smtp[3601118]: 09D8DCA86A01E: to=<central@nutrihouse.com.br>, relay=mail.nutrihouse.com.br[192.185.131.83]:25, delay=154654, delays=14380$
Nov 9 03:35:42 ns3100169 postfix/qmgr[1168573]: AEA77C32C31FA: from=<>, size=4215, nrcpt=1 (queue active)
Nov 9 03:35:42 ns3100169 postfix/smtp[3596204]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:42 ns3100169 postfix/smtp[3596204]: 08F29C36B27A2: to=<admin@chestmaster.com>, relay=none, delay=403618, delays=392888/10609/120/0, dsn=4.4.1, status=deferred$
Nov 9 03:35:42 ns3100169 postfix/qmgr[1168573]: A1E81C33154E3: from=<>, size=4236, nrcpt=1 (queue active)
Nov 9 03:35:42 ns3100169 postfix/smtp[3592058]: 0BBC1C01469C2: conversation with mx1.mail.ovh.net[188.165.36.237] timed out while performing the EHLO handshake
Nov 9 03:35:42 ns3100169 postfix/smtp[3601745]: connect to mx247.in-mx.net[204.6.193.5]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtpd[3602584]: connect from unknown[45.142.120.15]
Nov 9 03:35:43 ns3100169 postfix/smtp[3599152]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtp[3594297]: connect to mail.eseyoung.com[121.254.168.55]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtp[3599143]: connect to mx247.in-mx.com[198.133.158.5]:25: Connection timed out
Nov 9 03:35:43 ns3100169 postfix/smtpd[3602585]: connect from unknown[45.142.120.58]
Nov 9 03:35:43 ns3100169 postfix/smtp[3591649]: connect to mta-wue.franken.de[193.141.110.9]:25: Connection timed out
Nov 9 03:35:44 ns3100169 postfix/smtp[3591052]: connect to mx247.in-mx.net[198.133.158.5]:25: Connection timed out
Nov 9 03:35:44 ns3100169 postfix/smtp[3602578]: connect to mx247.in-mx.com[204.6.193.5]:25: Connection timed out
Nov 9 03:35:44 ns3100169 postfix/smtp[3599744]: connect to MX1.MEGAMAILSERVERS.com[209.235.142.11]:25: Connection timed out
Nov 9 03:37:09 ns3100169 postfix/qmgr[1168573]: A7B59D2422028: from=<bounce+ec0a683a+sparth=hotmail.fr@pirate-punk.net>, size=10389, nrcpt=1 (queue active)
Nov 9 03:37:09 ns3100169 postfix/qmgr[1168573]: ABAC1D2422034: from=<bounce+46fda959+Pussy.Lady=live.fr@pirate-punk.net>, size=10411, nrcpt=1 (queue active)

How can I figure out what's going on? I would appreciate some suggestions.

Thanks
 
Thanks for the reply; however, the command didn't return any result:

[root@ns3100169 ~]$ zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
gzip: /usr/local/psa/var/log/maillog*.gz: No such file or directory
[root@ns3100169 ~]# zgrep 'sasl_method=LOGIN' /var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
 
You can try this instead:
zgrep 'sasl_method=LOGIN' /var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
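The log excerpt in the opening post and the zgrep one-liner above pull the same signals out of the Postfix maillog. As an added example (not code from the thread or from Plesk), the script below does that triage over a few constructed log lines modelled on the ones posted: failed SASL logins counted per client IP and per /24, successful SASL logins per sasl_username (what the one-liner is looking for), queue entries with an empty envelope sender (from=<>, i.e. bounces Postfix generated itself) and deferred deliveries. The regexes and the thresholds are my assumptions written against the log shapes visible in the thread; the sample addresses are documentation ranges except the 45.142.120.0/24 guessers, kept from the post so the /24 grouping has something to group.

```python
"""Triage of Postfix/Plesk maillog lines (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# The regexes are assumptions written against the Postfix log shapes visible in the thread.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9.]+)\]: SASL \w+ authentication failed"
)
SASL_OK = re.compile(
    r"postfix/smtpd\[\d+\]: \w+: client=\S+\[(?P<ip>[0-9.]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)"
)
QUEUE_ACTIVE = re.compile(
    r"postfix/qmgr\[\d+\]: \w+: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=\d+ \(queue active\)"
)
DEFERRED = re.compile(r"postfix/smtp\[\d+\]: \w+: to=<[^>]+>.*status=deferred")

# Constructed sample modelled on the opening post: no successful SASL login (the OP's zgrep
# found none), a distributed password guesser in 45.142.120.0/24, bounces in the queue.
SAMPLE_LOG = """\
Nov  9 03:35:24 ns1 postfix/smtpd[3602250]: warning: unknown[45.142.120.121]: SASL LOGIN authentication failed: authentication failure
Nov  9 03:35:24 ns1 postfix/smtpd[3602584]: warning: unknown[45.142.120.59]: SASL LOGIN authentication failed: authentication failure
Nov  9 03:35:25 ns1 postfix/smtp[3601126]: 0E435C334527D: to=<ias@example.com>, relay=none, delay=408084, delays=397355/10609/120/0, dsn=4.4.1, status=deferred (connect to mx.example.com[198.51.100.5]:25: Connection timed out)
Nov  9 03:35:25 ns1 postfix/qmgr[1168573]: ADB35C3301457: from=<>, size=4548, nrcpt=1 (queue active)
Nov  9 03:35:40 ns1 postfix/smtpd[3603942]: warning: unknown[45.142.120.38]: SASL LOGIN authentication failed: authentication failure
Nov  9 03:35:42 ns1 postfix/qmgr[1168573]: AEA77C32C31FA: from=<>, size=4215, nrcpt=1 (queue active)
Nov  9 03:37:09 ns1 postfix/qmgr[1168573]: A7B59D2422028: from=<bounce+ec0a683a@example.net>, size=10389, nrcpt=1 (queue active)
"""


def triage(lines):
    """Count the signals a spam-source hunt starts from; returns a dict of Counters and ints."""
    r = {
        "sasl_failures_by_ip": Counter(),
        "sasl_failures_by_net": Counter(),  # /24 grouping exposes a distributed guesser
        "sasl_logins_by_user": Counter(),   # a compromised mailbox shows up here
        "queued_bounces": 0,                # from=<> is a bounce Postfix generated itself
        "queued_by_sender": Counter(),
        "deferred": 0,
    }
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            ip = m["ip"]
            r["sasl_failures_by_ip"][ip] += 1
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            r["sasl_failures_by_net"][str(net)] += 1
            continue
        m = SASL_OK.search(line)
        if m:
            r["sasl_logins_by_user"][m["user"]] += 1
            continue
        m = QUEUE_ACTIVE.search(line)
        if m:
            if m["sender"] == "":
                r["queued_bounces"] += 1
            else:
                r["queued_by_sender"][m["sender"]] += 1
            continue
        if DEFERRED.search(line):
            r["deferred"] += 1
    return r


def findings(r, fail_threshold=20):
    """Turn the counts into the plain-language leads a sysadmin acts on (assumed heuristics)."""
    out = []
    for net, n in r["sasl_failures_by_net"].most_common(3):
        if n >= fail_threshold:
            out.append(f"SASL password guessing from {net}: {n} failures")
    for user, n in r["sasl_logins_by_user"].most_common(3):
        out.append(f"{n} authenticated submissions by {user}: check for a leaked password")
    if r["queued_bounces"] and not r["sasl_logins_by_user"]:
        out.append(
            f"{r['queued_bounces']} queued messages have an empty envelope sender and no SASL "
            "login is logged: the queue is bounces, so find what Postfix was bouncing "
            "(backscatter from accepted-then-rejected inbound mail, or mail injected by a local script)"
        )
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:  # e.g. /var/log/maillog
            report = triage(f)
    else:
        report = triage(SAMPLE_LOG.splitlines())
    for line in findings(report, fail_threshold=3):
        print(line)
```

Pointing it at a real maillog (a rotated `.gz` would need `gzip.open`) gives the same three answers the thread is circling: is someone guessing passwords, did anyone actually log in, and is the queue made of bounces rather than authenticated submissions.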
 
1) Please go to "Tools & Settings" > "Mail" > "Mail Server Settings" > "Mail Queue"

2) Click on any spam mail in the left column of the list to open the header source code. It looks something like this:
Code:
Received: by server.provider.net (Postfix, from userid 30)
    id 90C442CA162C; Tue, 10 Nov 2020 07:47:30 +0100 (CET)
X-Original-To: john.doe@somedomain.com
Delivered-To: john.doe@somedomain.com
Received: from mail21-124.srv2.de (mail21-124.srv2.de [123.123.72.124])
by server.provider.net (Postfix) with ESMTPS id 7D24E2CA162A
for <john.doe@somedomain.com>; Tue, 10 Nov 2020 07:47:29 +0100 (CET)
Authentication-Results: neckar;
dmarc=pass (p=REJECT sp=NONE) smtp.from=somewhere.else.com
header.from=somewhere.else.com;
dkim=pass header.d=somewhere.else.com;
dkim=pass header.d=srv2.de;
spf=pass (sender IP is 123.123.72.124) smtp.mailfrom=return@somewhere.else.com
smtp.helo=mail21-124.srv2.de
Received-SPF: pass (neckar: domain of somewhere.else.com designates
123.123.72.124 as permitted sender) client-ip=123.123.72.124;
envelope-from=return@somewhere.else.com; helo=mail21-124.srv2.de;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=somewhere.else.com;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-ulpe:List-Id:X-CSA-Complaints:List-Unsubscribe:
List-Unsubscribe-Post:Feedback-ID; i=redaktion@somewhere.else.com;
bh=6LJmwGZTI2PPa0XPGCMpqreviUprlFsNo27ItLTSxcs=;
b=Yugg/UvtQjSlDWR8BztvIq0O6W88kgfoG8xPgdq2jLij7zVFUCZjWtSNUtn629OdnUXy7FScUTfu
7lNbeT4+HKeYvsUaiP97vBPJ2JiK7G8X0Wu1Swv8QVgMeqQmMFZ70vWizvRYgRUpRsGamDOP6um5
nJ7DK5qoj3AibQIu1Uk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=mailing; d=srv2.de;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-ulpe:List-Id:X-CSA-Complaints:List-Unsubscribe:
List-Unsubscribe-Post:Feedback-ID;
bh=6LJmwGZTI2PPa0XPGCMpqreviUprlFsNo27ItLTSxcs=;
b=GrLFMRzYHxnQm59Lo1g+PrEwXB2fE62Ew+EyaFIGhyY9zz+bKFqVFG5tXvFD/bxSy8e/i07FXE7E
ZLi1uQlppEKe4XCheHLddZUVu6DKbLS4EJYY94kcA8jisew4DhhM//TrXZQ370wz960TD/sJJwnZ
LkZitOmnEKnmjyDcDjE=
Date: Tue, 10 Nov 2020 07:47:29 +0100 (CET)
From: "janedoe.de" <redaktion@somewhere.else.com>
Reply-To: re-468OBA8F-45UM4LN5-RALA7K@somewhere.else.com
To: john.doe@somedomain.com
Message-ID: <re-pUgeSCCpSHMonulAbb79CwCxpLrngqM5Ofj-468OBA8F-45UM4LN5-1CA31DQ@somewhere.else.com>
Subject: =?UTF-8?Q?W=C3=A4re_das_nichts_f=C3=BCr_Sie=3F_F?=
=?UTF-8?Q?reue_mich_auf_Ihre_Antwort?=
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-ulpe: re-pUgeSCCpSHMonulAbb79CwCxpLrngqM5Ofj-468OBA8F-45UM4LN5-1CA31DQ@somewhere.else.com
List-Id: <1EOPC0LX-EGHV0K.somewhere.else.com>
X-Report-Spam: complaints@complaintsserver.com
X-CSA-Complaints: csa-complaints@eco.de
List-Unsubscribe: <mailto:listoff-468OBA8F-45UM4LN5-RALA7K@somewhere.else.com?subject=unsubscribe>,
<https://somewhere.else.com/go/16/468OBA8F-45UM4LN5-1EOPC0LZ-JDFWPO-UL.html?banner=sam_326191719569&SYS=271&SCID=am9zZWYudm9sbG1lckB0c3ZrYW5kZWwuZGU%3D&utm_source=320288546187&utm_medium=email&utm_campaign=326191719569_2020-11-10T07%3A47_20201110+
-+SPC7782+-+VER&opt_mandator=110332856085&opt_affiliate=site_knl0359_initial&bmmailid=468OBA8F-45UM4LN5-RALA7K>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Feedback-ID: 1EOPC0LX:45UM4LN5:episerver
X-PPP-Message-ID: <20201110064730.17775.50467@server.provider.net>
X-PPP-Vhost: somedomain.com#
Yours may look somewhat similar; this is only an example.

3) In that source code, look for the initial "From:" line, and also for X-Sender, X-PPP-Vhost or "Script" lines or similar. These will, when carefully examined, normally reveal how or where the spam was created. There is no recipe for it; just closely examine the headers around the first hop, from the "From" location to the next SMTP server. You will find hints in the source showing where the mails are coming from.
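Step 3 is the manual version of reading the Received: chain from the bottom up. The script below is an added example (not code from the thread or from Plesk) that automates that classification: it parses a queued message's headers, takes the bottom-most Received: header as the hop where the mail entered this server, and reports whether that was a local injection through the sendmail binary (the "from userid N" form), a SASL-authenticated submission (Postfix's "Authenticated sender" clause, which appears when smtpd_sasl_authenticated_header is enabled), or plain inbound SMTP from an IP, alongside the From, X-Sender and X-PPP-Vhost headers. The three sample messages are constructed with documentation addresses; the regexes are my assumptions against Postfix's Received: format.

```python
"""Find where a queued message entered the server from its headers (added example)."""
import email
import re

# Assumed patterns for the three shapes Postfix gives the entry hop.
LOCAL = re.compile(r"^by (?P<host>\S+) \(Postfix, from userid (?P<uid>\d+)\)")
AUTH = re.compile(r"\(Authenticated sender: (?P<user>[^)]+)\)")
SMTP = re.compile(r"^from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)")

# Constructed sample 1: arrived by SMTP from an external relay, then re-injected locally
# (the shape of the example header in the answer above).
RELAYED = """\
Received: by mail.example.net (Postfix, from userid 30)
    id 90C442CA162C; Tue, 10 Nov 2020 07:47:30 +0100 (CET)
Received: from relay.example.org (relay.example.org [203.0.113.24])
    by mail.example.net (Postfix) with ESMTPS id 7D24E2CA162A
    for <john.doe@example.com>; Tue, 10 Nov 2020 07:47:29 +0100 (CET)
From: "Newsletter" <news@example.org>
To: john.doe@example.com
Subject: hello
X-PPP-Vhost: example.com

body
"""
# Constructed sample 2: injected by a script under a hosted vhost, no SMTP hop at all.
SCRIPTED = """\
Received: by mail.example.net (Postfix, from userid 10001)
    id 1AB2C3D4E5F; Mon, 9 Nov 2020 03:35:24 +0100 (CET)
From: "Bank" <noreply@example.com>
To: victim@example.org
Subject: verify your account
X-PPP-Vhost: shop.example.com

body
"""
# Constructed sample 3: SASL-authenticated submission from a remote client.
AUTHED = """\
Received: from [192.0.2.55] (unknown [192.0.2.55])
    (Authenticated sender: alice@example.com)
    by mail.example.net (Postfix) with ESMTPSA id 2B3C4D5E6F;
    Mon, 9 Nov 2020 03:36:00 +0100 (CET)
From: alice@example.com
To: bob@example.org
Subject: hi

body
"""


def classify_hop(hop):
    """Return (kind, detail) for one Received: value that has been unfolded to a single line."""
    m = LOCAL.match(hop)
    if m:
        return "local-submission", f"sendmail on {m['host']} as uid {m['uid']}"
    m = AUTH.search(hop)
    if m:
        src = SMTP.match(hop)
        return "authenticated-smtp", f"{m['user']} from {src['ip'] if src else '?'}"
    m = SMTP.match(hop)
    if m:
        return "inbound-smtp", f"{m['ip']} (helo {m['helo']})"
    return "unknown", hop[:60]


def origin(raw):
    """Parse a raw message and classify its entry hop plus the identifying headers."""
    msg = email.message_from_string(raw)
    # Unfold continuation lines so the regexes see one line per hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    chain = [classify_hop(h) for h in reversed(hops)]  # oldest hop first
    kind, detail = chain[0] if chain else ("unknown", "no Received: headers")
    return {
        "origin": kind,
        "detail": detail,
        "chain": chain,
        "from": msg.get("From"),
        "x_sender": msg.get("X-Sender"),
        "plesk_vhost": msg.get("X-PPP-Vhost"),
    }


if __name__ == "__main__":
    for name, sample in (("relayed", RELAYED), ("scripted", SCRIPTED), ("authed", AUTHED)):
        r = origin(sample)
        print(f"{name}: {r['origin']} via {r['detail']}; vhost={r['plesk_vhost']}")
```

A local-submission hit is the interesting one on a Plesk box: map the uid with `getent passwd <uid>`, and if it belongs to a subscription's system user and X-PPP-Vhost names that site, the spam is most likely coming from a script under that vhost rather than from a stolen mailbox.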
 