
Question spam from local host 127.42.0.0

costaskal

Basic Pleskian
OS Ubuntu 14.04.3 LTS
Plesk version 12.5.30 Update #74, last updated at Mar 7, 2018 02:54 AM

My server spams from local host 127.42.0.0. I cannot find if it is a script or a hacked account.

smtp headers
--------------------------------------------------------------------------------------------------------------------------
Received: from MYSERVERNAME(unknown [127.42.0.0])
by MYSERVERNAME(Postfix) with ESMTP id A4FB7FE1
for <wpclp@charter.net>; Thu, 8 Mar 2018 23:34:47 +0200 (EET)
Received-SPF: pass (MYSERVERNAME: localhost is always allowed.) client-ip=127.42.0.0; envelope-from=dsnowdend@iae.nl; helo=MYSERVERNAME;
Date: Thu, 8 Mar 2018 23:34:47 +0000
From: Glenda Spencer Administration <dsnowdend@iae.nl>
Tits-Predicted-Cornucopia: CD139A1B1C
Content-Type: text/html; charset="UTF-8"
To: "wpclp@charter.net" <wpclp@charter.net>
Content-Transfer-Encoding: 7bit
Tentacles-Evaluation-Outvotes: 1e849895e4
MIME-Version: 1.0
Subject: Update photos you love
Slipped-Ailments-Terming: 3E1D883E827F
Eccentricity-Crossing-Rent: 7F5EC233
Assigns-Marilyn: vanishingly
Message-ID: <b7a9-a1daf.54ab27@iae.nl>
-------------------------------------------------------------------------------------------------------------
The domain iae.nl is a foreign domain for my server.
Any suggestions?
 
In /var/log/maillog you will find entries that define who is submitting the mail to the SMTP server. In your case this will be one of the subscription accounts.
 
I'm pasting the log so you can see that it has no helpful info. For privacy, I removed sensitive data.

Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/smtpd[18069]: A4FB7FE1: client=unknown[127.42.0.0]
Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/cleanup[18074]: A4FB7FE1: message-id=<b7a9-a1daf.54ab27@iae.nl>
Mar 8 23:33:35 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: Message aborted.
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: SKIP
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: SKIP during call 'check-quota' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18078]: Starting spf filter...
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18078]: SPF result: pass
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18078]: SPF status: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: PASS during call 'spf' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: SKIP
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: SKIP during call 'check-quota' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/qmgr[18357]: 93A2BFDE: from=<beckerm4@freenet.de>, size=1985, nrcpt=1 (queue active)
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18080]: Starting spf filter...
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18080]: SPF result: pass
Mar 8 23:34:47 XXXXXXXXXXXXXXX spf filter[18080]: SPF status: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: PASS
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: PASS during call 'spf' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: handlers_stderr: SKIP
Mar 8 23:34:47 XXXXXXXXXXXXXXX /usr/lib/plesk-9.0/psa-pc-remote[1232]: SKIP during call 'check-quota' handler
Mar 8 23:34:47 XXXXXXXXXXXXXXX postfix/smtpd[18007]: disconnect from unknown[127.42.0.0]
 
Back to one of your questions: This is for sure a hacked account. If it was an SMTP login, you'd see a line with "postfix/pickup" or at least the "pickup" word in it. This is not the case, so here the mail is submitted by a script from localhost. It does not need to authenticate.

It is rare that neither an X-Mailer line is included in the header nor the sender account is mentioned in the log. In this case I suggest lowering the overall mail-out limit and seeing which of your subscriptions exceed it.
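The two replies above point at the same check: group the /var/log/maillog lines by Postfix queue ID and look at how each message entered the queue (an smtpd `client=` line with `sasl_username`, an smtpd `client=` line from a 127.x address with no SASL fields, or a `postfix/pickup` line from sendmail(1)/PHP mail()). The script below is an added example and not code from the thread or from Plesk; the sample log is constructed from the poster's lines (host name shortened to `mail`) plus two made-up lines, queue IDs BEEF0001 and BEEF0002, that show what an authenticated login and a pickup submission look like in a standard Postfix log.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log: the poster's lines with the host name shortened,
# plus two invented lines (BEEF0001 = authenticated SMTP login,
# BEEF0002 = local sendmail/pickup submission) for comparison.
SAMPLE_LOG = """\
Mar 8 23:34:47 mail postfix/smtpd[18069]: A4FB7FE1: client=unknown[127.42.0.0]
Mar 8 23:34:47 mail postfix/cleanup[18074]: A4FB7FE1: message-id=<b7a9-a1daf.54ab27@iae.nl>
Mar 8 23:34:47 mail postfix/qmgr[18357]: 93A2BFDE: from=<beckerm4@freenet.de>, size=1985, nrcpt=1 (queue active)
Mar 8 23:35:01 mail postfix/smtpd[18090]: BEEF0001: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@example.com
Mar 8 23:35:02 mail postfix/pickup[18100]: BEEF0002: uid=10001 from=<www-data@example.com>
Mar 8 23:35:02 mail postfix/cleanup[18101]: BEEF0002: message-id=<abc@example.com>
Mar 8 23:35:03 mail postfix/smtpd[18007]: disconnect from unknown[127.42.0.0]
"""

# "postfix/<program>[pid]: <queue-id>: <rest>" is the common Postfix log shape.
LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Fa-f]+): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
UID_RE = re.compile(r"uid=(?P<uid>\d+)")


def parse_maillog(text):
    """Group log lines by queue ID and record how each message entered the queue."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a queue ID (e.g. "disconnect from ...") carry no per-message info
        rec = msgs[m["qid"]]
        prog, rest = m["prog"], m["rest"]
        if prog == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                rec["client_ip"] = c["ip"]
            s = SASL_RE.search(rest)
            if s:
                rec["sasl_username"] = s["user"].rstrip(",")
        elif prog == "pickup":
            rec["pickup"] = True
            u = UID_RE.search(rest)
            if u:
                rec["uid"] = int(u["uid"])  # the Unix uid maps to the Plesk subscription's system user
    return msgs


def classify(rec):
    """Name the submission path for one message record."""
    if rec.get("pickup"):
        return "local-pickup"              # sendmail(1) / PHP mail(); uid identifies the site
    if "sasl_username" in rec:
        return "authenticated-smtp"        # a mailbox login; the account is named in the log
    ip = rec.get("client_ip")
    if ip and ipaddress.ip_address(ip).is_loopback:
        return "unauthenticated-local-smtp"  # script talking SMTP to 127.0.0.0/8: no account to blame
    return "unauthenticated-remote-smtp" if ip else "unknown"


def find_local_script_submissions(text):
    """Return the queue IDs that were submitted over SMTP from loopback without authenticating."""
    msgs = parse_maillog(text)
    return sorted(q for q, rec in msgs.items() if classify(rec) == "unauthenticated-local-smtp")


if __name__ == "__main__":
    for qid, rec in parse_maillog(SAMPLE_LOG).items():
        print(qid, classify(rec), rec)
    print("suspect:", find_local_script_submissions(SAMPLE_LOG))
```

Run it against a copy of the real maillog (`python3 check.py < /var/log/maillog` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) and the `unauthenticated-local-smtp` bucket is the set of messages that neither a mailbox login nor a pickup uid can explain; counting them per sender domain over time is a practical way to see which subscription's scripts are producing them before lowering the outgoing mail limit.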
 