
mailing spam issue


avizeke
07-12-2012, 02:35
Found the problem, and might I say what a joke! I have found that it's through the Plesk primary admin account email address that it spams, using that email account.

I changed email accounts to test this and it's now doing spam in the new changed account. Might I add, at the time there were no other files on the system other than Plesk.

So from the default OVH format for CentOS 6 and the 10.4 Plesk install, I believe there is a bug.

Going to add a dummy email account in now instead. But this issue, I believe, has blocked my emails being seen from Hotmail only.

avizeke
07-12-2012, 02:18
I zipped up all the files and deleted the current ones, all web related as that's all that's on there, rebooted the server, and the server was still booting out spam emails from just one account. The only thing that was on there was Plesk.

avizeke
07-12-2012, 01:48
I do have the time, I did properly check! That's the results that came up.

There is a CMS-based website on there. There are a few more apps like WHMCS and IPB, which is forum based, but they are up to date; however Joomla... the template is run off an old CMS. So I am gonna change the email account to test.

LawsHosting
06-12-2012, 09:09
Any CMSs out of date? A rogue PHP file that abuses the mail() function?

Myatu
06-12-2012, 04:07
That log doesn't do us much good, and it's old as well. If you don't have time to look into this, maybe ask around to see if someone can dig through your server to find and resolve the cause. As it is now, you're not exactly doing anyone a favour by allowing the spam to continue...

avizeke
06-12-2012, 02:58
Nope, it's standard default qmail under Plesk 10.4.

Spam is still taking place at a big rate; just about got time now to continue trying to get into this. I think I am pinpointing the problem to one of the websites being run off the system that is forcing the emails out, and then errors are coming back to the account.

So no one has hacked the server.
Only one email account is being used.


[root@ks log]# tail -n100 maillog-20121202
[root@ksog]# tail -n100 maillog-20121125
Nov 24 11:41:45 stock postfix/postfix-script[2543]: starting the Postfix mail system
Nov 24 11:41:45 stock postfix/master[2544]: daemon started -- version 2.6.6, configuration /etc/postfix

Myatu
28-11-2012, 16:49
The log doesn't show enough details (use "-n100" after "tail", so it shows more). However, it shows Postfix. Did you replace Qmail?

avizeke
28-11-2012, 15:13
Myatu

[root@ks log]# ls
atmail dmesg.old maillog-20121125 sa-update.log tallylog
audit drwebupdate.log mailman secure wtmp
boot.log hspc messages secure-20121125 yum.log
btmp httpd messages-20121125 spooler
cron install_rtm.log mysqld.log spooler-20121125
cron-20121125 lastlog ntpstats sso
dmesg maillog psa-horde sw-cp-server
[root@ks log]# ^C
[root@ks1 log]# tail maillog
[root@ks log]# ^C
[root@ks log]# tail maillog-20121125
Nov 24 11:41:45 stock postfix/postfix-script[2543]: starting the Postfix mail system
Nov 24 11:41:45 stock postfix/master[2544]: daemon started -- version 2.6.6, configuration /etc/postfix
[root@ks log]# tail maillog-20121125 -n100
Nov 24 11:41:45 stock postfix/postfix-script[2543]: starting the Postfix mail system
Nov 24 11:41:45 stock postfix/master[2544]: daemon started -- version 2.6.6, configuration /etc/postfix
[root@ log]#

avizeke
28-11-2012, 15:10
Hello all again.

OK, after changing passwords of the mail server and the system, overnight there was still some coming through... but a lot less, like a few hundred rather than over 10,000 overnight.

It's still done through the same email account even though there are two. So it's absolute that it's internal, probably linking to just one email account. Surely there should be something on Plesk to apprehend this.

Current version is 10.4.

Neil
28-11-2012, 13:02
Quote Originally Posted by LawsHosting
How come you're still using qmail? Doesn't Plesk use a more up-to-date MTA now?
It uses both, http://kb.parallels.com/en/5801

So if you upgrade through the Plesk versions I assume it would stay on Qmail.

LawsHosting
28-11-2012, 09:19
How come you're still using qmail? Doesn't Plesk use a more up-to-date MTA now?

avizeke
27-11-2012, 19:41
OK, changed the password of the server root and the email account and that has stopped... Am gonna leave it overnight and see what happens.

Myatu
27-11-2012, 18:30
Firstly go into Plesk > Settings > Mail and turn off the mail server - or risk that OVH will turn off your server instead. Check the mail.log with:

Code:
tail /var/log/mail.log -n100
This retrieves the last 100 lines (-n100), so it should give you an idea of what's going on. Post it here, so we can have a look. Does look like either you've got a password-less account (used to relay) or have been compromised.

aozm48
27-11-2012, 16:44
http://lmgtfy.com/?q=how+to+secure+a+centos+server

avizeke
27-11-2012, 16:38
OK, internally it is then. How would one go about restricting, identifying the location and fixing this issue?

CentOS 6.3
Plesk 10.4

aozm48
27-11-2012, 15:58
Well, if emails are going out from your server, yet it's not an open relay, that would tend to point to something on your server itself doing the mailing...

avizeke
27-11-2012, 15:08
I don't believe that to be the case, seeing as the password is quite lengthy and I am the only person who knows it.

I could change the passwords of the email server and the root command...?

It's possible that when I transferred my web files over from one server to another, it could be a virus that's activated... maybe...

aozm48
27-11-2012, 13:44
If it's not an open relay, then it sounds like someone has access to your server, and has installed something onto it that is sending out the spam. I would strongly recommend checking what running processes are on your server, and stopping the ones that shouldn't be on there.

avizeke
27-11-2012, 13:29
http://www.mailradar.com/openrelay/

Passed this test ("All tested completed! No relays accepted by remote host!") so it's not a relay. So the server isn't configured properly?

This is now starting to make sense to me, trial and error.

aozm48
27-11-2012, 13:26
As Daz said, take steps to secure your server properly. You either have someone remoting into your server and running a daemon program that is sending out the spam, or you are configured as an open relay for email.

avizeke
27-11-2012, 13:22
Using ps aux in SSH:

popuser 18145 0.0 0.1 40240 29184 ? SN 03:22 0:00 spamd child
popuser 18146 0.0 0.1 40240 29184 ? SN 03:22 0:00 spamd child


Constant sending out:

qmaild 15338 0.0 0.0 5848 2096 ? Ss 14:08 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
qmailr 15615 0.0 0.0 5832 1208 ? S 14:10 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com roknrollpixie@aol.com
qmailr 15741 0.0 0.0 5832 1208 ? S 14:11 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com brunettebaby895@aol.com
qmailr 15799 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com addydaddy135@aol.com
qmailr 15805 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsfi.com iluvcabbage@aol.com
qmailr 15822 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com icecream66@aol.com
qmailr 15824 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com tylrjsph@aol.com
qmailr 15826 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com kingjohn95@aol.com
qmailr 15835 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.com.com bxdannygirl0307@aol.com
qmailr 15837 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.kimsufi.com gatorgirl0016@aol.com
qmailr 15839 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.com.kimsufi.com www.pookychrissy@aol.com
qmailr 15840 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.com.kimsufi.com bballbabe0251@aol.com
qmailr 15842 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.com.kimsufi.com morgy81389@aol.com
qmailr 15845 0.0 0.0 5832 1212 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.comkimsufi.com www.hsfalways@aol.com
qmailr 15846 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.com.kimsufi.com marveenl@aol.com
qmailr 15848 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks2kimsufi.com.kimsufi.com greatromances98@aol.com
qmailr 15860 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.comkimsufi.com witeboy1220@aol.com
qmailr 15861 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@kskimsufi.com.kimsufi.com mario64@aol.com
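The listing above is the kind of evidence a defender wants to summarise quickly: every qmail-remote process carries the destination host, the envelope sender and the recipient(s) on its command line, so grouping by sender shows which local identity is pushing the mail out. The following is an added example, not code from the thread or from Plesk/qmail; the ps lines in it are constructed, with invented addresses, and the `threshold` of three concurrent deliveries is an arbitrary assumption.

```python
# Added triage helper: group qmail-remote processes from `ps aux` output by
# envelope sender and destination host. Sample input is constructed.
from collections import Counter
import re

# Constructed sample modelled on the thread's listing (addresses are invented).
PS_SAMPLE = """\
qmaild 15338 0.0 0.0 5848 2096 ? Ss 14:08 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
qmailr 15615 0.0 0.0 5832 1208 ? S 14:10 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.example.com user1@aol.com
qmailr 15741 0.0 0.0 5832 1208 ? S 14:11 0:00 /var/qmail/bin/qmail-remote.moved aol.com anonymous@ks.example.com user2@aol.com
qmailr 15799 0.0 0.0 5832 1204 ? S 14:12 0:00 /var/qmail/bin/qmail-remote.moved hotmail.com anonymous@ks.example.com user3@hotmail.com
qmailr 15805 0.0 0.0 5832 1208 ? S 14:12 0:00 /var/qmail/bin/qmail-remote aol.com admin@ks.example.com user4@aol.com
"""

# qmail-remote argv is: <host> <envelope-sender> <recipient>...
# The binary may appear as qmail-remote or qmail-remote.moved (as in the thread).
QMAIL_REMOTE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+.*?/var/qmail/bin/qmail-remote\S*\s+"
    r"(?P<host>\S+)\s+(?P<sender>\S+)\s+(?P<rcpts>.+)$"
)

def parse_qmail_remote(ps_output):
    """Return one dict per qmail-remote delivery process found in ps output."""
    deliveries = []
    for line in ps_output.splitlines():
        m = QMAIL_REMOTE.search(line)
        if not m:
            continue  # qmail-smtpd, spamd and other rows are skipped
        deliveries.append({
            "pid": int(m.group("pid")),
            "host": m.group("host"),
            "sender": m.group("sender"),
            "recipients": m.group("rcpts").split(),
        })
    return deliveries

def summarize(deliveries):
    """Count concurrent deliveries per envelope sender and per destination host."""
    by_sender = Counter(d["sender"] for d in deliveries)
    by_host = Counter(d["host"] for d in deliveries)
    return by_sender, by_host

def suspicious_senders(deliveries, threshold=3):
    """Senders with at least `threshold` simultaneous remote deliveries (assumed cut-off)."""
    by_sender, _ = summarize(deliveries)
    return sorted(s for s, n in by_sender.items() if n >= threshold)

if __name__ == "__main__":
    found = parse_qmail_remote(PS_SAMPLE)
    print("per sender:", dict(summarize(found)[0]), "suspicious:", suspicious_senders(found))
```

On a live box the same functions can be fed `subprocess.check_output(["ps", "aux"], text=True)`; a sender that dominates the count is the account whose password or calling script to look at first.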

avizeke
27-11-2012, 12:56
OVH has done a check and the IP isn't on any blacklist, just Hotmail's, as the spam has only been sent to Hotmail.

I need to find out how to prevent these emails being sent out from my mail server.

How would I be able to check internally through SSH to identify a bigger understanding on what and how it's being sent?

Myatu
26-11-2012, 17:55
Quote Originally Posted by avizeke
How would you guys handle the spam and get re-approved again by Hotmail?
Well, for one stop the mail server and secure it, as DigitalDaz already mentioned.

When you have secured it (tip: use SPF records), check it against http://www.mailradar.com/openrelay/.

If it passes, then you can start the process of unblocking your server. More than likely, you've ended up on more than just Hotmail/Live's blacklist. Check with http://www.mailradar.com/rbl/ and http://www.mxtoolbox.com/blacklists.aspx who has blacklisted you.

For Mickeysoft, start with https://support.msn.com/eform.aspx?p...eformts&scrx=1 - as reason you can specify a configuration error (we're only human).

avizeke
26-11-2012, 17:50
So stopping the mail server then, yes, for the time being... but how would I be able to look more into stopping the spam emails?

DigitalDaz
26-11-2012, 17:39
You could make a good start by stopping the server sending out the spam emails!

avizeke
26-11-2012, 14:11
Thought I would ask on here, seeing as OVH response times on KS servers are a joke: waiting 3 days for a response to a ticket. Laughable!

I bought a new KS server on Saturday. I transferred my websites over, with CentOS 6 and Plesk installed on it as default by OVH's panel, and the mail server is instantly sending spam emails, close to about 3000 mails every ten minutes.

Which has now blocked the Hotmail communication, blacklisting the IP. One of the reasons I moved to a new system is because my previous IP with OVH was also blocked, and their "support" was inconsistent.

This is the error from mailer-daemon@Ks2xxxx.kimsufi.com:

Connected to 65.xx.xxx.xx but sender was rejected.
Remote host said: 550 SC-001 (COL0-MC4-F36) Unfortunately, messages from 188.165.220.191 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to.http://mail.live.com/mail/troubleshooting.aspx#errors.


How would you guys handle the spam and get re-approved again by Hotmail?