Hey all. Any help on this aspect would be appreciated.
Centos 6
Plesk 10.4
From what I can understand currently, I believe I am experiencing the mail server spamming. OVH staff created an "anti hack" incident and the IP has been blacklisted with Trend Micro.
Configuration of Plesk is default for the mail server, firewall and DNS. So I want some advice and recommendations on the best way of handling this matter, from whitelisting emails as well as whitelisting the network through the mail settings on the Plesk side.
Evidence so far - this to me shows clear congestion of mail returned:
[root@website ~]# cd /var/qmail/queue/
[root@website queue]# cd mess/
[root@website mess]# ls -l
total 22580
drwxr-x--- 2 qmailq qmail 1015808 Feb 8 03:25 0
drwxr-x--- 2 qmailq qmail 1011712 Feb 8 03:26 1
drwxr-x--- 2 qmailq qmail 999424 Feb 8 03:25 10
drwxr-x--- 2 qmailq qmail 1024000 Feb 8 03:26 11
drwxr-x--- 2 qmailq qmail 991232 Feb 8 03:26 12
drwxr-x--- 2 qmailq qmail 1044480 Feb 8 03:26 13
drwxr-x--- 2 qmailq qmail 978944 Feb 8 03:26 14
drwxr-x--- 2 qmailq qmail 1007616 Feb 8 03:25 15
drwxr-x--- 2 qmailq qmail 1011712 Feb 8 03:26 16
drwxr-x--- 2 qmailq qmail 937984 Feb 8 03:26 17
drwxr-x--- 2 qmailq qmail 1024000 Feb 8 03:26 18
drwxr-x--- 2 qmailq qmail 958464 Feb 8 03:26 19
drwxr-x--- 2 qmailq qmail 987136 Feb 8 03:26 2
drwxr-x--- 2 qmailq qmail 983040 Feb 8 03:26 20
drwxr-x--- 2 qmailq qmail 1011712 Feb 8 03:26 21
drwxr-x--- 2 qmailq qmail 1003520 Feb 8 03:26 22
drwxr-x--- 2 qmailq qmail 991232 Feb 8 03:26 3
drwxr-x--- 2 qmailq qmail 983040 Feb 8 03:26 4
drwxr-x--- 2 qmailq qmail 1003520 Feb 8 03:26 5
drwxr-x--- 2 qmailq qmail 1019904 Feb 8 03:25 6
drwxr-x--- 2 qmailq qmail 1003520 Feb 8 03:26 7
drwxr-x--- 2 qmailq qmail 1019904 Feb 8 03:25 8
drwxr-x--- 2 qmailq qmail 1015808 Feb 8 03:25 9
All emails are showing addresses of (this is generic):
from:
MAILER-DAEMON@ks111.kimsufi.com
To:
anonymous@ks111.kimsufi.com
Return-Path:
To: rodge13@hotm1ail.com
-
Checked mail auth and there is nothing out of the ordinary, and no one else has access for additional email accounts.
/usr/local/psa/admin/bin/mail_auth_view
-
This produced an absolutely live, constant feed of spam email being sent, over 200 lines a second:
tail -f /usr/local/psa/var/log/maillog
result -
Feb 8 04:13:13 website qmail-queue-handlers[19683]: Handlers Filter before-queue for qmail started ...
Feb 8 04:13:13 website qmail-queue-handlers[19683]: from=#@[]
Feb 8 04:13:13 website qmail-queue-handlers[19683]: to=postmaster@ks111.kimsufi.com
Feb 8 04:13:13 website qmail-queue-handlers[19683]: handlers_stderr: SKIP
Feb 8 04:13:13 website qmail-queue-handlers[19683]: SKIP during call 'check-quota' handler
Feb 8 04:13:13 website qmail-queue-handlers[19683]: starter: submitter[19685] exited normally
Feb 8 04:13:13 website qmail: 1360293193.264604 bounce msg 71507736 qp 19683
Feb 8 04:13:13 website qmail: 1360293193.264621 end msg 71507736
Feb 8 04:13:13 website qmail: 1360293193.264751 delivery 16589: success: did_0+1+0/qp_19679/
Feb 8 04:13:13 website qmail: 1360293193.264785 status: local 1/10 remote 1/20
Feb 8 04:13:13 website qmail: 1360293193.264803 delivery 16590: failure: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/I'm_not_going_to_try_again;_this_message_has_been_in_the_queue_too_long./
Feb 8 04:13:13 website qmail: 1360293193.264883 status: local 1/10 remote 0/20
Feb 8 04:13:13 website qmail: 1360293193.264903 new msg 71785932
Feb 8 04:13:13 website qmail: 1360293193.264916 info msg 71785932: bytes 4274 from <#@[]> qp 12745 uid 2522
Feb 8 04:13:13 website qmail-queue-handlers[19688]: Handlers Filter before-queue for qmail started ...
Feb 8 04:13:13 website qmail-queue-handlers[19688]: from=#@[]
Feb 8 04:13:13 website qmail-queue-handlers[19688]: to=12345@12345.com
Feb 8 04:13:13 website qmail-queue-handlers[19688]: handlers_stderr: SKIP
Feb 8 04:13:13 website qmail-queue-handlers[19688]: SKIP during call 'check-quota' handler
Feb 8 04:13:13 website qmail-queue-handlers[19688]: starter: submitter[19690] exited normally
Feb 8 04:13:13 website qmail: 1360293193.416319 starting delivery 16592: msg 71516431 to remote as@as.com
Feb 8 04:13:13 website qmail: 1360293193.416338 status: local 1/10 remote 1/20
Feb 8 04:13:13 website qmail: 1360293193.416349 end msg 71783701
Feb 8 04:13:13 website qmail: 1360293193.416469 delivery 16591: success: did_0+1+0/qp_19688/
Feb 8 04:13:13 website qmail: 1360293193.416485 status: local 0/10 remote 1/20
Feb 8 04:13:13 website qmail: 1360293193.416518 new msg 71777905
Feb 8 04:13:13 website qmail: 1360293193.416548 info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522
Feb 8 04:13:13 website qmail-remote-handlers[19691]: Handlers Filter before-remote for qmail started ...
Feb 8 04:13:13 website qmail-remote-handlers[19691]: from=postmaster@mywebsite.com
Feb 8 04:13:13 website qmail-remote-handlers[19691]: to=as@as.com
Feb 8 04:13:13 website qmail: 1360293193.477025 starting delivery 16593: msg 71786001 to local postmaster@ks111.kimsufi.com
Some aspects here are more revealing:
Feb 8 04:13:13 website qmail-queue-handlers[19688]: to=12345@12345.com
The email address I changed to the main admin Plesk user, and server-side picked this up quickly. This to me indicates that the account has been brute forced and then used with SMTP AUTH to inject mail to the list.
Feb 8 04:13:13 website qmail: 1360293193.264604 bounce msg 71507736 qp 19683
This here shows me that it's externally driven by the "bounce" method.
Firstly - it looks like it's using qmail, yet through Plesk it's set to use SMTP.
Secondly - the whitelist network under Plesk mail is 127.0.0.0/8, indicating this is local. Wouldn't it be better applying the proper IP for the server rather than the local one?
Thirdly - wouldn't it be better whitelisting email addresses specific to the ones being used? Am I right in assuming it's irrelevant, as the spam may not be done through Plesk and instead done through the backend?
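As an added example (not from the original post), here is a small Python parser for the qmail maillog format quoted above: it counts message injections per local uid and per envelope sender, and bounces per second, so you can see which uid is feeding the queue and map it back to an account with `getent passwd <uid>`. The sample log lines are constructed in the same format as the post's output and are not a real capture.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the qmail maillog quoted above.
SAMPLE_LOG = """\
Feb 8 04:13:13 website qmail: 1360293193.264604 bounce msg 71507736 qp 19683
Feb 8 04:13:13 website qmail: 1360293193.264903 new msg 71785932
Feb 8 04:13:13 website qmail: 1360293193.264916 info msg 71785932: bytes 4274 from <#@[]> qp 12745 uid 2522
Feb 8 04:13:13 website qmail-queue-handlers[19688]: from=#@[]
Feb 8 04:13:13 website qmail-queue-handlers[19688]: to=12345@12345.com
Feb 8 04:13:13 website qmail: 1360293193.416548 info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522
Feb 8 04:13:14 website qmail: 1360293194.100000 info msg 71777906: bytes 900 from <alice@example.com> qp 12800 uid 2523
Feb 8 04:13:14 website qmail: 1360293194.200000 bounce msg 71507737 qp 19700
"""

# "info msg" lines are written by qmail-send for every message entering the queue
# and carry the envelope sender and the local uid that injected it.
INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
# "bounce msg" lines mark a bounce being generated for a failed delivery.
BOUNCE_RE = re.compile(r"qmail: (\d+)\.\d+ bounce msg (\d+)")


def summarize(log_text):
    """Return (injections per uid, injections per sender, bounces per epoch second)."""
    per_uid, per_sender, bounces_per_sec = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            _msg, _bytes, sender, _qp, uid = m.groups()
            per_uid[uid] += 1
            per_sender[sender or "<>"] += 1  # empty sender = single bounce
            continue
        m = BOUNCE_RE.search(line)
        if m:
            bounces_per_sec[int(m.group(1))] += 1
    return per_uid, per_sender, bounces_per_sec


def top_injector(per_uid):
    """uid responsible for the most queue injections, or None if log is empty."""
    return per_uid.most_common(1)[0][0] if per_uid else None


if __name__ == "__main__":
    uids, senders, bounces = summarize(SAMPLE_LOG)
    print("injections per uid:", dict(uids))
    print("injections per sender:", dict(senders))
    print("peak bounces/sec:", max(bounces.values(), default=0))
    print("check with: getent passwd", top_injector(uids))
```

On the real box, feed it the log with `summarize(open("/usr/local/psa/var/log/maillog").read())`; a single uid with thousands of injections from `#@[]` or an empty sender points at backscatter (bounces of earlier mass mail), whereas a mailbox uid with a normal sender points at an authenticated account being abused.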