plesk mail server protection questions


avizeke
19-02-2013, 12:45
Yup, it's enabled.

I will mail you a contact email address instead, I think.

Myatu
18-02-2013, 22:03
I use KeePass, which has a password generator as well. Brilliant little tool; works on Linux, Windows, Android, iPhone, even BB.

Kacotet
18-02-2013, 21:58
Quote Originally Posted by avizeke
For anyone who has a similar issue to this, DO NOT have your username and passwords the same on Plesk as they are on your web applications. Also don't have your admin Plesk account the same as your mail server password. I believe they brute-forced the admin account, getting the email address, and getting typical passwords matched what was on the Apache web server. Bad practice and quite common.
Moral of the story: Use better passwords.

https://secure.pctools.com/guides/pa...word_generator

Myatu
18-02-2013, 19:18
Nope:
avizeke has chosen not to receive private messages or may not be allowed to receive private messages
Click on your "User CP" -> "Edit Options" and select "Enable Private Messaging".

Note to OVH: Really should enable this by default...

avizeke
18-02-2013, 18:43
PMs enabled, I believe... let me know if you're still having this issue.

Thanks

Myatu
18-02-2013, 17:31
P.S. @avizeke - you need to enable PMs to allow me to reply

Myatu
10-02-2013, 14:58
Glad it is resolved now.

avizeke
10-02-2013, 13:50
Mr Myatu, thanks for all your help in pointing me in the right direction.

I resolved the matter by deleting /mess and /report and recreating the directories and permissions, then changing all passwords to unique individual ones, and made the usernames more complicated on Plesk (adding a capital-letter word, then numbers). It's been a day now and the mail server is now running quickly, with nothing in the queue.


For anyone who has a similar issue to this, DO NOT have your username and passwords the same on Plesk as they are on your web applications. Also don't have your admin Plesk account the same as your mail server password. I believe they brute-forced the admin account, getting the email address, and getting typical passwords matched what was on the Apache web server. Bad practice and quite common.

Myatu
09-02-2013, 16:26
Received: (qmail 12549 invoked by uid 502); 30 Jan 2013 04:20:05 +0100
Message-ID: <20130130032005.12546.qmail@ks111.kimsufi.com>


result

grep 502 /etc/passwd
psaftp:x:501:502:anonftp psa user:/:/sbin/nologin
apache:x:502:503:Apache server:/:/sbin/nologin
That's the one: apache. So it's done via your webserver. Now you continue on to this article: http://kb.parallels.com/en/1711
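
The article Myatu links is about finding which PHP script is doing the submitting. The script below is an added example of that idea, written for this page; it is not the KB article's own script and not part of Plesk. It is a logging wrapper placed in front of the sendmail binary that PHP's mail() executes: before handing the message on, it records the caller's uid, working directory (which sits under the vhost's document root) and the CGI/FastCGI variables that name the script and the remote client. The paths /usr/sbin/sendmail.real and /var/tmp/mail.send are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the KB article's script, not Plesk code): a logging
# wrapper for the sendmail binary PHP's mail() calls. Install it under the
# real binary's name after moving the real one aside, e.g.
#   mv /usr/sbin/sendmail /usr/sbin/sendmail.real
#   cp trace-sendmail.sh /usr/sbin/sendmail && chmod 755 /usr/sbin/sendmail
# Both paths below are assumptions for illustration.

SENDMAIL_REAL="${SENDMAIL_REAL:-/usr/sbin/sendmail.real}"   # where the genuine binary was moved
MAIL_TRACE_LOG="${MAIL_TRACE_LOG:-/var/tmp/mail.send}"       # must be writable by the web server user

# log_caller: append one record describing who is submitting mail right now.
# $PWD is the calling script's directory under /var/www/vhosts/..., which is
# usually enough on its own to locate the offending PHP file.
log_caller() {
    {
        printf '=== %s uid=%s pwd=%s ppid=%s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$PWD" "$PPID"
        # On Linux the parent's command line shows the interpreter (httpd, php-cgi, ...)
        if [ -r "/proc/$PPID/cmdline" ]; then
            printf 'parent='
            tr '\0' ' ' < "/proc/$PPID/cmdline"
            printf '\n'
        fi
        # CGI/FastCGI variables name the script and the client that triggered it;
        # "|| true" keeps a clean environment (no matches) from being an error
        env | grep -E '^(SCRIPT_FILENAME|SCRIPT_NAME|DOCUMENT_ROOT|REQUEST_URI|HTTP_HOST|REMOTE_ADDR)=' || true
    } >> "$MAIL_TRACE_LOG"
}

# forward_to_real: pass arguments and stdin through unchanged so mail keeps
# flowing while the trap is in place; exec keeps the file descriptors intact.
forward_to_real() {
    exec "$SENDMAIL_REAL" "$@"
}

# Only behave as the wrapper when invoked under the real binary's name, so
# the file can also be sourced or run on its own for testing.
case "$0" in
    */sendmail)
        log_caller
        forward_to_real "$@"
        ;;
esac
```

Once the spam run resumes, `grep pwd= /var/tmp/mail.send | sort | uniq -c | sort -rn` points at the vhost directory doing the sending. Two caveats: Plesk's /usr/sbin/sendmail is itself a wrapper that feeds qmail, so put the trap in front of whichever binary the vhost's PHP actually executes (a setuid binary such as qmail-queue cannot be replaced by a shell script, only fronted by one), and remove the wrapper as soon as the script is identified.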

avizeke
09-02-2013, 12:27
Beginning to learn that Plesk is bad practice.

LawsHosting
09-02-2013, 09:16
I thought Plesk dropped qmail (yuk) these days.

avizeke
08-02-2013, 19:27
No. No postmaster.

postmaster@website.com

It does spit this log line out when tailing the logs:

Feb 8 20:23:57 website qmail-remote-handlers[27176]: from=postmaster@website.com


Ahh, OK, I will check that uid now. It's hard sifting through it all.

data
Feb 8 04:13:13 website qmail: 1360293193.416548 info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522


find /var/qmail/queue/mess/ -name 71777905
/var/qmail/queue/mess/11/71777905


Will show the top header; bear in mind it's double bounced.

nano /var/qmail/queue/mess/11/71777905
Received: (qmail 5203 invoked by alias); 8 Feb 2013 04:34:00 +0100
Delivered-To: postmaster@ks111.kimsufi.com
Received: (qmail 2405 invoked for bounce); 8 Feb 2013 04:24:29 +0100
Date: 8 Feb 2013 04:24:29 +0100
From: MAILER-DAEMON@ks111.kimsufi.com
To: postmaster@ks111.kimsufi.com
Subject: failure notice

Hi. This is the qmail-send program at ks111.kimsufi.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

---

:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
I'm not going to try again; this message has been in the queue too long.

---

Return-Path: <>
Received: (qmail 4042 invoked by alias); 31 Jan 2013 08:33:36 +0100
Delivered-To: anonymous@ks111.kimsufi.com
Received: (qmail 3954 invoked for bounce); 31 Jan 2013 08:33:34 +0100

-

Return-Path:
Received: (qmail 12549 invoked by uid 502); 30 Jan 2013 04:20:05 +0100
Message-ID: <20130130032005.12546.qmail@ks111.kimsufi.com>


result

grep 502 /etc/passwd
psaftp:x:501:502:anonftp psa user:/:/sbin/nologin
apache:x:502:503:Apache server:/:/sbin/nologin

Running to see what PHP scripts are being used on the system:
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
httpd 31613 apache mem REG 8,1 151435 72320665 /var/www/vhosts/web1-gaming.eu/httpdocs/src/func/cup.php
httpd 10070 apache mem REG 8,1 11821 72343561 /var/www/vhosts/web.com/httpdocs/support/track.php
httpd 31613 apache mem REG 8,1 13185 72401276 /var/www/vhosts/web.com/httpdocs/libraries/joomla/regist
httpd 25139 apache mem REG 8,1 122453 73163084 /var/www/vhosts/web.com/httpdocs/whmcs/includes/function
httpd 25139 apache 39r REG 8,1 122453 73163084 /var/www/vhosts/web.com/httpdocs/whmcs/includes/function
httpd 25139 apache 40r REG 8,1 122453 73163084 /var/www/vhosts/web.com/httpdocs/whmcs/includes/function
httpd 30240 apache mem REG 8,1 4036 73729931 /var/www/vhosts/web.com/httpdocs/modules/mod_banners/help


- updated
Tailing the log files now shows:
Feb 9 02:00:46 website qmail: 1360371646.543940 warning: trouble injecting bounce message, will try later
Feb 9 02:04:09 website qmail-queue-handlers[21788]: Unable to get sender domain by sender mailname



Been checking the PHP scripts and there is nothing out of the ordinary. I have changed all passwords, all different from each other, from the domain accounts to the admin account; mail accounts all different and not the same passwords.


Now this is showing up in the tail log:

Feb 9 02:34:49 website qmail: 1360373689.499932 end msg 76775771
Feb 9 02:34:49 website qmail: 1360373689.500258 end msg 72038944
Feb 9 02:34:49 website qmail: 1360373689.500565 end msg 71747488
Feb 9 02:34:49 website qmail: 1360373689.512545 end msg 71883188
Feb 9 02:34:49 website qmail: 1360373689.522122 end msg 71868422
Feb 9 02:34:49 website qmail: 1360373689.529332 end msg 71722234

Just this now, nothing else.

Myatu
08-02-2013, 17:02
That's just an undeliverable bounce message (don't you have a postmaster address set up, btw?)

Looking back at the log, take this uid for example:

Code:
Feb 8 04:13:13 website qmail: 1360293193.416548 info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522

avizeke
08-02-2013, 16:16
nano /var/qmail/queue/mess/0/71508541

Received: (qmail 25685 invoked by alias); 8 Feb 2013 11:47:51 +0100
Delivered-To: postmaster@ks111.kimsufi.com
Received: (qmail 3372 invoked for bounce); 8 Feb 2013 11:43:07 +0100

It does show alias and not uid.

grep alias on /etc/passwd
grep: on: No such file or directory
/etc/passwd:alias:x:2021:2020:Qmail User:/var/qmail/alias:/sbin/nologin


I checked a few spam emails and they all state alias.

Myatu
08-02-2013, 13:59
Quote Originally Posted by avizeke
/var/qmail/bin/qmail-qread
8 Feb 2013 11:50:27 GMT #71508541 3909 <#@[]>
remote admin1@admin1.com


find /var/qmail/queue/mess/ -name 71508541
/var/qmail/queue/mess/0/71508541


grep 71508541 /etc/passwd
nothing.
You need to look inside the file "/var/qmail/queue/mess/0/71508541" first, looking at the "Received:" header. As per the guide, you would see something similar to:

Code:
Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700
You'll then do a "grep 10003" on /etc/passwd to see who this actually is. If it's "www-data", "apache" or the likes, then it is very likely done via a PHP (or similar) script.

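The lookup Myatu describes above, and the "take this uid" pointer into the maillog, scripted as an added example. This is not code from the thread or from Plesk. File paths are taken as arguments so the same functions run against constructed samples (written by make_samples, modelled on the headers, passwd lines and maillog lines posted in the thread) as well as the real /var/qmail/queue/mess/... files and /etc/passwd; the list of web server account names in classify_origin is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, not Plesk code): trace a queued qmail
# message back to the local account that injected it.

# origin_uid FILE: uid from the "Received: (qmail N invoked by uid U)" header.
# A bounce (and a bounce of a bounce) wraps the original message, so the LAST
# matching header in the file is the one from the original submission.
origin_uid() {
    sed -n 's/^Received: (qmail [0-9][0-9]* invoked by uid \([0-9][0-9]*\)).*/\1/p' "$1" | tail -n 1
}

# uid_to_user UID PASSWD_FILE: compare the third field exactly. A bare
# "grep 502 /etc/passwd" also matches gids and other numbers, which is why
# the thread's grep returned psaftp (gid 502) alongside apache (uid 502).
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# classify_origin FILE PASSWD_FILE: one token a triage script can branch on.
classify_origin() {
    uid=$(origin_uid "$1")
    [ -n "$uid" ] || { echo "bounce-only"; return 0; }   # only alias/bounce headers present
    user=$(uid_to_user "$uid" "$2")
    case "$user" in
        "")                           echo "unknown-uid:$uid" ;;
        apache|www-data|httpd|nobody) echo "webserver:$user" ;;   # assumed web server accounts: a script sent it
        *)                            echo "local:$user" ;;       # a login or system account sent it
    esac
}

# maillog_uid_counts MAILLOG: messages injected per uid, from lines like
# "qmail: ... info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522".
maillog_uid_counts() {
    sed -n 's/.* info msg [0-9]*: .* uid \([0-9][0-9]*\)$/\1/p' "$1" | sort | uniq -c | sort -rn
}

# make_samples DIR: constructed inputs modelled on what was posted in the thread.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
psaftp:x:501:502:anonftp psa user:/:/sbin/nologin
apache:x:502:503:Apache server:/:/sbin/nologin
alias:x:2021:2020:Qmail User:/var/qmail/alias:/sbin/nologin
EOF
    cat > "$1/double-bounce" <<'EOF'
Received: (qmail 5203 invoked by alias); 8 Feb 2013 04:34:00 +0100
Delivered-To: postmaster@ks111.kimsufi.com
Received: (qmail 2405 invoked for bounce); 8 Feb 2013 04:24:29 +0100
Subject: failure notice

Return-Path: <>
Received: (qmail 4042 invoked by alias); 31 Jan 2013 08:33:36 +0100
Received: (qmail 3954 invoked for bounce); 31 Jan 2013 08:33:34 +0100

Return-Path: <postmaster@example.invalid>
Received: (qmail 12549 invoked by uid 502); 30 Jan 2013 04:20:05 +0100
Message-ID: <20130130032005.12546.qmail@ks111.kimsufi.com>
EOF
    cat > "$1/maillog" <<'EOF'
Feb  8 04:13:13 website qmail: 1360293193.264916 info msg 71785932: bytes 4274 from <#@[]> qp 12745 uid 2522
Feb  8 04:13:13 website qmail: 1360293193.416548 info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522
Feb  8 04:13:14 website qmail: 1360293194.100001 info msg 71790001: bytes 1900 from <user@example.invalid> qp 12790 uid 502
EOF
}

# Usage: sh trace-queue-origin.sh /var/qmail/queue/mess/11/71777905 /etc/passwd
if [ $# -eq 2 ]; then
    classify_origin "$1" "$2"
fi
```

On the constructed double bounce, origin_uid returns 502 and classify_origin returns webserver:apache, which is the conclusion the thread reached by hand. For the flood itself, run maillog_uid_counts over /usr/local/psa/var/log/maillog: a uid that dominates the "info msg" lines and resolves to the web server account is the injection point to chase; if it resolves to a qmail system account, those lines are the bounces being regenerated and you need the innermost Received header of a queued message instead.
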
avizeke
08-02-2013, 13:38
Thanks for the reply.

/var/qmail/bin/qmail-qstat
messages in queue: 899464
messages in queue but not yet preprocessed: 0

Over 90,000 queued!!!! Jeez. Think I would rather have an STD.


/var/qmail/bin/qmail-qread
8 Feb 2013 11:50:27 GMT #71508541 3909 <#@[]>
remote admin1@admin1.com


find /var/qmail/queue/mess/ -name 71508541
/var/qmail/queue/mess/0/71508541


grep 71508541 /etc/passwd
nothing.

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
^C
This pointed to a valid PHP script from WHMCS, through a domain, for example:
/var/www/vhosts/domain/httpdocs/whmcs/users.php



-

Myatu
08-02-2013, 13:14
Follow these instructions: http://kb.parallels.com/en/766

avizeke
08-02-2013, 02:56
Hey all. Any help on this aspect would be appreciated.

Centos 6
Plesk 10.4

From what I can understand currently, I believe I am experiencing the mail server spamming; OVH staff created an "anti hack" incident and the IP has been blacklisted with Trend Micro.

Configuration of Plesk is default for the mail server, firewall and DNS. So I want some advice and recommendations on the best way of handling this matter, from whitelisting emails to whitelisting the network through the mail settings on the Plesk side.

Evidence so far - this to me shows clear congestion of returned mail:

[root@website ~]# cd /var/qmail/queue/
[root@website queue]# cd mess/

[root@website mess]# ls -l
total 22580
drwxr-x--- 2 qmailq qmail 1015808 Feb 8 03:25 0
drwxr-x--- 2 qmailq qmail 1011712 Feb 8 03:26 1
drwxr-x--- 2 qmailq qmail 999424 Feb 8 03:25 10
drwxr-x--- 2 qmailq qmail 1024000 Feb 8 03:26 11
drwxr-x--- 2 qmailq qmail 991232 Feb 8 03:26 12
drwxr-x--- 2 qmailq qmail 1044480 Feb 8 03:26 13
drwxr-x--- 2 qmailq qmail 978944 Feb 8 03:26 14
drwxr-x--- 2 qmailq qmail 1007616 Feb 8 03:25 15
drwxr-x--- 2 qmailq qmail 1011712 Feb 8 03:26 16
drwxr-x--- 2 qmailq qmail 937984 Feb 8 03:26 17
drwxr-x--- 2 qmailq qmail 1024000 Feb 8 03:26 18
drwxr-x--- 2 qmailq qmail 958464 Feb 8 03:26 19
drwxr-x--- 2 qmailq qmail 987136 Feb 8 03:26 2
drwxr-x--- 2 qmailq qmail 983040 Feb 8 03:26 20
drwxr-x--- 2 qmailq qmail 1011712 Feb 8 03:26 21
drwxr-x--- 2 qmailq qmail 1003520 Feb 8 03:26 22
drwxr-x--- 2 qmailq qmail 991232 Feb 8 03:26 3
drwxr-x--- 2 qmailq qmail 983040 Feb 8 03:26 4
drwxr-x--- 2 qmailq qmail 1003520 Feb 8 03:26 5
drwxr-x--- 2 qmailq qmail 1019904 Feb 8 03:25 6
drwxr-x--- 2 qmailq qmail 1003520 Feb 8 03:26 7
drwxr-x--- 2 qmailq qmail 1019904 Feb 8 03:25 8
drwxr-x--- 2 qmailq qmail 1015808 Feb 8 03:25 9



All emails are showing addresses of (this is generic):

from: MAILER-DAEMON@ks111.kimsufi.com
To: anonymous@ks111.kimsufi.com
Return-Path:
To: rodge13@hotm1ail.com


-
Checked mail auth and there is nothing out of the ordinary, and no one else has access to additional email accounts.
/usr/local/psa/admin/bin/mail_auth_view

-

This produced an absolutely live, constant feed of spam email being sent, over 200 lines a second:
tail -f /usr/local/psa/var/log/maillog

result -
Feb 8 04:13:13 website qmail-queue-handlers[19683]: Handlers Filter before-queue for qmail started ...
Feb 8 04:13:13 website qmail-queue-handlers[19683]: from=#@[]
Feb 8 04:13:13 website qmail-queue-handlers[19683]: to=postmaster@ks111.kimsufi.com
Feb 8 04:13:13 website qmail-queue-handlers[19683]: handlers_stderr: SKIP
Feb 8 04:13:13 website qmail-queue-handlers[19683]: SKIP during call 'check-quota' handler
Feb 8 04:13:13 website qmail-queue-handlers[19683]: starter: submitter[19685] exited normally
Feb 8 04:13:13 website qmail: 1360293193.264604 bounce msg 71507736 qp 19683
Feb 8 04:13:13 website qmail: 1360293193.264621 end msg 71507736
Feb 8 04:13:13 website qmail: 1360293193.264751 delivery 16589: success: did_0+1+0/qp_19679/
Feb 8 04:13:13 website qmail: 1360293193.264785 status: local 1/10 remote 1/20
Feb 8 04:13:13 website qmail: 1360293193.264803 delivery 16590: failure: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/I'm_not_going_to_try_again;_this_message_has_been_in_the_queue_too_long./
Feb 8 04:13:13 website qmail: 1360293193.264883 status: local 1/10 remote 0/20
Feb 8 04:13:13 website qmail: 1360293193.264903 new msg 71785932
Feb 8 04:13:13 website qmail: 1360293193.264916 info msg 71785932: bytes 4274 from <#@[]> qp 12745 uid 2522
Feb 8 04:13:13 website qmail-queue-handlers[19688]: Handlers Filter before-queue for qmail started ...
Feb 8 04:13:13 website qmail-queue-handlers[19688]: from=#@[]
Feb 8 04:13:13 website qmail-queue-handlers[19688]: to=12345@12345.com
Feb 8 04:13:13 website qmail-queue-handlers[19688]: handlers_stderr: SKIP
Feb 8 04:13:13 website qmail-queue-handlers[19688]: SKIP during call 'check-quota' handler
Feb 8 04:13:13 website qmail-queue-handlers[19688]: starter: submitter[19690] exited normally
Feb 8 04:13:13 website qmail: 1360293193.416319 starting delivery 16592: msg 71516431 to remote as@as.com
Feb 8 04:13:13 website qmail: 1360293193.416338 status: local 1/10 remote 1/20
Feb 8 04:13:13 website qmail: 1360293193.416349 end msg 71783701
Feb 8 04:13:13 website qmail: 1360293193.416469 delivery 16591: success: did_0+1+0/qp_19688/
Feb 8 04:13:13 website qmail: 1360293193.416485 status: local 0/10 remote 1/20
Feb 8 04:13:13 website qmail: 1360293193.416518 new msg 71777905
Feb 8 04:13:13 website qmail: 1360293193.416548 info msg 71777905: bytes 4262 from <#@[]> qp 12763 uid 2522
Feb 8 04:13:13 website qmail-remote-handlers[19691]: Handlers Filter before-remote for qmail started ...
Feb 8 04:13:13 website qmail-remote-handlers[19691]: from=postmaster@mywebsite.com
Feb 8 04:13:13 website qmail-remote-handlers[19691]: to=as@as.com
Feb 8 04:13:13 website qmail: 1360293193.477025 starting delivery 16593: msg 71786001 to local postmaster@ks111.kimsufi.com

Some aspects here are more revealing...

Feb 8 04:13:13 website qmail-queue-handlers[19688]: to=12345@12345.com
The email address I changed to the main admin Plesk user, and the server side picked this up quickly. This to me indicates that the account has been brute-forced and is then using SMTP AUTH to inject mail to the list.


Feb 8 04:13:13 website qmail: 1360293193.264604 bounce msg 71507736 qp 19683
This here shows me that it's externally driven by a "bounce" method.


Firstly - it looks like it's using qmail, yet through Plesk it's set to use SMTP.

Secondly - the whitelisted network under Plesk mail is 127.0.0.0/8, indicating this is local; wouldn't it be better applying the proper IP for the server rather than the local one?

Thirdly - wouldn't it be better whitelisting email addresses specific to the ones being used? Am I right in assuming it's irrelevant, as the spam may not be done through Plesk and instead done through the backend?