Plesk 11.x / Linux :: Spam Attack - Passwords Discovered

May 28, 2014

I'm getting a big problem on my server.

Over the past week I have had 4 spam attacks. The attacker is the same, because the emails sent are equal.

The technique is also the same: they use an email account (compromised password) and send emails through the SMTP server.

When I detect the attack, I do:

1. Identify the compromised account
2. Change the password of the compromised account
3. Stop qmail
4. Clear the queue with qmail-remove
5. Start qmail

The problem is that they have already used 4 different domains since the first attack. So, here is my problem: how do they discover the passwords?! How can I solve this problem? I have hundreds of email accounts and can't change them all.

CentOS release 5.10 (Final)
Plesk 11.0.9 


Plesk 11.x / Linux :: Reinstall Qmail After Spam Attack

May 22, 2014

I need to reinstall qmail after a spam attack and am following the post. URL.... It says:

rpm -Uvh --force psa-qmail

but my system returns an error message: error: opening psa-qmail failed: file or directory does not exist (error: la apertura de psa-qmail falló: No existe el fichero o el directorio)

rpm -q psa-qmail

returns

psa-qmail-1.03-cos5.build1013120126.11

And my system is CentOS


Plesk 11.x / Linux :: Two Passwords For Admin In Control Panel?

Nov 14, 2014

Why can I log in with two different passwords for the user admin in the Plesk control panel?


Plesk 12.x / Linux :: Reset All Customer Account Passwords?

Jan 4, 2015

I came across an answer on Google, but wanted to make sure I have an updated tutorial to prevent crashing MySQL and/or the server as others did.

How can we reset all customer account passwords at once, whether to a preset one and/or a random one?


Plesk 11.x / Linux :: Service Is Used For Changing Mailbox Passwords

Feb 20, 2015

I have a Plesk server, and when I scanned it with tools like OpenVAS, it detected the following vulnerabilities with CVE acronyms. As the corresponding ports and services are controlled by Plesk, I need to patch it. URL.... As you can see, this vulnerability has been hit on port 106. I checked the Plesk server and found port 106 being used by the service "poppassd". This was nothing I installed; it came along with the Plesk installation. Hence I just wanted to make sure whether it has a patch from Parallels. As per my investigation, this service is used for changing mailbox passwords, and I am currently using the Roundcube client. How do I patch this vulnerability?

As per the solution in the pic, the vulnerability "SMTP antivirus scanner DoS" can be resolved by upgrading or installing an antivirus for the Plesk mail server. I am ready to buy Dr.Web or Kaspersky from Parallels, but wanted to make sure whether any of the above antivirus products can resolve the vulnerability.

cat /usr/local/psa/version
11.0.9 CentOS 6 110120608.16


Plesk 11.x / Linux :: Disallow Changing Passwords Panel Login

Nov 4, 2014

We use our own backoffice for remote logins. Passwords for panel login are encrypted. Is it possible to remove the option for customers to change their password for panel login so they will stay in sync with our own backoffice?

If it's not possible, is there a way to decrypt the panel login passwords, like there is for the admin-password (/usr/local/psa/bin/admin --show-password)?


Plesk 12.x / Linux :: Access Email Passwords In Plain Text (not Encrypted)

Jun 17, 2015

I need to be able to access email passwords in plain text (not encrypted). I'm running with updates so as to not force encryption, which I'm told is a one-way deal. I'm going to have to go to new hardware soon, as I'm finding the hardware starting to fail.

I understand the "mail_auth_view" utility shows the passwords, and was wondering if it will decrypt them for you?

If not, how can I keep the behavior of non-encrypted email passwords so that the customer administrators still have access to them for their users? I know a new install forces encryption, which is why I can't do that. How can I preserve the non-encrypted passwords and move to new hardware? This seems to be a deal breaker for my customers.


Most Ruthless Dictionary Spam Attack

Sep 14, 2007

RHEL3/Cpanel/Exim

So one of my domains is getting a dictionary attack. It is a popular domain and "big deal" it happens all the time. Well, this time it is the most ruthless distributed dictionary attack I have ever seen.

Today marks the one week period and emails are flooding in 10 to 15 a second (of course none of them ever get delivered). It is like hail pounding on a thin tin roof and the denial/logging alone has the server load at least quadrupled!

Oh yeah, the best part. I have a beautiful list of over 7,000 banned IP addresses (and growing every minute, now THAT'S DISTRIBUTED!).


Plesk 11.x / Linux :: Getting Multiple SMTP Mass Mail Attack - List Unsecure Password

Jun 16, 2014

I'm getting multiple SMTP mass mail attacks, using weak passwords.

Is there a command, apart from

/usr/local/psa/admin/sbin/mail_auth_view

to list only insecure passwords?


Dealing With A Distributed Spam Attack (exim)

May 16, 2007

We've been seeing sluggish performance on our mail gateways, and so I started doing some digging in the logs. It looks like we are filling up with messages like:

2007-05-16 12:22:16 Connection from [xx.xx.xx.xx] refused: too many connections

We have our max connections set to 20 (total, not host-specific) in exim4. So I started tailing the logs, and sure enough, we are getting bombarded with requests to randomstring@ourdomain.com coming from all over the map. The requests are getting denied of course, but that doesn't help the connection issue since they are consuming all of them, preventing real mail (for the most part) from getting through.

What is the proper way to deal with something like this? I could certainly just up the max connections value from 20 to 40 or 50 or whatever, but I'm not sure what kind of performance impact that will have on the rest of the traffic going through our gateways.

Since the spam attempts are coming from all over the place, it doesn't seem like I can just firewall out a few addresses and be done with it.

This particular rack is a cluster of web and database servers behind two gateway boxes, which handle the mail traffic (so this problem is on the gateways, the actual mail server itself sits behind the gateways and never actually sees these fake emails).


Plesk 12.x / Linux :: Spam In Mail Queue

Jun 25, 2015

I have spam in the mail queue.

How can I detect where it comes from, or how can I avoid it?


Plesk 12.x / Linux :: Spam Sent From Limited Mailbox?

Apr 3, 2015

Today, on a Plesk 12 with mail control (20 mails per hour per mailbox), a spammer stole the password of a mailbox and sent nearly 1000 mails in two hours.

How is this possible? Also, in the stats I see 0 mails sent. In the logs (var/log/mail.log) I see the spam was sent from a mailbox...


Plesk 12.x / Linux :: Maximize Spam Protection

Oct 22, 2014

I have 5 Linux Plesk 12 servers, and I use SpamAssassin, usually at a sensitivity of 2 or 3. I also use the following DNS blackhole lists: zen.spamhaus.org;b.barracudacentral.org;abuse.rfc-ignorant.org;cbl.abuseat.org;bl.spamcop.net;nomail.rhsbl.sorbs.net

But all of this seems to have minimal effect. I examine spam that comes through which looks very obviously like spam, but SpamAssassin gives it a very low score, usually in the negative numbers.

Is SA just not as effective as I thought? Seems like if Gmail, etc. can filter spam so effectively, then why can't SA? If there's something I'm not doing right, or what you all do to combat spam with Plesk 12.


Plesk 12.x / Linux :: Unable To Trace Spam

Oct 8, 2014

My server is saturated in SPAM e-mails being sent from it, however I am struggling in tracing the root of this problem. I have now exhausted 4 IP addresses and our provider is blocking port 25 automatically on a number of occasions now.

I have used the KB article: [URL] .... to trace the highest senders of e-mail, however this has proved to be unsuccessful in finding "all" of the offending domains.

I have suspended e-mail and domains on a number of subscriptions due to the high number of e-mails being sent from the system. I have also enabled outbound mail control and set limits to 10/hr; however, there are domains attempting to exceed this on an hourly basis. I have investigated these subscriptions but am not able to find anything offending. Is there any feature within Plesk that can show me exactly where the spam is coming from...


Plesk 12.x / Linux :: All Emails Marked As Spam?

Apr 2, 2015

I am dealing with a situation which I cannot understand. I am running a website for a resort and occasionally I send e-mails to the people who book villas using the website. By occasionally I mean last year I sent 2 e-mail campaigns with a proper spam score.

However, at this moment, even the e-mails that I receive from the website's contact form arrive as Junk in Gmail, for example.


Plesk 12.x / Linux :: SPAM From Internal Email

Apr 16, 2015

Domain abc.com is hosted on our server; it has a hosted e-mail 123@abc.com. This e-mail address keeps getting SPAM messages from an address abc@srv2.xyz.com (where srv2.xyz.com is our server FQDN). What we understood by reading the headers (posted below) is that someone is sending an e-mail to support@abc.com. This e-mail address, as configured in Plesk, redirects e-mails to 123@abc.com. But we don't understand how someone managed to send an e-mail from a nonexistent abc@srv2.xyz.com to it.

Here are the headers:

DomainKey-Status: no signature
Return-Path: <Coulter_Faustinoa1@aspli.com>
X-Original-To: 123@abc.com

[Code].....


Plesk 12.x / Linux :: Updated From 11.5 - Outgoing Spam Not Working

Jul 2, 2014

I just did the update to 12.0.18 #6 and everything seemed to go pretty well. One feature we were really interested in was the Outgoing Spam Filter. Unfortunately, the error I see when I go to that feature reads, "Protection : Not active. There are some problems that prevent the service from being started."

When I Google that error, I'm brought to some KB articles, but they are all for the older Outgoing Spam Filter that you need a license key for. I don't believe that is the case any more - if it is, I don't know where to get the key. I will point out I'm a bit of a Linux novice (we are running CentOS 6.5 on this server), so I'm not really sure where to look....


Plesk 12.x / Linux :: Sending Lots Of Spam From Server

Nov 8, 2014

I have a Plesk v12.0.18_build1200140606.15 os_CentOS 6 server, using Postfix.

And lots of spam is sent from my server.

I tried: [URL] .... but with no results.

At the moment the /var/log/maillog file is over 5,5GB

and the /var/log/maillog.processed is over 7,2GB and split into multiple .gz files.

What can I do to find the source of the problem and stop it?


Plesk 12.x / Linux :: Postfix - Outgoing Emails Getting Spam

Oct 21, 2014

I have a hard problem with my VPS. I have Postfix as mail server on Plesk 12 under Ubuntu 12.

I don't know why the outgoing mails of all my domains on my servers are going to spam on servers like Gmail, Yahoo, Hotmail...

I'm using mxtoolbox to fix errors and warnings and finally fixed all of them, but my mails are still going to spam.

In mxtoolbox I currently have no mail server errors / warnings; you can see it with, for example, this one of my domains: [URL] ....

Headers:

This message is an automatic response from Port25's authentication verifier service at verifier.port25.com. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community.

[Code] ....


Plesk 11.x / Linux :: Find Spam Relaying User?

Jun 20, 2014

I am facing a serious problem with my qmail and Plesk 11.0.9. I found what the spammer did with my server by listening to everything on port 25. Maybe he knows my RCPT hosts, and they send emails with random usernames but with a domain hosted on my Plesk (user1@mydomain.com, user2@mydomain.com, ... userxxx@mydomain.com).

qmail only checks the domain in RCPT if the spammer inputs "mail from user1@mydomain.com" - (without ":") - no email address on my server. Then the server replies: 550, no mailbox here by that name. (#5.7.17)

But qmail checks the username and domain if the spammer inputs "mail from: user1@mydomain.com" - (with ":") - no email address on my server. Then the server replies: 250 OK. This is really weird! I tried with all my Plesk servers, and this bug still affects them.


Plesk 12.x / Linux :: DKIM Not Available / Marking All Emails As Spam

Dec 22, 2014

So, I have been searching everywhere online and have not come to a fully working conclusion with the issue regarding outgoing emails going to spam via Gmail, Hotmail, etc. Domain keys are activated, but it seems that domain keys is deprecated, making it useless when it comes to spam detection for email servers such as Google, AOL, etc.

The only alternative found was here: URL..... But that means that every customer's DKIM will have to be created manually via command line. This would be a mission when having over 500+ ongoing customers signing up. Will you guys be implementing DKIM automation for Plesk? I am pretty much against trying to use c(p)anel + CentOS and just love Plesk. So I prefer Plesk any day..


Plesk 12.x / Linux :: All Outgoing Mail Goes To Spam Folder

Oct 16, 2014

The problem is that all the mail that exits my VPS server (OVH) is going to the spam folders of Gmail, Outlook, etc accounts.

I've tried to connect my Gmail account to check via POP3 my inbox on my VPS, and all I get is an SSL error.


Plesk 12.x / Linux :: Unable To Add More Than 100 Emails On Blacklist (spam)

Jul 29, 2014

Unable to add more than 100 emails on blacklist [solved]

I am unable to add more emails to the blacklist of the server spam control

see the print


Plesk 11.x / Linux :: Postfix Server Sending Spam

Jul 24, 2014

Somebody is sending spam from my postfix server.

How can I locate the domain causing the problem?


Plesk 12.x / Linux :: Mail Goes To SPAM -> Gmail / Hotmail

May 20, 2015

I have different addresses configured with several domains on the same server. All the emails sent to Gmail/Hotmail addresses are marked as spam.

Looking in the headers everything seems fine, including SPF:

Delivered-To: xxx@gmail.com
Received: by 10.202.174.138 with SMTP id x132csp563903oie;
Wed, 20 May 2015 04:53:19 -0700 (PDT)
X-Received: by 10.180.109.136 with SMTP id hs8mr40446245wib.73.1432122799197;
Wed, 20 May 2015 04:53:19 -0700 (PDT)
Return-Path: <x@x.nl>
Received: from x.net (x.net. [xx])

[Code] ....

testmessage

The server is not blacklisted...


Plesk 12.x / Linux :: Alarms From Health Monitor Goes Into SPAM

Dec 12, 2014

I spent a lot of time trying to keep alarm messages out of the spam folder.

already added the address to my contacts
already marked it as important
already changed the sender email... but

Where does Plesk take the email for alarm messages?

Because I changed the email (external) to an internal one, but the update alert arrives with the administrator email and now is not going to spam, while the alarm email arrives with the old email (external, which is marked as phishing) ....


Plesk 12.x / Linux :: Protection From Outgoing Spam - Error

Jul 3, 2014

I get an error when the new outgoing spam protection (limitation for outgoing mail) is enabled. Mail clients are unable to use SMTP for sending mails. My mail client says: "The message could not be sent. You are not allowed to use sendmail utility."

I don't understand the blocking behaviour, since the checkbox "Allow scripts and users to use Sendmail" is checked and no limit is exceeded. This is the relevant log part of maillog:

Code:

Jul 3 00:44:36 srv01 postfix/smtpd[3326]: C0E5182A20: client=46.128.x.x.dynamic.cablesurf.de[46.128.x.x], sasl_method=CRAM-MD5, sasl_username=info@domain.de
Jul 3 00:44:36 srv01 postfix/cleanup[3331]: C0E5182A20: message-id=<0A380CA8-AAE3-4FA8-BA7A-A3FDF7CD16E2@domain.de>
Jul 3 00:44:37 srv01 /usr/lib/plesk-9.0/psa-pc-remote[3280]: handlers_stderr: DATA REPLY:554:5.7.0 The message could not be sent. You are not allowed to use sendmail utility. REJECT
Jul 3 00:44:37 srv01 /usr/lib/plesk-9.0/psa-pc-remote[3280]: REJECT during call 'limit-out' handler
Jul 3 00:44:37 srv01 postfix/cleanup[3331]: C0E5182A20: milter-reject: END-OF-MESSAGE from 46.128.213.43.dynamic.cablesurf.de[46.128.x.x]: 5.7.0 The message could not be sent. You are not allowed to use sendmail utility.; from=<info@domain.de> to=<mail@domain2.de> proto=ESMTP helo=<[192.168.1.20]>
Jul 3 00:44:37 srv01 postfix/smtpd[3326]: disconnect from 46.128.x.x.dynamic.cablesurf.de[46.128.x.x]

Moreover, I disabled the line "non_smtpd_milters" in postfix main.conf since my server has the same issues described in the following thread:
Postfix: mails sent through sendmail binary are blocked because of wrong HELO


Plesk 11.x / Linux :: Emails Mark As Spam From Gmail

Aug 7, 2013

I have tried to send emails to Gmail from Horde and form PHP, but they are marked as spam even if the Gmail headers are OK:

Delivered-To: my_gmail_account@gmail.com
Received: by 10.112.205.233 with SMTP id lj9csp202933lbc;
Wed, 7 Aug 2013 05:58:22 -0700 (PDT)
X-Received: by 10.15.31.9 with SMTP id x9mr2966600eeu.103.1375880301851;
Wed, 07 Aug 2013 05:58:21 -0700 (PDT)
Return-Path: <info@my_domain.com>

[Code] ....


Plesk 12.x / Linux :: Spam Assassin Custom Rule

Nov 11, 2014

very simple spamassassin rule that will do the following…

Give a score of 2
For the word test in the subject field

Then can you tell me where on the Plesk 12 server to place the file for server-wide filtering.


Plesk 12.x / Linux :: SPAM Filter For Mailman Lists

Jul 18, 2014

I am happily running Plesk 11.5; with just one small but annoying persistent problem:

I have clients with large mailing lists
- SpamAssassin
- Server-wide greylisting
- DNSBL
are running.

But apparently many of the lists' mail addresses have been harvested over the years. And as there is no easy way to use SA in mailman, I am down to greylisting only for list addresses.

This results in insanely large amounts of SPAM (-> moderation requests) on the client's lists. Is this behavior improved in Plesk 12?

Or can probably SIEVE filters work here - are those available to mailman? (probably not as they work in Dovecot?)


Plesk 11.x / Linux :: Scripts Of SPAM And Phishing Installed On Server?

May 22, 2014

I am running Plesk 11.5 on an Ubuntu 12.04 machine. For days I have had problems where I see phishing site scripts and mailer scripts installed in the httpdocs directory of various domains.

How can I prevent outsiders from installing these scripts on the server? Where is the bug that allows this?








Copyrights 2005-15 www.BigResource.com, All rights reserved