Thread: server IP blocked

#1 Registered User (Devshed Newbie, joined Dec 2014)


I have a Plesk server. I'm not a server admin...I'm a web developer that has a dedicated server for convenience for my clients. I paid a server admin to secure the server (because I just know the basics). My server has been running fine for a couple of years. Yesterday (after checking the mail log after a WooCommerce email was not delivered), I noticed my server was just added to several blacklists. I don't see any spam being sent out in the mail log and everything on the PHP mail log looks legitimate. I also have outgoing mail limited to 50 per domain per hour in Plesk and didn't see any domains that have exceeded that. I then went to senderscore.org and noticed there are several domains not on my server sending emails. What can I do to stop these domains from messing up my sender score and getting me blacklisted? I'm using Postfix and my server has SMTP authorization enabled for relay. PLEASE HELP
#2 Registered User (original poster)
All this started yesterday. There is a HUGE instantaneous spike of mail being sent (starting yesterday). Look at this graph from senderscore.org. This is the error that was in the maillog:

    delay=1.1, delays=0.24/0/0.72/0.17, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[173.194.68.27] said: 421-4.7.0 .........4] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited.
#3 Lazy Moderator (Devshed Supreme Being, Washington, USA, joined Mar 2007)
Well, you have to find out where those emails are being sent from and how they're using the server to do it. Is the mail server compromised? Did someone get a login?
#4 Grumpier old Moderator (Devshed Supreme Being, joined Jun 2003)
You also didn't mention what you host on the server. My guess is you have a compromised app or site on your server. For example, https://www.google.com/search?q=word...utf-8&oe=utf-8
======
Doug G
======
"I've never been able to appreciate the sublime arrogance of folks who feel they were put on earth just to save other folks from themselves." - Donald Hamilton
#5 Registered User (original poster)
Thanks for your replies! I host about 75 websites with about 1/3 of them being WordPress sites. I've had a compromised site in the past, but that showed up with a maldet scan. I also have a script installed that logs every time PHP mailer is used. Nothing unusual is on the log. Matter of fact I cleared it yesterday and only 5 legitimate emails have been sent.

Nothing is showing my server has been compromised:
1. Maldet scan is clean.
2. PHP mailer is not being abused.
3. No domain is sending more than a few emails an hour according to Plesk.
4. 24/25 sending domains on senderscore.org I am NOT hosting (which leads me to believe my server IP is being spoofed).

Is there anything else I can check to see if my server has been compromised or to find out how these domains I don't host are somehow using my server?
#6 Grumpier old Moderator
Have you checked the server httpd logs and mail logs? Also you might take a look at mail queues using Postfix admin tools.

Make sure your server OS is all up to date. I had a CentOS server get "shellshocked" on a day 1 exploit.

I often review site source code files looking for any suspiciously named PHP files, files with suspiciously new timestamps, etc.
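As an added example that is not part of this thread, here is a script that does the triage #3 and #6 describe (find out where the mail is coming from) against Postfix's own maillog rather than the PHP mail wrapper log. Postfix logs every message under one queue id across several daemons: smtpd records the submitting client IP and SASL login, qmgr the envelope sender, and smtp the delivery result. The script joins those lines per queue id and reports volume per SASL login, per client IP and per envelope-sender domain, plus how many deliveries remote hosts deferred with a 4.7.x rate limit like the Gmail response quoted in #2. The log lines, hostnames, addresses and logins below are constructed, not taken from anyone's server.

```python
"""Attribute Postfix mail volume to its source (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample maillog: four messages in a burst through one SASL login from
# one outside IP (envelope senders in domains this server does not host), one
# legitimate authenticated message, and one local submission via pickup.
SAMPLE_LOG = """\
Dec 16 10:00:01 srv postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@shop.example
Dec 16 10:00:01 srv postfix/qmgr[1200]: 1A2B3C4D5E: from=<news@bulk-one.test>, size=2210, nrcpt=1 (queue active)
Dec 16 10:00:02 srv postfix/smtp[2205]: 1A2B3C4D5E: to=<a@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[173.194.68.27]:25, delay=1.1, delays=0.24/0/0.72/0.17, dsn=4.7.0, status=deferred (host said: 421-4.7.0 rate limited)
Dec 16 10:00:02 srv postfix/smtpd[2101]: 2A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@shop.example
Dec 16 10:00:02 srv postfix/qmgr[1200]: 2A2B3C4D5E: from=<news@bulk-one.test>, size=2198, nrcpt=1 (queue active)
Dec 16 10:00:03 srv postfix/smtp[2206]: 2A2B3C4D5E: to=<b@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[173.194.68.27]:25, delay=1.0, delays=0.2/0/0.6/0.2, dsn=4.7.0, status=deferred (host said: 421-4.7.0 rate limited)
Dec 16 10:00:03 srv postfix/smtpd[2101]: 3A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@shop.example
Dec 16 10:00:03 srv postfix/qmgr[1200]: 3A2B3C4D5E: from=<deals@bulk-two.test>, size=3001, nrcpt=1 (queue active)
Dec 16 10:00:04 srv postfix/smtp[2207]: 3A2B3C4D5E: to=<c@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[173.194.68.27]:25, delay=1.2, delays=0.3/0/0.7/0.2, dsn=4.7.0, status=deferred (host said: 421-4.7.0 rate limited)
Dec 16 10:00:04 srv postfix/smtpd[2101]: 4A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@shop.example
Dec 16 10:00:04 srv postfix/qmgr[1200]: 4A2B3C4D5E: from=<deals@bulk-two.test>, size=2990, nrcpt=1 (queue active)
Dec 16 10:00:05 srv postfix/smtp[2208]: 4A2B3C4D5E: to=<d@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, delays=0.2/0/0.5/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec 16 10:05:00 srv postfix/smtpd[2102]: 5A2B3C4D5E: client=mail.client.example[198.51.100.7], sasl_method=LOGIN, sasl_username=orders@shop.example
Dec 16 10:05:00 srv postfix/qmgr[1200]: 5A2B3C4D5E: from=<orders@shop.example>, size=1800, nrcpt=1 (queue active)
Dec 16 10:05:01 srv postfix/smtp[2209]: 5A2B3C4D5E: to=<e@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.8, delays=0.1/0/0.5/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec 16 10:06:00 srv postfix/pickup[1100]: 6A2B3C4D5E: uid=33 from=<www-data>
Dec 16 10:06:00 srv postfix/qmgr[1200]: 6A2B3C4D5E: from=<www-data@srv.example>, size=900, nrcpt=1 (queue active)
Dec 16 10:06:01 srv postfix/smtp[2210]: 6A2B3C4D5E: to=<f@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.7, delays=0.1/0/0.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# One syslog line: timestamp, host, "postfix/<daemon>[pid]: <queueid>: <rest>".
# The daemon part may carry an instance prefix such as "submission/smtpd".
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w/-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^\s,]+)")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
STATUS_RE = re.compile(r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def analyze(log_text):
    """Join maillog lines per queue id and aggregate who sent what, with what result."""
    msgs = defaultdict(dict)  # queue id -> {"ip", "user", "sender", "deliveries"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect lines and other daemons carry no queue id
        prog = m["prog"].rsplit("/", 1)[-1]
        rec, rest = msgs[m["qid"]], m["rest"]
        if prog == "smtpd":  # network submission: who authenticated, from where
            c, s = CLIENT_RE.search(rest), SASL_RE.search(rest)
            if c:
                rec["ip"] = c["ip"]
            if s:
                rec["user"] = s["user"]
        elif prog == "qmgr":  # envelope sender as accepted into the queue
            f = FROM_RE.search(rest)
            if f:
                rec["sender"] = f["sender"]
        elif prog == "smtp":  # outbound delivery attempt and the remote verdict
            st = STATUS_RE.search(rest)
            if st:
                rec.setdefault("deliveries", []).append((st["dsn"], st["status"]))
    return {
        "messages": len(msgs),
        "by_user": Counter(r.get("user", "<no sasl login>") for r in msgs.values()),
        "by_ip": Counter(r.get("ip", "<local>") for r in msgs.values()),
        "by_sender_domain": Counter(
            r.get("sender", "").rpartition("@")[2] or "<bounce>" for r in msgs.values()
        ),
        # deliveries the remote side deferred with a 4.7.x policy/rate-limit code
        "rate_limited": sum(
            1 for r in msgs.values() for dsn, status in r.get("deliveries", [])
            if status == "deferred" and dsn.startswith("4.7.")
        ),
    }


def suspicious_logins(report, threshold):
    """SASL logins that account for at least `threshold` messages in the log window."""
    return sorted(u for u, n in report["by_user"].items()
                  if n >= threshold and u != "<no sasl login>")


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print("messages:", rep["messages"], "rate limited:", rep["rate_limited"])
    for key in ("by_user", "by_ip", "by_sender_domain"):
        print(key, rep[key].most_common())
    print("logins over threshold:", suspicious_logins(rep, 3))
```

Run it on the real file with `analyze(open("/var/log/maillog").read())` (the path varies by distribution) and lower or raise the threshold to match normal traffic. One SASL login or one client IP carrying nearly all of the volume, with envelope senders in domains the server does not host, is what a stolen mailbox password used through the authenticated relay looks like; the PHP mail wrapper log cannot see that case, because such mail never passes through PHP. Volume that arrives via pickup with no client IP points back at a script on the box instead.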
#7 Registered User (original poster)
Looking at postfix/main.cf, I noticed

    mynetworks =

and that's it.....should this be clearly defined as mynetworks = 168.100.189.0/24, 127.0.0.0/8?

Is this leaving my server wide open???
#8 Lazy Moderator
Probably not. An empty value just means Postfix will use the default, which is either the host or the host's subnet depending on your version. Putting a value in there wouldn't hurt.

Access logs should be your next stop.
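As an added example that is not part of this thread, here is a small checker for the question raised in #7. With Postfix's default relay restrictions, `permit_mynetworks` lets any client inside `mynetworks` relay without authenticating, so what matters is how much address space the list trusts. The script reads a main.cf, extracts `mynetworks` (honouring comments and continuation lines), and grades each entry; for an empty value it does not guess the effective list but points at `postconf mynetworks` and `postconf -d mynetworks`, which print the running value and the built-in default respectively. The two main.cf samples are constructed; 168.100.189.0/24 is the example network from the Postfix documentation, as quoted in #7, not anyone's real block.

```python
"""Grade the Postfix mynetworks trust list (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample: the situation from #7, parameter present but empty.
EMPTY_CF = """\
myhostname = srv.example
mynetworks =
"""

# Constructed sample: loopback plus a whole public /24 and, worse, everything.
BROAD_CF = """\
myhostname = srv.example
mynetworks = 127.0.0.0/8 [::1]/128
    168.100.189.0/24, 0.0.0.0/0
"""

SEVERITY_ORDER = ["ok", "info", "warning", "critical"]


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, '#' comments, and continuation
    lines that begin with whitespace, which Postfix appends to the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:  # continuation line
            params[key] = (params[key] + " " + raw.strip()).strip()
        elif "=" in raw:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def mynetworks_entries(params):
    """Split the mynetworks value on whitespace and commas, the separators Postfix accepts."""
    return [e for e in re.split(r"[\s,]+", params.get("mynetworks", "")) if e]


def classify_entry(entry):
    """Return (severity, entry, message) for one mynetworks entry."""
    literal = entry
    if literal.startswith("["):  # Postfix writes IPv6 networks as [addr]/len
        addr, _, plen = literal[1:].partition("]")
        literal = addr + plen
    try:
        net = ipaddress.ip_network(literal, strict=False)
    except ValueError:
        return ("info", entry, "not an address literal (lookup table or hostname); not checked")
    if net.prefixlen == 0:
        return ("critical", entry, "matches every client: an open relay")
    if net.is_loopback:
        return ("ok", entry, "loopback")
    if net.is_private:
        return ("info", entry, "private range; acceptable only if that LAN is really yours")
    if net.num_addresses > 1:
        return ("warning", entry,
                f"public range of {net.num_addresses} addresses may relay without authenticating")
    return ("ok", entry, "single public address")


def audit_mynetworks(params):
    """Grade every entry; an explicitly empty value gets a pointer to postconf instead of a guess."""
    entries = mynetworks_entries(params)
    if "mynetworks" in params and not entries:
        return [("warning", "(empty)",
                 "mynetworks is set to an empty value; read the effective list with "
                 "'postconf mynetworks' and the built-in default with 'postconf -d mynetworks'")]
    return [classify_entry(e) for e in entries]


def worst_severity(findings):
    return max((f[0] for f in findings), key=SEVERITY_ORDER.index, default="ok")


if __name__ == "__main__":
    for name, cf in (("EMPTY_CF", EMPTY_CF), ("BROAD_CF", BROAD_CF)):
        findings = audit_mynetworks(parse_main_cf(cf))
        print(f"{name}: overall {worst_severity(findings)}")
        for severity, entry, msg in findings:
            print(f"  [{severity}] {entry}: {msg}")
```

Point it at the real file with `audit_mynetworks(parse_main_cf(open("/etc/postfix/main.cf").read()))`. Whatever the list says, the moderator's advice still applies: `mynetworks` only decides who may relay unauthenticated, so a burst carried by an authenticated login will not show up here, and the access and mail logs are where that is answered.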
