How do I stop SMTP Relay SPAM
Injunjer said 2 years, 2 months ago:
Recently, I am experiencing a lot of SMTP relay spam. A spammer is using my SMTP relay to send thousands of spam messages each day, not to my hosting customers or domains, just sending spam to a spam email list using my SMTP relay on my virtual dedicated server purchased from GoDaddy, who does not want to help with the problem. They rotate the from address (customer-service@amazon.com or anything@anything.com), sending email to their email list. Does anybody know how to stop this assault without logging in as root? I hope to solve the problem via the Plesk control panel. Why would GoDaddy lease a server vulnerable to spammers? And not help on the issue?
christianh said 2 years, 2 months ago:
@Injunjer
The following article should give you more information:
http://kb.parallels.com/article_22_1394_en.html
You may also want to consult the forums at:
–Christian
Injunjer said 2 years, 2 months ago:
christianh, my IP address is set to 127.0.0.0 / 8.
Does 127.0.0.1 / 8 make a difference?
Everything else looks good and default.
chrisg said 2 years, 2 months ago:
@Injunjer,
The article previously referenced is simply stating that if you believe someone is accessing your SMTP relay from outside of the server, you may have an open relay on your server account. This can easily be tested by running a relay test on your server's IP address, which will not be 127.0.0.0 / 8. Every Virtual Dedicated Server or Dedicated Server account should have a specific IP address such as 123.45.67.89.
You can find mail relay test resources through your preferred search engine by simply searching the term ‘Open Relay’. Once you have run a test to confirm your server has an open relay, the instructions provided in that same article should walk you through how to close the relay.
However, if your testing confirms that your relays are already closed, this would then indicate that you have a script inside your server that is not properly configured and is allowing unauthenticated connections. Unfortunately there is little we or our Server Support teams can do to assist if this is the case. You would need to investigate your server and locate the script that may be causing this.
Christopher G.
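The relay test Christopher describes is a plain SMTP conversation: connect from a machine outside the server, issue MAIL FROM and RCPT TO for a recipient in a domain the server does not host, and see whether RCPT TO is accepted. The following probe is an added example, not code from the thread, GoDaddy or Plesk; the sender, recipient and target addresses are placeholders (RFC 2606 example domains and a documentation IP), and it must be run from outside the server, since the loopback range 127.0.0.0/8 is normally whitelisted and a test from localhost proves nothing.

```python
# Added example: a minimal open-relay probe for an SMTP server.
# Run it from a machine OUTSIDE the server; 127.0.0.0/8 is normally
# whitelisted, so a test from the server itself tells you nothing.
import smtplib

# Hypothetical probe identities. Neither domain should be hosted on the
# server under test, otherwise a closed relay would still accept the
# RCPT TO as ordinary local delivery and the result would be misleading.
PROBE_SENDER = "relay-probe@example.net"
PROBE_RECIPIENT = "relay-probe@example.org"


def classify(mail_code, rcpt_code, rcpt_message=b""):
    """Turn the MAIL FROM / RCPT TO reply codes into a verdict.
    A 250 on RCPT TO for a foreign domain means the server agreed to relay."""
    if mail_code != 250:
        return "inconclusive: MAIL FROM refused (%d)" % mail_code
    if rcpt_code == 250:
        return "OPEN RELAY: server accepted a recipient it does not host"
    if 500 <= rcpt_code < 600:
        # qmail-smtpd's closed-relay refusal reads
        # "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
        return "closed: relay refused (%d %s)" % (
            rcpt_code, rcpt_message.decode(errors="replace"))
    if 400 <= rcpt_code < 500:
        return "inconclusive: temporary failure (%d), retry later" % rcpt_code
    return "inconclusive: unexpected reply %d" % rcpt_code


def probe(host, port=25, timeout=15):
    """Open a session, try to relay one foreign-domain recipient, then
    abort the transaction with RSET so no message is ever sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        mail_code, _ = s.mail(PROBE_SENDER)
        rcpt_code, rcpt_msg = s.rcpt(PROBE_RECIPIENT)
        s.rset()
        return classify(mail_code, rcpt_code, rcpt_msg)


if __name__ == "__main__":
    import sys
    # Placeholder documentation address; pass your server's public IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(probe(target))
    print(probe(target, port=587))
```

Test both port 25 and the submission port 587: a server can be closed on one and open on the other. A "closed" verdict only rules out unauthenticated relaying; mail sent through a valid customer login will still go out, and that case has to be chased in the mail log rather than with a relay probe.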
Injunjer said 2 years, 2 months ago:
Thanks for your insight, Christopher. I have already investigated the open relay question and there is no open relay. Actually, it is completely closed, with undesirable consequences. And there are no, zero, scripts running on the server whatsoever. Those are the two simple issues, so where would I go from there, knowing those facts? If you go to the Plesk Parallels website forum, you will see that Plesk has holes in the SMTP module, a well-known problem to many Plesk users. Our question is: does anybody know the work-arounds to plug these holes without shutting down SMTP with a closed relay? I have recently found third-party software made specifically for the Plesk control panel that acts like front-end security for the SMTP module. But there is a monthly fee. Most likely worth it. Point being that Plesk should be doing this for us. An easy fix, just missing.
chrisg said 2 years, 2 months ago:
@Injunjer,
Thank you for this update.
I have just reviewed the information provided with our Server Support team. If no scripts are on your server that could be the potential cause of the compromise, you should still have logs that are generated on the server reporting where the actual holes are. As you are using Plesk on a Linux environment, all mail should be handled through QMail which stores the logs in the following path:
/usr/local/psa/var/log/maillog
I would recommend reviewing these logs which should help you further in locating the source of the issue. Unfortunately, we don’t have any information on how to ‘workaround’ holes in Plesk.
If you still require assistance in this regard, I would highly recommend submitting a trouble ticket so that our Server Support team can access and review your account for further assistance. You will want to refer to the instructions provided in the following URL to submit a trouble ticket for your server:
http://support.godaddy.com/help/article/4596
Christopher G.
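Reviewing the maillog is the step that actually answers the question of how mail is leaving a closed relay. Plesk's qmail writes, among other things, an smtp_auth line for every successful login, a relaylock line for every connection, and a qmail "info msg ... from <...>" line for every message injected; correlating those shows whether the spam is coming in through a customer's stolen password (many logins to one mailbox from foreign addresses, forged envelope senders) rather than through an open relay. The script below is an added example, not code from the thread, GoDaddy or Plesk. The log lines it parses are constructed samples modelled on that format, so the field order should be checked against your own /usr/local/psa/var/log/maillog before trusting it, and the hosted-domain set and the thresholds in suspicious_mailboxes are assumptions for the example.

```python
# Added example: triage a Plesk/qmail maillog to see who is actually sending.
# The line formats are an approximation of what Plesk's qmail writes
# (smtp_auth logins, relaylock connections, qmail "info msg ... from <...>");
# check them against your own /usr/local/psa/var/log/maillog.
import re
from collections import Counter, defaultdict

# Domains this server hosts (assumed for the example).
HOSTED_DOMAINS = {"example.com"}

# Constructed sample lines: one legitimate customer (alice), then a burst of
# logins to bob's mailbox from two foreign addresses, each injecting mail
# with a forged amazon.com / anything.com envelope sender.
SAMPLE_LOG = """\
Jan 12 03:11:20 vds smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice logged in from pc.home.example [198.51.100.4]
Jan 12 03:11:21 vds relaylock: /var/qmail/bin/relaylock: mail from 198.51.100.4:50211 (pc.home.example)
Jan 12 03:11:22 vds qmail: 1326338003.123456 info msg 4001: bytes 1802 from <alice@example.com> qp 7001 uid 110
Jan 12 03:12:01 vds smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown [203.0.113.7]
Jan 12 03:12:01 vds relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.7:41001 (unknown)
Jan 12 03:12:02 vds qmail: 1326338004.111111 info msg 4002: bytes 2134 from <customer-service@amazon.com> qp 7002 uid 110
Jan 12 03:12:03 vds smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown [203.0.113.7]
Jan 12 03:12:03 vds relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.7:41002 (unknown)
Jan 12 03:12:04 vds qmail: 1326338005.222222 info msg 4003: bytes 2140 from <offers@anything.com> qp 7003 uid 110
Jan 12 03:12:05 vds smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown [203.0.113.9]
Jan 12 03:12:05 vds relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.9:41003 (unknown)
Jan 12 03:12:06 vds qmail: 1326338006.333333 info msg 4004: bytes 2150 from <customer-service@amazon.com> qp 7004 uid 110
"""

AUTH_RE = re.compile(r"smtp_auth: SMTP user (\S+) : \S+ logged in from \S+ \[([\d.]+)\]")
CONN_RE = re.compile(r"relaylock: \S+: mail from ([\d.]+):\d+")
MSG_RE = re.compile(r"qmail: \S+ info msg \d+: bytes \d+ from <([^>]*)>")


def triage(log_text):
    """Return (connections per IP, logins per mailbox as {ip: count},
    envelope-sender domains that this server does not host)."""
    conns = Counter()
    logins = defaultdict(Counter)
    foreign_senders = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            logins[m.group(1)][m.group(2)] += 1
            continue
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)] += 1
            continue
        m = MSG_RE.search(line)
        if m:
            sender = m.group(1)
            domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
            if domain not in HOSTED_DOMAINS:
                foreign_senders[domain] += 1
    return conns, logins, foreign_senders


def suspicious_mailboxes(logins, max_ips=1, max_logins=2):
    """Mailboxes that logged in from more distinct IPs, or more often, than
    a normal customer would (thresholds assumed): the usual sign of a stolen
    password being used to relay through an otherwise closed server."""
    return sorted(user for user, ips in logins.items()
                  if len(ips) > max_ips or sum(ips.values()) > max_logins)


if __name__ == "__main__":
    conns, logins, foreign = triage(SAMPLE_LOG)
    print("connections by IP:", conns.most_common(5))
    print("foreign envelope-sender domains:", foreign.most_common(5))
    print("mailboxes to lock and re-password:", suspicious_mailboxes(logins))
```

Feed it the real file with `triage(open("/usr/local/psa/var/log/maillog").read())`. A mailbox that shows up in suspicious_mailboxes is the thing to act on: change its password and the spam stops, whereas blocking the connecting IP only lasts until the spammer moves to the next one. Because the log fills fast during an attack, pull it off the server and rotate it rather than deleting it, or the evidence is gone.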
Injunjer said 2 years, 2 months ago:
Hi Christopher,
The logs are no longer available. There was so much spam mail, the logs locked the maillog and all had to be deleted via root. I did review the logs and the faked or real sending IP address was noted. That was no help; it came from a known spam company in Turkey.
I have already tried the ticket and chat route.
Seems like nobody knows anything about this topic or simply does not care.
All I really need to know is if anybody available to you knows how exactly to set up the Plesk mail services to allow hosting customers to use the incoming and outgoing mail server while keeping all hackers out. There are a number of mail setup options and spam setup options available to block mail at the server and domain level, but there is really very little documentation explaining how they all work in detail. I have read and searched and read about each option, but there is little to be told other than by someone who knows firsthand how it all works in detail and by experience. Half of what you read in forums is hearsay and half is just wrong or guessing.
For example, plesk documentation states:
Select the mail relay mode.
With closed relay the mail server will accept only e-mail addressed to the users who have mailboxes on this server. Your customers will not be able to send any mail through your outgoing SMTP server, therefore, we do not recommend closing mail relay.
This is so untrue. I have selected closed relay and all of my hosting customers, including my hosting account, are always able to send mail through the outgoing SMTP server.
I also have Enable message submission checked which forces my customers to use port 587 to send mail for outbound protection in my fight against spammers using the outgoing mail server and shutting down my operations daily.
And, I have my SPF records setup for inbound protection.
So far, all is well. All of my actions were speculation based on what I read and some trial and error.
All I am asking anyone who will listen and cares, do you know something, do you have any experience, will you share your knowledge?
My opinion is that Plesk should deliver a secure mail system in their default setup so there is no guessing and no surprise attacks such as the one I recently experienced.
I have experienced a lot of finger pointers lately and no action, which has led to my frustration.
Any comments or help?
Thanks for taking your time to reply.
chrisg said 2 years, 2 months ago:
@Injunjer,
As you mention having a Trouble Ticket previously opened with our server support team, I have investigated into this issue further through your account. At this time, our Server team will be thoroughly investigating your account and responding through the re-opened ticket once more information is found in regards to this issue.
Christopher G.