Hi,
I have a situation where there are spammers on my shared hosting server using Plesk Horde webmail to send SPAM, but I'm not able to detect which email account is sending the email.
I have checked manually in the SMTP activity logs and also in C:\Program Files\Parallels\Plesk\Mail Servers\Mail Enable\Queues\SMTP\Outgoing and the "Outgoing\messages" folder, but there are no hints which email account has been used.
The message was something like this:
Received: from WINDOWS8 ([127.0.0.1]) by win8.myhostingdomain.com with MailEnable ESMTP; Tue, 28 Sep 2010 23:53:40 +0800
Date: Tue, 28 Sep 2010 15:53:40 +0000
Subject: COMPLIMENT YOUR BANK DRAFT IS READY
To: car2sky@yahoo.com
From: John Obi <quadriwale@sify.com>
Reply-To: quadriwale@sify.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
<body here>
I have tried to untick "Allow relay from privileged IP ranges", but it seems the webmail was not able to send out email, as it needs the 127.0.0.1 IP to be there.
I'm willing to pay if required to purchase third-party software for this.
I would appreciate it if anybody can help on how I can detect who is sending those spam emails so I can block it.
Thank you.
Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?
- Posts: 5858
- Joined: Fri Jan 16, 2004 6:49 am
- Location: Melbourne
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?
Check for this:
http://www.mailenable.com/kb/Content/Ar ... D=me020280
The usual things to search for are:
ME-I0108: Relay Granted: Sender has authenticated.
ME-I0107: Relay Granted: Sender IP (IPAddress) is within an authorized IP range.
Regards,
Product Services
MailEnable Pty Ltd
To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?
Hi,
I have the same problem. The mail is probably sent through an account on the server, but I can't track it down. Nothing in logs, except the message above - relay granted to local host. The problem will definitely be resolved if I deny 127.0.0.1 from the relay list, but Horde will not work properly. Is there any way to change the Horde authorization (windows/username-password) or change the IP address in the Horde configuration to send from another IP, a public address maybe?
thanks
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?
varidzok wrote: Hi,
I have the same problem. The mail is probably sent through an account on the server, but I can't track it down. Nothing in logs, except the message above - relay granted to local host. The problem will definitely be resolved if I deny 127.0.0.1 from the relay list, but Horde will not work properly. Is there any way to change the Horde authorization (windows/username-password) or change the IP address in the Horde configuration to send from another IP, a public address maybe?
thanks
We are seeing the same trend, however these are coming from MeWebmail...
Cheers
MXSCAN :: AntiSpam & AntiVirus for MailEnable (now with Spamtrap/Honeypot!)
Built-in SpamAssassin, Clam, MessageSniffer, DNSBL, URLBL, DCC, Senderbase, SpamTrap, ShortCircuit, Content Filters, Disclamers, Archiving and more.
Visit www.mxuptime.com
- Posts: 2
- Joined: Thu Sep 04, 2014 3:07 pm
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP
I know this is a very old thread but I couldn't find anything more up to date on this topic.
My MailEnable logs show a few SPAM mails daily that are being sent from my internal address:
Today it was 4 mails, all with the same FROM and TO addresses and all with at least 2-3 hours between them:
09/03/14 01:27:52 SMTP-IN 9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI 728 127.0.0.1 220 mail.mydomain.de ESMTP MailEnable Service, Version: 6.0-- ready at 09/03/14 01:27:52 0 0
09/03/14 01:27:52 SMTP-IN 9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI 728 127.0.0.1 EHLO EHLO [46.163.69.xxx] 250-mydomain.de [127.0.0.1], this server offers 4 extensions 120 21
09/03/14 01:27:52 SMTP-IN 9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI 728 127.0.0.1 MAIL MAIL FROM:<service@paypal.de> 250 Requested mail action okay, completed 43 31
09/03/14 01:27:52 SMTP-IN 9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI 728 127.0.0.1 RCPT RCPT TO:<marcel.22578@gmx.de> 250 Requested mail action okay, completed 43 31
09/03/14 01:27:52 SMTP-IN 9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI 728 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
09/03/14 01:27:52 SMTP-IN 52CB1931AB504B59B2E2E7D65F684B81.MAI 728 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
09/03/14 01:28:27 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 CONN 220 gmx.net (mxgmx008) Nemesis ESMTP Service ready 0 52
09/03/14 01:28:27 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 EHLO EHLO mail.mydomain.de 250-gmx.net Hello mail.mydomain.de [46.163.106.xxx] 20 84
09/03/14 01:28:28 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 MAIL MAIL FROM:<service@paypal.de> SIZE=728 250 Requested mail action okay, completed 40 43
09/03/14 01:28:28 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 RCPT RCPT TO:<marcel.22578@gmx.de> 250 OK 31 8
09/03/14 01:28:28 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
09/03/14 01:28:28 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 DATE 250 Requested mail action okay, completed: id=0M8qFQ-1XYuCF3xM4-00CEOj 739 72
09/03/14 01:28:28 SMTP-OU CD22078CE60A4D43A3DEF5E695B7115A.MAI 832 213.165.67.99 QUIT QUIT 221 gmx.net Service closing transmission channel 6 50
I have absolutely no idea where these mails are coming from. The debug log only logs "Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range".
Any ideas?
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP
Hi,
It sounds like you have a script or webpage (most likely infected) under IIS that is using 127.0.0.1 to send from. You most likely have the SMTP relay option for allowing privileged IPs to relay, where 127.0.0.1 is being granted relay rights. In order to stop this, remove 127.0.0.1 from the SMTP privileged IPs relay list and then configure all your web forms that require sending via the MailEnable SMTP service to authenticate. Scan the server for infections as well.
Regards,
Ian Margarone
MailEnable Support
- Posts: 2
- Joined: Thu Sep 04, 2014 3:07 pm
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP
Thanks for the response.
Yes, I'm allowing a relay for local addresses (127.0.0.1) so I can receive status updates and info sent from Plesk on a virtual server. I wouldn't know how to configure Plesk to authenticate, so I guess disabling the local relay is not an option.
There are only a couple of testing websites hosted on the server, so I don't see how any of them could be used to send mails - but I'll double check to make sure there is no contact form that could be used to send spam.
Is there any way to find the source (i.e. script / application) that has initiated the local mail send?
So far there haven't been any more spam mails but since I didn't change the settings yet I guess it could happen again any given day.
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?
Dear All,
I do not have much knowledge about the mail setup. Since MailEnable is integrated with Plesk, it's been used to send email.
The MTA (Mail Transfer Agent) has some security loopholes. Maybe I am not right, but for me it's difficult to say the MailEnable MTA is safe, because spammers are able to generate malicious emails using my server resources. And I have received multiple complaints about unsolicited email from the respective organizations, asking to prevent it.
Per the log, emails are generated using the 127.0.0.1 IP. Not sure how it's skipping user authentication and originating spam email.
Is there a way to prevent such spammers and ask them to authenticate before sending emails? Please see below a couple of lines from the log.
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 HELO HELO+PLESK-WEB.SERVOHOST.IN 250+Requested+mail+action+okay,+completed PLESK-WEB 43 29
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 MAIL MAIL+FROM:<alegra_gallo@sainathfacilityservices.com> 250+Requested+mail+action+okay,+completed PLESK-WEB 43 54
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 RCPT RCPT+TO:<adhurim@alice.it> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. PLESK-WEB 235 28
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 QUIT QUIT 221+Service+closing+transmission+channel PLESK-WEB 42 6
2017-03-19 01:01:04 127.0.0.1 SMTP-IN 127.0.0.1 872 HELO HELO+PLESK-WEB.SERVOHOST.IN 250+Requested+mail+action+okay,+completed PLESK-WEB 43 29
Log from SMTP server
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 220 PLESK-WEB.home ESMTP MailEnable Service, Version: 8.50-- ready at 03/20/17 00:03:04 0 0
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 HELO HELO PLESK-WEB.SERVOHOST.IN 250 Requested mail action okay, completed 43 29
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 MAIL MAIL FROM:<fausta_ricci@sainathfacilityservices.com> 250 Requested mail action okay, completed 43 54
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 RCPT RCPT TO:<vin71@live.it> 503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server. 235 25
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
03/20/17 00:03:04 SMTP-IN 869305A1C4D5431F94CD64D0BA9CC8B5.MAI 200 127.0.0.1 220 PLESK-WEB.home ESMTP MailEnable Service, Version: 8.50-- ready at 03/20/17 00:03:04 0 0
03/20/17 00:03:04 SMTP-IN 869305A1C4D5431F94CD64D0BA9CC8B5.MAI 200 127.0.0.1 HELO HELO PLESK-WEB.SERVOHOST.IN 250 Requested mail action okay, completed 43 29
Please help me out of this problem. If someone has a standard procedure or guide for doing a security setup with MailEnable, that would be great.
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?
Hi Servohost,
The log files you provided do not show any evidence of spam being relayed by your server. The logs report "503 This mail server requires authentication", which means the relay to send out is not being granted to 127.0.0.1. You need to provide log files of an outbound send (i.e. SMTP-OU) where the message has been dispatched to the remote mail server.
Regards,
Ian Margarone
MailEnable Support
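Taken together, the support replies in this thread describe a triage procedure: in an SMTP-IN session from 127.0.0.1 (or another privileged IP) with no successful AUTH, a 250 reply to a RCPT for a non-local address means the relay was granted, a 503 means it was refused, and the proof that a message actually left the server is the matching SMTP-OU session. The script below is an added example written for this page; it is not MailEnable's tooling or any poster's code. It parses the two activity-log layouts quoted above (the message-id layout and the W3C-style layout where "+" encodes spaces), groups lines into sessions, flags unauthenticated local relays, and pairs each one with the outbound session carrying the same envelope. The local domain list, the privileged IP list and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"mydomain.de"}   # constructed: domains hosted on this server
PRIVILEGED_IPS = {"127.0.0.1"}    # constructed: IPs relay-granted without AUTH

# Layout A (later posts above): date time DIR <id>.MAI pid ip <cmd ... code text> n n
LAYOUT_A = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dir>SMTP-IN|SMTP-OU) (?P<sid>\S+\.MAI) "
    r"\d+ (?P<ip>\S+) (?P<rest>.*?) \d+ \d+$")
# Layout B (W3C style, '+' encodes spaces): date time ip DIR ip pid cmd text resp host n n
LAYOUT_B = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<dir>SMTP-IN|SMTP-OU) (?P<ip>\S+) "
    r"(?P<pid>\d+) (?P<cmd>\S+) (?P<text>\S+) (?P<resp>\S+) \S+ \d+ \d+$")
# Inside layout A's <rest>: "MAIL MAIL FROM:<x> 250 text"; 220 greeting lines carry no command
CMD_RE = re.compile(
    r"^(?P<cmd>[A-Z]{4})(?: (?P=cmd))?(?: (?P<args>.*?))? (?P<code>\d{3})[ -]")
ADDR_RE = re.compile(r"<([^>]*)>")


@dataclass
class Session:
    direction: str
    sid: str
    ip: str
    when: str
    mail_from: str = ""
    rcpts: list = field(default_factory=list)   # (address, SMTP reply code)
    authenticated: bool = False


def parse_line(line):
    """Normalise one log line to (dir, session id, ip, when, cmd, args, code)."""
    m = LAYOUT_A.match(line.strip())
    if m:
        when, c = f"{m['date']} {m['time']}", CMD_RE.match(m["rest"])
        if c:
            return m["dir"], m["sid"], m["ip"], when, c["cmd"], c["args"] or "", c["code"]
        return m["dir"], m["sid"], m["ip"], when, None, "", m["rest"][:3]
    m = LAYOUT_B.match(line.strip())
    if m:   # this layout has no message id, so the process id stands in for it
        text = m["text"].replace("+", " ")
        args = text.split(" ", 1)[1] if " " in text else ""
        return (m["dir"], "pid-" + m["pid"], m["ip"], f"{m['date']} {m['time']}",
                m["cmd"], args, m["resp"].split("+", 1)[0])
    return None


def build_sessions(lines):
    """Group lines into SMTP sessions keyed by (direction, id); QUIT closes one."""
    open_sessions, done = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        direction, sid, ip, when, cmd, args, code = rec
        key = (direction, sid)
        s = open_sessions.get(key)
        if s is None:
            s = open_sessions[key] = Session(direction, sid, ip, when)
            done.append(s)
        addr = ADDR_RE.search(args)
        if cmd == "MAIL" and addr:
            s.mail_from = addr.group(1)
        elif cmd == "RCPT" and addr:
            s.rcpts.append((addr.group(1), code))
        elif code == "235":            # RFC 4954: authentication succeeded
            s.authenticated = True
        if cmd == "QUIT":              # the thread's logs show QUIT under a fresh id after
            open_sessions.pop(key, None)   # DATA; that stub session has no RCPT, never flagged
    return done


def is_remote(addr):
    return addr.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS


def unauthenticated_relays(sessions):
    """SMTP-IN sessions from a privileged IP whose remote RCPT got 250 without AUTH."""
    hits = []
    for s in sessions:
        if s.direction != "SMTP-IN" or s.ip not in PRIVILEGED_IPS or s.authenticated:
            continue
        accepted = [a for a, code in s.rcpts if code == "250" and is_remote(a)]
        if accepted:
            hits.append((s, accepted))
    return hits


def matching_outbound(inbound, sessions):
    """SMTP-OU sessions with the same envelope: evidence the message left the server."""
    want = {a for a, _ in inbound.rcpts}
    return [s for s in sessions if s.direction == "SMTP-OU"
            and s.mail_from == inbound.mail_from and want & {a for a, _ in s.rcpts}]


def triage(log_text):
    sessions = build_sessions(log_text.splitlines())
    report = []
    for s, accepted in unauthenticated_relays(sessions):
        report.append({"session": s.sid, "when": s.when, "ip": s.ip, "mail_from": s.mail_from,
                       "accepted": accepted,
                       "delivered_via": [o.sid for o in matching_outbound(s, sessions)]})
    return report


# Constructed sample modelled on the lines quoted in this thread (ids/addresses invented).
SAMPLE_LOG = """\
09/03/14 01:27:52 SMTP-IN AAAA0001.MAI 728 127.0.0.1 220 mail.mydomain.de ESMTP MailEnable Service ready at 09/03/14 01:27:52 0 0
09/03/14 01:27:52 SMTP-IN AAAA0001.MAI 728 127.0.0.1 EHLO EHLO [192.0.2.10] 250-mydomain.de [127.0.0.1], this server offers 4 extensions 120 21
09/03/14 01:27:52 SMTP-IN AAAA0001.MAI 728 127.0.0.1 MAIL MAIL FROM:<sender@example.net> 250 Requested mail action okay, completed 43 31
09/03/14 01:27:52 SMTP-IN AAAA0001.MAI 728 127.0.0.1 RCPT RCPT TO:<victim@example.org> 250 Requested mail action okay, completed 43 31
09/03/14 01:27:52 SMTP-IN AAAA0002.MAI 728 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
09/03/14 01:28:28 SMTP-OU BBBB0001.MAI 832 198.51.100.25 MAIL MAIL FROM:<sender@example.net> SIZE=728 250 Requested mail action okay, completed 40 43
09/03/14 01:28:28 SMTP-OU BBBB0001.MAI 832 198.51.100.25 RCPT RCPT TO:<victim@example.org> 250 OK 31 8
09/03/14 02:00:01 SMTP-IN CCCC0001.MAI 900 127.0.0.1 AUTH dXNlcg== 235 Authentication succeeded 10 28
09/03/14 02:00:01 SMTP-IN CCCC0001.MAI 900 127.0.0.1 MAIL MAIL FROM:<user@mydomain.de> 250 Requested mail action okay, completed 43 31
09/03/14 02:00:01 SMTP-IN CCCC0001.MAI 900 127.0.0.1 RCPT RCPT TO:<friend@example.org> 250 Requested mail action okay, completed 43 31
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 MAIL MAIL+FROM:<spoof@example.com> 250+Requested+mail+action+okay,+completed PLESK-WEB 43 54
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 RCPT RCPT+TO:<target@example.org> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address. PLESK-WEB 235 28
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 QUIT QUIT 221+Service+closing+transmission+channel PLESK-WEB 42 6
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run against a real SMTP activity log, only the first session in the sample kind of case is reported: unauthenticated, from 127.0.0.1, remote recipient accepted, and paired with the SMTP-OU session that delivered it. The authenticated session and the 503-refused session are ignored, which matches the support advice that a 503 is not evidence of relaying. The timestamp and process id of a flagged session are what to correlate with IIS or application logs to find the script that made the local connection.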