Server hacked

Discussions on webmail and the Professional version.
vttech
Posts: 1
Joined: Fri May 10, 2013 12:04 am

Server hacked

Post by vttech » Fri May 10, 2013 12:26 am

Running MailEnable Pro 3.65.
Server has been getting hacked for a couple of months now; tried assigning a new IP to SMTP and it happened again. Server is blacklisted again.
I set Plesk to move all logs to a different location as it was only keeping one day; so I have access to all logs.

What exactly do I need to look for? Here are a few lines, which are followed by hundreds more with different IPs and addresses:

2013-05-07 23:02:25 210.6.92.xx SMTP-IN MYIPADDRESS 1016 RSET RSET 250+Requested+mail+action+okay,+completed MYDOMAIN 43 6
2013-05-07 23:02:25 210.6.92.xx SMTP-IN MYIPADDRESS 1016 QUIT QUIT 221+Service+closing+transmission+channel MYDOMAIN 42 6
2013-05-07 23:02:25 98.136.216.yy SMTP-OU MYSEVER MYSMTPIPADDRESS 1228 CONN MYDOMAIN 0 63
2013-05-07 23:02:25 98.136.216.yy SMTP-OU MYSEVER MYSMTPIPADDRESS 1228 EHLO 220+mta1089.mail.gq1.yahoo.com+ESMTP+YSmtpProxy+service+ready MYDOMAIN 23 81
2013-05-07 23:02:25 98.136.216.yy SMTP-OU MYSEVER MYSMTPIPADDRESS 1228 MAIL EHLO+MYSERVER250-mta1089.mail.gq1.yahoo.com MYDOMAIN 51 45
2013-05-07 23:02:25 98.136.216.yy SMTP-OU MYSERVER MYSMTPIPADDRESS 1228 RCPT MAIL+FROM:<postmaster@MYSERVER>+SIZE=2435 250+sender+<postmaster@MYSERVER>+ok MYDOMAIN 28 37

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Re: Server hacked

Post by MailEnable » Fri May 10, 2013 2:19 pm

First, you should run the diagnostic report and make sure the server is secured properly (i.e. that it's not an open relay).
If you search the KB for "relay" there is more information.

If it's secured, then the spammer must know a password. The message tracking utility in the tray utility will help you find the origin of the spam (if you backtrack the message from the SMTP outbound queue).
You can also look at the metray utility and see which SMTP sender/account is generating the most email.

I would also suggest searching the KB for the term "abuse" since there are an array of articles that describe how you can isolate and address the problem.
Regards, Andrew
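The reply above suggests two triage steps: confirm the server is not an open relay, and find which SMTP sender or account is generating the most outbound mail. The script below is an added example, not part of this thread and not a MailEnable tool; it parses activity-log lines in the layout visible in the first post (the field positions for SMTP-IN and SMTP-OU are inferred from those lines and are an assumption, not MailEnable's documented schema), then counts inbound AUTH attempts per remote IP, outbound sessions per destination, and MAIL FROM addresses per direction. The sample log is constructed, using documentation-range IPs and made-up addresses.

```python
"""Triage helper for MailEnable-style SMTP activity log lines (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Assumed field layout, inferred from the lines quoted in the forum post:
#   SMTP-IN : date time remote-ip SMTP-IN host session cmd args response domain n n
#   SMTP-OU : date time remote-ip SMTP-OU host local-ip session cmd args response domain n n
# The MAIL FROM / RCPT TO text is matched anywhere in the line rather than by column,
# because in the posted lines the command column and the argument text do not line up.
MAIL_FROM_RE = re.compile(r"MAIL\+FROM:<([^>]*)>", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"RCPT\+TO:<([^>]*)>", re.IGNORECASE)

# Constructed sample: one authenticated inbound session sending to three recipients,
# one inbound probe that only RSETs and QUITs, and two outbound delivery sessions.
SAMPLE_LOG = """\
2013-05-07 23:02:20 203.0.113.10 SMTP-IN MYIPADDRESS 1015 AUTH AUTH+LOGIN 334+VXNlcm5hbWU6 MYDOMAIN 20 6
2013-05-07 23:02:21 203.0.113.10 SMTP-IN MYIPADDRESS 1015 MAIL MAIL+FROM:<bob@example.test> 250+Requested+mail+action+okay,+completed MYDOMAIN 43 6
2013-05-07 23:02:22 203.0.113.10 SMTP-IN MYIPADDRESS 1015 RCPT RCPT+TO:<v1@example.net> 250+Requested+mail+action+okay,+completed MYDOMAIN 43 6
2013-05-07 23:02:22 203.0.113.10 SMTP-IN MYIPADDRESS 1015 RCPT RCPT+TO:<v2@example.net> 250+Requested+mail+action+okay,+completed MYDOMAIN 43 6
2013-05-07 23:02:22 203.0.113.10 SMTP-IN MYIPADDRESS 1015 RCPT RCPT+TO:<v3@example.net> 250+Requested+mail+action+okay,+completed MYDOMAIN 43 6
2013-05-07 23:02:25 203.0.113.11 SMTP-IN MYIPADDRESS 1016 RSET RSET 250+Requested+mail+action+okay,+completed MYDOMAIN 43 6
2013-05-07 23:02:25 203.0.113.11 SMTP-IN MYIPADDRESS 1016 QUIT QUIT 221+Service+closing+transmission+channel MYDOMAIN 42 6
2013-05-07 23:02:25 198.51.100.5 SMTP-OU MYSERVER MYSMTPIPADDRESS 1228 CONN MYDOMAIN 0 63
2013-05-07 23:02:25 198.51.100.5 SMTP-OU MYSERVER MYSMTPIPADDRESS 1228 RCPT MAIL+FROM:<postmaster@MYSERVER>+SIZE=2435 250+sender+<postmaster@MYSERVER>+ok MYDOMAIN 28 37
2013-05-07 23:02:26 198.51.100.6 SMTP-OU MYSERVER MYSMTPIPADDRESS 1229 CONN MYDOMAIN 0 63
2013-05-07 23:02:26 198.51.100.6 SMTP-OU MYSERVER MYSMTPIPADDRESS 1229 RCPT MAIL+FROM:<postmaster@MYSERVER>+SIZE=2435 250+sender+<postmaster@MYSERVER>+ok MYDOMAIN 28 37
"""


def parse_line(line):
    """Split one log line into the fields needed for triage; None if it is not an SMTP line."""
    parts = line.split()
    if len(parts) < 8 or parts[3] not in ("SMTP-IN", "SMTP-OU"):
        return None
    direction = parts[3]
    if direction == "SMTP-IN":
        session, command = parts[5], parts[6]
    else:  # SMTP-OU carries an extra local-ip field before the session id (assumption)
        session, command = parts[6], parts[7]
    return {
        "timestamp": f"{parts[0]} {parts[1]}",
        "remote_ip": parts[2],
        "direction": direction,
        "session": session,
        "command": command.upper(),
    }


def summarize(log_text):
    """Aggregate counters that answer 'who is sending?' and 'who is logging in?'."""
    inbound_cmds = Counter()          # commands per inbound remote IP
    auth_by_ip = Counter()            # AUTH attempts per inbound remote IP
    outbound_sessions = defaultdict(set)  # distinct outbound session ids per destination IP
    mail_from = Counter()             # (direction, sender address) -> count
    rcpt_per_session = Counter()      # (direction, session id) -> recipient count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["direction"], rec["session"])
        if rec["direction"] == "SMTP-IN":
            inbound_cmds[rec["remote_ip"]] += 1
            if rec["command"] == "AUTH":
                auth_by_ip[rec["remote_ip"]] += 1
        else:
            outbound_sessions[rec["remote_ip"]].add(rec["session"])
        m = MAIL_FROM_RE.search(line)
        if m:
            mail_from[(rec["direction"], m.group(1).lower())] += 1
        r = RCPT_TO_RE.search(line)
        if r:
            rcpt_per_session[key] += 1
    return {
        "inbound_cmds": inbound_cmds,
        "auth_by_ip": auth_by_ip,
        "outbound_session_count": {ip: len(s) for ip, s in outbound_sessions.items()},
        "mail_from": mail_from,
        "rcpt_per_session": rcpt_per_session,
    }


def top_senders(summary, direction="SMTP-OU", n=5):
    """Most frequent MAIL FROM addresses in one direction; the outbound list is the abuse lead."""
    ranked = [(addr, c) for (d, addr), c in summary["mail_from"].most_common() if d == direction]
    return ranked[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("AUTH attempts by IP:", dict(s["auth_by_ip"]))
    print("Outbound sessions by destination:", s["outbound_session_count"])
    print("Top outbound senders:", top_senders(s))
    print("Top inbound senders:", top_senders(s, "SMTP-IN"))
```

Run it against a real activity log by replacing SAMPLE_LOG with the file contents; an inbound IP with many AUTH attempts followed by a high MAIL FROM count for one address is the usual fingerprint of a guessed or leaked password, while outbound sessions with no matching authenticated inbound session point back at relay or local-script abuse, which the diagnostic report and the KB "relay" articles in the reply cover.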
