Lots of emails in Plesk mail queue
Posted by Zaggs, 03-09-2010, 12:44 PM |
Hi
I seem to have a problem on my Plesk server. When I try to open the mail queue, the page just seems to hang for ages and eventually crashes the server. It seems there are a LOT of emails in there waiting to be sent. I am also trying to send email from the server which is not being received by the recipients (with no bounceback message).
Does anyone know how I can check the problem?
I am guessing a hacker has compromised one of the accounts and is sending bulk spam.
Please advise.
|
Posted by ihsystemihsystem, 03-09-2010, 02:47 PM |
You can check the mail queue using the Plesk interface, or install qmHandle over SSH and check the mail queue with the command qmhandle -s
You can also check the established connections with the netstat command, which helps you trace the IP that is sending the spam.
|
Posted by Zaggs, 03-09-2010, 02:53 PM |
Thanks, I am able to check the mailqueue. I have done that from admin and I can see emails there.
However, how can I trace where the emails are coming from using netstat?
|
Posted by expressadmin, 03-09-2010, 04:45 PM |
The messages are nothing more than text files in /var/qmail/queue/mess/. It takes some digging to understand what message goes with what envelope, but you should be able to determine things.
I highly recommend qmHandle. It allows you to view messages, as well as perform searches and delete them from the queues.
Plesk's web interface is a poor substitute.
|
Posted by Zaggs, 03-09-2010, 04:53 PM |
Ok, I have managed to figure out how to find the messages and open them etc, but the headers do not really help me.
|
Posted by Zaggs, 03-09-2010, 05:02 PM |
Here is an example spam email in the queue:
|
Posted by expressadmin, 03-09-2010, 05:09 PM |
Could be a case of backscatter where your server is handling the bounce replies for forged messages from your domain.
It's hard to tell exactly what is going on without knowing a more complete picture.
Is 203.126.152.242 your server's IP address?
It could also be a case of a double bounce... If that's the case you can easily send double bounce messages to a null handler and discard them safely (since a double bounce means that nobody is ever going to care about it).
Give us a little bit better idea of how the mail is flowing in the above message and we might be able to help you deal with it.
|
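expressadmin's point that the queued messages are plain files, and the later question of whether what is queued is outbound spam, bounces or backscatter, can both be settled from the queue directories themselves. The script below is an added example, not code from the thread or from qmHandle: it parses qmail's on-disk envelope formats (info/ holds "F" plus the envelope sender and a NUL; remote/ and local/ hold recipient records of a status byte, the address and a NUL) and prints a qmHandle -s style summary. The sample queue is constructed from the addresses quoted in the thread; the subjects, the split directory and inode numbers are made up.

```python
"""Summarize a qmail queue from its raw files (what qmHandle -s reports).

Added example for this thread, not code from it or from qmHandle. Layout per
qmail's INTERNALS document, /var/qmail/queue/<dir>/<split>/<inode>:
  info/    b"F" + envelope sender + NUL
  remote/  records: status byte (b"T" to do, b"D" done) + recipient + NUL
  local/   same record format, for local recipients
  mess/    the message itself (headers, blank line, body)
Bounces carry an empty envelope sender; qmail's double bounces carry "#@[]".
"""
import os
from collections import Counter


def parse_sender(info: bytes) -> str:
    """Envelope sender from an info/ file ("" for a bounce)."""
    if not info.startswith(b"F"):
        raise ValueError("info file does not start with F")
    return info[1:].split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_recipients(data: bytes):
    """Yield (status, address) pairs from a remote/ or local/ file."""
    for rec in data.split(b"\0"):
        if len(rec) < 2:        # empty field after the final NUL
            continue
        yield rec[:1].decode("ascii"), rec[1:].decode("utf-8", "replace")


def parse_headers(mess: bytes) -> dict:
    """Lower-cased header name -> value; folded lines are joined, the last of
    repeated headers wins (enough for Subject/From, not for Received chains)."""
    head = mess.split(b"\n\n", 1)[0].decode("utf-8", "replace")
    headers, last = {}, None
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def classify(sender: str) -> str:
    if sender == "":
        return "bounce"          # our server bouncing something: backscatter if forged
    if sender == "#@[]":
        return "double_bounce"   # a bounce that itself bounced
    return "delivery"


def load_queue(files: dict) -> list:
    """files maps 'dir/split/inode' -> bytes (see SAMPLE_QUEUE / read_queue_dir)."""
    by_id = {}
    for path, data in files.items():
        subdir, msg_id = path.split("/", 1)
        by_id.setdefault(msg_id, {})[subdir] = data
    msgs = []
    for msg_id, parts in sorted(by_id.items()):
        if "info" not in parts:   # message still being written by qmail-queue
            continue
        sender = parse_sender(parts["info"])
        recips = [r for d in ("remote", "local") if d in parts
                  for r in parse_recipients(parts[d])]
        msgs.append({"id": msg_id, "sender": sender, "kind": classify(sender),
                     "recipients": recips,
                     "headers": parse_headers(parts.get("mess", b""))})
    return msgs


def read_queue_dir(root="/var/qmail/queue") -> dict:
    """Read the live queue (as root) into the dict shape load_queue expects."""
    files = {}
    for sub in ("info", "remote", "local", "mess"):
        for dirpath, _, names in os.walk(os.path.join(root, sub)):
            for name in names:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def summarize(msgs: list) -> dict:
    pending = [(m, a) for m in msgs for st, a in m["recipients"] if st == "T"]
    return {
        "total": len(msgs),
        "kinds": Counter(m["kind"] for m in msgs),
        "senders": Counter(m["sender"] or "<>" for m in msgs),
        "subjects": Counter(m["headers"].get("subject", "") for m in msgs),
        "pending_recipients": len(pending),
        "recipient_domains": Counter(a.rsplit("@", 1)[-1] for _, a in pending),
    }


# Constructed sample queue using the addresses quoted in the thread.
SPAM = (b"Received: from unknown (HELO localhost) (203.126.152.242)\n"
        b"  by server.mydomain.com with SMTP; 9 Mar 2010 17:02:00 -0000\n"
        b"From: dolce.muller@terra.com.do\nSubject: Best offer for you\n\nbody\n")
SAMPLE_QUEUE = {
    "info/3/1001": b"Fdolce.muller@terra.com.do\0", "remote/3/1001": b"Thul@kj.kz\0",
    "mess/3/1001": SPAM,
    "info/3/1002": b"F\0", "remote/3/1002": b"Tforged-sender@example.net\0",
    "mess/3/1002": b"From: MAILER-DAEMON@server.mydomain.com\nSubject: failure notice\n\n",
    "info/3/1003": b"F#@[]\0", "local/3/1003": b"Tpostmaster@server.mydomain.com\0",
    "mess/3/1003": b"Subject: failure notice\n\n",
    "info/3/1004": b"Fdolce.muller@terra.com.do\0",
    "remote/3/1004": b"Dalready@example.org\0Tpending@example.org\0", "mess/3/1004": SPAM,
}

if __name__ == "__main__":
    import sys
    queue = read_queue_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_QUEUE
    for key, value in summarize(load_queue(queue)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it as python3 qmail_queue_summary.py /var/qmail/queue on the server (it only reads the files; stop qmail first if you intend to delete anything). A queue dominated by "bounce" entries to addresses you have never heard of is backscatter to forged senders, a pile of "double_bounce" entries can be pointed at a discarding address via doublebounceto, and many "delivery" entries with one envelope sender and one subject are the spam run itself.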
Posted by Zaggs, 03-09-2010, 05:13 PM |
203.126.152.242 is not my server IP if that helps. server.mydomain.com is my server name.
|
Posted by Zaggs, 03-09-2010, 05:15 PM |
My server IP is not mentioned once in the email above.
|
Posted by VIPoint, 03-09-2010, 05:20 PM |
The e-mail was sent from dolce.muller@terra.com.do to hul@kj.kz. Please check if the domain terra.com.do is present on the server. If the domain is present, then the domain is sending out SPAM mails from the server.
If you cannot find the domain on the server, please set the "default address" for all your domains to discard.
|
Posted by expressadmin, 03-09-2010, 05:24 PM |
Upon further inspection, most likely you probably have a compromised POP3 login. Do you have short user names enabled on your Plesk server (users can login by using username, instead of username@domain.com)?
If you do, most likely one of your accounts has been brute forced due to a weak username/password combination and they are using SMTP AUTH to inject messages into your server's queue to deliver them.
I am leaning in that direction based on the message headers.
You will have to look at your mail logs to determine who is authenticating right before the messages are being injected into the queue. You have a timestamp in the message so that should help you find where in the logs to be looking (generally).
Another thing you can use is /usr/local/psa/admin/bin/mail_auth_view. This dumps the username and password combinations for your server (all domains). You might be able to spot some common or weak passwords (test/test for example) that are being used.
|
Posted by Zaggs, 03-09-2010, 05:30 PM |
After closer inspection, the domain is not located on the server. Where can I set the default address to discard?
1) Short usernames are not enabled on the server (i.e. I have "Only use of full POP3/IMAP mail accounts names is allowed" enabled.)
Thank you for the other pointers, I will give them a try now and report back shortly.
|
Posted by keserhosting, 03-10-2010, 07:56 PM |
Try to check the mail logs using the command,
tail -f /usr/local/psa/var/log/maillog
This will help you to trace the problem.
|
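expressadmin's advice to find who authenticated right before each message was injected, and keserhosting's pointer to the maillog, are easier to act on with a small script than with tail -f on a queue this size. The following is an added example, not code from the thread or from Plesk. It assumes the two log line shapes given in its docstring (Plesk's smtp_auth "logged in" line and qmail-send's "info msg ... uid" line), works on a constructed sample log, and needs you to supply the uid your qmail-smtpd runs as; the uids 2020, 2021 and 48 in the sample are constructed, not Plesk facts.

```python
"""Who authenticated right before each message hit the queue?

Added example for this thread, not code from it or from Plesk. It reads
/usr/local/psa/var/log/maillog lines in the two shapes assumed below (verify
them against your own log before trusting the regexes):
  ... smtp_auth: SMTP user <mailbox> : <maildir> logged in from <x>@<host> [<ip>]
  ... qmail: <epoch> info msg <id>: bytes <n> from <<sender>> qp <pid> uid <uid>
The uid is the local user that handed the message to qmail-queue: qmail-smtpd's
user for anything that came in over SMTP (authenticated or not), the web
server's user for mail() from a PHP script, and so on; `getent passwd <uid>`
names it. The uids in the sample (2020, 2021, 48) are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

AUTH_RE = re.compile(r"smtp_auth: SMTP user (\S+) : \S+ logged in from \S+ \[([\d.]+)\]")
INFO_RE = re.compile(r"qmail: \d+\.\d+ info msg \d+: bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")


def syslog_time(line: str) -> datetime:
    """'Mar  9 17:02:10 ...' has no year, so only differences are meaningful."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def analyze(lines, smtp_uid: int, window: int = 30) -> dict:
    """smtp_uid: the uid qmail-smtpd runs as on this server (getent passwd qmaild)."""
    by_uid, by_sender, logins = Counter(), Counter(), Counter()
    ips_per_user = defaultdict(set)
    injected_after_login = Counter()
    last_auth = None                     # (time, mailbox, ip) of the latest AUTH
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            user, ip = m.groups()
            logins[user] += 1
            ips_per_user[user].add(ip)
            last_auth = (syslog_time(line), user, ip)
            continue
        m = INFO_RE.search(line)
        if not m:
            continue
        sender, uid = m.group(1) or "<>", int(m.group(2))
        by_uid[uid] += 1
        by_sender[sender] += 1
        # Attribute an SMTP-injected message to the most recent AUTH within the
        # window. Approximate on a busy server (sessions interleave), but it
        # points at the mailbox to lock first.
        if uid == smtp_uid and last_auth:
            delta = (syslog_time(line) - last_auth[0]).total_seconds()
            if 0 <= delta <= window:
                injected_after_login[last_auth[1]] += 1
    return {"by_uid": by_uid, "by_sender": by_sender, "logins": logins,
            "ips_per_user": {u: sorted(s) for u, s in ips_per_user.items()},
            "injected_after_login": injected_after_login}


def suspects(report: dict, min_ips: int = 3) -> list:
    """Mailboxes logging in from many distinct IPs: the usual shape of a
    brute-forced password being used to relay spam."""
    return sorted(u for u, ips in report["ips_per_user"].items() if len(ips) >= min_ips)


# Constructed sample log (addresses and the IP from the thread, plus RFC 5737 ranges).
SAMPLE_LOG = """\
Mar  9 17:01:58 server smtp_auth: SMTP user info@mydomain.com : /var/qmail/mailnames/mydomain.com/info logged in from (null)@unknown [203.126.152.242]
Mar  9 17:02:00 server qmail: 1268154120.101 info msg 213456: bytes 2314 from <dolce.muller@terra.com.do> qp 18422 uid 2020
Mar  9 17:02:01 server qmail: 1268154121.202 info msg 213457: bytes 2314 from <dolce.muller@terra.com.do> qp 18423 uid 2020
Mar  9 17:02:40 server smtp_auth: SMTP user info@mydomain.com : /var/qmail/mailnames/mydomain.com/info logged in from (null)@unknown [198.51.100.7]
Mar  9 17:02:41 server qmail: 1268154161.303 info msg 213458: bytes 2301 from <dolce.muller@terra.com.do> qp 18440 uid 2020
Mar  9 17:03:10 server smtp_auth: SMTP user info@mydomain.com : /var/qmail/mailnames/mydomain.com/info logged in from (null)@unknown [192.0.2.55]
Mar  9 17:03:11 server qmail: 1268154191.404 info msg 213459: bytes 2290 from <dolce.muller@terra.com.do> qp 18451 uid 2020
Mar  9 17:04:00 server smtp_auth: SMTP user bob@mydomain.com : /var/qmail/mailnames/mydomain.com/bob logged in from (null)@unknown [203.0.113.9]
Mar  9 17:04:02 server qmail: 1268154242.505 info msg 213460: bytes 812 from <bob@mydomain.com> qp 18460 uid 2020
Mar  9 17:05:00 server qmail: 1268154300.606 info msg 213461: bytes 640 from <> qp 18470 uid 2021
Mar  9 17:06:00 server qmail: 1268154360.707 info msg 213462: bytes 900 from <webform@mydomain.com> qp 18480 uid 48
""".splitlines()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # python3 maillog_auth.py <smtp_uid> < maillog
        report = analyze(sys.stdin, smtp_uid=int(sys.argv[1]))
    else:
        report = analyze(SAMPLE_LOG, smtp_uid=2020)
    for key, value in report.items():
        print(key, dict(value))
    print("suspects", suspects(report))
```

Run it as python3 maillog_auth.py "$(id -u qmaild)" < /usr/local/psa/var/log/maillog. A mailbox with many logins from many distinct IPs and a matching injected_after_login count is the compromised account to lock and re-password; a large by_uid count under the web server's uid instead points at a PHP script calling mail(), which no mailbox password change will stop; a large count of "<>" senders is your own server generating bounces.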