SYSTEM INFORMATION
OS type and version: Ubuntu Linux 20.04.6
Webmin version: 2.105
Usermin version: 2.005
Virtualmin version: 7.9.0 Pro
Theme version: 21.09.5
Package updates: All installed packages are up to date
protection against spam threats
Hello friends, I have a server. Each time, it comes across people who use it to send spam. Is there security for that? Thank you very much.
calport
February 29, 2024, 10:57pm
2
Virtualmin → Email Settings → Mail Rate Limiting
Use this to put a limit to the number of messages that a virtual server can send in a day. When the spammer hits that limit, all the other mail that he wishes to send will be automatically rejected by your Virtualmin system.
Problem solved.
Thank you very much, Mr. You are always there to help me, but is there a solution so that the other email addresses remain operational, except of course the address where there is the problem?
You want mail rate limits for every individual mailbox?
See
Looking at your screenshot, it’s quite clear that one user in particular, azzedine.moufaddal @ atlanticfoods.ma is spamming heavily.
Most likely, this user's password is known and his/her computer might also be infected with something.
In these cases you should advise the user to do a proper virus/malware search on their computer and change the account password before any more harm can be done.
It’s strange that even though I changed the password and also suspended the account, he continued to send the emails.
jimr1
March 1, 2024, 11:24am
7
You need to check the logs to see who is sending. Look at the mail.log at around 2024/02/29 08:15 pm and see who logs in to the mail server and sends the mail.
Feb 25 07:19:10 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:19:14 atlanticfoods postfix/smtpd[1697566]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:19:14 atlanticfoods postfix/smtpd[1697566]: connect from unknown[45.129.14.128]
Feb 25 07:19:17 atlanticfoods postfix/smtpd[1701559]: lost connection after CONNECT from p798092-mobac01.tokyo.ocn.ne.jp[122.27.228.91]
Feb 25 07:19:17 atlanticfoods postfix/smtpd[1701559]: disconnect from p798092-mobac01.tokyo.ocn.ne.jp[122.27.228.91] commands=0/0
Feb 25 07:19:22 atlanticfoods postfix/smtpd[1697566]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:22 atlanticfoods postfix/smtpd[1697566]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701559]: warning: hostname 129-181-195-190.cab.prima.net.ar does not resolve to address 190.195.181.129: No address associated with hostname
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701559]: connect from unknown[190.195.181.129]
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:19:37 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:38 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:19:42 atlanticfoods postfix/smtpd[1701559]: warning: unknown[190.195.181.129]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:43 atlanticfoods postfix/smtpd[1701559]: lost connection after AUTH from unknown[190.195.181.129]
Feb 25 07:19:43 atlanticfoods postfix/smtpd[1701559]: disconnect from unknown[190.195.181.129] ehlo=1 auth=0/1 commands=1/2
Feb 25 07:19:44 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:19:44 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:19:54 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:55 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:00 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:00 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:07 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:08 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:15 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:15 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:22 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:22 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:31 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:31 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:39 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:40 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:46 atlanticfoods dovecot: imap-login: Login: user=benabdeljalil.nacer@atlanticfoods.ma , method=PLAIN, rip=105.135.151.31, lip=31.220.84.53, mpid=1701816, TLS, session=
Feb 25 07:20:46 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:46 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:47 atlanticfoods dovecot: imap(benabdeljalil.nacer@atlanticfoods.ma)<1701816>: Connection closed (SELECT finished 0.261 secs ago) in=104 out=991 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:20:53 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:53 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:02 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:02 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:05 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma , method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701824, TLS, session=
Feb 25 07:21:05 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma , method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701825, TLS, session=
Feb 25 07:21:06 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701824>: Connection closed (LIST finished 0.194 secs ago) in=50 out=1672 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:21:06 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma , method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701829, TLS, session=<+fxdzC4SLOzEcyIp>
Feb 25 07:21:07 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701829><+fxdzC4SLOzEcyIp>: Connection closed (UID SEARCH finished 0.522 secs ago) in=81 out=1379 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:21:08 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma , method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701831, TLS, session=
Feb 25 07:21:08 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:09 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:09 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701825>: Connection closed (UID FETCH finished 3.001 secs ago) in=83 out=129408 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=127994
Feb 25 07:21:09 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701831>: Connection closed (UID FETCH finished 0.307 secs ago) in=163 out=1657 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:21:17 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:17 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:25 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:25 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:32 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:32 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:42 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:43 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:48 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:48 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:53 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.88.90.174]
Feb 25 07:21:54 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:55 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:56 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.88.90.174]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:56 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.88.90.174] ehlo=1 auth=0/1 quit=1 commands=2/3
Feb 25 07:22:03 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:03 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:22:10 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:10 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:22:19 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:19 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:22:26 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:26 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:22:34 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:34 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:22:35 atlanticfoods dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=dafir.ali@atlanticfoods.ma , method=PLAIN, rip=105.154.98.208, lip=31.220.84.53, TLS, session=
Feb 25 07:22:43 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:44 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:22:44 atlanticfoods dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 8 secs): user=dafir.ali@atlanticfoods.ma , method=PLAIN, rip=105.154.98.208, lip=31.220.84.53, TLS, session=
Feb 25 07:22:49 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:49 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:22:57 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:58 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:05 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:05 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:23:11 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:23:11 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:20 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:20 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:23:28 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:23:28 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:35 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:35 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:23:43 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:23:43 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:51 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:51 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:23:58 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:00 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:06 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:06 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:24:14 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:15 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:22 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:22 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:24:30 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:31 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:37 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:37 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:24:45 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:46 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:52 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:52 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:24:59 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
jimr1
March 1, 2024, 12:34pm
9
is your last entry. You should be looking at around 20:15, which is 08:15 pm, so you're about 12 hours out.
Please, how can I send you the file? It has more than 30000 lines.
jimr1
March 1, 2024, 4:42pm
11
Just copy the area required and paste it into a post; there is no need for the whole file.
I find a lot of lines for the 12 hours.
ID10T
March 1, 2024, 5:23pm
13
Feb 25 07:24:59 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Is Fail2Ban working on your system? This many authentication failures from one address should be tripping a block.
jimr1
March 1, 2024, 5:45pm
14
This is outward, not inward … someone is spamming from his server and not spamming to his server, so the Fail2Ban not banning is another issue.
jimr1
March 1, 2024, 5:48pm
15
You don’t need the 12 hours; you just need entries from around 20:15, just so you can see who attempted to send mail from your server.
ID10T
March 1, 2024, 6:40pm
16
Unless the OP’s server address is 45.129.14.128, it is someone attempting to remotely log in and send spam from that account.
Exactly as our friend said, someone is sending messages from my server. Even though I deleted the mailbox displayed in the photo, I see the messages still coming out of Postfix, so I can say that someone has access to my server. What do I have to do in this case? I can tell you that even if I delete this mailbox, change the password or suspend it, the spammer still has access, I don’t know why. And I received a message from my VPS provider that they will suspend port 25 for a day if I don’t stop it.
ID10T
March 1, 2024, 7:03pm
18
If you deleted the mailbox then of course the login will fail. I see a lot of fails. The failed attempts don’t result in outgoing spam. You need to learn to read your log files and understand what they say.
sudo firewall-cmd --add-rich-rule="rule family='ipv4' source address='45.129.14.128' drop"
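An added example (not code from any poster in this thread) of the log reading discussed above: it separates failed SMTP AUTH attempts, which send nothing, from accepted authenticated submissions, which are what actually put mail in the queue. The failure lines are copied from the log posted in this thread; the two `sasl_username=` lines, their host name, queue IDs, IP address and account are constructed for illustration.

```python
import re
from collections import Counter

# Failed SMTP AUTH as logged by postfix/smtpd (format as in the log posted above).
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")
# Accepted authenticated submission: Postfix logs the queue ID, client and SASL user.
ACCEPTED = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S+\[([0-9a-fA-F.:]+)\], "
    r"sasl_method=\S+, sasl_username=(\S+)")

def summarize(lines, fail_threshold=5):
    """Count failed AUTH per source IP and accepted submissions per (account, IP)."""
    failed, accepted = Counter(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failed[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[(m.group(3), m.group(2))] += 1
    # Sources with many failures are brute-force noise and candidates for a ban;
    # the accounts in `accepted` are the ones that really submitted mail.
    ban_candidates = sorted(ip for ip, n in failed.items() if n >= fail_threshold)
    return {"failed": failed, "accepted": accepted, "ban_candidates": ban_candidates}

SAMPLE = """\
Feb 25 07:19:22 atlanticfoods postfix/smtpd[1697566]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:37 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:42 atlanticfoods postfix/smtpd[1701559]: warning: unknown[190.195.181.129]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:54 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:07 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:22 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:56 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.88.90.174]: SASL LOGIN authentication failed: authentication failure
Feb 29 20:15:02 mailhost postfix/smtpd[1800001]: 4A1B2C3D4E: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=user@example.com
Feb 29 20:15:03 mailhost postfix/smtpd[1800001]: 5B2C3D4E5F: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=user@example.com
""".splitlines()  # last two lines are constructed, not from the thread

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for ip, n in report["failed"].most_common():
        print(f"failed AUTH  {n:4d}  {ip}")
    for (user, ip), n in report["accepted"].most_common():
        print(f"accepted     {n:4d}  {user} from {ip}")
    print("ban candidates:", report["ban_candidates"])
```

On a real server, pass the lines of the mail log for the time window in question instead of `SAMPLE`.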
jimr1
March 1, 2024, 7:05pm
19
However, the person who is sending spam can log in, and the spam ends up queued in the Postfix queue.
ID10T
March 1, 2024, 7:08pm
20
I thought the mailbox was deleted. You are saying mail gets queued from a failed login? That doesn’t sound right.
OP. Clear the queue and see if anything new shows up.
EDIT: Maybe the settings I have in my postfix config would help? In theory it would terminate the connection after the fail?
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
# check_policy_service unix:private/policyd-spf