Protection against spam

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 20.04.6
Webmin version: 2.105
Usermin version: 2.005
Virtualmin version: 7.9.0 Pro
Theme version: 21.09.5
Package updates: All installed packages are up to date

protection against spam threats
Hello friends, I have a server. Each time, it comes across people who use it to send spam. Is there security for that? Thank you very much.


[Image: Screenshot 2024-02-29 232033]

Virtualmin → Email Settings → Mail Rate Limiting

Use this to put a limit on the number of messages that a virtual server can send in a day. When the spammer hits that limit, all the other mail that he wishes to send will be automatically rejected by your Virtualmin system.

Problem solved.

Thank you very much, Mr. You are always there to help me, but is there a solution so that the other email addresses remain operational, except of course the address where there is the problem?

You want mail rate limits for every individual mailbox?

See


Looking at your screenshot, it’s quite clear that one user in particular, azzedine.moufaddal @ atlanticfoods.ma, is spamming heavily.
Most likely, this user’s password is known and his/her computer might also be infected with something.
In these cases you should advise the user to do a proper virus/malware search on their computer and change the account password before any more harm can be done.


It’s strange that even though I changed the password and also suspended the account, he continued to send the emails.

You need to check the logs to see who is sending. Look at the mail.log at around 2024/02/29 08:15 pm and see who logs in to the mail server and sends the mail.


Feb 25 07:19:10 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:19:14 atlanticfoods postfix/smtpd[1697566]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:19:14 atlanticfoods postfix/smtpd[1697566]: connect from unknown[45.129.14.128]
Feb 25 07:19:17 atlanticfoods postfix/smtpd[1701559]: lost connection after CONNECT from p798092-mobac01.tokyo.ocn.ne.jp[122.27.228.91]
Feb 25 07:19:17 atlanticfoods postfix/smtpd[1701559]: disconnect from p798092-mobac01.tokyo.ocn.ne.jp[122.27.228.91] commands=0/0
Feb 25 07:19:22 atlanticfoods postfix/smtpd[1697566]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:22 atlanticfoods postfix/smtpd[1697566]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701559]: warning: hostname 129-181-195-190.cab.prima.net.ar does not resolve to address 190.195.181.129: No address associated with hostname
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701559]: connect from unknown[190.195.181.129]
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:19:29 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:19:37 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:38 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:19:42 atlanticfoods postfix/smtpd[1701559]: warning: unknown[190.195.181.129]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:43 atlanticfoods postfix/smtpd[1701559]: lost connection after AUTH from unknown[190.195.181.129]
Feb 25 07:19:43 atlanticfoods postfix/smtpd[1701559]: disconnect from unknown[190.195.181.129] ehlo=1 auth=0/1 commands=1/2
Feb 25 07:19:44 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:19:44 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:19:54 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:19:55 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:00 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:00 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:07 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:08 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:15 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:15 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:22 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:22 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:31 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:31 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:39 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:40 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:20:46 atlanticfoods dovecot: imap-login: Login: user=benabdeljalil.nacer@atlanticfoods.ma, method=PLAIN, rip=105.135.151.31, lip=31.220.84.53, mpid=1701816, TLS, session=
Feb 25 07:20:46 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:20:46 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:20:47 atlanticfoods dovecot: imap(benabdeljalil.nacer@atlanticfoods.ma)<1701816>: Connection closed (SELECT finished 0.261 secs ago) in=104 out=991 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:20:53 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:20:53 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:02 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:02 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:05 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma, method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701824, TLS, session=
Feb 25 07:21:05 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma, method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701825, TLS, session=
Feb 25 07:21:06 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701824>: Connection closed (LIST finished 0.194 secs ago) in=50 out=1672 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:21:06 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma, method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701829, TLS, session=<+fxdzC4SLOzEcyIp>
Feb 25 07:21:07 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701829><+fxdzC4SLOzEcyIp>: Connection closed (UID SEARCH finished 0.522 secs ago) in=81 out=1379 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:21:08 atlanticfoods dovecot: imap-login: Login: user=laghrissi.abdellah@atlanticfoods.ma, method=PLAIN, rip=196.115.34.41, lip=31.220.84.53, mpid=1701831, TLS, session=
Feb 25 07:21:08 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:09 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:09 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701825>: Connection closed (UID FETCH finished 3.001 secs ago) in=83 out=129408 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=127994
Feb 25 07:21:09 atlanticfoods dovecot: imap(laghrissi.abdellah@atlanticfoods.ma)<1701831>: Connection closed (UID FETCH finished 0.307 secs ago) in=163 out=1657 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 25 07:21:17 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:17 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:25 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:25 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:32 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:32 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:42 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:43 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:48 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:21:48 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:21:53 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.88.90.174]
Feb 25 07:21:54 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:55 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:21:56 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.88.90.174]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:21:56 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.88.90.174] ehlo=1 auth=0/1 quit=1 commands=2/3
Feb 25 07:22:03 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:03 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:22:10 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:10 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:22:19 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:19 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:22:26 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:26 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:22:34 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:34 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:22:35 atlanticfoods dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 4 secs): user=dafir.ali@atlanticfoods.ma, method=PLAIN, rip=105.154.98.208, lip=31.220.84.53, TLS, session=
Feb 25 07:22:43 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:44 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:22:44 atlanticfoods dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 8 secs): user=dafir.ali@atlanticfoods.ma, method=PLAIN, rip=105.154.98.208, lip=31.220.84.53, TLS, session=
Feb 25 07:22:49 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:22:49 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:22:57 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:22:58 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:05 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:05 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:23:11 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:23:11 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:20 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:20 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:23:28 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:23:28 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:35 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:35 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:23:43 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:23:43 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:23:51 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:23:51 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:23:58 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:00 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:06 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:06 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:24:14 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:15 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:22 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:22 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:24:30 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:31 atlanticfoods postfix/smtpd[1701848]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:37 atlanticfoods postfix/smtpd[1701473]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:37 atlanticfoods postfix/smtpd[1701473]: connect from unknown[45.129.14.128]
Feb 25 07:24:45 atlanticfoods postfix/smtpd[1701473]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure
Feb 25 07:24:46 atlanticfoods postfix/smtpd[1701473]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Feb 25 07:24:52 atlanticfoods postfix/smtpd[1701848]: warning: hostname 128.hosted-by.198xd.com does not resolve to address 45.129.14.128
Feb 25 07:24:52 atlanticfoods postfix/smtpd[1701848]: connect from unknown[45.129.14.128]
Feb 25 07:24:59 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure

is your last entry. You should be looking at around 20:15, which is 08:15 pm, so you’re about 12 hours out.

Please, how can I send you the file? It has more than 30000 lines.

Just copy the area required and paste it into a post. There is no need for the whole file.

I find a lot of lines for the 12 hours

Feb 25 07:24:59 atlanticfoods postfix/smtpd[1701848]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure

Is Fail2Ban working on your system? This many authentication failures from one address should be tripping a block.


This is outward, not inward … someone is spamming from his server and not spamming to his server, so the fail2ban not banning is another issue

You don’t need the 12 hours; you just need entries from around 20:15, just so you can see who attempted to send mail from your server

Unless the OP’s server address is 45.129.14.128, it is someone attempting to remotely log in and send spam from that account.

Exactly as our friend said, someone sends messages from my server. Even though I deleted the box displayed in the photo, I see the messages still coming out from Postfix, so I can say that someone has access to my server. What do I have to do in this case? I can tell you that even if I deleted this box, changed the password or suspended it, the spammer still has access, I don’t know why. I also received a message from my VPS provider saying they will suspend port 25 for a day if I don’t stop it.

If you deleted the mailbox then of course the login will fail. I see a lot of fails. The failed attempts don’t result in outgoing spam. You need to learn to read your log files and understand what they say.

sudo firewall-cmd --add-rich-rule="rule family='ipv4' source address='45.129.14.128' drop"
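
The distinction drawn in the post above, between failed SASL attempts and logins that actually queue mail, can be checked mechanically. The following is an added example, not code from the thread: it tallies both kinds of Postfix log line. The sample lines, addresses, users and queue IDs are constructed; `sasl_username=` is the record Postfix writes when it accepts a message from an authenticated client.

```python
import re
from collections import Counter

# Constructed sample in the mail.log format shown in this thread.
# Addresses, users and queue IDs are made up for the example.
SAMPLE_LOG = """\
Feb 29 20:14:58 mail postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 29 20:15:03 mail postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 29 20:15:05 mail postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 29 20:15:09 mail postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 29 20:15:11 mail postfix/smtpd[2002]: 4A1B2C3D4E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Feb 29 20:15:12 mail postfix/smtpd[2002]: 4A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Feb 29 20:15:20 mail postfix/smtpd[2003]: 4A1B2C3D50: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Feb 29 20:15:21 mail postfix/smtpd[2001]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
"""

# A rejected login: nothing is queued as a result of this line.
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed")
# An accepted message from an authenticated client: this is what sends mail.
ACCEPTED = re.compile(
    r"postfix/smtpd\[\d+\]: (\w+): client=\S+\[([0-9A-Fa-f.:]+)\], "
    r"sasl_method=([^,\s]+), sasl_username=(\S+)")


def summarize(lines, fail_threshold=3):
    """Separate failed SASL attempts from authenticated submissions."""
    failed = Counter()   # source IP -> failed attempts
    sent = Counter()     # sasl_username -> messages accepted
    sources = {}         # sasl_username -> set of client IPs
    for line in lines:
        m = FAILED.search(line)
        if m:
            failed[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            _qid, ip, _method, user = m.groups()
            sent[user] += 1
            sources.setdefault(user, set()).add(ip)
    return {
        # Noisy but harmless so far: candidates for a firewall or Fail2Ban block.
        "block_candidates": sorted(
            ip for ip, n in failed.items() if n >= fail_threshold),
        # Accounts that really submitted mail: where to look for the spam source.
        "authenticated_senders": dict(sent),
        "sender_ips": {u: sorted(ips) for u, ips in sources.items()},
        # IPs that failed and later succeeded: likely guessed or stolen password.
        "guessed_then_sent": sorted(
            {ip for ips in sources.values() for ip in ips if ip in failed}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real server, pass the lines of the mail log for the time window in question to `summarize()` instead of the sample.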

However the person who is sending spam as they can log in and the spam ends up queued in the postfix queue

I thought the mailbox was deleted. You are saying mail gets queued from a failed login? That doesn’t sound right.

OP. Clear the queue and see if anything new shows up.

EDIT: Maybe the settings I have in my postfix config would help? In theory it would terminate the connection after the fail?

   permit_mynetworks 
   permit_sasl_authenticated 
   reject_unauth_destination 
   reject_invalid_hostname 
   reject_non_fqdn_sender 
   reject_unknown_sender_domain 
   reject_unknown_recipient_domain 
#   check_policy_service unix:private/policyd-spf