LinuxQuestions.org
Old 03-01-2020, 08:56 PM   #1
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Rep: Reputation: Disabled
Question VPS server (Mail delivery Issue)


Hey Guys,

We are using a VPS server for both hosting websites and mails.
We started facing email issues. Upon going through the logs I found that the emails are going from "domain username@vps.ourdomain" to info@domain, sales@domain, etc.

I checked this with our hosting provider; they told us to ignore it as it's just a notification from the VPS.

After that I checked some message contents, which turned out to be spam.

So my question is: is this behavior of the server normal? Is this a problem? Can anyone help me resolve this?
 
Old 03-01-2020, 09:02 PM   #2
uteck
Senior Member
 
Registered: Oct 2003
Location: Elgin,IL,USA
Distribution: Ubuntu based stuff for the most part
Posts: 1,177

Rep: Reputation: 501
If you are seeing spam, then run ClamAV if it is installed, if not then install it and run a scan. Seems like you might have an infection, or your mail relay is open and forwarding spam.
 
1 members found this post helpful.
Old 03-01-2020, 09:44 PM   #3
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi uteck,

We have more than 300 sites hosted on this server. I did ask our hosting provider about that; they replied like this: "We can run a full scan, however note that it will cause a heavy load on your server, and can cause a possible crash of the VPS during its running,".
It's a managed VPS, so we don't have root access either. Is there any other way to find out what's happening?
 
Old 03-01-2020, 10:31 PM   #4
uteck
Senior Member
 
Registered: Oct 2003
Location: Elgin,IL,USA
Distribution: Ubuntu based stuff for the most part
Posts: 1,177

Rep: Reputation: 501
Since it is managed and your access is limited, then you need to get the host to do some digging. When I did VPS support the main cause for server infection was WordPress plugins that got hacked. Have them run the scan, if it is infected you need to know fast.

Take a look at the domain where the spam is coming from for any new user accounts or pages that were added. Look at any plugins and see if there are updates for them. Many third-party plugins for WordPress are not very secure.
 
1 members found this post helpful.
Old 03-01-2020, 10:38 PM   #5
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by uteck View Post
If you are seeing spam, then run ClamAV if it is installed, if not then install it and run a scan. Seems like you might have an infection, or your mail relay is open and forwarding spam.

I have enclosed a few screenshots; can you have a look at them?

[Attached thumbnails: Screenshot (21).png, Screenshot (22).png]
 
Old 03-01-2020, 10:54 PM   #6
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4206
If those emails are the spam you have identified, your VPS is sending spam, probably in addition to receiving it.

You need to have your web administrator review the site security and configuration. It may be that one or more of those 300 web sites is sending spam due to being compromised or configured to do so by a user, or your mail server is misconfigured as an open relay, or both. That may not be the responsibility of the VPS provider or something included in the terms of your managed hosting.
 
1 members found this post helpful.
Old 03-01-2020, 11:07 PM   #7
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by astrogeek View Post
If those emails are the spam you have identified, your VPS is sending spam, probably in addition to receiving it.

You need to have your web administrator review the site security and configuration. It may be that one or more of those 300 web sites is sending spam due to being compromised or configured to do so by a user, or your mail server is misconfigured as an open relay, or both. That may not be the responsibility of the VPS provider or something included in the terms of your managed hosting.

I checked with some tools to check if our server is an open relay, but all the results came as not an open relay.
 
Old 03-01-2020, 11:09 PM   #8
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
I e-mailed our hosting provider about scanning the server and am awaiting a reply.
 
Old 03-01-2020, 11:26 PM   #9
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Rep: Reputation: 4206
Quote:
Originally Posted by Lewis_008 View Post
I e-mailed our hosting provider about scanning the server and am awaiting a reply.

That is probably a good place to start, but without knowing what is included in the "scan" it is hard to know how much hope to put in that. If by scan they mean something like a virus scan it may not turn up much on a web server sending spam.

Do those 300 web sites belong to different people? Do others have any access to your VPS? Who is responsible for configuring and administering the VPS? As mentioned by someone earlier, if any of those web sites are built around WordPress that is a very common source of trouble with numerous exploits and vulnerabilities being available to the miscreants who may abuse it.

Depending on what the scan turns up, I would suggest having the VPS administrator (not the hosting provider) familiar with its configuration try to identify the cause of those emails and eliminate it.

ADDED COMMENT: The spam is originating on the VPS, if I am reading the screenshots correctly, but the frequency is not really high and the recipient gmail address looks to be the same. That would make me think it might be some web page being abused which is not sending mass spam to random recipients on the internet... that is a good thing. You might begin by looking at that domain's vhost on the server, assuming it to be a legitimate domain (must be if dkim accepts it).

Last edited by astrogeek; 03-01-2020 at 11:51 PM.
 
1 members found this post helpful.
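
Added example (not part of any poster's message, and not code from the thread): without root access you can still export the suspect messages with full headers and tally which hosting account and script generated them, which shows which vhost to inspect first and whether a message was instead handed in from a remote host. The hostname, accounts and headers below are constructed; `X-PHP-Originating-Script` is only present when the host's PHP has `mail.add_x_header` enabled, and the Received-line patterns are heuristics for Postfix and Exim, since the thread does not name the MTA.

```python
import email
from collections import Counter
from email.utils import parseaddr

VPS_HOST = "vps.example.net"  # assumed placeholder for the VPS hostname

# Constructed sample headers (not taken from the thread's screenshots).
SAMPLES = [
    "Return-Path: <shopuser@vps.example.net>\n"
    "Received: by vps.example.net (Postfix, from userid 1004)\n"
    "X-PHP-Originating-Script: 1004:contact.php\n"
    "To: someone@example.com\n\nbody\n",
    "Return-Path: <shopuser@vps.example.net>\n"
    "Received: by vps.example.net (Postfix, from userid 1004)\n"
    "X-PHP-Originating-Script: 1004:contact.php\n"
    "To: someone@example.com\n\nbody\n",
    "Return-Path: <blog1@vps.example.net>\n"
    "Received: from blog1 by vps.example.net with local (Exim 4.92)\n"
    "To: someone@example.com\n\nbody\n",
    "Return-Path: <a@elsewhere.example>\n"
    "Received: from mx.elsewhere.example ([203.0.113.9])\n"
    "\tby vps.example.net with esmtp\n"
    "To: info@example.org\n\nbody\n",
]

def classify(raw, vps_host=VPS_HOST):
    """Return (origin, who, script) for one raw message."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    account, _, domain = sender.partition("@")
    # System-user senders (user@<vps hostname>) map to a hosting account.
    who = account if domain.lower() == vps_host else sender
    hops = msg.get_all("Received") or []
    # The last Received header is the earliest hop; unfold and lowercase it.
    first = " ".join(hops[-1].split()).lower() if hops else ""
    # Heuristic: mail submitted by a local process has no remote peer in
    # its earliest hop (Postfix "by host (Postfix, from userid N)",
    # Exim "with local", or a loopback SMTP connection).
    local = (first.startswith("by ") or " with local" in first
             or "localhost" in first or "127.0.0.1" in first)
    if local:
        return ("local", who, msg.get("X-PHP-Originating-Script", "unknown"))
    return ("remote", who, None)

def summarize(raws):
    """Count locally generated messages per (account, script), busiest first."""
    tally = Counter()
    for raw in raws:
        origin, who, script = classify(raw)
        if origin == "local":
            tally[(who, script)] += 1
    return tally.most_common()
```
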
Old 03-02-2020, 12:01 AM   #10
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by astrogeek View Post
That is probably a good place to start, but without knowing what is included in the "scan" it is hard to know how much hope to put in that. If by scan they mean something like a virus scan it may not turn up much on a web server sending spam.

Do those 300 web sites belong to different people? Do others have any access to your VPS? Who is responsible for configuring and administering the VPS? As mentioned by someone earlier, if any of those web sites are built around WordPress that is a very common source of trouble with numerous exploits and vulnerabilities being available to the miscreants who may abuse it.

Depending on what the scan turns up, I would suggest having the VPS administrator (not the hosting provider) familiar with its configuration try to identify the cause of those emails and eliminate it.

Yes, the 300 sites are different and belong to their respective owners. Our hosting providers are the admins of our VPS (TPP Wholesale). Server configuration and all is done by them. And we don't encourage clients to have a WP site; instead we build on other platforms like HTML, CSS, Bootstrap, etc. And for e-comm sites we prefer Magento 2.0.
 
Old 03-02-2020, 01:48 PM   #11
uteck
Senior Member
 
Registered: Oct 2003
Location: Elgin,IL,USA
Distribution: Ubuntu based stuff for the most part
Posts: 1,177

Rep: Reputation: 501
From the screenshot it looks like you need to train your spam engine a bit as it seems to be giving a false positive. It looks like a site is sending email to their gmail address.

I think you need to worry more about the privacy violation you did by disclosing a customer's name and email.
 
2 members found this post helpful.
Old 03-04-2020, 11:02 PM   #12
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by astrogeek View Post
That is probably a good place to start, but without knowing what is included in the "scan" it is hard to know how much hope to put in that. If by scan they mean something like a virus scan it may not turn up much on a web server sending spam.

Do those 300 web sites belong to different people? Do others have any access to your VPS? Who is responsible for configuring and administering the VPS? As mentioned by someone earlier, if any of those web sites are built around WordPress that is a very common source of trouble with numerous exploits and vulnerabilities being available to the miscreants who may abuse it.

Depending on what the scan turns up, I would suggest having the VPS administrator (not the hosting provider) familiar with its configuration try to identify the cause of those emails and eliminate it.

ADDED COMMENT: The spam is originating on the VPS, if I am reading the screenshots correctly, but the frequency is not really high and the recipient gmail address looks to be the same. That would make me think it might be some web page being abused which is not sending mass spam to random recipients on the internet... that is a good thing. You might begin by looking at that domain's vhost on the server, assuming it to be a legitimate domain (must be if dkim accepts it).

Yup, somehow we are working on this with our provider; we have to check what they have got till now.
 
Old 03-04-2020, 11:04 PM   #13
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by uteck View Post
From the screenshot it looks like you need to train your spam engine a bit as it seems to be giving a false positive. It looks like a site is sending email to their gmail address.

I think you need to worry more about the privacy violation you did by disclosing a customer's name and email.

Will definitely implement this, and as far as the email is concerned, that's our developer's email; before sending that screenshot I checked with him and then shared it here. Without those emails it's difficult to check what's going on.
 
Old 03-04-2020, 11:07 PM   #14
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
And also I have one doubt. Some emails show their sender address and IP as localhost (127.0.0.1); at this point the emails go through the server but don't show up in the inbox. Any reason for this?
 
Old 03-05-2020, 12:45 AM   #15
Lewis_008
LQ Newbie
 
Registered: Mar 2020
Distribution: Parrot OS , Kali linux
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by astrogeek View Post
That is probably a good place to start, but without knowing what is included in the "scan" it is hard to know how much hope to put in that. If by scan they mean something like a virus scan it may not turn up much on a web server sending spam.

Do those 300 web sites belong to different people? Do others have any access to your VPS? Who is responsible for configuring and administering the VPS? As mentioned by someone earlier, if any of those web sites are built around WordPress that is a very common source of trouble with numerous exploits and vulnerabilities being available to the miscreants who may abuse it.

Depending on what the scan turns up, I would suggest having the VPS administrator (not the hosting provider) familiar with its configuration try to identify the cause of those emails and eliminate it.

ADDED COMMENT: The spam is originating on the VPS, if I am reading the screenshots correctly, but the frequency is not really high and the recipient gmail address looks to be the same. That would make me think it might be some web page being abused which is not sending mass spam to random recipients on the internet... that is a good thing. You might begin by looking at that domain's vhost on the server, assuming it to be a legitimate domain (must be if dkim accepts it).

Check these screenshots. It's sending to somewhere else.

[Attached thumbnails: Screenshot (26).png, Screenshot (25).png]
 
  

