High SMTP traffic port 25/tcp

Comments

6 comments

  • MilesWeb

    Hello, milo695

    It seems your server got compromised and someone had a DDoS attack on your server.

    Refer to the article below to prevent DDoS attacks using CSF:
    https://www.supportsages.com/configure-csf-prevent-ddos-attacks/

    Also, if possible, share the output of cat /var/log/exim_mainlog so we can check the exim logs and help you further.

    1
  • cPRex Jurassic Moderator

    I would prefer that you don't post a giant output of "cat /var/log/exim_mainlog" to the Forum. It will be huge, and full of personal information.

    I also don't believe outgoing email is a "DDoS" type of attack.

    I would recommend working through the guide here to see if you can determine the source of the messages:

    https://support.cpanel.net/hc/en-us/articles/360052272514-How-to-find-the-source-of-spam-emails

    1
  • Andrew

    LFD is part of the ConfigServer Firewall...you either need to fix the excessive resource usage or adjust the sensitivity of these alerts in the firewall. 

    Andrew N. - cPanel Plesk VMWare Certified Professional
    Do you need immediate assistance? 20 minutes response time!*
    EmergencySupport - Professional Server Management and One-time Services

    1
  • milo695

    Thanks, I've increased the PT_USERMEM to 1024 and am monitoring now.

    1
  • milo695

    Thanks for this, how can I send you exim_mainlog?

    0
  • milo695

    99% of those messages are generated by the System and sent to server admin email (to my gmail), containing: 

    lfd on server.domain.com: Excessive resource usage:

    and then land in my Gmail spam folder. Sorry, I forgot to mention that CSF is generating them.

    In Exim I have a lot of these:
    2024-01-22 10:12:24 1rRnx8-0001Hr-0U Message is frozen
    and several of these:
    2024-01-22 06:08:09 1rRCS8-00049d-31 == 73612-1150-184615-15837-username=one_of_my_domains@mail.heartburnnomore.life R=dkim_lookuphost T=dkim_remote_smtp defer (-54): retry time not reached for any host for 'mail.heartburnnomore.life'

    Can you help me recognise what those 2 are?

    heartburnnomore.life is not my domain but looks like it's trying to, well... trying something 

    0
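
The two kinds of exim_mainlog entries quoted in the last post can be tied back to the message that produced them by grouping lines on the message ID. This is an added example, not part of any post in the thread: the log lines are constructed in the same format, all hosts and addresses are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in exim_mainlog format; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2024-01-22 06:01:10 1rRCS8-00049d-31 <= <> R=1rRCRz-00049X-2B U=mailnull P=local S=2345
2024-01-22 06:08:09 1rRCS8-00049d-31 == bounce-123-user=example.org@mail.sender.example R=dkim_lookuphost T=dkim_remote_smtp defer (-54): retry time not reached for any host for 'mail.sender.example'
2024-01-22 10:12:24 1rRCS8-00049d-31 Message is frozen
2024-01-22 10:12:24 1rRnx8-0001Hr-0U Message is frozen
2024-01-22 10:15:00 1rRo01-0001Ja-1C <= root@server.example U=root P=local S=900
2024-01-22 10:15:02 1rRo01-0001Ja-1C => admin@mailbox.example R=dkim_lookuphost T=dkim_remote_smtp H=mx.mailbox.example [192.0.2.10]
"""

# "date time message-id rest"; the ID pattern accepts old and new Exim ID lengths.
LINE = re.compile(r"^\S+ \S+ ([0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}) (.*)$")

def summarize(log_text):
    """Group log lines by message ID: envelope sender, frozen flag, deferred domains."""
    msgs = defaultdict(lambda: {"sender": None, "frozen": False, "deferred_to": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a message ID (connection notices and so on)
        msg_id, rest = m.groups()
        rec = msgs[msg_id]
        if rest.startswith("<= "):            # message arrival
            rec["sender"] = rest.split()[1]   # "<>" is the null sender used by bounces
        elif rest.startswith("== "):          # delivery deferred, will be retried
            rec["deferred_to"].add(rest.split()[1].rsplit("@", 1)[-1].lower())
        elif rest == "Message is frozen":     # queue runner skipped a frozen message
            rec["frozen"] = True
    return dict(msgs)

def deferred_domains(msgs):
    """Count messages with a deferred delivery, per destination domain."""
    return Counter(d for rec in msgs.values() for d in rec["deferred_to"])

def frozen_bounces(msgs):
    """IDs of frozen messages whose arrival line shows the null sender."""
    return sorted(i for i, rec in msgs.items() if rec["frozen"] and rec["sender"] == "<>")

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("deferred per domain:", dict(deferred_domains(summary)))
    print("frozen bounces:", frozen_bounces(summary))
```

A frozen ID with no arrival line in the file, like the second one in the sample, means the message arrived before the current log started and the rotated logs need to be searched too.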
