High SMTP traffic port 25/tcp
Hi guys,
I've just received an email from my hosting company:
> The level of SMTP traffic on port 25/tcp is unusually high and at this pace you will hit the limit soon and all connections on this port will be blocked until the next day. The most common explanation of such a spike in outgoing connections is that your server was hacked. If this is the case, we recommend reinstalling your server from scratch. If these connections are initiated by you on purpose, please reply to this email and let us know what the expected traffic volume is and we will adjust the limits accordingly.
I have 30 domains on that server and never had such notification.
Server details:
CentOS v7.9.2009 STANDARD kvm
cPanel 110.0.20
SMTP restriction is enabled.
Greylisting is Enabled.
Valid SPF & DKIM records setup for every domain
There are 2 problems:
- What I've noticed is some weird non-existent email addresses sending stuff (WHM > Greylisting), example:
  from: jameshookerieych@domain.com to: jameshookerieych@domain.com
- I also receive a lot of cPanel/WHM system emails daily. How can I tweak/reduce system emails? Today I received around 500 "Mail delivery failed: returning message to sender" messages in my Gmail spam folder. Mail statistics say:

Messages | Bytes | Average | Sending host
---|---|---|---
1474 | 3163KB | 2197 | local
Please help. Thanks in advance
-
Hello, milo695
It seems your server got compromised and someone had a DDOS attack on your server.
Refer to the below article to prevent DDOS attacks using CSF:
https://www.supportsages.com/configure-csf-prevent-ddos-attacks/
Also, if possible share the cat /var/log/exim_mainlog so we can check the exim logs and help you further.
1 -
I would prefer that you don't post a giant output of "cat /var/log/exim_mainlog" to the Forum. It will be huge, and full of personal information.
I also don't believe outgoing email is a "DDoS" type of attack.
I would recommend working through the guide here to see if you can determine the source of the messages:
https://support.cpanel.net/hc/en-us/articles/360052272514-How-to-find-the-source-of-spam-emails
1 -
LFD is part of the ConfigServer Firewall...you either need to fix the excessive resource usage or adjust the sensitivity of these alerts in the firewall.
Andrew N. - cPanel Plesk VMWare Certified Professional
Do you need immediate assistance? 20 minutes response time!*
EmergencySupport - Professional Server Management and One-time Services
1 -
Thanks, I've increased PT_USERMEM to 1024 and am monitoring now.
1 -
Thanks for this, how can I send you exim_mainlog?
0 -
99% of those messages are generated by the system and sent to the server admin email (my Gmail), containing:
lfd on server.domain.com: Excessive resource usage:
and then land in my Gmail spam folder. Sorry, I forgot to mention that CSF is generating them.
In Exim I have a lot of these:
2024-01-22 10:12:24 1rRnx8-0001Hr-0U Message is frozen
and several of these:
2024-01-22 06:08:09 1rRCS8-00049d-31 == 73612-1150-184615-15837-username=one_of_my_domains@mail.heartburnnomore.life R=dkim_lookuphost T=dkim_remote_smtp defer (-54): retry time not reached for any host for 'mail.heartburnnomore.life'
Can you help me recognise what those 2 are?
heartburnnomore.life is not my domain but it looks like it's trying to, well... trying something.
0 -
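As an added example (not from this thread and not cPanel's own tooling), a small POSIX shell script that summarises exim_mainlog lines like the two quoted above: it counts frozen messages, groups deferrals by the remote host Exim is retrying, and groups locally injected mail by the U= field (the cPanel account or system user that handed the message to Exim), which is what the "find the source of spam" guide linked earlier boils down to. The log lines it runs on are constructed, with hypothetical account names and domains.

```shell
#!/bin/sh
# Constructed sample of exim_mainlog lines in the format cPanel's Exim writes
# (hypothetical values, not taken from the post): "<=" is a message arriving
# in the queue, "==" is a deferred delivery, and "Message is frozen" means
# Exim stopped retrying (typically a bounce to a forged or dead sender).
SAMPLE_LOG='2024-01-22 06:08:09 1rRCS8-00049d-31 <= user1@example.com U=user1 P=local S=2197 T="hello"
2024-01-22 06:08:09 1rRCS8-00049d-31 == list-123@mail.hypothetical-remote.test R=dkim_lookuphost T=dkim_remote_smtp defer (-54): retry time not reached for any host for '\''mail.hypothetical-remote.test'\''
2024-01-22 10:12:24 1rRnx8-0001Hr-0U Message is frozen
2024-01-22 10:12:25 1rRnx9-0001Hs-0V <= <> R=1rRnx8-0001Hr-0U U=mailnull P=local S=3100 T="Mail delivery failed: returning message to sender"
2024-01-22 10:12:30 1rRnxA-0001Ht-0W <= user1@example.com U=user1 P=local S=2200 T="hello"
2024-01-22 10:12:31 1rRnxA-0001Ht-0W == list-456@mail.hypothetical-remote.test R=dkim_lookuphost T=dkim_remote_smtp defer (-54): retry time not reached for any host for '\''mail.hypothetical-remote.test'\''
2024-01-22 10:12:40 1rRnxB-0001Hu-0X <= cpanel@server.example.com U=root P=local S=900 T="lfd on server.example.com: Excessive resource usage"
2024-01-22 10:12:41 1rRnxB-0001Hu-0X Message is frozen'

# Number of frozen messages: a large count usually means bounces that cannot
# be returned because the original sender address was forged.
count_frozen() {
  printf '%s\n' "$SAMPLE_LOG" | grep -c 'Message is frozen'
}

# Deferred deliveries grouped by the remote host Exim is still retrying.
deferred_hosts() {
  printf '%s\n' "$SAMPLE_LOG" | grep ' == ' \
    | sed -n "s/.*for any host for '\([^']*\)'.*/\1/p" \
    | sort | uniq -c | sort -rn
}

# Locally injected mail (P=local) grouped by the U= field, i.e. the cPanel
# account or system user that handed the message to Exim. On a compromised
# server one account usually dominates this list.
local_senders() {
  printf '%s\n' "$SAMPLE_LOG" | grep ' <= ' | grep 'P=local' \
    | sed -n 's/.* U=\([^ ]*\) .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# On a real server, feed the functions /var/log/exim_mainlog instead of SAMPLE_LOG.
printf 'frozen messages: %s\n' "$(count_frozen)"
printf 'deferred by remote host:\n'; deferred_hosts
printf 'local senders by account:\n'; local_senders
```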