Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Plesk - Qmail - Thousands of Failure Notice Emails

[sirrox]

I searched this forum with no luck on finding how to stop this!

I run Plesk 9.3.0 on a GoDaddy Virtual Dedicated Server. I have had this VDS since 2001. Never had a problem with emails limits.

I only have 4 email accounts setup on this domain. Three of them are simply setup to autoforward to the users normal email. I have mine setup that gmail requests the mail from the server rather than auto forward.

I have been getting the "You have Reached the SMTP Limit on your Server of 3000" daily for a couple weeks. It happens usually within 8 hours of the daily limit being reset.

I checked my plesk mail queue and continually find "Failure Notice" emails in the queue. See attched pic.

==================================
The header info on the email when clicking it in plesk is:
Received: (qmail 3568 invoked by alias); 11 Feb 2010 08:27:49 -0800
Delivered-To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
Received: (qmail 3564 invoked for bounce); 11 Feb 2010 08:27:49 -0800
Date: 11 Feb 2010 08:27:49 -0800
From: MAILER-DAEMON@ip-XXX-XX-XXX-X.ip.secureserver.net
To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
Subject: failure notice
==================================

I then logged in via SSH and ran "find /var/qmail/queue -name XXXX | xargs cat | less " on one of the headers and this is what I get.

==================================
Received: (qmail 3561 invoked by alias); 11 Feb 2010 08:27:49 -0800
Delivered-To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
Received: (qmail 3557 invoked for bounce); 11 Feb 2010 08:27:49 -0800
Date: 11 Feb 2010 08:27:49 -0800
From: MAILER-DAEMON@ip-XXX-XX-XXX-X.ip.secureserver.net
To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
Subject: failure notice

Hi. This is the qmail-send program at ip-XXX-XX-XXX-X.ip.secureserver.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<admin@domain.com>:
64.202.189.86 failed after I sent the message.
Remote host said: 554 Message refused.

--- Below this line is a copy of the message.

Return-Path: <postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net>
Received: (qmail 3553 invoked by alias); 11 Feb 2010 08:27:48 -0800
Delivered-To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
Received: (qmail 3549 invoked for bounce); 11 Feb 2010 08:27:48 -0800
Date: 11 Feb 2010 08:27:48 -0800
From: MAILER-DAEMON@ip-XXX-XX-XXX-X.ip.secureserver.net
To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
Subject: failure notice

Hi. This is the qmail-send program at ip-XXX-XX-XXX-X.ip.secureserver.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<admin@domain.com>:
64.202.189.86 failed after I sent the message.
Remote host said: 554 Message refused.

--- Below this line is a copy of the message.

Return-Path: <postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net>
Received: (qmail 3510 invoked by alias); 11 Feb 2010 08:27:46 -0800
Delivered-To: postmaster@ip-XXX-XX-XXX-X.ip.secureserver.net
==================================

I have the following mail settings for my domain in plesk;
Mail to non-existent user set to "Reject"

I have the following server wide mail setting set in plesk;
Relaying set to 'authorization required' with SMTP checked.
Spam protection based on dns blackhole lists in enabled.
Use of only full IMAP/POP3 accounts names is allowed.

I recently last night added a SPF entry at my domain level;
v=spf1 a mx include: spf.secureserver.net include:aspmx.googlemail.com ~all

(I intentionally added a space in the "include: spf.sercureserver.net" as it was making a smiley face)

I would like to be able to reply to mail received on this domain from my Gmail account (iphone) and have it reply from the domain email address not my Gmail address. Hopefully I got the SPF header correct. I understand it will take up to 48 hours for this to become effective. I am hoping this would stop the spoofing if that is what it is.

PLEASE... what am I missing, how are these emails getting in! Are they beginning on my server or is it originating from somewhere else and they are spoofing my domain in there from section?

I run an online store, forum and have a web form based contact us that all use the mail server. I can't afford to fight with this any longer.

HELP!!

[atomicturtle]

Are all these messages bouncing to the same address, admin@domain.com? It could be a broken application doing that. Or is this a case where its different addresses all over the place? That would indicate to me that its a spammer exploiting a vulnerable web application, or weak SMTP password.

[Drew_Parallels]

Looks like we've just published a micro-update that deals with this problem. Just update your Plesk with the autoinstaller via CLI.

[NuPixel]

I'm experiencing the same issue, did you get yours fixed sirrox?