Plesk mail queue filled full with failure notice messages to strange addresses (qmail stuck, bounce back, reject)

Plesk mail queue filled full with FAILURE NOTICE messages to strang.
http://addshit.com/15/Plesk_mail_queue_filled_full_with_FAILURE_.

Not long ago we experienced a huge problem on our dedicated server hosted at GoDaddy with the Plesk 9.5 control panel installed. Please note that if you are hosted at GoDaddy with Plesk, the server has the qMail mail daemon installed by default, running on a Plesk-specific configuration.

First we received an automated email from GoDaddy stating that our SMTP limit of 1000 outgoing emails had been reached. The first thing we did was go to Plesk control panel -> Home -> Mail Server Settings -> Mail Queue. There we saw over 2500 emails, mostly FAILURE NOTICE emails to weird email addresses in different countries around the world - Germany, Canada, Russia, Ukraine, Cuba, Brazil, Thailand, etc. This had to be dealt with as soon as possible, because while the queue was full and our SMTP was turned off by GoDaddy, the clients hosted on our server were not able to send emails if they were using our SMTP server.

To find out where those FAILURE NOTICE emails are originating from, we need SSH access to the server with root privileges. Remember the outgoing "weird" address of one of the latest messages in your queue. As soon as you are logged in to the server as root, run:

    /var/qmail/bin/qmail-qread

This command lists brief information about every message currently in your mail queue. Now find the line with a "weird" email address; it should look like this:

    8 Nov 2010 11:23:33 GMT #11928049 1600 <> remote [email protected]

where #11928049 is the number of that message. Knowing that number, you will be able to see the full message with all headers. To do that, we first have to find the message. Enter:

    find /var/qmail/queue/mess/ -name 11928049

As a result you will get something like this:

    /var/qmail/queue/mess/19/11928049

That's the path to the message you're looking for. Now view it by entering:

    cat /var/qmail/queue/mess/19/11928049

You will see the whole message in your console, but what you really need is the top part of that message. Ours looked like this:

    Received: (qmail 23254 invoked for bounce); 8 Nov 2010 11:23:33 -0500
    Date: 8 Nov 2010 11:23:33 -0500
    From: [email protected]
    To: [email protected]
    Subject: failure notice

    Hi. This is the qmail-send program at ip-xxx-xxx-xxx-xxx.ip.secureserver.net.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    [email protected]:
    Mail quota exceeded.

    --- Below this line is a copy of the message.

Below that was our favourite viagra advertisement line. I'm not going to include it here; we only need the top part of that message. What that top part means is that a spammer sent his spam to our client's email address, and because the mailbox is full, the server has to bounce back with a message stating that. Since the sender address on spam is typically forged, the bounce goes to a stranger's address, which is why the queue fills up with mail to addresses we had never seen. But wait, we have SPAM protection on our server, don't we? Indeed we do. The problem is that although Plesk is an expensive product, it lacks the functionality it seems to have and for some reason is very, very buggy. Without confusing you any further, I will tell you how we solved that problem, so please read till the very end.
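
The manual steps above (qmail-qread, find, cat) can be scripted to show which local mailbox the queued bounces are about. This is an added example, not code from the original article; it assumes the standard qmail bounce layout, where each failed recipient appears as <address>: above the "--- Below this line" marker, and the script name bounce_tally.sh and all sample addresses are made up.

```shell
#!/usr/bin/env bash
# Added example, not the article's code: tally which local mailboxes the queued
# bounces are about. Real use, as root:
#   /var/qmail/bin/qmail-qread > /tmp/qread.txt
#   sh bounce_tally.sh /tmp/qread.txt /var/qmail/queue/mess

# Print the ids of queued messages whose envelope sender is the null sender "<>".
bounce_ids() {
    awk '$6 ~ /^#[0-9]+$/ && $8 == "<>" { print substr($6, 2) }'
}

# Print the failed recipient(s) named in one bounce; stop at the quoted original.
failed_recipients() {
    awk '/^--- Below this line is a copy of the message/ { exit }
         /^<[^>]+>:/ { sub(/^</, ""); sub(/>:.*$/, ""); print tolower($0) }' "$1"
}

# $1 = saved qmail-qread output, $2 = queue "mess" directory. Prints "count address".
tally_bounces() {
    bounce_ids < "$1" | while read -r id; do
        f=$(find "$2" -type f -name "$id" | head -n 1)
        if [ -n "$f" ]; then failed_recipients "$f"; fi
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample queue (not real data): two bounces for one full mailbox
# and one ordinary outgoing message.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/mess/19" "$d/mess/3"
    printf '%s\n' \
      '8 Nov 2010 11:23:33 GMT  #11928049  1600  <> ' \
      '  remote  someone@far-away.example' \
      '8 Nov 2010 11:24:10 GMT  #11928050  1580  <> ' \
      '  remote  other@elsewhere.example' \
      '8 Nov 2010 11:25:02 GMT  #11928051  900  <client@hosted.example> ' \
      '  remote  friend@partner.example' > "$d/qread.txt"
    for id in 19/11928049 3/11928050; do
        printf '%s\n' 'Received: (qmail 23254 invoked for bounce); 8 Nov 2010 11:23:33 -0500' \
          'Subject: failure notice' '' 'Hi. This is the qmail-send program.' '' \
          '<fullbox@hosted.example>:' 'Mail quota exceeded.' '' \
          '--- Below this line is a copy of the message.' '' \
          '<not-a-recipient@spam.example>: quoted text' > "$d/mess/$id"
    done
    printf 'Subject: hello\n\nordinary mail\n' > "$d/mess/3/11928051"
    echo "$d"
}

if [ "$#" -eq 2 ]; then tally_bounces "$1" "$2"
else s=$(make_sample); tally_bounces "$s/qread.txt" "$s/mess"; rm -rf "$s"; fi
```

A single mailbox at the top of the tally with a count close to the queue size points at the account whose spam filtering and quota need attention.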

Go to Mail Preferences in Plesk and make sure the following items are set as described below:

* Check the passwords for mailboxes in the dictionary - put a checkmark here. It will prevent your clients from changing their email passwords to something easy like "123123", "admin" and so on. It will prevent spammers from compromising any particular user account by bruteforcing or performing a dictionary attack on your SMTP server (if you have your relay open, but read more about smtp-relay below).

* Relaying - closed - close the relay!!! Here is the thing with GoDaddy dedicated servers with Plesk: even if you select "authorization is required" and check both POP3 (20 min) and SMTP, it will still let anyone telnet to either port 25 (SMTP) or port 465 (Secure SSL) of your server and send email messages WITHOUT ANY AUTHORIZATION! Anyone is going to be able to spam from your server! We have tested it and are 100% sure that spamming will be possible from both of those ports if you open the relay, and EVEN IF you require authentication, it will not ask for it. For some reason the smtp_auth module does not work with Plesk's qMail, although it is present on the server and supposedly is running. We sniffed all TCP packets coming through ports 25 and 465 and there was not a single authorization while the relay was open. Close it!

* Switch on SPF spam protection - put a checkmark here and from the drop-down below select Reject mail when SPF resolves to "fail" (deny). It will reject all incoming spam mail. In SPF Local Rules we have include:spf.trusted-forwarder.org

* At the very bottom select Only use of full POP3/IMAP mail accounts names is allowed - it will force the user to log in to his/her POP3 with the whole [email protected] login, instead of just user. It has to be checked!

Now go to White List on the Plesk Mail Server Settings page. The only thing that should be in the white list is the host address of your server, nothing else! Add 127.0.0.1 (it will appear as 127.0.0.1 /32).

Now last but not least, if you have SpamAssassin installed and running on your server, it does not mean it's actually working (thanks Plesk!). Remember the email of our client from the FAILURE NOTICE message above? Well, we checked several FAILURE NOTICE messages and ALL of them were bouncebacks from that same client. So we have to check his mailbox settings. In Plesk go to Domains -> ourclient.com -> Mail Accounts -> [email protected] -> Spam Filtering (where [email protected] is the mailbox which we found out was full and was generating FAILURE NOTICES). Switch the spam protection ON, put a score of 7.00 and add a checkmark near Delete spam mail when it comes to mailbox. Note: even if SpamAssassin is enabled server-wide, it does NOT work unless you enable it for a specific user (well, it did not work for us anyway; maybe you will have better luck). Also, make sure that for every domain you are hosting, in Mail Accounts -> Mail Settings you select Reject near Mail to nonexistent user (it did not help our situation at all though; the mail still gets bounced back for some Plesk-weird reason).

That is all. We removed all FAILURE NOTICE messages from the queue (you can do it with qmHandle -Sfailure) and on the next day the queue cleared and valid messages started getting through. You can also add this line to your crontab if you would like to remove FAILURE NOTICE messages from the mail queue every minute until you solve the situation:

    0-59 * * * * qmHandle -Sfailure >/dev/null 2>&1

Plesk's implementation of qMail is horrible. Although we updated to the latest version of Plesk (Plesk 9.5.3 at the moment of writing the article) and qMail (Oct 21, 2010 version), weird problems like the one in this article are still present, so as a next step I suggest you switch to the postfix mail server. It can be done within Plesk and all settings should get transferred from qMail to postfix. But I guess that's for you to find out :) Next I will add more info on how to capture packets to inspect the traffic going through specific ports on your server.

PS: to find out the quality of Parallels technical support, visit this thread -
http://forum.parallels.com/showthread.php?p=427395 (regarding the Relay
issue)
Posted: 2010-11-08 10:38:17

Source: http://knowledge.webfusion.it/wp-content/uploads/2013/10/Plesk-mail-queue-filled-full-with-FAILURE-NOTICE-messages-to-strange-addresses-qmail-stuck-bounce-back-reject.pdf
