Cyber Attack Mail Server, RSPAMD monitor

aaPanel_Kern I am getting attacks too, even causing my server to go 503 several times and filling up my drives with files as well...

    aaPanel_Kern
    Yes, that's right. They send and receive using email@domain.com with a different IP and not legal,
    but our email rejected it.
    Are they just trying to attack or have they already gained access to our SMTP Email?

      Hello, do you have more information or screenshots? Is the service running properly?

      TheWormsUnited

      Hello, different systems record different files.
      Debian/Ubuntu:
      /var/log/mail.log

      CentOS:
      /var/log/maillog

      feyputra

        aaPanel_Kern I searched for December 29 - 31 but couldn't find it. But other dates exist. I forgot to turn off the SSH and turn off the SSH port. Today I changed my SSH password, email and others. and it looks like we will upgrade the service to the PRO version

          Are there no corresponding information in other files? Are you searching for an email address or something?

          feyputra

            11 days later

            Hello, do you have this user on your server? How are the SPF records and DMARC records of your domain name configured?

            feyputra

              aaPanel_Kern
              What is a user's mailbox? Yes, here,
              but the IP list is not from us.
              Yes, I have configured:

              It is recommended that you check whether your password has been leaked? Have you changed your password?

              feyputra

                aaPanel_Kern Just last week we changed the password.
                We tried changing the password again. Does it have an effect on the relay? Previously we used a relay and it leaked, but we are currently no longer using it.


                  Hello, can you refer to DNS records to configure SPF records?
                  It is recommended that you change your password again

                  aaP_it.bpr

                  feyputra

                    aaPanel_Kern

                    There is no IP configuration there. I see, the configuration is not the same as yours.

                    aaPanel_Kern And I have logs
                    Jan 14 09:15:10 bprmajalengka postfix/cleanup[1104102]: 01E507EE58: milter-reject: END-OF-MESSAGE from unknown[45.182.215.67]: 5.7.1 Spam message rejected; from=admin@bprmajalengka.com to=admin@bprmajalengka.com proto=ESMTP helo=<ip-45-182-215-67.network.swlink.com.br>
                    Jan 14 09:15:11 bprmajalengka postfix/smtpd[1104098]: disconnect from unknown[45.182.215.67] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4
                    Jan 14 09:15:13 bprmajalengka postfix/smtpd[1104098]: warning: hostname ip-45-182-215-67.network.swlink.com.br does not resolve to address 45.182.215.67
                    Jan 14 09:15:13 bprmajalengka postfix/smtpd[1104098]: connect from unknown[45.182.215.67]
                    Jan 14 09:15:15 bprmajalengka postfix/smtpd[1104098]: A329A7EE58: client=unknown[45.182.215.67]
                    Jan 14 09:15:17 bprmajalengka postfix/cleanup[1104102]: A329A7EE58: message-id=67859E63.2000703@bprmajalengka.com
                    Jan 14 09:15:19 bprmajalengka postfix/cleanup[1104102]: A329A7EE58: milter-reject: END-OF-MESSAGE from unknown[45.182.215.67]: 5.7.1 Spam message rejected; from=admin@bprmajalengka.com to=admin@bprmajalengka.com proto=ESMTP helo=<ip-45-182-215-67.network.swlink.com.br>
                    Jan 14 09:15:21 bprmajalengka postfix/smtpd[1104098]: disconnect from unknown[45.182.215.67] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4
                    Jan 14 09:15:23 bprmajalengka postfix/smtpd[1104098]: warning: hostname ip-45-182-215-67.network.swlink.com.br does not resolve to address 45.182.215.67
                    Jan 14 09:15:23 bprmajalengka postfix/smtpd[1104098]: connect from unknown[45.182.215.67]
                    Jan 14 09:15:24 bprmajalengka postfix/smtpd[1104098]: 1AF3A7EE58: client=unknown[45.182.215.67]
                    Jan 14 09:15:25 bprmajalengka postfix/cleanup[1104102]: 1AF3A7EE58: message-id=67859E6E.4000805@bprmajalengka.com
                    Jan 14 09:15:27 bprmajalengka postfix/cleanup[1104102]: 1AF3A7EE58: milter-reject: END-OF-MESSAGE from unknown[45.182.215.67]: 5.7.1 Spam message rejected; from=admin@bprmajalengka.com to=admin@bprmajalengka.com proto=ESMTP helo=<ip-45-182-215-67.network.swlink.com.br>
                    Jan 14 09:15:28 bprmajalengka postfix/smtpd[1104098]: disconnect from unknown[45.182.215.67] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4
                    Jan 14 09:15:30 bprmajalengka postfix/smtpd[1104098]: warning: hostname ip-45-182-215-67.network.swlink.com.br does not resolve to address 45.182.215.67
                    Jan 14 09:15:30 bprmajalengka postfix/smtpd[1104098]: connect from unknown[45.182.215.67]
                    Jan 14 09:15:30 bprmajalengka postfix/smtpd[1104098]: DAF647EE6A: client=unknown[45.182.215.67]
                    Jan 14 09:15:31 bprmajalengka postfix/cleanup[1104102]: DAF647EE6A: message-id=67859E74.8010800@bprmajalengka.com
                    Jan 14 09:15:34 bprmajalengka postfix/cleanup[1104102]: DAF647EE6A: milter-reject: END-OF-MESSAGE from unknown[45.182.215.67]: 5.7.1 Spam message rejected; from=admin@bprmajalengka.com to=admin@bprmajalengka.com proto=ESMTP helo=<ip-45-182-215-67.network.swlink.com.br>
                    Jan 14 09:15:34 bprmajalengka postfix/smtpd[1104098]: disconnect from unknown[45.182.215.67] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4

                    Is it better to reinstall? Luckily this Mail Server is separate and isolated from our main system
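
Added example, not part of the original thread: whether a sender only forged the address or actually logged in can be read from the Postfix log, because an authenticated submission carries `sasl_username=` on the `client=` line and an `auth=` counter on the `disconnect` line. The sketch assumes short hexadecimal queue IDs; the sample log, `example.com` and the `classify` helper are constructed for illustration.

```python
import re

# Constructed sample in Postfix syslog format (documentation IPs, example.com).
SAMPLE_LOG = """\
Jan 14 09:15:13 mx postfix/smtpd[1001]: connect from unknown[203.0.113.7]
Jan 14 09:15:15 mx postfix/smtpd[1001]: A329A7EE58: client=unknown[203.0.113.7]
Jan 14 09:15:19 mx postfix/cleanup[1002]: A329A7EE58: milter-reject: END-OF-MESSAGE from unknown[203.0.113.7]: 5.7.1 Spam message rejected; from=<admin@example.com> to=<admin@example.com> proto=ESMTP helo=<host.invalid>
Jan 14 09:15:21 mx postfix/smtpd[1001]: disconnect from unknown[203.0.113.7] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4
Jan 14 10:02:01 mx postfix/smtpd[1003]: connect from unknown[198.51.100.9]
Jan 14 10:02:02 mx postfix/smtpd[1003]: B111111111: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=admin@example.com
Jan 14 10:02:03 mx postfix/qmgr[900]: B111111111: from=<admin@example.com>, size=2048, nrcpt=40 (queue active)
Jan 14 10:02:05 mx postfix/smtpd[1003]: disconnect from unknown[198.51.100.9] ehlo=1 auth=1 mail=1 rcpt=40 data=1 quit=1 commands=45
"""

CLIENT = re.compile(r"smtpd\[\d+\]: ([0-9A-F]+): client=\S+?\[([^\]]+)\]"
                    r"(?:, sasl_method=\S+, sasl_username=(\S+))?")
REJECT = re.compile(r": ([0-9A-F]+): milter-reject: .*? from=<?([^\s>]*)")
QUEUED = re.compile(r"qmgr\[\d+\]: ([0-9A-F]+): from=<?([^\s>,]*)")

def classify(log_text, own_domain):
    """Return {queue_id: (client_ip, verdict)} for mail claiming own_domain."""
    seen, result = {}, {}
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            seen[m.group(1)] = (m.group(2), m.group(3))  # ip, SASL login or None
            continue
        m, rejected = REJECT.search(line), True
        if not m:
            m, rejected = QUEUED.search(line), False
        if not m or m.group(1) not in seen:
            continue
        ip, sasl_user = seen[m.group(1)]
        if not m.group(2).lower().endswith("@" + own_domain):
            continue  # sender does not claim our domain
        if sasl_user:
            verdict = "authenticated as " + sasl_user  # credentials were used
        elif rejected:
            verdict = "unauthenticated spoof, rejected"
        else:
            verdict = "unauthenticated, accepted"  # review mynetworks / relay rules
        result[m.group(1)] = (ip, verdict)
    return result

if __name__ == "__main__":
    for qid, (ip, verdict) in classify(SAMPLE_LOG, "example.com").items():
        print(qid, ip, verdict)
```

In the log lines posted above, the `client=` entries carry no `sasl_username=` and the `disconnect` entries show `ehlo=1 mail=1 rcpt=1 data=0/1` with no `auth=` counter, which is the pattern this helper labels as an unauthenticated, rejected spoof.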