[SOLVED] Spam Being Sent Thru Server - Help Needed!
Per another thread I started, I have found that SPAM is being sent through my Zimbra server. In the past two days two of my Zimbra accounts, both of which I personally know the account owner, have had occurances of an email being sent to 50 recipients throughout the day.
I know the account owners are not sending the SPAM. The server is a per-the-instructions Zimbra install with nothing else on the server - it is a Zimbra mail-only server. Both accounts also do not use Outlook or the Outlook connector, both accounts only utilize the web-client to access their accounts.
In trying to get a handle on the emails being sent, I have:
(1) Attempted to have the individuals change their password - the SPAM emails are still being sent.
(2) I have turned off "locked" their accounts - the SPAM emails are still being sent.
(3) I changed the postfix smtpd_recipient_limit to 49, being the emails are being sent to 50 recipients - regardless the emails are still being sent to 50 users.
These users actually SEE THE EMAILS in their Sent Folder. Further, all of the recipients to which these emails have been sent are now in the users "Emailed Contacts" list. In my mind this would show that the culprit is actually connecting to Zimbra as the user.
I have been trying to troubleshoot this or find a stop-gap for 9 hours now. I find this rather alarming and a serious issue that I want to get stopped - I hate SPAM! I have even opened a support ticket through Zimbra being I am a Network customer - I am willing to pay the cost of a support ticket for help; however, their SLA is 48 hours and I have not yet heard anything from them.
Can anyone offer any suggestions?
Here is a portion of the zimbra.log during a send from this occurance. I have removed my servername and the from email address:
Aug 23 10:01:44 postfix/smtpd: 863D638CC51F: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:46 postfix/cleanup: 863D638CC51F: message-id=<9660788.17891187881267810.JavaMail.root@SERVER NAME-HERE>
Aug 23 10:01:48 postfix/qmgr: 863D638CC51F: from=<EMAIL-ADDRESS-HERE>, size=4747, nrcpt=50 (queue active)
It would appear that the emails are coming from a process on the local machine. The server is a Redhat RHEL4 Server with all patches up to date.
Doing a ps -ef, the only "suspicious" processes I see are:
However, I am by no means an expert on the processes which should be running for a Zimbra install.
Any help is greatly appreciated.