
Thread: [SOLVED] Spam Being Sent Thru Server - Help Needed!

  1. #1

    Per another thread I started, I have found that SPAM is being sent through my Zimbra server. In the past two days two of my Zimbra accounts, both of whose owners I personally know, have had occurrences of an email being sent to 50 recipients throughout the day.

    I know the account owners are not sending the SPAM. The server is a per-the-instructions Zimbra install with nothing else on the server - it is a Zimbra mail-only server. Both accounts also do not use Outlook or the Outlook connector; both accounts only utilize the web-client to access their accounts.

    In trying to get a handle on the emails being sent, I have:

    (1) Attempted to have the individuals change their password - the SPAM emails are still being sent.
    (2) I have turned off ("locked") their accounts - the SPAM emails are still being sent.
    (3) I changed the postfix smtpd_recipient_limit to 49, being the emails are being sent to 50 recipients - regardless, the emails are still being sent to 50 users.

    These users actually SEE THE EMAILS in their Sent Folder. Further, all of the recipients to which these emails have been sent are now in the users' "Emailed Contacts" list. In my mind this would show that the culprit is actually connecting to Zimbra as the user.

    I have been trying to troubleshoot this or find a stop-gap for 9 hours now. I find this rather alarming and a serious issue that I want to get stopped - I hate SPAM! I have even opened a support ticket through Zimbra being I am a Network customer - I am willing to pay the cost of a support ticket for help; however, their SLA is 48 hours and I have not yet heard anything from them.

    Can anyone offer any suggestions?

    Here is a portion of the zimbra.log during a send from this occurrence. I have removed my servername and the from email address:

    Aug 23 10:01:44 postfix/smtpd[30658]: 863D638CC51F: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:01:46 postfix/cleanup[30814]: 863D638CC51F: message-id=<9660788.17891187881267810.JavaMail.root@SERVER NAME-HERE>
    Aug 23 10:01:48 postfix/qmgr[27904]: 863D638CC51F: from=<EMAIL-ADDRESS-HERE>, size=4747, nrcpt=50 (queue active)

    It would appear that the emails are coming from a process on the local machine. The server is a Redhat RHEL4 Server with all patches up to date.

    Doing a ps -ef, the only "suspicious" processes I see are:

    /usr/bin/perl /tmp/.swatch_script.xxxx

    However, I am by no means an expert on the processes which should be running for a Zimbra install.

    Any help is greatly appreciated.

  2. #2

    As a bit of additional info, this server and the Zimbra license were both purchased and placed into production on Aug 6th, 2007 - so this is a new server which has not been used too long. Further, before launching it live, I had a couple of services perform port scans and open-relay checks - nothing was found.

  3. #3

    Can you post the whole log?

    Also, you may wish to look in /opt/zimbra/log/audit.log for any logins.

  4. #4

    Posting the whole log would be huge, it is currently at 15MB; however, here is the first instance of the SPAM being sent through one of the accounts:

    Aug 23 10:01:08 postfix/smtpd[24759]: connect from <MY-SERVERNAME-HERE>
    Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=<MY-SERVERNAME-HERE>
    Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
    Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<USERNAME-HERE>, size=4108, nrcpt=503 (queue active)
    Aug 23 10:01:09 postfix/smtpd[24759]: disconnect from <MY-SERVERNAME-HERE>
    Aug 23 10:01:11 postfix/smtpd[29788]: connect from localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/smtpd[30658]: connect from localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
    Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<USERNAME-HERE>, size=4747, nrcpt=50 (queue active)
    Aug 23 10:01:13 postfix/smtpd[29788]: disconnect from localhost.localdomain[127.0.0.1]


    I replaced my actual server name with "MY-SERVERNAME-HERE" and the users account with "USERNAME-HERE".

    I will check the audit.log and post what I find there too.

    Let me know if there is more of the zimbra.log you would like to see.

  5. #5

    I found a couple of questionable entries in the audit log. Specifically, connections showing the user agent as Opera for a user who I KNOW does not use Opera. However, as stated, I had this user change their password, then I locked their account, and I have restarted Zimbra via zmcontrol stop - zmcontrol start; and the occurrences of

    Aug 23 10:23:39 postfix/smtpd[8466]: 79AFA38CC510: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:23:40 postfix/cleanup[8467]: 79AFA38CC510: message-id=<14619962.18031187882614894.JavaMail.root@server.domain.net>
    Aug 23 10:23:41 postfix/qmgr[27904]: 79AFA38CC510: from=<user@domain.net>, size=2604, nrcpt=50 (queue active)

    Aug 23 10:23:41 amavis[30718]: (30718-04) ...user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, BODY=8BITMIME 250 2.6.0 Ok, id=30718-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 79AFA38CC510

    Aug 23 10:23:42 amavis[30718]: (30718-04) ...<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, Message-ID: <14619962.18031187882614894.JavaMail.root@server.domain.net>, mail_id: oK5FMW07jrVP, Hits: -3.252, queued_as: 79AFA38CC510, 5452 ms

    Aug 23 10:23:41 postfix/smtp[8523]: 79AFA38CC510: to=<user@domain.com>, relay=mx.mailanyone.net[208.70.128.223], delay=2, status=sent (250 OK id=1IOEbo-0000SM-6B)

    Aug 23 10:23:42 postfix/smtp[8517]: 79AFA38CC510: to=<user@domain.com>, relay=mail.xecu.net[216.127.136.211], delay=3, status=sent (250 2.0.0 Ok: queued as 8EA4576A5F3)

    .
    .
    .

    ..more...

    keep happening, even with a locked account, AND I have changed the Postfix policy to limit recipients to 49.
    Last edited by msf004; 08-24-2007 at 12:31 AM. Reason: hide email addresses
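An added example, not from this thread and not Zimbra's own tooling: a small Python script that does mechanically what posts #1, #3 and #5 describe by hand. It folds the postfix smtpd/cleanup/qmgr lines for each queue id into one record, flags messages that were accepted from a local client with nrcpt at or above a threshold (collapsing the second queue id a message gets when it is re-injected after content filtering, so the same mail is not counted twice), and then lists the audit.log Auth events for the sending account in the half hour before the submission, with their source ip and user agent. The sample log lines are constructed, the server address 10.0.0.5, the year 2007 passed to the parser, and the `ua=` field inside the bracketed audit context are assumptions; check the bracketed context of your own audit.log before relying on that field name. Needs Python 3.8 or later.

```python
import re
from datetime import datetime, timedelta

# postfix side (zimbra.log); the hostname after the timestamp is optional because the excerpts in the thread lack it
PF_LINE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?: \S+)? '
                     r'postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$')
PF_CLIENT = re.compile(r'client=[^\[\s]+\[(?P<ip>[^\]]+)\]')
PF_MSGID = re.compile(r'message-id=<(?P<msgid>[^>]*)>')
PF_FROM = re.compile(r'from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)')
# Zimbra audit.log side: "<ts>,ms LEVEL [thread] [k=v;k=v;] security - k=v; k=v;"
AUDIT_LINE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \w+ \[[^\]]*\] '
                        r'\[(?P<ctx>[^\]]*)\] security - (?P<body>.*)$')


def parse_postfix(lines, year):
    """Fold the smtpd/cleanup/qmgr lines of each queue id into one record.
    The caller supplies the year because syslog timestamps carry none."""
    queue = {}
    for line in lines:
        m = PF_LINE.match(line)
        if not m:                      # connect/disconnect lines have no queue id
            continue
        rec, rest = queue.setdefault(m['qid'], {'qid': m['qid']}), m['rest']
        if m['proc'] == 'smtpd' and (c := PF_CLIENT.search(rest)):
            rec['ts'] = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
            rec['client_ip'] = c['ip']
        elif m['proc'] == 'cleanup' and (c := PF_MSGID.search(rest)):
            rec['msgid'] = c['msgid']
        elif m['proc'] == 'qmgr' and (c := PF_FROM.search(rest)):
            rec['sender'], rec['nrcpt'] = c['sender'].lower(), int(c['nrcpt'])
    return queue


def flag_bulk_submissions(queue, threshold=50, local_ips=('127.0.0.1',)):
    """Mail accepted from a local client with nrcpt >= threshold, one hit per
    Message-ID: a message re-injected after content filtering gets a second
    queue id with the same Message-ID, so keep only the largest nrcpt seen."""
    best = {}
    for rec in queue.values():
        if (rec.get('client_ip') not in local_ips or 'ts' not in rec
                or rec.get('nrcpt', 0) < threshold):
            continue
        key = rec.get('msgid', rec['qid'])
        if key not in best or rec['nrcpt'] > best[key]['nrcpt']:
            best[key] = rec
    return sorted(best.values(), key=lambda r: r['ts'])


def _kv(text):
    pairs = (p.split('=', 1) for p in text.split(';') if '=' in p)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_audit(lines):
    events = []
    for line in lines:
        if m := AUDIT_LINE.match(line):
            ev = {**_kv(m['ctx']), **_kv(m['body'])}
            ev['ts'] = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
            events.append(ev)
    return events


def correlate(flagged, audit_events, window=timedelta(minutes=30)):
    """For each flagged submission, the Auth events of the sending account in
    the preceding window, with their source ip and user agent (ua)."""
    report = []
    for sub in flagged:
        logins = [{'ts': e['ts'], 'ip': e.get('ip'), 'ua': e.get('ua')}
                  for e in audit_events
                  if e.get('cmd') == 'Auth'
                  and e.get('account', '').lower() == sub['sender']
                  and sub['ts'] - window <= e['ts'] <= sub['ts']]
        report.append({'ts': sub['ts'], 'sender': sub['sender'],
                       'nrcpt': sub['nrcpt'], 'logins': logins})
    return report


# Constructed sample, not real logs: one bulk message accepted from the server's own
# (assumed) address 10.0.0.5 and again from 127.0.0.1 after filtering, plus one inbound message.
SAMPLE_POSTFIX = """\
Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=mail.example.test[10.0.0.5]
Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.1789.JavaMail.root@mail.example.test>
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<alice@example.test>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.1789.JavaMail.root@mail.example.test>
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<alice@example.test>, size=4747, nrcpt=50 (queue active)
Aug 23 10:07:40 postfix/smtpd[30002]: CCC2238CC600: client=smtp.partner.test[203.0.113.9]
Aug 23 10:07:41 postfix/qmgr[27904]: CCC2238CC600: from=<carol@partner.test>, size=12000, nrcpt=80 (queue active)
""".splitlines()
# Constructed audit lines; the ua= field in the bracketed context is an assumption, verify it against your audit.log
SAMPLE_AUDIT = """\
2007-08-23 09:40:02,555 INFO [btpool0-7] [name=alice@example.test;ip=192.0.2.10;ua=zclient/4.5.6;] security - cmd=Auth; account=alice@example.test; protocol=soap;
2007-08-23 09:58:30,101 INFO [btpool0-12] [name=alice@example.test;ip=198.51.100.23;ua=Opera/9.22;] security - cmd=Auth; account=alice@example.test; protocol=soap;
2007-08-24 01:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
""".splitlines()


def run_sample():
    queue = parse_postfix(SAMPLE_POSTFIX, year=2007)
    flagged = flag_bulk_submissions(queue, 50, local_ips=('127.0.0.1', '10.0.0.5'))
    return correlate(flagged, parse_audit(SAMPLE_AUDIT))


if __name__ == '__main__':
    for hit in run_sample():
        print(hit['ts'], hit['sender'], 'nrcpt=%d' % hit['nrcpt'], hit['logins'])
```

On the sample the script reports a single hit for alice (nrcpt=503, the re-injected copy with nrcpt=50 is folded into it) and two logins for that account in the preceding half hour, one from a zclient user agent and one from Opera; the inbound message from the partner host is ignored because it did not come from a local client. For a real run, feed it `/var/log/zimbra.log` and `/opt/zimbra/log/audit.log`, put the mailbox server's own address in `local_ips`, and pick the threshold to match the recipient count you are seeing.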

  6. #6

    I am seeing entries like this in the audit.log:

    2007-08-24 01:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
    2007-08-24 01:00:04,926 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;


    Is that normal?
