
Thread: Spam being sent from localhost and strange domain

  1. #1
    Join Date
    Oct 2009
    Posts
    29
    Rep Power
    6

    Default Spam being sent from localhost and strange domain

    I've been watching my Mail Queues, and I have 199 messages being sent to random verizon.net addresses which are being blocked with the error

    "Verizon.net refused to talk to me: 571 email from ........ is currently blocked by verizon online's anti-spam system. the email sender or email service provider may visit........ and request removal of the block."

    The messages are all coming from Sender domain of "mail.nu" with an Origin IP of "127.0.0.1" so it seems to be coming from my mail server, but "mail.nu" is not my domain.

    I'm 100% sure these messages are spam, so I'm not going to request a whitelist add from Verizon until I get it fixed...how can I figure out how it's using my mail server to send it? Thanks in advance for any help you can give.
    Last edited by alapierre; 01-21-2010 at 08:35 AM.

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    Make sure you are not an open relay :- Email Server Test - Online SMTP diagnostics tool - MxToolbox plus check /var/log/zimbra.log to see exactly where the email came from. You can also check /opt/zimbra/log/audit.log and mailbox.log for potentially compromised accounts.

  3. #3
    Join Date
    Oct 2009
    Posts
    29
    Rep Power
    6

    Default

    The server passed the openrelay tests. In zimbra.log there are a bunch of lines like this...

    Code:
    Jan 25 08:33:43 mail postfix/qmgr[23711]: E489BC89567: from=<eBay@mail.nu>, size=8075, nrcpt=50 (queue active)
    Jan 25 08:33:43 mail postfix/qmgr[23711]: E02CAC896CA: from=<aw-confirm@mail.nu>, size=8059, nrcpt=50 (queue active)
    Jan 25 08:33:43 mail postfix/qmgr[23711]: E661EC89735: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:43 mail postfix/qmgr[23711]: E5735C896B5: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:43 mail postfix/qmgr[23711]: E466CC8974C: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:43 mail postfix/qmgr[23711]: E9065C892F2: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: E8FF2C8977D: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: EACA3C89502: from=<eBay@mail.nu>, size=8064, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 73E67C89257: from=<eBay@mail.nu>, size=8064, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 7F5F1C8964C: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 7274DC8929E: from=<aw-confirm@mail.nu>, size=8059, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 7C786C89694: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 7BE50C8949D: from=<eBay@mail.nu>, size=8075, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 70E68C8960E: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 7E737C8972D: from=<aw-confirm@mail.nu>, size=8055, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 77440C89686: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 71567C896B2: from=<aw-confirm@mail.nu>, size=8055, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 7DBB5C8956A: from=<eBay@mail.nu>, size=8075, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 788D2C89710: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 0D38AC896AF: from=<aw-confirm@mail.nu>, size=8059, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 0DC23C891D4: from=<eBay@mail.nu>, size=8064, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 0E5B9C897A9: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    Jan 25 08:33:44 mail postfix/smtp[24813]: connect to lycos.co.uk[209.202.254.14]: Connection refused (port 25)
    Jan 25 08:33:44 mail postfix/qmgr[23711]: 0201DC89635: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
    I'm not sure how to tell where it is coming from...

    The audit.log file seems relatively clean. There were a few authentication fails, but not many. A lot of activity, but from many different users, probably all valid. I'm not sure exactly what to look for. Thanks for your help.

  4. #4
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    It looks like backscatter to me so search the forums for that word.

  5. #5
    Join Date
    Dec 2009
    Posts
    5
    Rep Power
    5

    Default Same Issue

    I have the same issue and can't understand why!

    I'm not an open relay... here's my log:

    Code:
    Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jstguy@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
    Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthalman@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
    Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jstheduke@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
    Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthngin@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
    Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthomas99@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
    Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthompson@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)

  6. #6
    Join Date
    Feb 2007
    Location
    Portland, OR
    Posts
    1,147
    Rep Power
    10

    Default

    nicola, if your server is passing the open relay tests, then you probably have a compromised account, or your MTA trusted networks are too permissive and an infected machine on your network is using your server to relay messages.

    Try forcing a password change for all users and checking your MTA trusted networks.

  7. #7
    Join Date
    Nov 2008
    Location
    Mumbai
    Posts
    193
    Rep Power
    6

    Default

    It seems that your network or system is hit by backscatter. The same problem I faced a few weeks ago.
