
Thread: Spam relay via Zimbra

  1. #1
    Join Date
    Nov 2008
    Posts
    7
    Rep Power
    7

    Spam relay via Zimbra

    Hi, for nearly a month my ZCS server has been sending a lot of mail from yahoo.de and hotmail.de to other hotmail or yahoo mail addresses.
    Yesterday there were nearly 5000 mails queued.

    Here is the log

    Jan 24 08:55:49 ******34 postfix/smtpd[10993]: connect from mail.pca.com[208.179.88.50]
    Jan 24 08:55:50 ******34 postfix/smtpd[10993]: lost connection after EHLO from mail.pca.com[208.179.88.50]
    Jan 24 08:55:50 ******34 postfix/smtpd[10993]: disconnect from mail.pca.com[208.179.88.50]
    Jan 24 08:55:50 ******34 postfix/smtpd[15781]: connect from mail.pca.com[208.179.88.50]
    Jan 24 08:55:50 ******34 postfix/smtpd[11002]: lost connection after EHLO from host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82]
    Jan 24 08:55:50 ******34 postfix/smtpd[11002]: disconnect from host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82]
    Jan 24 08:55:51 ******34 postfix/smtpd[15781]: setting up TLS connection from mail.pca.com[208.179.88.50]
    Jan 24 08:55:51 ******34 postfix/smtpd[15781]: Anonymous TLS connection established from mail.pca.com[208.179.88.50]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Jan 24 08:55:52 ******34 postfix/smtpd[10993]: connect from host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82]
    Jan 24 08:55:52 ******34 postfix/smtpd[15781]: 96C8FD1802A: client=mail.pca.com[208.179.88.50], sasl_method=PLAIN, sasl_username=test
    Jan 24 08:55:53 ******34 postfix/cleanup[14255]: 96C8FD1802A: message-id=<20100124075552.96C8FD1802A@******34.com>
    Jan 24 08:55:53 ******34 postfix/qmgr[5957]: 96C8FD1802A: from=<webbanke102r@cua.com.au>, size=2685, nrcpt=1 (queue active)
    Jan 24 08:55:53 ******34 postfix/smtpd[15781]: disconnect from mail.pca.com[208.179.88.50]
    Jan 24 08:55:53 ******34 postfix/smtpd[5765]: connect from localhost.localdomain[127.0.0.1]
    Jan 24 08:55:53 ******34 postfix/smtpd[5765]: 6B25ED1802E: client=localhost.localdomain[127.0.0.1]
    Jan 24 08:55:53 ******34 postfix/cleanup[14255]: 6B25ED1802E: message-id=<20100124075552.96C8FD1802A@******34.com>
    Jan 24 08:55:53 ******34 postfix/qmgr[5957]: 6B25ED1802E: from=<webbanke102r@cua.com.au>, size=3141, nrcpt=1 (queue active)
    Jan 24 08:55:53 ******34 postfix/smtp[18494]: 96C8FD1802A: to=<goldfinger737@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.73/0/0/0.35, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=08364-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6B25ED1802E)
    Jan 24 08:55:53 ******34 postfix/qmgr[5957]: 96C8FD1802A: removed
    Jan 24 08:55:53 ******34 postfix/smtpd[5765]: disconnect from localhost.localdomain[127.0.0.1]
    Jan 24 08:55:53 ******34 postfix/smtp[16854]: 6B25ED1802E: to=<goldfinger737@hotmail.com>, relay=smtp.free.fr[212.27.48.4]:25, delay=0.1, delays=0.01/0.01/0.07/0, dsn=4.7.0, status=deferred (host smtp.free.fr[212.27.48.4] refused to talk to me: 421 4.7.0 smtp3-g21.free.fr Error: too many connections from 78.***.***.***)

    Please help me, I'm forced to delete mails manually...

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25


    Welcome to the forums

    Please check Email Server Test - Online SMTP diagnostics tool - MxToolbox to see whether you are an open relay or not.

  3. #3
    Join Date
    Nov 2008
    Posts
    7
    Rep Power
    7


    Thanks,

    But my server is not an open spam relay...
    Do you know what else can do this?

  4. #4
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25


    One of your accounts may have been compromised. Are you running Apache on your ZCS server as well?

  5. #5
    Join Date
    Nov 2008
    Posts
    7
    Rep Power
    7


    Hi, thanks, I deleted a "test" account with a simple password, I hope it was this... I'll see.
    But I don't have an Apache server running, why this question?

  6. #6
    Join Date
    Nov 2005
    Location
    UK
    Posts
    117
    Rep Power
    10

    I have the same issue. How can I tell which account has been compromised?

    Hi

    I have a Zimbra server version 5.0.6 on CentOS.

    This has been working well for some years, however I am getting thousands of spam mails sent through the system; these state they come from one hotmail.com account, and in the mail.log it says the mail was from 127.0.0.1.

    How can I find which mail account has been compromised, or which of the listed IP ranges the compromise is coming from?

    Currently I run a script to constantly delete anything from the mail queue containing that email address, but this is not the answer.

    I have tested and it does not appear to be an open relay

    Thanks

  7. #7
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25


    If you check the headers of one of the emails and look at X-Originating-IP you should then be able to scan /opt/zimbra/log/audit.log to see which account that IP accessed.
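    X-Originating-IP is only there when the sending path adds it. For mail submitted over SMTP AUTH, as in the log in post #1, the account name is already in the smtpd "client=" line (96C8FD1802A: client=mail.pca.com[208.179.88.50], sasl_method=PLAIN, sasl_username=test), while the copy that amavisd hands back on 127.0.0.1 (6B25ED1802E, same message-id) carries no sasl_username, which is why a log view that only shows 127.0.0.1 is misleading. The shell functions below are an added example for this thread, not a script from the thread or from Zimbra: they tally authenticated submissions per sasl_username and per distinct client IP, so the mailbox pushing mail from many unrelated addresses stands out. They assume the standard Postfix smtpd log layout shown in post #1; the sample log lines are constructed (the "mx" host, the 10.0.0.5 and 192.0.2.10 clients and the "alice" account are made up, the rest is taken from the thread).

```shell
#!/bin/sh
# Added example for this thread, not Zimbra's code: find the SMTP AUTH account
# behind a spam run from Postfix smtpd log lines. Assumes the standard
# "QUEUEID: client=host[ip], sasl_method=..., sasl_username=..." layout
# seen in post #1.

# Print one "QUEUEID user client_ip" line per authenticated submission read
# on stdin. The copy amavisd re-injects via 127.0.0.1 has no sasl_username,
# so it is skipped; only the original submission names the account.
sasl_auth_events() {
    awk '
        index($0, ": client=") && index($0, "sasl_username=") {
            q = substr($0, index($0, "]: ") + 3); sub(/:.*/, "", q)
            u = substr($0, index($0, "sasl_username=") + 14); sub(/[, ].*/, "", u)
            c = substr($0, index($0, "client=") + 7)
            c = substr(c, index(c, "[") + 1); sub(/].*/, "", c)
            print q, u, c
        }'
}

# Per account: number of messages submitted and number of distinct client
# IPs, busiest first ("messages distinct_ips user").
sasl_submissions() {
    sasl_auth_events | awk '
        {
            msgs[$2]++
            if (!(($2, $3) in seen)) { seen[$2, $3] = 1; ips[$2]++ }
        }
        END { for (u in msgs) printf "%d %d %s\n", msgs[u], ips[u], u }' | sort -rn
}

# Distinct client IPs that authenticated as the given account, for matching
# against /opt/zimbra/log/audit.log or an abuse report.
client_ips_for() {
    sasl_auth_events | awk -v user="$1" '$2 == user { print $3 }' | sort -u
}

# Constructed sample in the format of post #1 (the "mx" host, the 10.0.0.5 and
# 192.0.2.10 clients and the "alice" account are made up).
SAMPLE_LOG='Jan 24 08:55:52 mx postfix/smtpd[15781]: 96C8FD1802A: client=mail.pca.com[208.179.88.50], sasl_method=PLAIN, sasl_username=test
Jan 24 08:55:53 mx postfix/smtpd[5765]: 6B25ED1802E: client=localhost.localdomain[127.0.0.1]
Jan 24 08:56:10 mx postfix/smtpd[15790]: 7C36FD1803B: client=host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82], sasl_method=LOGIN, sasl_username=test
Jan 24 08:56:41 mx postfix/smtpd[15802]: 8D47FD1804C: client=unknown[10.0.0.5], sasl_method=PLAIN, sasl_username=test
Jan 24 09:01:03 mx postfix/smtpd[15810]: 9E58FD1805D: client=office.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan 24 09:02:15 mx postfix/smtpd[15811]: AF69FD1806E: client=office.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice'

# On a live server: sasl_submissions < /var/log/zimbra.log
printf '%s\n' "$SAMPLE_LOG" | sasl_submissions
printf '%s\n' "$SAMPLE_LOG" | client_ips_for test
```

    Run sasl_submissions over the whole mail log for the day (post #6 calls it mail.log; on ZCS it is normally /var/log/zimbra.log). Once an account stands out, lock it and change its password as the zimbra user (zmprov ma user@example.com zimbraAccountStatus locked, then zmprov sp user@example.com 'new-password') before cleaning the queue: deleting queued mail alone, as posts #1 and #6 describe, leaves the stolen credential usable.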

  8. #8
    Join Date
    Nov 2005
    Location
    UK
    Posts
    117
    Rep Power
    10


    Hi, this is still a big problem for me. I am not sure how to look at the mail headers; postqueue -p gives some information about deferred mail.

    Am I meant to get the ID for the mail from postqueue -p, then look in the
    /opt/zimbra/data/postfix/spool/deferred folder?

    Whilst I can find more info in here, I cannot see X-Originating-IP in any of these.

    Where should I be looking?

  9. #9
    phoenix (Zimbra Consultant & Moderator)
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Quote Originally Posted by mintra (post #8 above)
    You can also look in your daily mail report and see who is sending the greatest number of emails.
    Regards


    Bill



  10. #10
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25


    Quote Originally Posted by mintra (post #8 above)
    So post the headers from one of those deferred emails so we may take a look.
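    Post #8 asks how to get from postqueue -p to the message headers. The files under /opt/zimbra/data/postfix/spool/deferred are in Postfix's own record format, so the way to read a queued message, headers included, is `postcat -q <queue-id>` run as the zimbra user. The function below is an added example for this thread, not the poster's cleanup script: it selects queue IDs by sender or recipient address from `postqueue -p` output, following the selection pipeline in the postsuper(1) manual page, so they can be reviewed with postcat and then fed to `postsuper -d -`. It assumes the standard postqueue -p layout; the sample listing is constructed (the first entry mirrors the deferred message in post #1, the other two are made up).

```shell
#!/bin/sh
# Added example for this thread, not the poster's cleanup script. Assumes the
# standard `postqueue -p` (mailq) layout: a header line, then per message a
# "QUEUEID size Day Mon DD HH:MM:SS sender" line, optional "(reason)" lines,
# one recipient per line, messages separated by a blank line.

# Print the queue IDs of every queued message whose sender or any recipient
# equals $1. Reads `postqueue -p` output on stdin. As in the postsuper(1)
# manual page: tail drops the header, grep drops the "(reason ...)" lines,
# awk reads one paragraph per message, tr strips the active (*) and hold (!)
# markers that postqueue appends to the queue ID.
queue_ids_for() {
    tail -n +2 | grep -v '^ *(' | awk -v addr="$1" '
        BEGIN { RS = "" }
        {
            # $1 = queue ID, $2 = size, $3-$6 = arrival time, $7 = sender,
            # $8 onward = recipients
            for (i = 7; i <= NF; i++)
                if ($i == addr) { print $1; break }
        }' | tr -d '*!'
}

# Constructed sample of `postqueue -p` output (first entry taken from post #1,
# the other two made up).
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
6B25ED1802E     3141 Sun Jan 24 08:55:53  webbanke102r@cua.com.au
(host smtp.free.fr[212.27.48.4] refused to talk to me: 421 4.7.0 smtp3-g21.free.fr Error: too many connections from 78.***.***.***)
                                         goldfinger737@hotmail.com

7C36FD1803B*    2690 Sun Jan 24 08:56:10  webbanke102r@cua.com.au
                                         someone@yahoo.de

8D47FD1804C     1024 Sun Jan 24 08:57:02  alice@example.org
                                         bob@example.net

-- 7 Kbytes in 3 Requests.'

# On a live ZCS box, as the zimbra user: list, read one message's headers
# (Received:, X-Originating-IP, X-Mailer), then delete.
#   postqueue -p | queue_ids_for webbanke102r@cua.com.au
#   postcat -q 6B25ED1802E | less
#   postqueue -p | queue_ids_for webbanke102r@cua.com.au | postsuper -d -
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for webbanke102r@cua.com.au
```

    The `postcat -q` output shows the envelope records first and the message headers after the "MESSAGE CONTENTS" marker; the Received: line for the original submission is what to compare against the smtpd log and audit.log. Deleting by address, as post #6 does, only clears the symptom while the compromised account keeps authenticating, so do it after the account is locked.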
