
Thread: [SOLVED] Spam email sent out by our email server

  1. #1
    Join Date
    Aug 2007
    Location
    South Africa
    Posts
    15
    Rep Power
    8

    Default [SOLVED] Spam email sent out by our email server

    We are running Zimbra 6.01 OSE. Since yesterday we have had huge amounts of outbound email sent by info@ups.com to bogus email accounts at Yahoo, Gmail and Hotmail. We have subsequently been blacklisted by these companies.

    I have checked that the server is not a relay server, as it has successfully passed the relay tests done by popular sites. I keep deleting the emails in the active and deferred queues, but they keep piling up. Is there any way for me to find out how the spammer does this and to stop it from happening? Please help, as this is causing us to be blacklisted everywhere.


    Thank you.
    Hennie

    See below the header of one of the spam emails:

    Return-Path: info@ups.com
    Received: from zmail01.ourdomain.com (LHLO
    zmail01.ourdomain.com) (10.0.0.18) by zmail01.ourdomain.com
    with LMTP; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zmail01.ourdomain.com (Postfix) with ESMTP id 1E6A82FDE16C
    for <xxxx@ourdomain.com>; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
    X-Virus-Scanned: amavisd-new at zmail01.ourdomain.com
    X-Spam-Flag: YES
    X-Spam-Score: 11.369
    X-Spam-Level: ***********
    X-Spam-Status: Yes, score=11.369 tagged_above=-10 required=6.6
    tests=[ADVANCE_FEE_2=1.234, ADVANCE_FEE_3=1.432, ALL_TRUSTED=-1.8,
    AWL=-0.121, BAYES_99=3.5, FH_DATE_PAST_20XX=3.188,
    FORGED_MUA_OUTLOOK=3.116, MSOE_MID_WRONG_CASE=0.82] autolearn=no
    Received: from zmail01.ourdomain.com ([127.0.0.1])
    by localhost (zmail01.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ThUpEvun+3qL; Mon, 1 Mar 2010 14:47:41 +0200 (SAST)
    Received: from User (unknown [195.245.108.36])
    by zmail01.ourdomain.com (Postfix) with ESMTPA id 610E72FDE05A;
    Mon, 1 Mar 2010 14:45:47 +0200 (SAST)
    Reply-To: <ups.agent.ng1@gmail.com>
    From: "UPS COURIER SERVICES."<info@ups.com>
    Subject: Confirm Your Parcel With Us ASAP.
    Date: Mon, 1 Mar 2010 12:50:18 -0000
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Message-Id: <20100301124550.610E72FDE05A@zmail01.ourdomain.com >
    To: undisclosed-recipients:;

    Subject: Confirm Your Parcel With Us ASAP.
    From: Universal Parcel Service <info@ups.com.ng>

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    Welcome to the forums

    Check /opt/zimbra/log/audit.log and look for erroneous activity. I would imagine that one of your accounts may have been compromised due to poor password complexity.

  3. #3
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    Quote Originally Posted by Hennie View Post
    FH_DATE_PAST_20XX=3.188
    On a side note, you should also fix that problem: http://www.zimbra.com/forums/adminis...-1-2010-a.html

  4. #4
    Join Date
    Nov 2007
    Location
    AZ, USA
    Posts
    205
    Rep Power
    8

    Default

    Check other system logs.

    Who was using IP 195.245.109.36 at 14:45:47?

    Code:
    Received: from User (unknown [195.245.108.36])
    by zmail01.ourdomain.com (Postfix) with ESMTPA id 610E72FDE05A;
    Mon, 1 Mar 2010 14:45:47 +0200 (SAST)
    That is your problem machine/user.

    I'd hazard a guess that 192.245.109.* is in your "mynetworks".
    Last edited by jrefl5; 03-01-2010 at 11:23 AM. Reason: added mynetworks comment
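The hop jrefl5 singles out is worth reading mechanically, because the keyword after "with" tells you what kind of problem you have: under RFC 3848, "ESMTPA" (or "ESMTPSA" over TLS) means the client passed SMTP AUTH, so the server is not acting as an open relay; someone is logging in with a valid account. "unknown" in the same clause just means the client IP had no reverse DNS. The script below is an added example written for this thread (it is not from the original posts and not a Zimbra tool). It walks the Received: chain oldest-first, skips the loopback hops that amavisd adds, and reports the first external hop together with whether it authenticated. The header sample is the one from the first post, re-folded as a raw message would carry it; the mynetworks ranges passed in are an assumption for illustration.

```python
import email
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the header quoted in the first post, re-folded the way a
# raw message carries it (continuation lines start with whitespace). Only the
# headers needed for the hop analysis are kept.
SAMPLE_HEADERS = """\
Return-Path: info@ups.com
Received: from zmail01.ourdomain.com (LHLO zmail01.ourdomain.com) (10.0.0.18)
 by zmail01.ourdomain.com with LMTP; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by zmail01.ourdomain.com (Postfix) with ESMTP id 1E6A82FDE16C
 for <xxxx@ourdomain.com>; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
Received: from zmail01.ourdomain.com ([127.0.0.1])
 by localhost (zmail01.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ThUpEvun+3qL; Mon, 1 Mar 2010 14:47:41 +0200 (SAST)
Received: from User (unknown [195.245.108.36])
 by zmail01.ourdomain.com (Postfix) with ESMTPA id 610E72FDE05A;
 Mon, 1 Mar 2010 14:45:47 +0200 (SAST)
Reply-To: <ups.agent.ng1@gmail.com>
From: "UPS COURIER SERVICES."<info@ups.com>
Subject: Confirm Your Parcel With Us ASAP.
To: undisclosed-recipients:;

"""

# One Received: clause: "from <helo> (<comments>) by <host> ... with <protocol>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+(?P<fromrest>.*?)\s*\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# RFC 3848 "with" keywords that mean the client used SMTP AUTH
AUTHENTICATED_PROTOS = {"ESMTPA", "ESMTPSA"}


def parse_received_chain(raw_headers):
    """Return the Received: hops oldest-first as dicts (helo, ip, by, proto)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received") or []):   # headers are newest-first
        flat = " ".join(value.split())                      # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_m = IPV4_RE.search(m.group("fromrest"))          # first IP literal in the comment
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by"),
            "proto": m.group("proto").rstrip(";,").upper(),
        })
    return hops


def find_injection_hop(hops, mynetworks):
    """First non-loopback hop: the host that handed the message to this server.

    mynetworks is a list of CIDR strings (assumed values for the example).
    """
    nets = [ip_network(n) for n in mynetworks]
    for hop in hops:
        if hop["ip"] is None or ip_address(hop["ip"]).is_loopback:
            continue                                        # amavisd/content-filter hops
        addr = ip_address(hop["ip"])
        return {
            **hop,
            "authenticated": hop["proto"] in AUTHENTICATED_PROTOS,
            "in_mynetworks": any(addr in n for n in nets),
        }
    return None


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_HEADERS)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop['ip']:>15}  ({hop['helo']}) -> {hop['by']}  via {hop['proto']}")
    inj = find_injection_hop(chain, ["127.0.0.0/8", "10.0.0.0/24"])   # assumed mynetworks
    print("injected by", inj["ip"], "authenticated:", inj["authenticated"],
          "in mynetworks:", inj["in_mynetworks"])
```

For the sample above the injection hop is 195.245.108.36 with authenticated=True and in_mynetworks=False: the message did not come in through a trusted subnet, it came in through a login. That points the investigation at sasl_username entries in the Postfix log rather than at the relay configuration.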

  5. #5
    Join Date
    Aug 2007
    Location
    South Africa
    Posts
    15
    Rep Power
    8

    Default

    Quote Originally Posted by uxbod View Post
    Welcome to the forums

    Check /opt/zimbra/log/audit.log and look for erroneous activity. I would imagine that one of your accounts may have been compromised due to poor password complexity.
    Hi Uxbod, thank you for the advice. I have checked the audit.log files and could not find anything "strange". Could you perhaps explain how I could see which account has been compromised? It seems like mail gets sent randomly from 10.0.0.18, which is the internal IP of the mail server.

    I have also checked auth.log, but cannot see 195.245.108.36 anywhere. I would really appreciate your help here.

  6. #6
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    11

    Default

    Post the output of the following command:

    su - zimbra
    zmprov gs `zmhostname` | grep zimbraMtaMyNetworks
    It will show your mynetworks.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  7. #7
    Join Date
    Nov 2007
    Location
    AZ, USA
    Posts
    205
    Rep Power
    8

    Default

    Check your network's DHCP server for the 192.245.109.36 address and where it was assigned.

    You need to track back to the source PC.

  8. #8
    Join Date
    Aug 2007
    Location
    South Africa
    Posts
    15
    Rep Power
    8

    Default

    Hi All,

    I have seen many of the following entries in the mail.log file:
    client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam

    Could it be that the spam account has been compromised? If so, can I just change the password of the spam account?

  9. #9
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    11

    Default

    Change the password for the SPAM user ASAP, and if the same password was used for other accounts, change those too.
    This is a very common problem: simple passwords are guessed by spammers, who can then SMTP AUTH to your server and RELAY unlimited mail.

    sasl_username=spam --> means the spammer is using this account, authenticating with your password.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
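Raj's diagnosis (guessed password, then SMTP AUTH, then unlimited relaying) can be confirmed from the Postfix smtpd log without reading it by hand. The script below is an added example for this thread, not code from the posts or from Zimbra. It assumes the standard Postfix smtpd log format the poster quoted: successful logins appear as "client=host[ip], sasl_method=..., sasl_username=...", and guesses that fail appear as "warning: host[ip]: SASL LOGIN authentication failed". On a Zimbra host these lines normally land in /var/log/zimbra.log (or the distro's mail.log). The log sample is constructed: the spam account and 196.245.109.36 mirror the line quoted above, while the hennie account, the internal host and the failed attempts are made up, as are the mynetworks ranges and the flagging threshold.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Postfix smtpd syslog format (not the poster's real log).
SAMPLE_LOG = """\
Mar  1 09:02:11 zmail01 postfix/smtpd[4021]: warning: unknown[196.245.109.36]: SASL LOGIN authentication failed: authentication failure
Mar  1 09:02:14 zmail01 postfix/smtpd[4021]: warning: unknown[196.245.109.36]: SASL LOGIN authentication failed: authentication failure
Mar  1 09:02:19 zmail01 postfix/smtpd[4021]: warning: unknown[196.245.109.36]: SASL LOGIN authentication failed: authentication failure
Mar  1 09:15:03 zmail01 postfix/smtpd[4107]: 3A1C12FDE001: client=pc-hennie.ourdomain.com[10.0.0.51], sasl_method=LOGIN, sasl_username=hennie
Mar  1 11:40:21 zmail01 postfix/smtpd[4150]: 52D0B2FDE02C: client=pc-hennie.ourdomain.com[10.0.0.51], sasl_method=LOGIN, sasl_username=hennie
Mar  1 14:45:47 zmail01 postfix/smtpd[4188]: 610E72FDE05A: client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:45:52 zmail01 postfix/smtpd[4188]: 7B2E92FDE061: client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:45:58 zmail01 postfix/smtpd[4189]: 8C3F02FDE068: client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:46:03 zmail01 postfix/smtpd[4189]: 9D4012FDE06F: client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:46:09 zmail01 postfix/smtpd[4190]: AE5122FDE076: client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:46:15 zmail01 postfix/smtpd[4190]: BF6232FDE07D: client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam
"""

# Successful SMTP AUTH: queue id, client host[ip], mechanism, account name
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>[^,\s]+)"
)
# Failed SMTP AUTH attempt (password guessing shows up as bursts of these)
FAIL_RE = re.compile(r"warning: (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")


def triage_sasl(log_text, mynetworks, max_external=5):
    """Summarize SMTP AUTH activity per account and per client IP.

    mynetworks: CIDR strings treated as trusted (assumed values in the example).
    max_external: flag an account once it has this many logins from outside them.
    Returns accounts, failures per IP, flagged accounts, and the IPs that both
    failed and later succeeded (guessing that found a password).
    """
    nets = [ip_network(n) for n in mynetworks]
    accounts = defaultdict(lambda: {"logins": 0, "external": 0, "ips": set()})
    failures = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        rec = accounts[user]
        rec["logins"] += 1
        rec["ips"].add(ip)
        if not any(ip_address(ip) in n for n in nets):
            rec["external"] += 1
    return {
        "accounts": {u: {**r, "ips": sorted(r["ips"])} for u, r in accounts.items()},
        "failures": dict(failures),
        "flagged": sorted(u for u, r in accounts.items() if r["external"] >= max_external),
        "guessed_from": sorted(ip for ip in failures
                               if any(ip in r["ips"] for r in accounts.values())),
    }


if __name__ == "__main__":
    report = triage_sasl(SAMPLE_LOG, ["127.0.0.0/8", "10.0.0.0/24"])   # assumed mynetworks
    for user, rec in report["accounts"].items():
        print(f"{user:>10}: {rec['logins']} logins, {rec['external']} external, from {rec['ips']}")
    print("failed attempts per IP:", report["failures"])
    print("guessing that later succeeded from:", report["guessed_from"])
    print("accounts to lock / reset:", report["flagged"])
```

On the sample this flags only "spam", and shows 196.245.109.36 failing three times before the first successful login, which is the pattern Raj describes. Once the account is identified, reset its password and remove the messages it already queued with postsuper -d on the queue IDs from the log (or mailq), since Postfix will keep trying to deliver them after the credential is gone.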

  10. #10
    Join Date
    Oct 2009
    Location
    Austin, TX
    Posts
    8
    Rep Power
    6

    Default

    All of the suggestions above are great, but we would also recommend scanning all local workstations and the mail server with Spybot Search & Destroy, Ad-Aware and Malwarebytes Anti-Malware; these are all free from CNET Downloads (download.cnet.com). This group of software is specifically designed to find virus/trojan activity that your typical anti-virus program misses.

    Also if you are listed on any Blacklists we would recommend finding the source of the spam before you try to remove yourself. If you attempt to remove yourself before the issue is resolved Blacklists may re-list you and each time you delist it is more difficult to actually get removed. To check if you are Blacklisted, we would recommend using our Blacklist Tool.

    Please let us know if you have any other problems and we will be glad to assist.

    Thank you,
    @MxToolBox
