
Thread: Need urgent help on spamming issue

  1. #1

    Need urgent help on spamming issue

    Hi Guys,

    We are facing a very serious issue ...we have the example.com domain and
    multiple <invalid>@example.com email IDs are using our mail server to send mails to other valid / invalid email IDs.....

    Our mail server is behind a firewall and is not an open relay ....

    Right now more than 30000 mails are in the queue and our customers' mails have been getting stuck in the MTA for more than 2 hours....

    So here someone is using a valid domain name with an invalid local part (left side of @) and sending mail through our server.....


    Please suggest and help .....

  2. #2

    Check /opt/zimbra/log/mailbox.log and look for an IP address you do not know; you may have an account that has been compromised.

  3. #3

    Hi Uxbod...thanks for your reply..

    Our customer domain which got used to send SPAM is example.com..

    All users of this domain are internet users, so the IP is changing every time..I suspect one of the IDs has kept changing IP for the last 2 days..I put that account in Maintenance mode..

    But the main issue is I am getting requests from DIFFERENT public IPs ..(which belong to different countries) and they are using example.com as the domain but a non-existent email ID, and the recipient is also invalid .....and all these are getting stuck in my MTA ....

    I couldn't understand the logic behind it...how can they use our mail server like this...what kind of sender restriction can I put...or where should I check ...

    Thanks

  4. #4

    Are you sure they are being sent from your server; and you are actually seeing backscatter?

  5. #5

    Yes I am sure ...just have a look at the logs:
    everything is getting stuck in the MTA ....

    Apr 12 21:24:03 mail postfix/qmgr[22523]: 77A47133219A: from=<bftantamount@example.com>, status=expired, returned to sender
    Apr 12 21:24:03 mail postfix/qmgr[22523]: 73FAC13392E6: from=<vqboarder@example.com>, status=expired, returned to sender
    Apr 12 21:24:03 mail postfix/qmgr[22523]: 7239813322D0: from=<pporacle@example.com>, size=1464, nrcpt=1 (queue active)
    Apr 12 21:24:03 mail postfix/qmgr[22523]: CCD5E1332EB1: from=<mglsatanic@example.com>, size=980, nrcpt=1 (queue active)
    Apr 12 21:24:03 mail postfix/qmgr[22523]: 7FF1C133923A: from=<vieaglassware@example.com>, size=1491, nrcpt=1 (queue active)
    Apr 12 21:24:03 mail postfix/qmgr[22523]: 7076D133BB84: from=<sueofalls@example.com>, size=1457, nrcpt=1 (queue active)
    Apr 12 21:24:03 mail postfix/error[424]: B591ED4F46: to=<upcoutclass@example.com>, relay=none, delay=473, delays=473/0.01/0/0.01, dsn=5.0.0, status=bounced (example.com)
    Apr 12 21:24:03 mail postfix/qmgr[22523]: CD442D54EF: from=<exoverdo@example.com>, size=1448, nrcpt=1 (queue active)
    Apr 12 21:24:03 mail amavis[6316]: (06316-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20100412T212226-06316: <mglsatanic@example.com> -> <Richard-aka-tricky@hotmail.co.uk> SIZE=980 Received: from example.com ([127.0.0.1]) by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <Richard-aka-tricky@hotmail.co.uk>; Mon, 12 Apr 2010 21:24:03 +0530 (IST)
    Apr 12 21:24:03 mail postfix/error[874]: 99658D6708: to=<kiftatting@example.com>, relay=none, delay=10633, delays=10633/0.01/0/0, dsn=5.0.0, status=bounced (example.com)
    Apr 12 21:24:06 mail amavis[6316]: (06316-02) Checking: Kl0F88qPmKx2 [190.255.169.238] <mglsatanic@example.com> -> <Richard-aka-tricky@hotmail.co.uk>
    Apr 12 21:24:06 mail postfix/qmgr[22523]: 7D53F1331283: from=<bjlepiscopacy@example.com>, size=1488, nrcpt=1 (queue active)
    Apr 12 21:24:07 mail postfix/qmgr[22523]: 752DD13329E1: from=<yoseriocomic@example.com>, status=expired, returned to sender
    Apr 12 21:24:07 mail postfix/qmgr[22523]: 74FA3133357B: from=<pbsvibration@example.com>, size=1430, nrcpt=1 (queue active)
    Apr 12 21:24:07 mail postfix/smtpd[4762]: NOQUEUE: reject: RCPT from unknown[114.69.249.212]: 550 5.1.0 <parvinder@example.com>: Sender address rejected: example.com; from=<parvinder@example.com> to=<parvinder@example.com> proto=SMTP helo=<alppilux.fi>
    Apr 12 21:24:07 mail postfix/qmgr[22523]: 242B5D49E4: from=<xhvddrowsy@example.com>, size=1401, nrcpt=1 (queue active)
    Apr 12 21:24:07 mail postfix/qmgr[22523]: 7371413386CE: from=<xzjufascism@example.com>, size=1584, nrcpt=1 (queue active)
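
Uxbod's question above, whether the queue holds outbound spam or backscatter to forged example.com senders, can be answered from log lines like these. The Python below is an added example, not code from the thread or from Zimbra: it parses lines in the Postfix qmgr/error/smtpd and amavis formats quoted in the post and applies a triage heuristic. The sample lines are constructed here (example.com/example.net addresses, documentation-range IPs), and the thresholds in `assess()` are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modeled on the Postfix/amavis line formats quoted in the
# thread. Addresses are example.com/example.net and IPs are from documentation
# ranges; this is not the poster's actual log.
SAMPLE_LOG = """\
Apr 12 21:24:03 mail postfix/qmgr[22523]: 77A47133219A: from=<bftantamount@example.com>, status=expired, returned to sender
Apr 12 21:24:03 mail postfix/qmgr[22523]: 73FAC13392E6: from=<vqboarder@example.com>, status=expired, returned to sender
Apr 12 21:24:03 mail postfix/qmgr[22523]: 7239813322D0: from=<pporacle@example.com>, size=1464, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/qmgr[22523]: CCD5E1332EB1: from=<mglsatanic@example.com>, size=980, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/error[424]: B591ED4F46: to=<upcoutclass@example.com>, relay=none, delay=473, delays=473/0.01/0/0.01, dsn=5.0.0, status=bounced (example.com)
Apr 12 21:24:03 mail postfix/error[874]: 99658D6708: to=<kiftatting@example.com>, relay=none, delay=10633, delays=10633/0.01/0/0, dsn=5.0.0, status=bounced (example.com)
Apr 12 21:24:06 mail amavis[6316]: (06316-02) Checking: Kl0F88qPmKx2 [198.51.100.23] <mglsatanic@example.com> -> <someone@example.net>
Apr 12 21:24:07 mail postfix/smtpd[4762]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.0 <parvinder@example.com>: Sender address rejected: example.com; from=<parvinder@example.com> to=<parvinder@example.com> proto=SMTP helo=<host.invalid>
Apr 12 21:24:08 mail postfix/smtpd[4762]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.0 <qwzxtable@example.com>: Sender address rejected: example.com; from=<qwzxtable@example.com> to=<someone@example.net> proto=SMTP helo=<host.invalid>
Apr 12 21:24:09 mail amavis[6316]: (06316-03) Checking: Ab9Z01xPmKx2 [198.51.100.45] <xhvddrowsy@example.com> -> <other@example.net>
"""

# Contrasting constructed sample: one real mailbox handing in message after message.
COMPROMISED_SAMPLE = """\
Apr 12 22:00:01 mail amavis[6316]: (06316-10) Checking: Q1aaaaaaaaaa [198.51.100.23] <alice@example.com> -> <a@example.net>
Apr 12 22:00:01 mail postfix/qmgr[22523]: AAA111AAA111: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Apr 12 22:00:02 mail postfix/qmgr[22523]: AAA112AAA112: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Apr 12 22:00:03 mail postfix/qmgr[22523]: AAA113AAA113: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
"""

# qmgr lines: either a terminal status (expired/bounced/...) or "(queue active)".
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>"
    r"(?:.*status=(?P<status>\w+)|.*\(queue active\))")
# error delivery agent: undeliverable bounce notifications.
ERROR_RE = re.compile(
    r"postfix/error\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")
# smtpd rejecting a remote client at RCPT time.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*?\[(?P<ip>[\d.]+)\]:.*"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
# amavis "Checking" line carries the originating client IP of an accepted message.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Checking: \S+ \[(?P<ip>[\d.]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>")


def parse_line(line):
    """Classify one log line into a small event dict, or None if not of interest."""
    m = QMGR_RE.search(line)
    if m:
        return {"kind": "queue", "sender": m.group("sender"), "status": m.group("status") or "active"}
    m = ERROR_RE.search(line)
    if m:
        return {"kind": "queue", "sender": None, "rcpt": m.group("rcpt"), "status": m.group("status")}
    m = REJECT_RE.search(line)
    if m:
        return {"kind": "reject", "ip": m.group("ip"), "sender": m.group("sender")}
    m = AMAVIS_RE.search(line)
    if m:
        return {"kind": "submit", "ip": m.group("ip"), "sender": m.group("sender")}
    return None


def summarize(log_text, local_domain):
    """Aggregate queue statuses, per-sender message counts and client IPs."""
    statuses = Counter()
    sender_msgs = Counter()           # queued sender -> messages seen
    submit_ips = defaultdict(set)     # accepted sender -> client IPs that handed mail in
    reject_ips = set()                # clients refused at RCPT
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "queue":
            statuses[ev["status"]] += 1
            if ev["sender"]:
                sender_msgs[ev["sender"]] += 1
        elif ev["kind"] == "submit":
            submit_ips[ev["sender"]].add(ev["ip"])
        elif ev["kind"] == "reject":
            reject_ips.add(ev["ip"])
    local = {s for s in list(sender_msgs) + list(submit_ips) if s.endswith("@" + local_domain)}
    return {
        "statuses": dict(statuses),
        "distinct_local_senders": len(local),
        "busiest_sender": sender_msgs.most_common(1)[0] if sender_msgs else None,
        "client_ips": sorted({ip for ips in submit_ips.values() for ip in ips}),
        "reject_ips": sorted(reject_ips),
    }


def assess(summary, min_senders=5, max_per_sender=2):
    """Heuristic (thresholds are this example's assumptions): many distinct local
    senders with one or two messages each, undeliverable bounces piling up, and
    submissions from several unrelated client IPs point to forged-sender spam and
    backscatter; one sender dominating the queue points at a single mailbox."""
    undeliverable = summary["statuses"].get("bounced", 0) + summary["statuses"].get("expired", 0)
    busiest = summary["busiest_sender"][1] if summary["busiest_sender"] else 0
    if (summary["distinct_local_senders"] >= min_senders
            and busiest <= max_per_sender
            and undeliverable > 0
            and len(summary["client_ips"]) > 1):
        return "forged-sender-backscatter"
    if busiest > max_per_sender:
        return "check-account:" + summary["busiest_sender"][0]
    return "inconclusive"


if __name__ == "__main__":
    for name, text in (("thread-like sample", SAMPLE_LOG), ("single account", COMPROMISED_SAMPLE)):
        s = summarize(text, "example.com")
        print(name, s, "->", assess(s))
```

On a real box the same functions can be fed `/var/log/zimbra.log` (or wherever Postfix logs on the system) line by line; the useful output is the split between terminal statuses, the number of distinct local senders, and whether the client IPs that handed mail in belong to your users or are scattered across the internet.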

  6. #6

    If somebody is doing this from a client then you could track down who is signing in often using
    Code:
    cat mailbox.log | sed -n "s/.*btpool.*name=\(.*\);mid=.*;ip=.*;ua=ZimbraWebClient.*/\1/p" | sort | uniq -c
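
The sed one-liner above counts web-client sign-ins per account, and Uxbod's earlier advice was to look in mailbox.log for IPs you do not recognise. The Python below is an added example, not code from the thread or from Zimbra, that generalises that count: it tallies sign-ins for any user agent, records how many distinct IPs each account signed in from, and flags accounts well above the median. The log lines are constructed here, the `name=...;mid=...;ip=...;ua=...` field order is assumed from the sed pattern, and the thresholds in `outliers()` are the example's own.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample sign-in lines. Only the name/mid/ip/ua fields are assumed
# from the sed pattern in the post; the rest of the layout is illustrative.
SAMPLE_MAILBOX_LOG = """\
2010-04-12 20:01:11,004 INFO  [btpool0-7://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;mid=12;ip=198.51.100.23;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:03:40,210 INFO  [btpool0-9://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;mid=15;ip=198.51.100.40;ua=ZimbraWebClient - IE8 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:05:02,331 INFO  [btpool0-3://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;mid=21;ip=203.0.113.5;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:05:44,017 INFO  [btpool0-3://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;mid=21;ip=203.0.113.88;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:06:19,500 INFO  [btpool0-5://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;mid=21;ip=198.51.100.200;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:07:01,822 INFO  [btpool0-2://mail.example.com/service/soap/AuthRequest] [name=dave@example.com;mid=30;ip=198.51.100.77;ua=ZimbraWebClient - Safari (Mac)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:08:55,104 INFO  [btpool0-8://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;mid=21;ip=192.0.2.14;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:09:30,611 INFO  [btpool0-1://mail.example.com/service/soap/AuthRequest] [name=erin@example.com;mid=33;ip=198.51.100.90;ua=ZimbraConnectorForOutlook/6.0.5;] soap - AuthRequest
2010-04-12 20:11:12,090 INFO  [btpool0-6://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;mid=21;ip=192.0.2.77;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:12:48,377 INFO  [btpool0-4://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;mid=12;ip=198.51.100.23;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:14:05,219 INFO  [btpool0-7://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;mid=15;ip=198.51.100.40;ua=ZimbraWebClient - IE8 (Win)/6.0.5_GA;] soap - AuthRequest
2010-04-12 20:15:59,660 INFO  [btpool0-9://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;mid=21;ip=203.0.113.5;ua=ZimbraWebClient - FF3.0 (Win)/6.0.5_GA;] soap - AuthRequest
"""

# Same fields the sed in the post keys on: name=...;mid=...;ip=...;ua=...
LOGIN_RE = re.compile(r"name=(?P<user>[^;]+);mid=\d+;ip=(?P<ip>[^;]+);ua=(?P<ua>[^;]*)")


def login_stats(log_text, ua_prefix=None):
    """Return {user: (sign_in_count, set_of_source_ips)}.

    ua_prefix="ZimbraWebClient" reproduces the filter of the sed one-liner;
    None counts every client type (Outlook connector, IMAP, etc.)."""
    counts = Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if ua_prefix and not m.group("ua").startswith(ua_prefix):
            continue
        counts[m.group("user")] += 1
        ips[m.group("user")].add(m.group("ip"))
    return {user: (counts[user], ips[user]) for user in counts}


def outliers(stats, factor=3.0, min_ips=3):
    """Accounts whose sign-in count is `factor` times the median, or which
    signed in from at least `min_ips` distinct addresses in the window.
    Thresholds are this example's assumptions, not anything Zimbra ships."""
    if not stats:
        return []
    median = statistics.median(count for count, _ in stats.values())
    flagged = []
    for user, (count, addrs) in sorted(stats.items()):
        reasons = []
        if count >= factor * median:
            reasons.append("logins=%d (median %.1f)" % (count, median))
        if len(addrs) >= min_ips:
            reasons.append("distinct_ips=%d" % len(addrs))
        if reasons:
            flagged.append((user, reasons))
    return flagged


if __name__ == "__main__":
    stats = login_stats(SAMPLE_MAILBOX_LOG)
    for user, (count, addrs) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print("%4d  %-22s %s" % (count, user, ", ".join(sorted(addrs))))
    for user, reasons in outliers(stats):
        print("FLAG", user, "; ".join(reasons))
```

Run against a copy of /opt/zimbra/log/mailbox.log; an account that both signs in far more often than the rest and does so from addresses in several unrelated networks is the one to put into maintenance mode and re-credential first.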

  7. #7

    I checked Uxbod...I'm getting all genuine mail IDs in the output...all our clients use webmail + Outlook...
    My server got blacklisted at Yahoo

  8. #8

    Do you need any specific details regarding this issue?

  9. #9

    Yes you may be getting genuine IDs, but does one appear a lot higher than the rest? If your users are using Outlook then it is possible one of them has a virus.

  10. #10

    No, there is no huge mail communication from genuine IDs....Yes I accept there is a 100% possibility that a client desktop might have been affected by a virus ...and this particular domain's users are accessing from the internet and data cards ..and the hardware is not managed by us ..so we can't control desktop level and client network level security...but from the server end how do we restrict it ...as it is affecting all other customer domains and the mail server got blacklisted ...

    I have been googling for the last few hours, reading about all the sender and recipient level restrictions ..at least to stop / reject this mail communication...but still no luck ... :-(
