Thread: Spam coming from 127.0.0.1 getting to deferred messages.


  1. #1 (aldennis, Manila, Philippines)

    Spam coming from 127.0.0.1 getting to deferred messages.

    Hi,

    Recently installed ZCS 6.07 in our internal LAN behind a firewall using split DNS. Everything seems to be working well, except for thousands of spam messages originating from Zimbra's localhost, 127.0.0.1.

    Though our users don't get too much of it, our problem lies with the deferred messages, increasing by up to 1000+ messages per day. The last time we checked we had 15,000 messages. How can we make Zimbra delete spam messages in the deferred queue?

    Since the spam originates from 127.0.0.1, does it pass through SpamAssassin? And if so, why is it not deleted? Here is our current SA config:

    -------------------------------------------------------------------------------------
    rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock

    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 5.0

    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5

    %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
    %%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%

    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 30
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

    # Enabled BAYES filter
    use_bayes 1
    skip_rbl_checks 0

    # Added SPF checking
    score SPF_FAIL 10.000
    score SPF_HELO_FAIL 10.000

    # Added score increase
    score BAYES_99 4.300
    score BAYES_90 3.500
    score BAYES_80 3.000

    # Blacklist (* is a wildcard)
    blacklist_from *@yahoo.com.tw
    blacklist_from *@*.hinet.net
    blacklist_from *@pchome.com.tw
    blacklist_from *@xuite.net
    blacklist_from *@*.ca
    blacklist_from *@*.ro
    blacklist_from *@*.gr
    blacklist_from *@*.ru
    blacklist_from *@*.cz
    blacklist_from *@*.ee
    blacklist_from *@*.fr
    blacklist_from *@*.in
    blacklist_from *@juno.com
    blacklist_from *@guevos.com
    blacklist_from *@aol.com
    blacklist_from *@*-host-219-90-92-18.tri.ph
    blacklist_from *@host-219-90-92-18.tri.ph
    blacklist_from *@yahoo.com.*
    blacklist_from *@qq.com
    blacklist_from *@vdc.vn
    blacklist_from *@sina.com
    blacklist_from *@163.*
    blacklist_from *@126.*
    blacklist_from *163.*
    # Blacklist all domain that starts with number
    blacklist_from *@0*.*
    blacklist_from *@1*.*
    blacklist_from *@2*.*
    blacklist_from *@3*.*
    blacklist_from *@4*.*
    blacklist_from *@5*.*
    blacklist_from *@6*.*
    blacklist_from *@7*.*
    blacklist_from *@8*.*
    blacklist_from *@9*.*

    # Keywords for spam
    body LOCAL_****** /******/i
    score LOCAL_****** 3.000

    body LOCAL_*** /***/i
    score LOCAL_*** 2.000

    body LOCAL_ERECTION /erection/i
    score LOCAL_ERECTION 1.500
    ------------------------------------------------------------------------------
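    For the question above of how to get spam out of the deferred queue, here is an added example (mine, not code from this thread or from Zimbra): a small Python filter that reads `postqueue -p` output, which Zimbra's Postfix prints in the standard mailq format, and writes the queue IDs that should be removed, one per line, so they can be piped into `postsuper -d -` (the `-` makes postsuper read queue IDs from standard input). It removes two classes of entry: null-sender (`MAILER-DAEMON`) bounces addressed outside the local domains, which are backscatter to forged spam senders and will never be delivered, and deferred mail from sender globs you name (the `host-219-90-92-18.tri.ph` sender seen in the log further down is used as the pattern). Legitimate bounces to local users and entries in the active queue are left alone. `SAMPLE_MAILQ` is constructed for the example, modelled on the queue IDs and addresses in the posted log; `LOCAL_DOMAINS` and `SPAM_SENDER_PATTERNS` are assumptions. Clearing the queue treats the symptom only; the queue refills until whatever is injecting the mail is closed off.

```python
import fnmatch
import re
import sys

# Constructed sample in the mailq / "postqueue -p" format, modelled on the queue ids and
# addresses in the posted log (not a real capture). A trailing "*" marks an active-queue entry.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
4B3A3D2006     3627 Sun Jul 18 05:26:00  MAILER-DAEMON
(host ib1.charter.net[216.33.127.20] refused to talk to me: 554 You are not allowed to send mail)
                                         uyupokay6841@charter.com

79932D2018     3672 Sun Jul 18 05:26:42  MAILER-DAEMON
(connect to veloxzone.com.br[200.223.8.81]:25: Connection refused)
                                         emupuw3762@veloxzone.com.br

1020DD201D     5774 Sun Jul 18 05:44:10  MAILER-DAEMON
(connect to mail.aurotech.com[10.10.10.2]:7025: Connection refused)
                                         rgalvan@aurotech.com

C7C40D2162*    5994 Sun Jul 18 05:44:00  nrwb@host-219-90-92-18.tri.ph
                                         dahui@sxdahui.cn

55646D202B     1991 Sun Jul 18 05:43:55  hmr@host-219-90-92-18.tri.ph
(connect to mx.sina.com[192.0.2.45]:25: Connection refused)
                                         wwq830626@sina.com

0CB91D202B      941 Sun Jul 18 05:44:30  rgalvan@aurotech.com
(connect to mail.partner.example[203.0.113.25]:25: Connection refused)
                                         partner@partner.example

-- 20 Kbytes in 6 Requests.
"""

# Assumptions for the example: the site's own domains, and sender globs known to be spam.
LOCAL_DOMAINS = {"aurotech.com"}
SPAM_SENDER_PATTERNS = ["*@host-219-90-92-18.tri.ph"]

HEADER_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")


def parse_mailq(text):
    """Turn mailq output into a list of {qid, flag, size, sender, reason, recipients}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("-"):
            continue                      # blank, column header, or "-- N Kbytes in M Requests."
        m = HEADER_RE.match(line)
        if m:
            cur = {"qid": m["qid"], "flag": m["flag"], "size": int(m["size"]),
                   "sender": m["sender"], "reason": "", "recipients": []}
            entries.append(cur)
        elif cur is None:
            continue                      # e.g. "Mail queue is empty"
        elif line.startswith("("):
            cur["reason"] = line.strip("()")   # last delivery error of a deferred entry
        else:
            cur["recipients"].append(line.strip())
    return entries


def is_local(address, local_domains):
    return address.rpartition("@")[2].lower() in local_domains


def select_for_deletion(entries, sender_patterns, local_domains, skip_active=True):
    """Queue ids of backscatter bounces and of mail from blacklisted senders."""
    doomed = []
    for e in entries:
        if skip_active and e["flag"] == "*":
            continue                      # mid-delivery; let postfix finish or defer it
        if e["sender"] == "MAILER-DAEMON":
            # A bounce going outside our domains answers a message we never originated.
            if not any(is_local(r, local_domains) for r in e["recipients"]):
                doomed.append(e["qid"])
        elif any(fnmatch.fnmatchcase(e["sender"].lower(), p.lower()) for p in sender_patterns):
            doomed.append(e["qid"])
    return doomed


if __name__ == "__main__":
    text = SAMPLE_MAILQ if sys.stdin.isatty() else sys.stdin.read()
    for qid in select_for_deletion(parse_mailq(text), SPAM_SENDER_PATTERNS, LOCAL_DOMAINS):
        print(qid)                        # pipe into: postsuper -d -
```

    Run it as the zimbra user, dry first (`postqueue -p | python3 queue_cleanup.py`) and then for real (`postqueue -p | python3 queue_cleanup.py | postsuper -d -`); where the postfix binaries live on a ZCS 6 box depends on the install, typically under /opt/zimbra/postfix/sbin. Keep `skip_active` on unless you are sure nothing legitimate is in flight.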

  2. #2 (aldennis)

    I forgot to send my Postfix log; I just figured out lately how to get it. Our Zimbra server is inside the DMZ with IP 10.10.10.0/29. Our firewall forwards only the ports needed by Zimbra from WAN->DMZ and from LAN->DMZ, as I've learned from the wiki; the others are blocked.

    Also, why is it that when we first installed Zimbra using a live IP we didn't encounter this problem? I had just added RBL checks and did not have to tinker with salocal.cf.in. It's only since we have a new installation of Zimbra behind NAT (first on the LAN, then later moved to the DMZ) that it has become a spam-sending server. We're afraid that our IP will eventually be blocked by RBLs if we don't fix this.

    We're using ZCS 6.0.7 Open Source Ed. running on Ubuntu 8.04 on a virtual machine.

    Please help. Thanks

  3. #3 (aldennis)

    Jul 18 05:44:02 mail postfix/qmgr[32190]: 55646D202B: from=<nrwb@host-219-90-92-18.tri.ph>, size=1991, nrcpt=1 (queue active)
    Jul 18 05:44:02 mail postfix/smtp[25067]: D55A7D201D: to=<dahui@sxdahui.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.86, delays=0.29/0/0.01/0.57, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-03 - SPAM)
    Jul 18 05:44:02 mail postfix/qmgr[32190]: D55A7D201D: removed
    Jul 18 05:44:03 mail postfix/smtpd[11962]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:03 mail postfix/smtp[24449]: 55646D202B: to=<seasons0109@126.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.92, delays=0.33/0/0/0.59, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25501-03 - SPAM)
    Jul 18 05:44:03 mail postfix/qmgr[32190]: 55646D202B: removed
    Jul 18 05:44:03 mail postfix/smtpd[21590]: 77AF7D201D: client=unknown[10.10.10.1]
    Jul 18 05:44:04 mail postfix/cleanup[24875]: 77AF7D201D: message-id=<20100717214403.77AF7D201D@mail.aurotech.com>
    Jul 18 05:44:04 mail postfix/qmgr[32190]: 77AF7D201D: from=<onicomedes7@aurotech.com>, size=3534, nrcpt=1 (queue active)
    Jul 18 05:44:05 mail postfix/smtpd[21590]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 7CF90D203A: from=<>, size=3271, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 7F714D2019: from=<>, size=3625, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 79932D2018: from=<>, size=3672, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 71C4DD2003: from=<>, size=3592, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 42E55D2029: from=<>, size=4797, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 4B3A3D2006: from=<>, size=3627, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 92E40D2015: from=<>, size=6113, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: C7C40D2162: from=<>, size=5994, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: BBD7AD2002: from=<>, size=15796, nrcpt=1 (queue active)
    Jul 18 05:44:07 mail postfix/qmgr[32190]: 26D10D2026: from=<>, size=37879, nrcpt=1 (queue active)
    Jul 18 05:44:08 mail postfix/smtp[26271]: 4B3A3D2006: to=<uyupokay6841@charter.com>, relay=ib1.charter.net[216.33.127.20]:25, delay=1088, delays=1088/0.17/0.56/0, dsn=4.0.0, status=deferred (host ib1.charter.net[216.33.127.20] refused to talk to me: 554 imp06 charter.net ?? IP: 124.105.236.74, You are not allowed to send mail. Please see CSI IP Reputation Remediation Portal if you feel this is in error. E1310)
    Jul 18 05:44:09 mail postfix/smtp[26263]: connect to veloxzone.com.br[200.223.8.81]:25: Connection refused
    Jul 18 05:44:09 mail postfix/smtp[26263]: 79932D2018: to=<emupuw3762@veloxzone.com.br>, relay=none, delay=1047, delays=1045/0.12/1.1/0, dsn=4.4.1, status=deferred (connect to veloxzone.com.br[200.223.8.81]:25: Connection refused)
    Jul 18 05:44:09 mail postfix/smtp[26278]: connect to gallery-09ujizwbu1eqp.usercash.com[79.170.89.9]:25: Connection refused
    Jul 18 05:44:09 mail postfix/smtp[26278]: 26D10D2026: to=<allapa@gallery-09ujizwbu1eqp.usercash.com>, relay=none, delay=1076, delays=1075/0.24/1/0, dsn=4.4.1, status=deferred (connect to gallery-09ujizwbu1eqp.usercash.com[79.170.89.9]:25: Connection refused)
    Jul 18 05:44:09 mail postfix/smtpd[20427]: connect from unknown[10.10.10.1]
    Jul 18 05:44:09 mail postfix/smtp[24106]: connect to mail.goedge.com[64.72.118.174]:25: Connection refused
    Jul 18 05:44:09 mail postfix/smtpd[20427]: C1EDED202B: client=unknown[10.10.10.1]
    Jul 18 05:44:09 mail postfix/smtp[24106]: 7CF90D203A: to=<bushingrf869@rosebush.com>, relay=none, delay=21508, delays=21506/0.04/1.8/0, dsn=4.4.1, status=deferred (connect to mail.goedge.com[64.72.118.174]:25: Connection refused)
    Jul 18 05:44:09 mail postfix/smtpd[24988]: connect from localhost[127.0.0.1]
    Jul 18 05:44:09 mail postfix/smtpd[24988]: D9254D202C: client=localhost[127.0.0.1]
    Jul 18 05:44:09 mail postfix/cleanup[15965]: D9254D202C: message-id=<20100717214403.77AF7D201D@mail.aurotech.com>
    Jul 18 05:44:09 mail postfix/qmgr[32190]: D9254D202C: from=<onicomedes7@aurotech.com>, size=3982, nrcpt=1 (queue active)
    Jul 18 05:44:09 mail postfix/smtp[24311]: 77AF7D201D: to=<onicomedes7@aurotech.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.9, delays=1.7/0/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25414-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9254D202C)
    Jul 18 05:44:09 mail postfix/qmgr[32190]: 77AF7D201D: removed
    Jul 18 05:44:09 mail postfix/cleanup[15950]: C1EDED202B: message-id=<20100717214409.C1EDED202B@mail.aurotech.com>
    Jul 18 05:44:10 mail postfix/error[24079]: D9254D202C: to=<onicomedes7@aurotech.com>, relay=none, delay=0.18, delays=0.07/0.01/0/0.09, dsn=5.0.0, status=bounced (aurotech.com)
    Jul 18 05:44:10 mail postfix/qmgr[32190]: C1EDED202B: from=<ejo@host-219-90-92-18.tri.ph>, size=1651, nrcpt=1 (queue active)
    Jul 18 05:44:10 mail postfix/cleanup[24877]: 1020DD201D: message-id=<20100717214410.1020DD201D@mail.aurotech.com>
    Jul 18 05:44:10 mail postfix/bounce[24080]: D9254D202C: sender non-delivery notification: 1020DD201D
    Jul 18 05:44:10 mail postfix/qmgr[32190]: 1020DD201D: from=<>, size=5774, nrcpt=1 (queue active)
    Jul 18 05:44:10 mail postfix/qmgr[32190]: D9254D202C: removed
    Jul 18 05:44:10 mail postfix/error[24079]: 1020DD201D: to=<onicomedes7@aurotech.com>, relay=none, delay=0.19, delays=0.1/0/0/0.09, dsn=5.0.0, status=bounced (aurotech.com)
    Jul 18 05:44:10 mail postfix/qmgr[32190]: 1020DD201D: removed
    Jul 18 05:44:10 mail postfix/smtpd[20427]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:11 mail postfix/smtpd[18441]: connect from unknown[10.10.10.1]
    Jul 18 05:44:11 mail postfix/smtp[25100]: C1EDED202B: to=<jhnie@jjhy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.3/0/0.01/1.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-12 - SPAM)
    Jul 18 05:44:11 mail postfix/qmgr[32190]: C1EDED202B: removed
    Jul 18 05:44:11 mail postfix/smtpd[29260]: connect from unknown[10.10.10.1]
    Jul 18 05:44:11 mail postfix/smtpd[18441]: 9E05FD201D: client=unknown[10.10.10.1]
    Jul 18 05:44:11 mail postfix/smtpd[29260]: BB1E0D202B: client=unknown[10.10.10.1]
    Jul 18 05:44:11 mail postfix/cleanup[24875]: 9E05FD201D: message-id=<20100717214411.9E05FD201D@mail.aurotech.com>
    Jul 18 05:44:11 mail postfix/qmgr[32190]: 9E05FD201D: from=<sxcgm@host-219-90-92-18.tri.ph>, size=4008, nrcpt=1 (queue active)
    Jul 18 05:44:11 mail postfix/cleanup[24422]: BB1E0D202B: message-id=<20100717214411.BB1E0D202B@mail.aurotech.com>
    Jul 18 05:44:12 mail postfix/qmgr[32190]: BB1E0D202B: from=<sxchm@host-219-90-92-18.tri.ph>, size=4018, nrcpt=1 (queue active)
    Jul 18 05:44:12 mail postfix/smtp[24325]: 9E05FD201D: to=<jswjg516@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.74, delays=0.26/0/0/0.47, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-04 - SPAM)
    Jul 18 05:44:12 mail postfix/qmgr[32190]: 9E05FD201D: removed
    Jul 18 05:44:12 mail postfix/smtpd[18441]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:12 mail postfix/smtpd[29260]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:14 mail postfix/smtpd[24707]: connect from unknown[10.10.10.1]
    Jul 18 05:44:14 mail postfix/smtp[24449]: BB1E0D202B: to=<jswjgjyxgs@3158.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=0.27/0/0.01/2.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25168-06 - SPAM)
    Jul 18 05:44:14 mail postfix/qmgr[32190]: BB1E0D202B: removed
    Jul 18 05:44:14 mail postfix/smtpd[24707]: 74076D201D: client=unknown[10.10.10.1]
    Jul 18 05:44:14 mail postfix/cleanup[15965]: 74076D201D: message-id=<20100717214414.74076D201D@mail.aurotech.com>
    Jul 18 05:44:14 mail postfix/qmgr[32190]: 74076D201D: from=<wbglrw@host-219-90-92-18.tri.ph>, size=955, nrcpt=1 (queue active)
    Jul 18 05:44:14 mail postfix/smtp[24311]: 74076D201D: to=<da-huyou@163.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.42, delays=0.27/0/0.01/0.14, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-13 - SPAM)
    Jul 18 05:44:14 mail postfix/qmgr[32190]: 74076D201D: removed
    Jul 18 05:44:15 mail postfix/smtpd[24707]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:15 mail postfix/smtpd[1240]: connect from unknown[10.10.10.1]
    Jul 18 05:44:15 mail postfix/smtpd[1240]: B1A93D201D: client=unknown[10.10.10.1]
    Jul 18 05:44:15 mail postfix/cleanup[24875]: B1A93D201D: message-id=<20100717214415.B1A93D201D@mail.aurotech.com>
    Jul 18 05:44:15 mail postfix/qmgr[32190]: B1A93D201D: from=<hmr@host-219-90-92-18.tri.ph>, size=1497, nrcpt=1 (queue active)
    Jul 18 05:44:16 mail postfix/smtp[24328]: B1A93D201D: to=<wwq830626@sina.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.63, delays=0.28/0/0.01/0.34, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25494-05 - SPAM)
    Jul 18 05:44:16 mail postfix/qmgr[32190]: B1A93D201D: removed
    Jul 18 05:44:16 mail postfix/smtpd[25269]: disconnect from localhost[127.0.0.1]
    Jul 18 05:44:16 mail postfix/smtpd[1240]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:16 mail postfix/smtpd[20418]: connect from unknown[10.10.10.1]
    Jul 18 05:44:16 mail postfix/smtpd[20418]: B4AB8D201D: client=unknown[10.10.10.1]
    Jul 18 05:44:16 mail postfix/smtpd[1255]: connect from unknown[10.10.10.1]
    Jul 18 05:44:16 mail postfix/cleanup[24422]: B4AB8D201D: message-id=<20100717214416.B4AB8D201D@mail.aurotech.com>
    Jul 18 05:44:16 mail postfix/smtpd[1255]: F0C29D202B: client=unknown[10.10.10.1]
    Jul 18 05:44:17 mail postfix/qmgr[32190]: B4AB8D201D: from=<tydio@host-219-90-92-18.tri.ph>, size=1521, nrcpt=1 (queue active)
    Jul 18 05:44:17 mail postfix/cleanup[15950]: F0C29D202B: message-id=<20100717214416.F0C29D202B@mail.aurotech.com>
    Jul 18 05:44:17 mail postfix/qmgr[32190]: F0C29D202B: from=<tydiot@host-219-90-92-18.tri.ph>, size=1516, nrcpt=1 (queue active)
    Jul 18 05:44:17 mail postfix/smtp[24325]: B4AB8D201D: to=<handsomeallan@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.67, delays=0.34/0/0/0.33, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-05 - SPAM)
    Jul 18 05:44:17 mail postfix/qmgr[32190]: B4AB8D201D: removed
    Jul 18 05:44:17 mail postfix/smtpd[20418]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:17 mail postfix/smtp[24449]: F0C29D202B: to=<handsomebay1028@163.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.67, delays=0.3/0/0.01/0.37, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-14 - SPAM)
    Jul 18 05:44:17 mail postfix/qmgr[32190]: F0C29D202B: removed
    Jul 18 05:44:17 mail postfix/smtpd[1255]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:23 mail postfix/smtpd[24076]: connect from unknown[10.10.10.1]
    Jul 18 05:44:23 mail postfix/smtpd[24076]: D0582D201D: client=unknown[10.10.10.1]
    Jul 18 05:44:23 mail postfix/smtpd[18440]: connect from unknown[10.10.10.1]
    Jul 18 05:44:24 mail postfix/cleanup[15965]: D0582D201D: message-id=<20100717214423.D0582D201D@mail.aurotech.com>
    Jul 18 05:44:24 mail postfix/smtpd[18440]: 0CB91D202B: client=unknown[10.10.10.1]
    Jul 18 05:44:24 mail postfix/qmgr[32190]: D0582D201D: from=<xbglrw@host-219-90-92-18.tri.ph>, size=950, nrcpt=1 (queue active)
    Jul 18 05:44:24 mail postfix/cleanup[24422]: 0CB91D202B: message-id=<20100717214424.0CB91D202B@mail.aurotech.com>
    Jul 18 05:44:24 mail postfix/qmgr[32190]: 0CB91D202B: from=<xchmrw@host-219-90-92-18.tri.ph>, size=941, nrcpt=1 (queue active)
    Jul 18 05:44:24 mail postfix/smtp[24328]: D0582D201D: to=<dai@atunicorn.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.83, delays=0.43/0.01/0.01/0.38, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25168-07 - SPAM)
    Jul 18 05:44:24 mail postfix/qmgr[32190]: D0582D201D: removed
    Jul 18 05:44:24 mail postfix/smtpd[24076]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:24 mail postfix/smtp[24311]: 0CB91D202B: to=<dai@aandb.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.67, delays=0.46/0/0.02/0.19, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-06 - SPAM)
    Jul 18 05:44:24 mail postfix/qmgr[32190]: 0CB91D202B: removed
    Jul 18 05:44:25 mail postfix/smtpd[18440]: disconnect from unknown[10.10.10.1]
    Jul 18 05:44:29 mail postfix/smtp[26275]: connect to mxin1.gvt.com.br[200.139.127.5]:25: No route to host
    Jul 18 05:44:29 mail postfix/smtp[26275]: BBD7AD2002: to=<jegukuviey9556@gvt.net.br>, relay=none, delay=30593, delays=30571/0.19/21/0, dsn=4.4.1, status=deferred (connect to mxin1.gvt.com.br[200.139.127.5]:25: No route to host)
    Jul 18 05:44:30 mail postfix/smtpd[1254]: connect from unknown[10.10.10.1]
    Jul 18 05:44:30 mail postfix/smtpd[18441]: connect from unknown[10.10.10.1]
    Jul 18 05:44:30 mail postfix/smtpd[1255]: connect from unknown[10.10.10.1]
    Jul 18 05:44:30 mail postfix/smtpd[1254]: EB846D201D: client=unknown[10.10.10.1]
    Jul 18 05:44:31 mail postfix/smtpd[18441]: 029D6D202B: client=unknown[10.10.10.1]
    Jul 18 05:44:31 mail postfix/cleanup[24875]: EB846D201D: message-id=<20100717214430.EB846D201D@mail.aurotech.com>
    Jul 18 05:44:31 mail postfix/cleanup[24877]: 029D6D202B: message-id=<20100717214431.029D6D202B@mail.aurotech.com>
    Jul 18 05:44:31 mail postfix/smtpd[1255]: 3590CD202C: client=unknown[10.10.10.1]
    Jul 18 05:44:31 mail postfix/qmgr[32190]: EB846D201D: from=<tydio@host-219-90-92-18.tri.ph>, size=3994, nrcpt=1 (queue active)
    Jul 18 05:44:31 mail postfix/qmgr[32190]: 029D6D202B: from=<tydiot@host-219-90-92-18.tri.ph>, size=3992, nrcpt=1 (queue active)
    Jul 18 05:44:31 mail postfix/cleanup[15950]: 3590CD202C: message-id=<20100717214431.3590CD202C@mail.aurotech.com>
    Jul 18 05:44:31 mail postfix/qmgr[32190]: 3590CD202C: from=<afkpuze@host-219-90-92-18.tri.ph>, size=1537, nrcpt=1 (queue active)

  4. #4 (aldennis)

    I have blacklisted the domain host-219-90-92-18.tri.ph by editing amavisd.conf.in, but it doesn't stop my server from sending other spam messages. How do I know if a local user account has been compromised? And if so, can changing the password solve this?

  5. #5 (phoenix, Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by aldennis View Post
    I have blacklisted the domain host-219-90-92-18.tri.ph by editing amavisd.conf.in but it doesn't stop my server from sending other spam
    messages. How do I know if a local user account has been compromised?
    You can check some of these threads for details on how to check who's sending high volumes of mail: site:zimbra.com +spam +compromised +account - Yahoo! Search Results

    Quote Originally Posted by aldennis View Post
    And if so, can changing the password solve this?
    Yes and you should enforce strong password security via the Admin UI.
    Regards


    Bill
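    The log in post #3 and the advice just above (find out who is sending the volume) call for the same kind of log analysis, so here is one added example that serves both; it is my code, not code from this thread or from Zimbra. It parses Postfix `smtpd`, `qmgr` and delivery-agent lines, counts submissions per client IP and per SASL user (Postfix logs authenticated submissions as `sasl_username=` on the `client=` line), and tallies outcomes, including the `discarded ... SPAM` replies from amavisd on port 10024 that the posted log shows. The check a practitioner would want here is the one the posted log already hints at: every inbound connection is `client=unknown[10.10.10.1]`, the DMZ gateway, and that address lies inside the 10.10.10.0/29 that post #6 lists as trusted. Behind NAT the MTA never sees the real client address, so a trusted-network entry that covers the gateway turns the whole internet into a trusted relay client, DNS client checks have nothing to resolve, and RBL lookups only ever see a private address. That fits the problem disappearing once the server went onto a public IP in post #7. The script flags that pattern (one unresolvable address inside the trusted list carrying most of the non-loopback traffic) and separately lists null-sender (`from=<>`) deliveries that are deferred or bounced, which is what backscatter to forged spam senders looks like in the deferred queue. The sample log is constructed, modelled on post #3's lines, with one SASL-authenticated submission added because the excerpt contains none; `MYNETWORKS` takes the values from post #6. In Zimbra that list is `zimbraMtaMyNetworks`, and it should name the server's own addresses, not the gateway's subnet.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the postfix log excerpt in post #3 (not the original lines).
# The last three lines add a SASL-authenticated submission, which the excerpt does not
# contain, so that per-user counting has something to show.
SAMPLE_LOG = """\
Jul 18 05:44:09 mail postfix/smtpd[20427]: C1EDED202B: client=unknown[10.10.10.1]
Jul 18 05:44:10 mail postfix/qmgr[32190]: C1EDED202B: from=<ejo@host-219-90-92-18.tri.ph>, size=1651, nrcpt=1 (queue active)
Jul 18 05:44:11 mail postfix/smtp[25100]: C1EDED202B: to=<jhnie@jjhy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-12 - SPAM)
Jul 18 05:44:11 mail postfix/smtpd[18441]: 9E05FD201D: client=unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/qmgr[32190]: 9E05FD201D: from=<sxcgm@host-219-90-92-18.tri.ph>, size=4008, nrcpt=1 (queue active)
Jul 18 05:44:12 mail postfix/smtp[24325]: 9E05FD201D: to=<jswjg516@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.74, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-04 - SPAM)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 4B3A3D2006: from=<>, size=3627, nrcpt=1 (queue active)
Jul 18 05:44:08 mail postfix/smtp[26271]: 4B3A3D2006: to=<uyupokay6841@charter.com>, relay=ib1.charter.net[216.33.127.20]:25, delay=1088, dsn=4.0.0, status=deferred (host ib1.charter.net[216.33.127.20] refused to talk to me: 554 You are not allowed to send mail)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 79932D2018: from=<>, size=3672, nrcpt=1 (queue active)
Jul 18 05:44:09 mail postfix/smtp[26263]: 79932D2018: to=<emupuw3762@veloxzone.com.br>, relay=none, delay=1047, dsn=4.4.1, status=deferred (connect to veloxzone.com.br[200.223.8.81]:25: Connection refused)
Jul 18 05:44:09 mail postfix/smtpd[24988]: D9254D202C: client=localhost[127.0.0.1]
Jul 18 05:44:09 mail postfix/qmgr[32190]: D9254D202C: from=<onicomedes7@aurotech.com>, size=3982, nrcpt=1 (queue active)
Jul 18 05:44:10 mail postfix/error[24079]: D9254D202C: to=<onicomedes7@aurotech.com>, relay=none, delay=0.18, dsn=5.0.0, status=bounced (aurotech.com)
Jul 18 05:45:02 mail postfix/smtpd[20430]: A1B2C3D4E5: client=ws12.lan.aurotech.com[192.168.1.12], sasl_method=PLAIN, sasl_username=rgalvan@aurotech.com
Jul 18 05:45:02 mail postfix/qmgr[32190]: A1B2C3D4E5: from=<rgalvan@aurotech.com>, size=1200, nrcpt=1 (queue active)
Jul 18 05:45:03 mail postfix/smtp[24325]: A1B2C3D4E5: to=<partner@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25530-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B2C3D4E5F6)
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|error|lmtp|local)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.* status=(?P<status>\w+) \((?P<detail>.*)\)$")

# Addresses the MTA trusts to relay (zimbraMtaMyNetworks, values as given in post #6).
MYNETWORKS = ("127.0.0.0/8", "10.10.10.0/29")


def classify(status, relay, detail):
    """Collapse one postfix delivery record into an outcome label."""
    if status == "sent" and "discarded" in detail:
        return "discarded"        # amavisd-new dropped it (SPAM or virus)
    if status == "sent" and relay.startswith("127.0.0.1[127.0.0.1]:10024"):
        return "to_filter"        # handed to the content filter; re-injected under a new queue id
    return status                 # sent, deferred, bounced


def analyze(log_text, mynetworks=MYNETWORKS):
    nets = [ip_network(n) for n in mynetworks]

    def trusted(ip):
        return any(ip_address(ip) in n for n in nets)

    client, sender = {}, {}       # queue id -> (host, ip, sasl user) / envelope sender
    outcomes, backscatter, refusals = Counter(), set(), 0
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := CLIENT_RE.search(line):
            client[m["qid"]] = (m["host"], m["ip"], m["user"])
        elif m := FROM_RE.search(line):
            sender[m["qid"]] = m["sender"]          # '' is the null sender, i.e. a bounce
        elif m := DELIVERY_RE.search(line):
            kind = classify(m["status"], m["relay"], m["detail"])
            outcomes[kind] += 1
            if kind in ("deferred", "bounced") and sender.get(m["qid"]) == "":
                backscatter.add(m["qid"])           # undeliverable bounce: backscatter
            if kind == "deferred" and "refused to talk to me" in m["detail"]:
                refusals += 1                       # remote MX rejecting our IP outright
    by_ip = Counter(ip for _, ip, _ in client.values())
    by_user = Counter(u for _, _, u in client.values() if u)
    unresolved_trusted = Counter(ip for host, ip, _ in client.values()
                                 if host == "unknown" and trusted(ip))
    # NAT signature: one trusted address with no reverse DNS carries most non-loopback traffic.
    external = Counter({ip: n for ip, n in by_ip.items() if not ip_address(ip).is_loopback})
    suspect = None
    if external:
        top, n = external.most_common(1)[0]
        if top in unresolved_trusted and n / sum(external.values()) >= 0.5:
            suspect = top
    return {"by_client_ip": by_ip, "by_sasl_user": by_user,
            "unresolved_trusted": unresolved_trusted, "outcomes": outcomes,
            "backscatter_qids": sorted(backscatter), "remote_refusals": refusals,
            "nat_gateway_suspect": suspect}


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("submissions by client IP:", dict(r["by_client_ip"]))
    print("submissions by SASL user:", dict(r["by_sasl_user"]))
    print("unresolvable clients inside mynetworks:", dict(r["unresolved_trusted"]))
    print("outcomes:", dict(r["outcomes"]))
    print("null-sender bounces stuck in the queue:", r["backscatter_qids"])
    print("remote MXs refusing our IP:", r["remote_refusals"])
    print("likely NAT gateway posing as a trusted client:", r["nat_gateway_suspect"])
```

    On a real box feed it /var/log/zimbra.log (or wherever postfix logs on that host); a compromised account shows up as one `sasl_username` with a submission count far above everyone else's, while the NAT problem shows up as the trusted-but-unresolvable gateway carrying nearly all inbound connections.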



  6. #6 (aldennis)

    Another thing: here is a copy of a spam message sent to an account from his own account.
    --------------------------------------------------------------------------------------
    Return-Path: rgalvan@aurotech.com
    Received: from mail.aurotech.com (LHLO mail.aurotech.com) (10.10.10.2) by
    mail.aurotech.com with LMTP; Mon, 19 Jul 2010 09:13:36 +0800 (PHT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.aurotech.com (Postfix) with ESMTP id 10918D2014;
    Mon, 19 Jul 2010 09:13:36 +0800 (PHT)
    X-Quarantine-ID: <ShRQYvxCA2c2>
    X-Virus-Scanned: amavisd-new at aurotech.com
    X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char AE hex):
    Subject: rgalvan@aurotech.com ****** \256 Official Site -18%
    Received: from mail.aurotech.com ([127.0.0.1])
    by localhost (mail.aurotech.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ShRQYvxCA2c2; Mon, 19 Jul 2010 09:13:23 +0800 (PHT)
    Received: from net98.78.95-230.chelny.ertelecom.ru (unknown [10.10.10.1])
    by mail.aurotech.com (Postfix) with SMTP id 0B138D2020
    for <rgalvan@aurotech.com>; Mon, 19 Jul 2010 09:13:21 +0800 (PHT)
    From: rgalvan@aurotech.com
    To: rgalvan@aurotech.com
    Subject: rgalvan@aurotech.com ****** ® Official Site -18%
    MIME-Version: 1.0
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit
    Message-Id: <20100719011322.0B138D2020@mail.aurotech.com>
    Date: Mon, 19 Jul 2010 09:13:21 +0800 (PHT)

    <!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
    </head>
    <body>
    <table border="0" cellpadding="0" cellspacing="0" style="width: 896px">
    <tr><td align="center" style="font: normal 11px Verdana, sans-serif; color: #333;"><a href="http://hvb.autdrug.ru?ewsd=rgalvan@aurotech.com" style="text-decoration: none; color: #0099ff;">Click here. </td></tr>
    <tr><td align="center">
    <br />
    <a href="http://gzn.autdrug.ru?zrjm=rgalvan@aurotech.com"><img alt="Dear rgalvan@aurotech.com" src="http://kms.autdrug.ru/m.gif" style="border-width: 0px" /></a></td></tr>
    </table>
    </body>
    </html>
    -------------------------------------------------------------------------------------

    ZCS seems unable to extract DNS info for the domain net98.78.95-230.chelny.ertelecom.ru from the DMZ gateway 10.10.10.1, since it indicates "unknown". I have set ZCS to reject_unknown_hostname via Admin GUI->Global Settings->MTA->DNS Checks. In my understanding a valid hostname should have valid MX and A records? Is that how Zimbra checks it, or am I wrong?

    Because it could be either that Zimbra was unable to perform DNS checks or that it doesn't do DNS checks on trusted IPs.

    Does mail which comes from the trusted IPs (127.0.0.0/8 and 10.10.10.0/29 in our case) never get scanned by SpamAssassin?

  7. #7 (aldennis)

    We're running our server now on the WAN and so far no spam has made its way to our users' Inbox. I have used iptables on the Zimbra server to close all ports other than the ports required by Zimbra, as seen in the Wiki.

    I still don't know if I can add another NIC to the Zimbra server and have its IP inside the DMZ. Does it have an effect on Zimbra if I use two NICs with different gateways?

  8. #8

    Here is our set up for reference:

    Code:
    Multiple WAN IPs -> Switch --> Firewall 1 (LAN) --> Workstations
                               --> Firewall 2 (DMZ) --> Zimbra with firewall on server also
    This puts a good firewall between you and the internet for both the LAN and DMZ. Then only open the ports you need for Firewall 2 and also on Zimbra. pfSense has worked for everything I've tried on it. And then figure out why your LAN machines are sending spam.

    If you only have one external IP address:
    Code:
    WAN IP --> Firewall 1 (WAN) --> Switch (DMZ) (Zimbra with firewall on server also) --> Firewall 2 (LAN) --> Workstations

  9. #9 (aldennis)

    Thanks for the inputs.
    I will use the DMZ for syncing with our standby Zimbra server.
