
Thread: Problem: server being used for sending spam

  1. #1

    Hello,
    First, sorry for my English; this is the first time that I participate in the forum.

    I have a serious problem with my mail server: it is being used for sending a large amount of spam. Everything has already been verified, you can be sure. What happens is that an external IP can somehow generate messages that are sent from localhost and sent to multiple recipients. But there is no authentication whatsoever; it is as if the server had been hacked, except that even rootkit tools do not detect anything.
    The server is a Debian with version 5 6.0.4_GA_2038.DEBIAN5 DEBIAN5 FOSS edition. Is there any bug that allows this?

    Thanks!

  2. #2
    phoenix is offline Zimbra Consultant & Moderator

    Quote Originally Posted by darlanart
    Hello,
    First, sorry for my English; this is the first time that I participate in the forum.

    I have a serious problem with my mail server: it is being used for sending a large amount of spam. Everything has already been verified, you can be sure. What happens is that an external IP can somehow generate messages that are sent from localhost and sent to multiple recipients. But there is no authentication whatsoever; it is as if the server had been hacked, except that even rootkit tools do not detect anything.
    The server is a Debian with version 5 6.0.4_GA_2038.DEBIAN5 DEBIAN5 FOSS edition. Is there any bug that allows this?

    Thanks!
    Have you verified that your server is not an open relay by using one of the internet test sites? When you've done that you need to post some information about what exactly is happening and some headers from a spam email. You might also want to search the forums for some other posts on this topic.
    Regards


    Bill



  3. #3

    Quote Originally Posted by phoenix
    Have you verified that your server is not an open relay by using one of the internet test sites? When you've done that you need to post some information about what exactly is happening and some headers from a spam email. You might also want to search the forums for some other posts on this topic.
    Thanks for your reply Bill.

    Yes, I tested for open relay, but that is not the problem. You can see the problem here:
    PSBL spamtrap mail for 201.22.249.72

  4. #4
    phoenix is offline Zimbra Consultant & Moderator

    Quote Originally Posted by darlanart
    Thanks for your reply Bill.

    Yes, I tested for open relay, but that is not the problem. You can see the problem here:
    PSBL spamtrap mail for 201.22.249.72
    Then you should check the log files (and check your daily admin mail report) to see if any of the accounts on your server are sending large numbers of email as you might have a compromised account. You could also take a look at some of these threads.
    Regards


    Bill



  5. #5

    Quote Originally Posted by phoenix
    Then you should check the log files (and check your daily admin mail report) to see if any of the accounts on your server are sending large numbers of email as you might have a compromised account. You could also take a look at some of these threads.
    Bill,

    The first of the senders is "Atendimento@bradesco.com.br", a user that does not exist on my server; my server does not belong to this domain, and in the logs everything appears as if localhost were sending.

  6. #6

    Any idea?

  7. #7

    Hi, a spammer has compromised the password of one of your accounts and is using SMTP AUTH to log in and then RELAY as many emails as they want.
    The actual address used to AUTH will not show up in the MAIL HEADER. You need to research the maillogs or zimbra.log to see what user is connecting a lot and other log information.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
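
Added example, not part of the thread: the log check suggested in the last reply, written as a Python script that pairs each Postfix smtpd line (client and `sasl_username`) with the qmgr line for the same queue ID and totals messages and recipients per submitter. The sample log lines, addresses and the 50-recipient threshold are constructed for illustration, and the sender comparison assumes logins are full e-mail addresses.

```python
import re
from collections import defaultdict
# Constructed sample in Postfix syslog format; hosts, users and IPs are made up.
SAMPLE_LOG = """\
Jul 12 10:00:01 mail postfix/smtpd[2101]: A1B2C3D401: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 12 10:00:01 mail postfix/qmgr[900]: A1B2C3D401: from=<atendimento@bank.example>, size=2048, nrcpt=40 (queue active)
Jul 12 10:00:03 mail postfix/smtpd[2101]: A1B2C3D402: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 12 10:00:03 mail postfix/qmgr[900]: A1B2C3D402: from=<suporte@bank.example>, size=2051, nrcpt=40 (queue active)
Jul 12 10:05:00 mail postfix/smtpd[2107]: A1B2C3D403: client=pc.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=user2@example.com
Jul 12 10:05:00 mail postfix/qmgr[900]: A1B2C3D403: from=<user2@example.com>, size=900, nrcpt=1 (queue active)
Jul 12 10:06:00 mail postfix/smtpd[2109]: A1B2C3D404: client=localhost[127.0.0.1]
Jul 12 10:06:00 mail postfix/qmgr[900]: A1B2C3D404: from=<user3@example.com>, size=700, nrcpt=2 (queue active)
"""

SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)"
                   r"(?:, sasl_method=\S+, sasl_username=(\S+))?")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def summarize(log_text):
    """Message/recipient totals and envelope senders per SASL login (or client)."""
    submitter = {}  # queue ID -> submitter key, taken from the smtpd line
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if m:
            qid, client, user = m.groups()
            submitter[qid] = user or "(no auth) " + client
            continue
        m = QMGR.search(line)
        # pop() so a message that is re-queued after a deferral is counted once
        key = submitter.pop(m.group(1), None) if m else None
        if key:
            s = stats[key]
            s["messages"] += 1
            s["recipients"] += int(m.group(3))
            s["senders"].add(m.group(2).lower())
    return dict(stats)

def suspects(stats, max_recipients=50):
    """Submitters over the threshold, or logins using a sender other than the login."""
    out = []
    for key, s in stats.items():
        forged = not key.startswith("(no auth)") and s["senders"] - {key.lower()}
        if s["recipients"] > max_recipients or forged:
            out.append(key)
    return sorted(out)

if __name__ == "__main__":
    print(suspects(summarize(SAMPLE_LOG)))
```
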
