Thread: Email Server Sending Spam

  1. #1
    Join Date
    Jan 2010
    Location
    Costa Rica
    Posts
    9
    Rep Power
    5

    Email Server Sending Spam

    Hi,
    My Zimbra mail server is spamming. I know because of the reports, from the daily reports.

    The thing is, it's an outside account of my domain, a Gmail account. I already modified zmmta.cf so it only accepts sending emails from my domain, but the spam continues to go out.

    I tried following the logs, zimbra.log, audit.log and mail.log, but I can't see which user account has been compromised.

    Could somebody point me in the right direction to determine which user account is being used to spam? Any help would be appreciated.

    regards.

  2. #2
    Join Date
    Dec 2006
    Location
    Minneapolis MN
    Posts
    777
    Rep Power
    10

    In your spam reports, are you being provided with a message-id header that you can search /var/log/zimbra.log for?
    01 Networks, LLC / Cybernetik.net
    Zimbra NE and OSS Cloud Hosting
    Shared Web Hosting
    Consulting Services

  3. #3
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    11

    Generally a compromised account's SMTP AUTH is used to relay email (unless your internal network is infected, which is in the trusted network).

    Run the following, which will spit out all the SMTP AUTH logins:
    tail -n 100000 /var/log/maillog | grep "sasl_username=" > /tmp/smtpauthlogins.txt
    A spammer's pattern will be lots of logins; you can easily see it repeating many times. That account or accounts is your problem.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
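
The grep above leaves the counting to the eye. As an added example (not part of any post in this thread), the function below tallies the same `sasl_username=` lines per account; the extra column of distinct client IPs and the sample log lines are additions constructed for illustration, assuming the standard Postfix smtpd line format.

```shell
#!/bin/sh
# Added example: per-account SMTP AUTH login counts from Postfix smtpd log lines.

# Reads the log on stdin (or from the files given as arguments) and prints
# "logins distinct_client_ips account", busiest account first.
count_sasl_logins() {
    awk '
    /sasl_username=/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sasl_username=/) {
                user = $i
                sub(/^sasl_username=/, "", user); sub(/,$/, "", user)
            } else if ($i ~ /^client=/) {
                ip = $i
                sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        if (user == "") next
        logins[user]++
        # Count each (account, client IP) pair once.
        if (ip != "" && !((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in logins) printf "%d %d %s\n", logins[u], ips[u], u }
    ' "$@" | sort -k1,1nr -k3,3
}

# Constructed sample lines in Postfix smtpd format (not taken from the thread).
sample_log() {
    cat <<'EOF'
Jan 12 22:00:01 mail postfix/smtpd[4101]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=jdoe@example.com
Jan 12 22:00:02 mail postfix/smtpd[4102]: 2B3C4D5E6F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe@example.com
Jan 12 22:00:05 mail postfix/smtpd[4103]: 3C4D5E6F70: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=asmith@example.com
Jan 12 22:00:06 mail postfix/smtpd[4101]: 4D5E6F7081: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=jdoe@example.com
Jan 12 22:00:07 mail postfix/smtpd[4104]: connect from unknown[203.0.113.45]
Jan 12 22:00:08 mail postfix/smtpd[4105]: 5E6F708192: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=jdoe@example.com
Jan 12 22:00:09 mail postfix/smtpd[4106]: 6F708192A3: client=office.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 22:00:10 mail postfix/smtpd[4106]: 708192A3B4: client=office.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
EOF
}

sample_log | count_sasl_logins
```

On a live server, feed it the same input as the command in the post, for example `tail -n 100000 /var/log/maillog | count_sasl_logins`. An account with many logins spread over several unrelated client IPs is the one to check first.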

  4. #4
    Join Date
    Jan 2010
    Location
    Costa Rica
    Posts
    9
    Rep Power
    5

    Hi,
    Thanks Raj and Krishopper, I was able to determine the compromised user account.

    I already implemented new rules about passwords and how often the user has to change them.

    Thanks a lot.

    regards.

  5. #5
    Join Date
    Feb 2008
    Posts
    54
    Rep Power
    7

    Unable to locate any entries per your post

    I do not have any entries for "sasl_username=" in mail.log

    I have the same issue with spamming. I can stop it from the queue, but our server continues to send 1,000s of emails every night around 10pm and 6am local time.
    Bill Rowland MCDST MCSA MCSE

  6. #6
    phoenix (Zimbra Consultant & Moderator)
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Originally posted by browland:
    I do not have any entries for "sasl_username=" in mail.log

    I have the same issue with spamming. I can stop it from the queue, but our server continues to send 1,000s of emails every night around 10pm and 6am local time.

    You can also look at the daily mail report and determine which account is sending the most mail. You should also consider implementing a more secure password policy.
    Regards


    Bill

