Results 1 to 6 of 6

Thread: Outgoing spam

  1. #1
    Join Date
    Mar 2010
    Rep Power

    Default Outgoing spam

    Hello all,

    I've got a few abuse reports recently and while checking those reports it seems that someone is using my Zimbra (7 open source) installation to spam the world.

    I can't figure out how to prevent this as from the report all I can see is a few addresses (not mine). Example (I've replace my up with myip and my domain with

    Return-Path: <>
    Received: from ( [myip])
    by (Spamtrap) with ESMTP
    for; Mon, 04 Apr 2011 08:25:17 +0200 (CEST)
    Received: from localhost (localhost [])
    by (Postfix) with ESMTP id AA8162103B73
    for <>; Sun, 3 Apr 2011 20:35:13 +0300 (EEST)
    X-Virus-Scanned: amavisd-new at
    Received: from ([])
    by localhost ( []) (amavisd-new, port 10024)
    with ESMTP id 9I4ky1axFAvx for <>;
    Sun, 3 Apr 2011 20:35:13 +0300 (EEST)
    Received: from Milkyway ( [])
    by (Postfix) with ESMTPA id 9AD2F20F6B82
    for <>; Sun, 3 Apr 2011 19:05:58 +0300 (EEST)
    From: "Frank P M" <>
    Subject: Sehr dringend
    MIME-Version: 1.0

    Any help is much appreciated.

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Vannes, France
    Rep Power


    Have you checked to see if you have a compromised account on the server?


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Mar 2010
    Rep Power


    The output doesn't show any account with large number


    Quote Originally Posted by phoenix View Post
    Have you checked to see if you have a compromised account on the server?

  4. #4
    Join Date
    Mar 2010
    Rep Power


    But if I run the same command and use a domain that has nothing to do with me (the spammed domain) then I'm getting:

    cat /var/log/zimbra.log | sed -n "s/.*from=<\(.*\)>.*/\1/p" | uniq -c

    125138 gfrankpm

    but there is no such a user (gfrankpm) into my db.

    How can I prevent this from sending spams?

    Thanks in advance

  5. #5
    Join Date
    Dec 2007
    Rep Power


    Have you found it yet?
    I have had a similar problem, and it turned out to be a compromised account - a user responded to a phishing email and gave out their password...
    have you looked at your daily mail report (auto-sent to admin@yourdomain every night)? It will show who's account is sending out the emails...

    If it simply shows the emails come from "localhost", it probably means that the emails are originating from your web-client. Many times the perpetrator will alter the "from" field, to make it harder for you to figure out which user's account it is...

    In my case, they had dorked with the signature, so it was easy to confirm that I had found the account...

  6. #6
    Join Date
    Nov 2008
    Rep Power


    but then, what will you do to the account, is it simply close the account?

    Actually i have similar case "western union" spam currently infecting one of email account, so i would like to block any western union subject from that account to be sent to do that ??
    Last edited by Saaidi; 06-25-2011 at 07:38 AM.
    A man under a table ....

Similar Threads

  1. Help mail server broadcast spam
    By sh1n_b3 in forum Administrators
    Replies: 0
    Last Post: 01-19-2011, 06:44 PM
  2. [SOLVED] Outgoing spam scanning. AWL giving high numbers
    By sleepkreep in forum Administrators
    Replies: 4
    Last Post: 03-11-2008, 10:13 AM
  3. Outgoing messages marked as spam
    By jimramsey in forum Administrators
    Replies: 5
    Last Post: 01-10-2008, 02:18 PM
  4. Training spam and ham
    By Justin in forum Developers
    Replies: 2
    Last Post: 10-31-2006, 02:39 PM
  5. outgoing spam marking??
    By zagman76 in forum Administrators
    Replies: 0
    Last Post: 10-26-2006, 02:43 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts