
Thread: My Mailserver is spamming.

  1. #1
    My Mailserver is spamming.

    Hello Friends,

    Can someone help me figure out a way to stop emails going from php scripts.

    All emails which are triggered from local machine need to be stopped urgently since there seems to be some kind of a script which is being triggered either through php or pl which starts sending about 10000 emails an hour.

    I need to first block emails from

    localhost.localdomain so that we can keep our mail server working and just allow users created from zimbra to send emails.

    Please help.

  2. #2
    Need Help... Anyone listening?

    Quote Originally Posted by amolchawathe
    Hello Friends,

    Can someone help me figure out a way to stop emails going from php scripts.

    All emails which are triggered from local machine need to be stopped urgently since there seems to be some kind of a script which is being triggered either through php or pl which starts sending about 10000 emails an hour.

    I need to first block emails from

    localhost.localdomain so that we can keep our mail server working and just allow users created from zimbra to send emails.

    Please help.
    Please can someone help

  3. #3

    I'm not sure what you want to achieve and why you can't stop your local server (localhost) from sending emails.

    Some solutions:
    1. Log in to the Admin console; in the MTA config there should be one setting for Local network IP addresses. Remove the local IPs (not only 127.0.0.1, because you don't know whether the script is using 127.0.0.1 or another local IP on the machine). Doing that means that the script should not be able to send emails without authentication. Bear in mind that it might affect other ZCS functionality.
    2. Use local firewall to block SMTP port 25 (which I believe is used by the script). You should block it for all connections coming from 127.0.0.1 and other local IPs (because you don't know which IP is used by the script).

    Hope it helps.

    Cheers,
    first

  4. #4

    I'd first require all users to authenticate via SMTP for sending, so you will have control over who sends how much (daily report sent to admin@yourzimbraserver).

  5. #5

    Probably a virus/bot sending massive amounts of email.

    use:

    watch --interval=1 "tail -n1000 /var/log/auth.log | grep 'auth_zimbra:'"

    to see which account is compromised
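Building on the log-watching idea above, here is an added example (not from this thread and not Zimbra's own tooling) that parses constructed postfix smtpd "client=" lines of the kind found in the mail log and flags two patterns: an unauthenticated burst from the loopback address (the local script from the first post) and one SASL account submitting from many client addresses (a compromised account). The sample lines and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in postfix smtpd's "client=" format (not from the thread).
# A local script injecting via loopback shows as client=localhost[127.0.0.1] with no
# sasl_username; a compromised account shows as one sasl_username used from many IPs.
SAMPLE_LOG = """\
Aug 10 09:00:01 mail postfix/smtpd[4242]: 1A2B3C: client=localhost[127.0.0.1]
Aug 10 09:00:01 mail postfix/smtpd[4242]: 1A2B3D: client=localhost[127.0.0.1]
Aug 10 09:00:02 mail postfix/smtpd[4242]: 1A2B3E: client=localhost[127.0.0.1]
Aug 10 09:00:02 mail postfix/smtpd[4243]: 1A2B3F: client=pc7.lan[192.0.2.7], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 10 09:00:03 mail postfix/smtpd[4243]: 1A2B40: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Aug 10 09:00:03 mail postfix/smtpd[4243]: 1A2B41: client=unknown[198.51.100.10], sasl_method=LOGIN, sasl_username=bob@example.com
Aug 10 09:00:04 mail postfix/smtpd[4243]: 1A2B42: client=unknown[198.51.100.11], sasl_method=LOGIN, sasl_username=bob@example.com
"""

LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+?\[(?P<ip>[^\]]+)\]"
    r"(?:.*sasl_username=(?P<user>\S+))?"
)

def summarize(log_text):
    """Count smtpd 'client=' lines per client IP and per SASL user, and record
    the set of client IPs each user submitted from."""
    per_ip, per_user, ips_per_user = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        per_ip[m["ip"]] += 1
        if m["user"]:
            per_user[m["user"]] += 1
            ips_per_user.setdefault(m["user"], set()).add(m["ip"])
    return per_ip, per_user, ips_per_user

def suspects(log_text, max_msgs=2, max_ips=2):
    """Flag loopback submissions above max_msgs (a local script, as in the thread)
    and SASL accounts above max_msgs or seen from more than max_ips addresses.
    Thresholds are assumptions; tune them per hour against your normal volume."""
    per_ip, per_user, ips_per_user = summarize(log_text)
    flagged = [("local-script", ip, n) for ip, n in per_ip.items()
               if ip.startswith("127.") and n > max_msgs]
    flagged += [("account", user, n) for user, n in per_user.items()
                if n > max_msgs or len(ips_per_user[user]) > max_ips]
    return flagged

if __name__ == "__main__":
    for kind, who, n in suspects(SAMPLE_LOG):
        print(f"{kind}: {who} ({n} messages)")
```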

  6. #6

    Can someone help me to stop local.domail from sending spam.

  7. #7
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by wndege
    Can someone help me to stop local.domail from sending spam.
    Not really, you haven't given any information or examples of your problem. A default installation of Zimbra does not send spam and is not an open relay - you need to describe exactly what your problem is.
    Regards,
    Bill

  8. #8
    Mail Server Spamming

    My mail server is sending out over 10000 mails using IP address 127.0.0.1. Is there a way that any mail coming from 127.0.0.1 can be dropped automatically?

    Regards,
    Walter

  9. #9
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by wndege
    My mail server is sending out over 10000 mails using IP address 127.0.0.1. Is there a way that any mail coming from 127.0.0.1 can be dropped automatically?
    That's not really much of a description nor any evidence. If, however, there really is spam being sent from your server then you either have a compromised mail account or a user on your LAN has an infected machine. Search the forums for further details of those two problems or start here: site:zimbra.com +"compromised account" - Yahoo! Search Results
    Regards,
    Bill

  10. #10

    ZCS's default MTA (postfix) is an OpenRelay server.

    Telnet from outside the network:

    Half OpenRelay sample:
    TELNET myzimbrahost.foo.bar 25
    EHLO helo.com
    MAIL FROM:<user@mydomain.foo.bar>
    RCPT TO:<user2@mydomain.foo.bar>
    DATA.

    FullOpenRelay sample - default zimbra config.
    TELNET myzimbrahost.foo.bar 25
    EHLO helo.com
    MAIL FROM:<user@notmydomain.foo.bar>
    RCPT TO:<user2@notmydomain2foo.bar>
    DATA.

    FullOpenRelay sample - default zimbra config.
    TELNET myzimbrahost.foo.bar 25
    EHLO helo.com
    MAIL FROM:<user@notmydomain.foo.bar>
    RCPT TO:<user@mydomain.foo.bar>
    DATA.

    Solution:

    Modify (as the zimbra user) the postconf -e restrictions (e.g. sender, recipient, helo and data) and the zmprov mc default postfix restriction parameters. See also /opt/zimbra/postfix/conf/master.cf.in

    Default postfix restrictions (sample):
    smtpd_client_restrictions = permit_sasl_authenticated, permit
    smtpd_data_restrictions =
    smtpd_end_of_data_restrictions =
    smtpd_etrn_restrictions =
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access dbm:/opt/csw/etc/postfix/sender_checks_my, reject_non_fqdn_sender, reject_unknown_recipient_domain, permit
    smtpd_restriction_classes =
    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unverified_sender, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address, reject_sender_login_mismatch, reject_unauth_pipelining, reject_rbl_client sbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org=127.0.0.2, reject_rbl_client xbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org=127.0.0.4, reject_rbl_client xbl.spamhaus.org=127.0.0.5, reject_rbl_client xbl.spamhaus.org=127.0.0.6, reject_rbl_client pbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org=127.0.0.10, reject_rbl_client pbl.spamhaus.org=127.0.0.11, reject_rbl_client zen.spamhaus.org, reject_rbl_client zen.spamhaus.org=127.0.0.2, reject_rbl_client zen.spamhaus.org=127.0.0.4, reject_rbl_client zen.spamhaus.org=127.0.0.5, reject_rbl_client zen.spamhaus.org=127.0.0.6, reject_rbl_client zen.spamhaus.org=127.0.0.7, reject_rbl_client zen.spamhaus.org=127.0.0.8, reject_rbl_client zen.spamhaus.org=127.0.0.10, reject_rbl_client zen.spamhaus.org=127.0.0.11, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dnsbl.sorbs.net=127.0.0.2, permit

    RBL is too restrictive.
    Last edited by soba@ukw.edu.pl; 08-10-2011 at 09:40 AM.
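The restriction lists in this post, and the trusted-network change suggested in post #3, can be reasoned about with a small model of how postfix walks a restriction list. This is an added example, not code from the thread or from Zimbra: the trusted networks, the outside client address and the third session are constructed, and only the restrictions named in the post's sample are modelled (access maps and DNS checks simply fall through).

```python
from ipaddress import ip_address, ip_network

# Constructed: a trusted-network list that still contains the loopback range (the
# situation at the start of the thread), and the local domain from the post's sessions.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
LOCAL_DOMAINS = {"mydomain.foo.bar"}

# Recipient-restriction lists to compare: a weak one, and the one from the post above.
WEAK = ["permit_mynetworks", "permit"]
SAMPLE = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
          "check_sender_access", "reject_non_fqdn_sender",
          "reject_unknown_recipient_domain", "permit"]

def evaluate(restrictions, client_ip, sasl_authenticated, rcpt, mynetworks=MYNETWORKS):
    """Walk a restriction list the way postfix does: the first PERMIT or REJECT decides,
    and reaching the end of the list permits. Restrictions this model does not know
    (access maps, DNS-based checks) give no decision and fall through."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    ip = ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks" and any(ip in ip_network(n) for n in mynetworks):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT", r
        if r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT", r
        if r == "permit":
            return "PERMIT", r
    return "PERMIT", "end-of-list"

# The post's sessions (outside client, no SASL auth) plus the thread's original problem:
# an unauthenticated local script submitting through the loopback address.
SESSIONS = {
    "external -> local recipient":   ("203.0.113.5", False, "user2@mydomain.foo.bar"),
    "external -> foreign recipient": ("203.0.113.5", False, "user2@notmydomain2foo.bar"),
    "loopback -> foreign recipient": ("127.0.0.1",   False, "someone@notmydomain.foo.bar"),
}

def relay_report(restrictions, mynetworks=MYNETWORKS):
    """Decision and deciding restriction for every session under one restriction list."""
    return {name: evaluate(restrictions, *args, mynetworks=mynetworks)
            for name, args in SESSIONS.items()}

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("sample", SAMPLE)):
        print(label, relay_report(rules))
    # Post #3's suggestion: drop the loopback range from the trusted networks, so the
    # local script is no longer waved through by permit_mynetworks.
    print("sample, no loopback", relay_report(SAMPLE, mynetworks=["192.0.2.0/24"]))
```

Accepting a message addressed to a local domain from an outside client is ordinary inbound delivery rather than relaying, so only the foreign-recipient sessions test for relay; and while the loopback range sits in the trusted networks, the local script is permitted by either list until that entry is removed or the script is forced to authenticate.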
