
Thread: Zimbra server sends out spam messages


  #1

    Hi Zimbra lovers,

    I have an odd problem which started some while ago. My domain has around 1300 e-mail users but few of them are online concurrently.

    I often check /var/log/maillog for abnormal e-mail activity. Yesterday I noticed that the maillog file had 2 million lines, which is too many for a rather small number of active e-mail users. Also there was too much smtp activity on the server, which is not normal. I found more than 1500 e-mails in the deferred queue, meaning spam messages were being sent from the e-mail server. Spam messages were being sent from a valid user to a dictionary list of e-mails, as shown in the log below. The log shows that the smtp connection originated from localhost.

    --- Does it mean that the server is compromised? The user had a weak password, but still I know that the user has no local shell access.

    --- Why doesn't Zimbra bypass local mail spam check? I tested sending e-mail to my yahoo account and saw that the mail bypasses the spam check.

    --- Does "relay=127.0.0.1[127.0.0.1]:10024" mean that the e-mail is sent locally?

    Also the log shows the mail flow from [127.0.0.1]:10025 to [127.0.0.1]:10024, which I think is forwarded to amavisd but not spam checked???

    How do you think I can stop further spam mania problems?


    Thanks for your help.


    #su - zimbra -c "zmcontrol -v"
    Release 6.0.7_GA_2473.F11_64_20100616200802 F11_64 FOSS edition.


    /var/log/maillog:

    Sep 19 07:11:47 host postfix/smtpd[21828]: CF2AD2C2006: client=localhost[127.0.0.1]
    Sep 19 07:11:48 host postfix/smtpd[21832]: connect from localhost[127.0.0.1]
    Sep 19 07:11:48 host postfix/cleanup[21831]: CF2AD2C2006: message-id=<2008561551.2.1316405500902.JavaMail.root@host.mydomain.org>

    Sep 19 07:11:48 host postfix/qmgr[11782]: CF2AD2C2006: from=<validuser@mydomain.org>, size=1339, nrcpt=50 (queue active)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_cowboy63@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_de_la_muerte@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_heaven@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_klaha_@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_lidia@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_loose_e@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_lou_albert@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_love18@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_lover_fj@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifergodoy@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
    Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_heaven@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.2, delays=0.74/1.1/0.9/0.43, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
    Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_lover_fj@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.3, delays=0.74/1.1/0.9/0.55, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
    Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_lutxi@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.3, delays=0.74/1.1/0.9/0.59, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
    Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_orhun@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.4, delays=0.74/1.1/0.9/0.62, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
    Sep 19 07:11:51 host postfix/smtp[21850]: 86ADD2C2004: to=<lucierodoz@hotmail.com>, relay=mx4.hotmail.com[65.55.92.184]:25, delay=3.7, delays=2.1/0.62/0.63/0.37, dsn=5.0.0, status=bounced (host mx4.hotmail.com[65.55.92.184] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))


    /opt/zimbra/conf/salocal.cf:

    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    ###########################################################################
    #
    # rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock

    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5

    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5

    trusted_networks 127.0.0.0/8 10.0.0.0/24 192.168.1.0/24
    lock_method flock

    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

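    The triage the original poster did by eye (counting lines, spotting nrcpt=50 fan-out and 550 bounces from one sender) can be scripted. The following Python is an added example, not code from the thread or from Zimbra: it correlates Postfix log lines by queue ID, rolls them up per envelope sender, and flags senders with a large recipient fan-out or a high bounce rate. It goes a step beyond the post in one respect: because Zimbra hands every message to amavisd on 127.0.0.1:10024 and re-accepts it on 127.0.0.1:10025, each message appears under two queue IDs; the "queued as <id>" text on the hand-off line links them, so the example counts each message once and attributes the submitting client= value from the pre-filter ID. The SAMPLE_MAILLOG lines are constructed to match the shape of the excerpt above; the thresholds in flag_suspicious are arbitrary starting points.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample (not the real log): one 50-recipient message from validuser that
# mostly bounces at hotmail, plus one ordinary single-recipient message from bob.
SAMPLE_MAILLOG = """\
Sep 19 07:11:40 host postfix/smtpd[21810]: 1330C2C2002: client=localhost[127.0.0.1]
Sep 19 07:11:40 host postfix/qmgr[11782]: 1330C2C2002: from=<validuser@mydomain.org>, size=1290, nrcpt=50 (queue active)
Sep 19 07:11:47 host postfix/smtpd[21828]: CF2AD2C2006: client=localhost[127.0.0.1]
Sep 19 07:11:48 host postfix/qmgr[11782]: CF2AD2C2006: from=<validuser@mydomain.org>, size=1339, nrcpt=50 (queue active)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_heaven@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_heaven@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.2, delays=0.74/1.1/0.9/0.43, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_lover_fj@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.3, delays=0.74/1.1/0.9/0.55, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 mailbox unavailable)
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_lutxi@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.3, delays=0.74/1.1/0.9/0.59, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 mailbox unavailable)
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_orhun@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.4, delays=0.74/1.1/0.9/0.62, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 mailbox unavailable)
Sep 19 07:11:52 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_real@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.5, delays=0.74/1.1/0.9/0.70, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Sep 19 07:12:03 host postfix/smtpd[21900]: 11AAB2C2010: client=localhost[127.0.0.1]
Sep 19 07:12:03 host postfix/qmgr[11782]: 11AAB2C2010: from=<bob@mydomain.org>, size=2100, nrcpt=1 (queue active)
Sep 19 07:12:05 host postfix/smtp[21901]: 11AAB2C2010: to=<carol@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=1.1, delays=0.2/0.1/0.4/0.4, dsn=2.0.0, status=sent (250 ok)
"""

# The Postfix log shapes that matter for outbound-abuse triage.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
# Hand-off to amavisd on :10024; "queued as" names the post-filter queue ID of the same message.
HANDOFF_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<[^>]+>, relay=127\.0\.0\.1\[127\.0\.0\.1\]:10024,.*queued as ([0-9A-F]+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<[^>]+>, relay=\S+,.*status=(\w+)")


@dataclass
class SenderStats:
    messages: int = 0
    recipients: int = 0      # sum of nrcpt over the sender's messages
    sent: int = 0
    bounced: int = 0
    deferred: int = 0
    clients: set = field(default_factory=set)   # submitting client= values seen


def parse_maillog(text):
    """Correlate lines by queue ID and roll them up per envelope sender."""
    client_by_qid, sender_by_qid, nrcpt_by_qid = {}, {}, {}
    final_to_pre = {}   # post-filter queue ID -> pre-filter queue ID
    deliveries = []     # (queue ID, status) for remote deliveries only
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            client_by_qid[m.group(1)] = m.group(2)
        elif m := QMGR_RE.search(line):
            sender_by_qid[m.group(1)] = m.group(2) or "<>"
            nrcpt_by_qid[m.group(1)] = int(m.group(3))
        elif m := HANDOFF_RE.search(line):
            final_to_pre[m.group(2)] = m.group(1)
        elif m := SMTP_RE.search(line):
            deliveries.append((m.group(1), m.group(2)))
    prefilter = set(final_to_pre.values())
    stats = defaultdict(SenderStats)
    for qid, sender in sender_by_qid.items():
        if qid in prefilter:
            continue   # same message is counted once, under its post-filter ID
        s = stats[sender]
        s.messages += 1
        s.recipients += nrcpt_by_qid[qid]
        # The submitting client is logged on the pre-filter ID; the post-filter
        # ID always shows amavisd re-injecting from localhost.
        origin = final_to_pre.get(qid, qid)
        s.clients.add(client_by_qid.get(origin, "unknown"))
    for qid, status in deliveries:
        sender = sender_by_qid.get(qid)
        if sender is None:
            continue
        s = stats[sender]
        if status == "sent":
            s.sent += 1
        elif status == "bounced":
            s.bounced += 1
        elif status == "deferred":
            s.deferred += 1
    return dict(stats)


def flag_suspicious(stats, max_recipients=100, min_bounce_ratio=0.5, min_deliveries=5):
    """Return [(sender, reasons)] for senders whose fan-out or bounce rate looks like a dictionary run."""
    flagged = []
    for sender, s in sorted(stats.items()):
        reasons = []
        if s.recipients >= max_recipients:
            reasons.append(f"{s.recipients} recipients in {s.messages} message(s)")
        attempts = s.sent + s.bounced
        if attempts >= min_deliveries and s.bounced / attempts >= min_bounce_ratio:
            reasons.append(f"{s.bounced}/{attempts} remote deliveries bounced")
        if reasons:
            flagged.append((sender, reasons))
    return flagged


if __name__ == "__main__":
    for sender, reasons in flag_suspicious(parse_maillog(SAMPLE_MAILLOG)):
        print(sender, "->", "; ".join(reasons))
```

    Run it against a real maillog by passing the file contents to parse_maillog; a sender that shows up with hundreds of recipients and a majority of 550 bounces is the account to lock and re-credential first. Note that for webmail submissions the client= value is localhost, which is why the poster could not see the real client IP in maillog and had to turn to Zimbra's audit.log.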
  #2

    Hi all,

    It turned out a weak password was the reason for the spam messages. Although /var/log/maillog does not give any info about the client IP, Zimbra's audit.log gives detailed info about the smtp connection. And rootkit checks returned clean.

    But still I can't find a way to spam check 'trusted' networks.
