
Thread: Flood of bounce-backs - possible relay/virus problem - need help!

  1. #1
    Join Date
    Dec 2005
    Posts
    25
    Rep Power
    10

    Flood of bounce-backs - possible relay/virus problem - need help!

    Hi all. Thanks in advance for any advice...

    I set up an account on my server to act as a catch-all account. Over the last 3 days, this account has been bombarded with over 2000 bounce-backs each day. They are all coming from random domains at a rate of about 1 every 8 minutes. When I checked my zimbra daily mail report, it says the most active sender on my server is postmaster, with 2113 sends yesterday!

    Do I have some sort of virus? Or have I left my server open as a relay allowing this activity?

    I'm not sure which log files or config settings to share to help diagnose this. Any help would be greatly appreciated.

    Thanks as always!

  2. #2
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    No, Zimbra is not an open relay. You can test it with some of the open-relay test sites - search Google for some.

    Bounced email is just a method of getting spam into your machine. If you have a catch-all account for catching the spam (not a wise choice), then why don't you just set up a filter to delete it? Catch-all accounts are a spammer's dream for this very reason.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Dec 2005
    Posts
    25
    Rep Power
    10


    What about the fact that my daily Zimbra mail report (delivered to admin) shows that the "postmaster" -- who doesn't even have an "account" -- has sent over 2000 messages? It doesn't appear to be random spam delivered to a catch-all account.

    BTW -- all the incoming bounce-backs are directly to a single email address (which is being caught by the catch-all).

  4. #4
    dijichi2, OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12


    Two possibilities here:

    1) Your postmaster account is open for relaying somehow - possibly by a web form or an incorrect Postfix setup. Check your /var/log/zimbra.log for masses of outbound mail. Zimbra used to allow relaying from the class C - I'm not sure if this was tightened up; if not, then it is open as a relay to anyone else on your subnet.

    2) Someone has chosen your postmaster email as a 'From:' email address in a spam run. This could be sent out from anywhere, most likely a distributed botnet. Backscatter is then delivering the bounces to your postmaster account. The send counter for the postmaster account might be high if the Zimbra scripts that crunch the mail logs count this as 'sent' by postmaster, even if it's not physically from your server.
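    One way to tell the two cases apart from the Postfix entries in /var/log/zimbra.log, as an added example that is not part of this thread: it assumes the standard Postfix log format, that local delivery appears as postfix/lmtp (Zimbra's LMTP delivery on port 7025) and outbound mail as postfix/smtp, and runs over constructed sample lines rather than the poster's real log.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's log format; not taken from the thread.
# AAA111/BBB222 are inbound bounces (null or MAILER-DAEMON sender) delivered
# locally via LMTP; CCC333 is real outbound mail with a local postmaster sender.
SAMPLE_LOG = """\
Jan  5 10:00:01 mail postfix/qmgr[1234]: AAA111: from=<>, size=2345, nrcpt=1 (queue active)
Jan  5 10:00:02 mail postfix/lmtp[1240]: AAA111: to=<catchall@example.com>, orig_to=<zzq@example.com>, relay=mail.example.com[127.0.0.1]:7025, dsn=2.0.0, status=sent (250 OK)
Jan  5 10:08:01 mail postfix/qmgr[1234]: BBB222: from=<MAILER-DAEMON@remote.example.net>, size=4000, nrcpt=1 (queue active)
Jan  5 10:08:02 mail postfix/lmtp[1240]: BBB222: to=<catchall@example.com>, orig_to=<zzq@example.com>, relay=mail.example.com[127.0.0.1]:7025, dsn=2.0.0, status=sent (250 OK)
Jan  5 10:09:00 mail postfix/qmgr[1234]: CCC333: from=<postmaster@example.com>, size=900, nrcpt=1 (queue active)
Jan  5 10:09:01 mail postfix/smtp[1250]: CCC333: to=<someone@other.example.org>, relay=mx.other.example.org[203.0.113.5]:25, dsn=2.0.0, status=sent (250 OK)
"""

FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/(?P<agent>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>"
                   r"(?:, orig_to=<(?P<orig>[^>]*)>)?")

def is_bounce_sender(sender):
    """Null sender (RFC bounce) or a MAILER-DAEMON/postmaster local part marks a DSN."""
    local = sender.split("@")[0].lower()
    return sender == "" or local in ("mailer-daemon", "postmaster")

def classify(log_text, local_domain):
    """Split deliveries into inbound bounces (backscatter, keyed by the original
    recipient) and outbound mail sent with a sender in local_domain."""
    senders = {}
    for line in log_text.splitlines():          # pass 1: queue id -> envelope sender
        m = FROM_RE.search(line)
        if m:
            senders[m.group("qid")] = m.group("sender")
    inbound_bounces, outbound_local = Counter(), Counter()
    for line in log_text.splitlines():          # pass 2: deliveries
        m = TO_RE.search(line)
        if not m:
            continue
        sender = senders.get(m.group("qid"), "")
        # lmtp = delivery into a local Zimbra mailbox, smtp = mail leaving this server
        if m.group("agent") == "lmtp" and is_bounce_sender(sender):
            inbound_bounces[m.group("orig") or m.group("rcpt")] += 1
        elif m.group("agent") == "smtp" and sender.endswith("@" + local_domain):
            outbound_local[sender] += 1
    return inbound_bounces, outbound_local

if __name__ == "__main__":
    bounces, outbound = classify(SAMPLE_LOG, "example.com")
    print("inbound bounces by original recipient:", dict(bounces))
    print("outbound mail by local sender:", dict(outbound))
```

    A large inbound-bounce count concentrated on one original recipient with almost no postfix/smtp deliveries from postmaster is the backscatter picture (possibility 2); a steady stream of postfix/smtp deliveries carrying a local postmaster sender is what relaying (possibility 1) would look like.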

  5. #5
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Take my word for it, it's spam. The fact that postmaster doesn't have an account means nothing. Who are the bounce messages sent to? Is postmaster in those headers? It doesn't really matter who they're addressed to, they're still spam. This isn't an open relay and you don't have a virus. It's SPAM. If you want a complete explanation then do a Google search.

    The fact you have that many messages in the catch-all account is the very reason you shouldn't have one; spammers love them. What you should be doing with messages that arrive for a non-existent address is bouncing them or losing them (losing them being the better of the two). If you just bounce them you are contributing to the mail problem.
    Regards


    Bill

  6. #6
    Join Date
    Dec 2005
    Posts
    25
    Rep Power
    10


    Thanks for the explanations. I appreciate the help and really want to correct this problem the right way.

    It was almost a year ago that I set up the catch-all using a Zimbra command-line function. As far as I can tell, I can't correct this via the admin interface. How do I:

    a) remove the catch-all?
    b) "lose" the messages not addressed to a known account?

  7. #7
    Join Date
    Dec 2005
    Posts
    25
    Rep Power
    10


    Also -- I accidentally deleted my /var/log/zimbra.log file. Don't ask how -- it was late last night. I expected the file to be recreated when I restarted the Zimbra server. No luck there. How do I recreate that file?
