
Thread: People spamming via my zimbra server


  1. #1
    Join Date
    Oct 2008
    Posts
    11
    Rep Power
    7

    People spamming via my zimbra server

    I am having so much spam going through my server I cannot keep up with deblacklisting.

    I don't understand how this is happening. I have access restricted to sending email via registered account logins and not MTA trusted networks.

    Here is the most recent spam sent via my zimbra server today:

    Jan 8 04:22:11 newmail postfix/qmgr[29990]: 98E4E1120431: from=<office@massory.lv>, size=2474, nrcpt=3 (queue active)
    Jan 8 06:49:01 newmail postfix/qmgr[29990]: 0C96011204D8: from=<office@massory.lv>, size=1818, nrcpt=3 (queue active)

    Jan 8 06:49:01 newmail amavis[8211]: (08211-16) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20120108T060644-08211: <office@massory.lv> -> <sgtkmitth@aol.com>,<serviicess@live.com>,<fiasalgill@yahoo.com> SIZE=1818

    Received: from mail.edited.com ([127.0.0.1]) by localhost (mail.edited.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Sun, 8 Jan 2012 06:49:01 -0500 (EST)
    Jan 8 06:49:01 newmail amavis[8211]: (08211-16) Checking: weSXnkG5+Lwk [38.99.171.107] <office@massory.lv> -> <edited@aol.com>,<edited@live.com>,<edited@yahoo.com>

    Jan 8 06:49:06 newmail amavis[8211]: (08211-16) FWD via SMTP: <office@massory.lv> -> <edited@aol.com>,<edited@live.com>,<edited@yahoo.com>,BODY=7BIT 250 2.6.0 Ok, id=08211-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4B3F411204D9

    Does anyone know what is happening here? I have to stop it, and I do not have this issue with my non-Zimbra servers.

    Thanks
    John

  2. #2
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    11


    Looks like one or more of your account passwords is compromised and someone is relaying SPAM using SMTP-AUTH, so you need to find out which account(s).
    Most of the time the SPAMMER logs in as many times as possible, so you will see lots of login attempts.
    Run the following and see which account repeats itself a lot.. chances are that is the account.. all you need to do is change its password to something strong.

    tail -n 100000 /var/log/maillog | grep "sasl_username=" > /tmp/smtpauthlogins.txt
    If you want to find out in older maillog.gz files then you can use zgrep.
    * The /tmp/smtpauthlogins.txt file will have your output.


    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  3. #3
    Join Date
    Oct 2008
    Posts
    11
    Rep Power
    7


    Quote Originally Posted by raj View Post
    Looks like one or more of your account passwords is compromised and someone is relaying SPAM using SMTP-AUTH, so you need to find out which account(s).
    Most of the time the SPAMMER logs in as many times as possible, so you will see lots of login attempts.
    Run the following and see which account repeats itself a lot.. chances are that is the account.. all you need to do is change its password to something strong.


    If you want to find out in older maillog.gz files then you can use zgrep.
    * The /tmp/smtpauthlogins.txt file will have your output.


    Raj
    If the account was authenticated prior to sending, why wouldn't Zimbra log the account that sent the messages? Why would you have to guess based on login attempts? If they have the login userids and passwords, there wouldn't be that many attempts.

  4. #4
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    11


    Quote Originally Posted by jbuwa View Post
    If the account was authenticated prior to sending, why wouldn't Zimbra log the account?
    It does.. those are the lines my command will extract for you.
    PS: once the SPAMMER is authenticated they can use ANY "FROM" address to send email.. those are the lines you mentioned in your original post.
    You need to FIND the actual SMTP-AUTH user using my command.

    Why would you have to guess based on login attempts?
    Not guessing.. once you see a HUGE list of logins.. you will KNOW.

    If they have the login userids and passwords, there wouldn't be that many attempts.
    YES there will be. These are not the "failed" logins.. these will be real successful logins which they are using to RELAY email.. once they have access they will try to log in AS MANY times as possible till you stop them.
    PS: generally they use many logins because they send emails out in bursts of 10-12 mails.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
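An added example (not from any post in this thread) of what Raj's grep looks like once it is aggregated: it counts successful SMTP-AUTH logins per sasl_username and, using the Postfix queue ID shared by the smtpd and qmgr lines, shows which authenticated account injected which envelope sender, which is how a compromised account that sends as an arbitrary "FROM" stands out. The log lines, host name, queue IDs, accounts and 203.0.113.x / 198.51.100.x addresses are constructed placeholders; on a real system pipe /var/log/maillog (or zgrep of the rotated .gz files) into the functions instead.

```shell
#!/bin/sh
# Constructed sample of Postfix/Zimbra maillog lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Jan  8 04:22:10 newmail postfix/smtpd[29001]: 98E4E1120431: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=bob@example.com
Jan  8 04:22:11 newmail postfix/qmgr[29990]: 98E4E1120431: from=<office@spoofed.example>, size=2474, nrcpt=3 (queue active)
Jan  8 05:10:00 newmail postfix/smtpd[29002]: 11A2B3C4D5E6: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jan  8 05:10:01 newmail postfix/qmgr[29990]: 11A2B3C4D5E6: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Jan  8 06:48:59 newmail postfix/smtpd[29003]: 0C96011204D8: client=unknown[203.0.113.11], sasl_method=LOGIN, sasl_username=bob@example.com
Jan  8 06:49:01 newmail postfix/qmgr[29990]: 0C96011204D8: from=<office@spoofed.example>, size=1818, nrcpt=3 (queue active)
Jan  8 06:50:20 newmail postfix/smtpd[29004]: 7F7E6D5C4B3A: client=unknown[203.0.113.12], sasl_method=LOGIN, sasl_username=bob@example.com
Jan  8 06:50:21 newmail postfix/qmgr[29990]: 7F7E6D5C4B3A: from=<office@spoofed.example>, size=1900, nrcpt=3 (queue active)
EOF
)

# Raj's grep, aggregated: successful SMTP-AUTH logins per account, busiest first.
# Reads maillog lines on stdin.
count_sasl_logins() {
    grep -o 'sasl_username=[^ ,]*' | sed 's/^sasl_username=//' | sort | uniq -c | sort -rn
}

# Join each smtpd auth line to its qmgr line on the queue ID (field 6, minus the
# trailing colon) and print "<sasl_username> <envelope sender>" per message.
auth_user_vs_sender() {
    awk '
      /sasl_username=/ { qid=$6; sub(/:$/, "", qid); u=$0; sub(/.*sasl_username=/, "", u); user[qid]=u }
      /from=</ { qid=$6; sub(/:$/, "", qid)
                 if (qid in user) { s=$0; sub(/.*from=</, "", s); sub(/>.*/, "", s); print user[qid] " " s } }
    '
}

# Accounts that authenticated but sent mail as somebody else: the ones whose
# password needs changing first.
suspicious_accounts() {
    auth_user_vs_sender | awk '$1 != $2 { print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | count_sasl_logins
printf '%s\n' "$SAMPLE_LOG" | suspicious_accounts
```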

  5. #5
    Join Date
    Jul 2012
    Posts
    1
    Rep Power
    3


    Quote Originally Posted by raj View Post
    not guessing..once you see a HUGE list of logins..you will KNOW
    Just wanted to say a BIG thanks to Raj - you made my day, after getting into RBLs three times in the first day of running a new Zimbra install.

    I was pulling my hair out trying to find how it was possible to relay through my server. Your grep suggestion (found through Google) made things clear, simple yet very effective - some account was really compromised, which I couldn't imagine as the old server didn't have SASL authentication.

    Thanks again, I owe you a beer.

  6. #6
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    11

    Default

    Glad to help

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
