
Thread: Spam storm on my ZCS... ideas welcome!

  1. #11 | Join Date: Oct 2005 | Location: USA, Canada and India | Posts: 777

    Hmm.. then you have a machine internal to your network relaying.
    Post the output of zimbraMtaMyNetworks:
    su - zimbra
    zmprov gs `zmhostname` | grep zimbraMtaMyNetworks
    If you see your firewall's IP connecting, that means your firewall is a GATEWAY of your network, and when any internal machine uses your mailserver's public hostname it's routed internally from the firewall, appearing to come from your firewall.
    So it looks like one of your internal servers which is in your "zimbraMtaMyNetworks" is openly relaying mail; that is why you don't see any "sasl_username".

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  2. #12 | Join Date: Nov 2009 | Location: Ljubljana, Slovenia | Posts: 268

    Quote Originally Posted by raj:
    If you see your firewall's IP connecting, that means your firewall is a GATEWAY of your network, and when any internal machine uses your mailserver's public hostname it's routed internally from the firewall, appearing to come from your firewall.
    Excellent!

    As soon as I changed SERVER SETTINGS --> MTA --> MTA Trusted Networks
    from 127.0.0.1 123.456.789.0/24 (my public C-class network)
    to 127.0.0.1 123.456.789.126/32 (my ZIMBRA IP)
    ...most of the spam/deferred queue went back to normal.

    Now all I need to do is to find the source of open contact forms and such in my web hosting environment.

    Thank you very much, Raj, for the excellent tip!

  3. #13 | Join Date: Oct 2005 | Location: USA, Canada and India | Posts: 777

    Glad you figured it out.. you should never ever open the public IPs, as that makes your server an open relay on the internet.
    I am still not sure what your network topology is.
    Can you tell me if your mailserver is behind a firewall, NATed, as I don't see the LOCAL_IP of this machine in your answer? Or is this machine in a DMZ on a public IP?
    What's the output of ifconfig, and are you running any SPLIT DNS?

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  4. #14 | Join Date: Nov 2009 | Location: Ljubljana, Slovenia | Posts: 268

    Hi Raj,

    thank you for your interest.

    Well, my topology is quite simple, still maybe non-standard:
    - I have 3 ranges of public IP addresses (2 subnets of 16 IPs, and one C-class of public IP addresses)
    - these public IP ranges and servers are NOT opened directly to the public, but are behind a firewall...
    - ...with STATIC mapping and 1-to-1 port forwarding and ports opened

    So it is a kind of protected DMZ, without NAT.

    Since I also host my own DNS inside this plant, all my servers are configured to use my "internal" DNS, which are also "public" DNS.
    So there is no need for Split DNS (local IP = public IP).

    REGARDING THE PROBLEM
    I have many WEB servers behind the FIREWALL, whose IP is 123.456.789.1.
    Well, I only know that at least one of those web servers hosts at least one web form, which is sending out SPAM. Or is somehow compromised with spamming code.
    So there I face the problem: how to find traces of spamming activity among hundreds of log files, located each inside the web space of hundreds of web sites, on dozens of web servers... which are some Windows, some Linux, some 10 years old, some new, hehe.

    I blocked them by closing the "trusted network" mask in the Zimbra server from /24 down to /32, and I am running scanners on all web servers right now, to find the malicious code.
    But I am afraid that those are not viruses, but rather open web forms, or PHP scripts, which AV and Anti* scanners won't detect.

    This discussion is off topic now, but hey, it's interesting, dynamic... and I am stuck.

    *** EDIT ***
    Hey, wait... maybe I have an idea!
    Since I also host my own AntiSpam mail filtering cluster, I might redirect PHP SendMail on a global level to use my own mail servers?
    I'll dig into this, and report back. Maybe someone would find this useful.
    Last edited by Labsy; 02-02-2012 at 11:49 AM.
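    The problem Labsy describes in the post above, finding which of hundreds of sites on dozens of web servers owns the form or script that is sending spam, and the EDIT's idea of steering PHP's sendmail globally, are usually tackled at one choke point: the sendmail binary PHP's mail() invokes. The script below is an added example, not from the thread and not part of Zimbra or PHP; it is a logging wrapper that, when php.ini's sendmail_path points at it (assumption: something like `sendmail_path = "/usr/local/bin/mail-trace -t -i"` on each Linux web server), records the calling script's working directory, whatever SCRIPT_FILENAME/PWD the PHP SAPI exports, and the message's From/To/Subject, then forwards the message unchanged to the real sendmail. The path of the real binary and of the trace log are assumptions; `top_sources` then aggregates the trace log so the directory producing the most mail stands out. The `describe_call` and `top_sources` functions are side-effect free so they can be checked on constructed input.

```python
#!/usr/bin/env python3
"""Logging sendmail wrapper: record who called sendmail, then forward the mail.

Added example, not from the thread. Assumptions: php.ini's sendmail_path points
at this script with the usual "-t -i" arguments, the real binary lives at
REAL_SENDMAIL, and TRACE_LOG is writable by the web server user.
"""
import json
import os
import subprocess
import sys
import time
from collections import Counter
from email.parser import BytesHeaderParser

REAL_SENDMAIL = "/usr/sbin/sendmail"   # assumption: path of the real sendmail client
TRACE_LOG = "/var/log/mail-trace.log"  # assumption: where trace records are appended


def describe_call(message_bytes, env, cwd, argv, now=None):
    """Build one audit record for a mail() call. Which of SCRIPT_FILENAME / PWD
    the PHP SAPI exports to child processes varies by SAPI, so both are recorded
    when present; the working directory is always available."""
    hdr = BytesHeaderParser().parsebytes(message_bytes)
    return {
        "time": now or time.strftime("%Y-%m-%dT%H:%M:%S"),
        "cwd": cwd,
        "script": env.get("SCRIPT_FILENAME", ""),
        "pwd": env.get("PWD", ""),
        "args": list(argv),
        "from": hdr.get("From", ""),
        "to": hdr.get("To", ""),
        "subject": hdr.get("Subject", ""),
        # PHP >= 5.3 adds this header itself when mail.add_x_header=On is set.
        "x_php": hdr.get("X-PHP-Originating-Script", ""),
    }


def to_line(record):
    """One JSON object per line keeps the trace log greppable and parseable."""
    return json.dumps(record, sort_keys=True)


def top_sources(log_text, n=5):
    """Aggregate trace records by originating script (falling back to the
    working directory): the entry that dominates is where to read code first."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        counts[rec.get("script") or rec.get("cwd") or "?"] += 1
    return counts.most_common(n)


def forward(message_bytes, argv, sendmail=REAL_SENDMAIL):
    """Hand the message, unchanged, to the real sendmail with the same arguments."""
    return subprocess.run([sendmail, *argv], input=message_bytes).returncode


def main():
    msg = sys.stdin.buffer.read()
    rec = describe_call(msg, os.environ, os.getcwd(), sys.argv[1:])
    with open(TRACE_LOG, "a", encoding="utf-8") as fh:
        fh.write(to_line(rec) + "\n")
    sys.exit(forward(msg, sys.argv[1:]))


if __name__ == "__main__":
    main()
```

    After an hour of traffic, `top_sources(open(TRACE_LOG).read())` on each web server ranks the directories by message count, which is a much shorter list than "hundreds of log files across dozens of servers". On PHP 5.3 and later the interpreter's own `mail.log` and `mail.add_x_header` ini settings give similar per-call traces without a wrapper, and the X-PHP-Originating-Script header they add is picked up by the record above; the wrapper remains useful for older installations and for catching scripts that shell out to sendmail directly.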
