
Thread: Server is sending spam


  1. #1
    Join Date
    Mar 2012
    Posts
    16
    Rep Power
    3

    Server is sending spam

    Hello,
    I'm here again because I have a complicated problem, which is that the Zimbra server is sending spam despite still not being used by users, and I have already been blacklisted; plus the Zimbra service is consuming all the RAM.
    How can I fix this?
    This is the zimbra MTA log:
    Code:
    May  8 03:40:01 mail zimbramon[26961]: 26961:info: 2012-05-08 03:40:01, QUEUE: 0 0
    May  8 03:40:01 mail postfix/sendmail[27023]: warning: the Postfix sendmail command has set-uid root file permissions
    May  8 03:40:01 mail postfix/sendmail[27023]: warning: or the command is run from a set-uid root process
    May  8 03:40:01 mail postfix/sendmail[27023]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
    May  8 03:50:01 mail postfix/postqueue[28207]: fatal: Queue report unavailable - mail system is down
    May  8 03:50:01 mail zimbramon[28126]: 28126:info: 2012-05-08 03:50:01, QUEUE: 0 0
    May  8 03:50:02 mail postfix/sendmail[28208]: warning: the Postfix sendmail command has set-uid root file permissions
    May  8 03:50:02 mail postfix/sendmail[28208]: warning: or the command is run from a set-uid root process
    May  8 03:50:02 mail postfix/sendmail[28208]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
    mailbox log:
    Code:
    2012-05-02 00:00:16,928 INFO  [MailboxPurge] [name=ham.lzcjyuucz@mydomain.com;mid=4;] purge - Purging messages.
    2012-05-02 00:00:26,471 INFO  [btpool0-9://localhost:7071/service/admin/soap/AuthRequest] [ip=127.0.0.1;ua=zmprov/7.1.4_GA_2568;] soap - AuthRequest
    2012-05-02 00:00:30,062 INFO  [btpool0-9://localhost:7071/service/admin/soap/GetAllServersRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/7.1.4_GA_2568;] soap - GetAllServersRequest
    2012-05-02 00:01:26,161 INFO  [MailboxPurge] [name=spam.regjsfrgja@mydomain.com;mid=3;] purge - Purging messages.
    2012-05-02 00:02:30,158 INFO  [MailboxPurge] [name=ham.lzcjyuucz@mydomain.com;mid=4;] purge - Purging messages.
    2012-05-02 00:03:36,694 INFO  [MailboxPurge] [name=spam.regjsfrgja@mydomain.com;mid=3;] purge - Purging messages.
    2012-05-02 00:04:38,254 INFO  [MailboxPurge] [name=ham.lzcjyuucz@mydomain.com;mid=4;] purge - Purging messages.
    2012-05-02 00:05:38,960 INFO  [MailboxPurge] [name=spam.regjsfrgja@mydomain.com;mid=3;] purge - Purging messages.
    2012-05-02 00:06:40,201 INFO  [MailboxPurge] [name=ham.lzcjyuucz@mydomain.com;mid=4;] purge - Purging messages.
    2012-05-02 00:07:51,092 INFO  [MailboxPurge] [name=spam.regjsfrgja@mydomain.com;mid=3;] purge - Purging messages.
    2012-05-02 00:08:51,701 INFO  [MailboxPurge] [name=ham.lzcjyuucz@mydomain.com;mid=4;] purge - Purging messages.
    2012-05-02 00:09:52,345 INFO  [MailboxPurge] [name=spam.regjsfrgja@mydomain.com;mid=3;] purge - Purging messages.
    2012-05-02 00:10:54,722 INFO  [MailboxPurge] [name=ham.lzcjyuucz@mydomain.com;mid=4;] purge - Purging messages.
    2012-05-02 00:10:55,967 INFO  [btpool0-5://localhost:7071/service/admin/soap/AuthRequest] [ip=127.0.0.1;ua=zmprov/7.1.4_GA_2568;] soap - AuthRequest
    Mail server emitting "Digital Photo/Video Editing" spam and other spam, very probably an open relay.

    mail.mydomain.com. 4H IN A my.IP.public.static

    *SPAM EVIDENCE IS IN THE MAIL LOG FILE OF THE SERVER* (and possibly in the mail queue). Spam messages can be located by looking for the following forged sender(s) (but not necessarily the only ones):
    letelaioa54igaso@msn.com

    Note that removing virus/malware, even if generally helpful, is *NOT* the way to solve this problem. This is an open relay problem.

    I appreciate any help.

    Note: the email accounts listed in the mailbox log do not exist, or at least we have not created them, for example lzcjyuucz@mydomain.com and/or spam.regjsfrgja@mydomain.com

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    Quote Originally Posted by arunn17817 View Post
    Note that removing virus/malware, even if generally helpful, is *NOT* the way to solve this problem. This is an open relay problem.
    That's not likely as ZCS is not an open relay by default unless you've configured it as such.

    Have you checked to see which 'account(s)' on your server are sending the mail (check the log files)? Have you also checked the forum thread on 'Compromised Account'? Have you also set up more secure password requirements in the Admin UI/COS? For starters, take a look at some of these threads: site:zimbra.com +passwords +account +compromised - Yahoo! Search Results
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Mar 2012
    Posts
    16
    Rep Power
    3


    Quote Originally Posted by phoenix View Post
    That's not likely as ZCS is not an open relay by default unless you've configured it as such.

    Have you checked to see which 'account(s)' on your server are sending the mail (check the log files)? Have you also checked the forum thread on 'Compromised Account'? Have you also set up more secure password requirements in the Admin UI/COS? For starters, take a look at some of these threads: site:zimbra.com +passwords +account +compromised - Yahoo! Search Results
    Hi phoenix, thanks for taking on my problem,
    I am reviewing what you have suggested, but while I do that I would like you to help me understand the logs that I posted in the first post, because from what I have seen these could be the key. For example, the log from /var/log/zimbra.log that it shows me, is that normal? And what does the line [MailboxPurge] [name=spam.regjsfrgja@mydomain.com;mid=3;] purge - Purging messages in mailbox.log mean?
    It would be very helpful if you could guide me with this information.
    Thank you very much in advance for your time!

  4. #4
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58


    There's nothing wrong with the first log entries, that's just a scheduled job that removes old mail from accounts. In this case it's the anti-spam ham & spam accounts.
    Regards


    Bill



  5. #5
    Join Date
    Mar 2012
    Posts
    16
    Rep Power
    3


    Quote Originally Posted by phoenix View Post
    There's nothing wrong with the first log entries, that's just a scheduled job that removes old mail from accounts. In this case it's the anti-spam ham & spam accounts.
    Ok thanks, I'll keep working on it and any developments will be here with you.

  6. #6
    Join Date
    Mar 2012
    Posts
    16
    Rep Power
    3


    Quote Originally Posted by arunn17817 View Post
    Ok thanks, I'll keep working on it and any developments will be here with you.
    Hello!
    I have been reviewing different posts about my problem and I found two things that seem common.
    The first is that by default Zimbra does not act as an open relay, and the second is that for two people who had the same problem as me, where Zimbra works as an open relay, they have the IP of the MTA in a DMZ.
    So I will set out clearly the structure of my system so you can understand me:

    ZIMBRA ------------ SWITCH----------ROUTER DMZ---------INTERNET

    The router has a DMZ set up to the Zimbra server, using one of two Internet connections.
    On the Zimbra server a local DNS server is set up to resolve this public IP as the server on the network interface using a local IP, which in the router is masked with the public one.
    This was working perfectly, until we came upon some spam blacklists.
    Then I noticed that the server was very slow and would not let me connect to it; reviewing the processes I realized that the Zimbra process was consuming 70% of the RAM.
    I decided to turn off Zimbra to stop the spam and so that the server would work normally while I find the solution; I have also deleted the accounts, there were only 4.
    Again the question is: how do I stop Zimbra being used as an open relay?
    Is that why Zimbra was consuming too much RAM?
    Here are some logs to support what I am saying:
    /var/log/zimbra.log
    Code:
    May 14 12:10:01 mail postfix/postqueue[24347]: fatal: Queue report unavailable - mail system is down
    May 14 12:10:01 mail postfix/sendmail[24349]: warning: the Postfix sendmail command has set-uid root file permissions
    May 14 12:10:01 mail zimbramon[24218]: 24218:info: 2012-05-14 12:10:01, QUEUE: 0 0
    May 14 12:10:01 mail postfix/sendmail[24349]: warning: or the command is run from a set-uid root process
    May 14 12:10:01 mail postfix/sendmail[24349]: warning: the
    /var/log/maillog
    Code:
    May 10 22:52:40 mail postfix/smtp[3516]: 2D5DC1C91A9: to=<drift_0902@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=891892, delays=891891/0.27/0.49/0, dsn=4.7.1, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from myip-public-static will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
    May 10 22:52:40 mail postfix/smtp[3609]: 2D6AE208841: to=<bell641212@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=867782, delays=867781/0.3/0.5/0, dsn=4.7.1, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from myip-public-static will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
    May 10 22:52:40 mail postfix/qmgr[28196]: CA19E261A: from=<nmwwmeys@ms31.hinet.net>, size=2162, nrcpt=36 (queue active)
    May 10 22:52:40 mail postfix/smtp[3609]: 2D6AE208841: to=<cmrry.tw@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=867782, delays=867781/0.3/0.5/0, dsn=4.7.1, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from myip-public-static will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
    And checking MX Toolbox, it suggests this:
    Mail server emitting "Digital Photo/Video Editing" spam and other spam, very probably an open relay.

    mail.ejimenez.com.co. 4H IN A myip-public-static

    *SPAM EVIDENCE IS IN THE MAIL LOG FILE OF THE SERVER* (and possibly in the mail queue). Spam messages can be located by looking for the following forged sender(s) (but not necessarily the only ones):
    letelaioa54igaso@msn.com

    Note that removing virus/malware, even if generally helpful, is *NOT* the way to solve this problem. This is an open relay problem.
    Thanks in advance for your help.
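Added example (not from any poster in this thread): a Python script that does what phoenix asked in post #2, working out which envelope senders are generating the queued mail, by parsing Postfix qmgr and smtp lines in the format of the /var/log/maillog excerpt above. Three lines are copied from that excerpt; the smtpd line with sasl_username and its matching qmgr line are constructed, because the excerpt contains no authenticated submission, and show what a send from a compromised account looks like.

```python
import re
from collections import defaultdict

# Sample log: first three lines are from the thread's /var/log/maillog excerpt;
# the last two are CONSTRUCTED to show an authenticated (SASL) submission,
# which is what a compromised Zimbra account looks like in Postfix logs.
SAMPLE_LOG = """\
May 10 22:52:40 mail postfix/smtp[3516]: 2D5DC1C91A9: to=<drift_0902@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=891892, delays=891891/0.27/0.49/0, dsn=4.7.1, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from myip-public-static will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
May 10 22:52:40 mail postfix/smtp[3609]: 2D6AE208841: to=<bell641212@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.119]:25, delay=867782, delays=867781/0.3/0.5/0, dsn=4.7.1, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from myip-public-static will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
May 10 22:52:40 mail postfix/qmgr[28196]: CA19E261A: from=<nmwwmeys@ms31.hinet.net>, size=2162, nrcpt=36 (queue active)
May 10 22:52:41 mail postfix/smtpd[3700]: 7F00A1C9200: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user1@mydomain.com
May 10 22:52:41 mail postfix/qmgr[28196]: 7F00A1C9200: from=<user1@mydomain.com>, size=2048, nrcpt=40 (queue active)
"""

QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,]+), sasl_method=\w+, sasl_username=(?P<user>\S+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)")

def summarize(log_text, rcpt_threshold=20):
    """Aggregate queued mail per envelope sender and deferred deliveries per relay.

    A sender (or SASL user) with a large recipient total is the first thing to
    look at when a server has started spamming; rcpt_threshold is a tuning knob.
    """
    sasl_by_qid = {}
    senders = defaultdict(lambda: {"messages": 0, "recipients": 0, "sasl_users": set()})
    deferred = defaultdict(int)
    lines = log_text.splitlines()
    # Pass 1: smtpd logs the SASL login under the queue id; collect it first so
    # the qmgr line can be attributed even if the log lines are interleaved.
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            sasl_by_qid[m["qid"]] = m["user"]
    # Pass 2: attribute each queued message to its sender; count deferrals per relay.
    for line in lines:
        m = QMGR_RE.search(line)
        if m:
            s = senders[m["sender"]]
            s["messages"] += 1
            s["recipients"] += int(m["nrcpt"])
            if m["qid"] in sasl_by_qid:
                s["sasl_users"].add(sasl_by_qid[m["qid"]])
            continue
        m = SMTP_RE.search(line)
        if m and m["status"] == "deferred":
            deferred[m["relay"]] += 1
    suspicious = sorted(s for s, v in senders.items() if v["recipients"] >= rcpt_threshold)
    return {"senders": dict(senders), "deferred_by_relay": dict(deferred), "suspicious": suspicious}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for sender in report["suspicious"]:
        v = report["senders"][sender]
        who = ", ".join(sorted(v["sasl_users"])) or "no SASL login (not an authenticated account)"
        print(f"{sender}: {v['messages']} msg, {v['recipients']} rcpt, {who}")
    for relay, n in report["deferred_by_relay"].items():
        print(f"deferred at {relay}: {n}")
```

A sender with many recipients and no SASL login points at mail accepted without authentication (relay settings, a webmail or script on the host), while one tied to a sasl_username points at that account's password.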

  7. #7
    Join Date
    May 2012
    Posts
    20
    Rep Power
    3


    I got the same issue: spammers sending from my Zimbra server.

    Let me explain.

    Network configuration:
    ISP--->fortigate (public ip)---->[all ports are closed except the ones zimbra needs]---->zimbra server (internal ip)

    MTA config GLOBAL and SERVER settings are: "127.0.0.1/32 internal.ip.adress.xxx/32"

    REAL SPAM message from my server
    Return-Path: a.dastan@localhost.???.org.mx
    Received: from 192.168.254.1 (LHLO zmail.???.org.mx) (192.168.254.1)
    by zmail.???.org.mx with LMTP; Mon, 28 May 2012 21:15:42 -0500 (CDT)
    Received: from localhost (localhost [127.0.0.1])
    by zmail.???.org.mx (Postfix) with ESMTP id 4625834A20C
    for <foruiza@???.com.mx>; Mon, 28 May 2012 21:15:42 -0500
    (CDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: NO
    X-Spam-Score: 6.098
    X-Spam-Level: ******
    X-Spam-Status: No, score=6.098 tagged_above=-10 required=6.6
    tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, NO_DNS_FOR_FROM=0.001,
    RCVD_IN_BL_SPAMCOP_NET=1.347, T_SURBL_MULTI1=0.01,
    URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.608] autolearn=no
    Received: from zmail.???.org.mx ([127.0.0.1])
    by localhost (zmail.???.org.mx [127.0.0.1]) (amavisd-new, port
    10024)
    with ESMTP id hgdtuadNiEdC for <foruiza@???.com.mx>;
    Mon, 28 May 2012 21:15:40 -0500 (CDT)
    Received: from mail.ehsan-jv.com (mail.ehsan-jv.com [38.117.64.95])
    by zmail.???.org.mx (Postfix) with ESMTP id 4321034A203
    for <foruiza@???.com.mx>; Mon, 28 May 2012 21:15:40 -0500
    (CDT)
    Received: from localhost [37.59.210.46] by ehsan-jv.com with ESMTP
    (SMTPD-9.10) id ABA402FC; Tue, 29 May 2012 06:29:48 +0330
    From: a.dastan@zmail.???.org.mx
    To: foruiza@???.com.mx
    Subject: Make a good gift for your loved one
    Message-Id: <201205290629828.SM01768@localhost>
    Date: Tue, 29 May 2012 06:30:06 +0330

    ------ Forwarded message
    From: <a.dastan@zmail.???.org.mx>
    Date: Tue, 29 May 2012 06:30:06 +0330
    To: <foruiza@???.com.mx>
    Subject: Make a good gift for your loved one

    Simple steps to become ideal lover Redirecting
    ------------------------
    ------------------------

    It is using a user that I don't have in my accounts.

    a.dastan@zmail.???.org.mx <--- this user doesn't exist on my server

    Open relay test
    220 zmail.???.org.mx ESMTP Postfix
    Status Result
    OK - 187.157.140.149 resolves to 187.157.140.149.????.com.mx
    Warning - Reverse DNS does not match SMTP Banner
    OK - Supports TLS.
    0 seconds - Good on Connection time
    OK - Not an open relay.
    0.998 seconds - Good on Transaction Time
    Session Transcript:
    EHLO please-read-policy.mxtoolbox.com
    250-zmail.???.org.mx
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN [109 ms]
    MAIL FROM: <supertool@mxtoolbox.com>
    250 2.1.0 Ok [109 ms]
    RCPT TO: <test@example.com>
    554 5.7.1 <test@example.com>: Relay access denied [109 ms]

    Ports

    all blocked except the ones the wiki says are needed from outside: Ports - Zimbra :: Wiki

    and lastly, check my pic from this morning


    Any help is appreciated, and sorry for my English.
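Added example (not from the poster): a Python script that walks the Received: chain of the message shown above, earliest hop first, to find the hop at which it entered this server and whether the From: address is local while that hop is an external IP. The names in LOCAL_HOSTS and LOCAL_DOMAIN are taken from the headers above; the "???" is the poster's own redaction and is kept literally.

```python
import re
import ipaddress

# Received chain copied from the message above (poster's "???" redactions kept).
RAW_HEADERS = """\
Received: from 192.168.254.1 (LHLO zmail.???.org.mx) (192.168.254.1)
 by zmail.???.org.mx with LMTP; Mon, 28 May 2012 21:15:42 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
 by zmail.???.org.mx (Postfix) with ESMTP id 4625834A20C
 for <foruiza@???.com.mx>; Mon, 28 May 2012 21:15:42 -0500 (CDT)
Received: from zmail.???.org.mx ([127.0.0.1])
 by localhost (zmail.???.org.mx [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id hgdtuadNiEdC for <foruiza@???.com.mx>; Mon, 28 May 2012 21:15:40 -0500 (CDT)
Received: from mail.ehsan-jv.com (mail.ehsan-jv.com [38.117.64.95])
 by zmail.???.org.mx (Postfix) with ESMTP id 4321034A203
 for <foruiza@???.com.mx>; Mon, 28 May 2012 21:15:40 -0500 (CDT)
Received: from localhost [37.59.210.46] by ehsan-jv.com with ESMTP
 (SMTPD-9.10) id ABA402FC; Tue, 29 May 2012 06:29:48 +0330
From: a.dastan@zmail.???.org.mx
To: foruiza@???.com.mx
"""

# Names this server writes in its own "by" clauses, taken from the headers above.
LOCAL_HOSTS = {"zmail.???.org.mx", "localhost"}
LOCAL_DOMAIN = "zmail.???.org.mx"

HOP_RE = re.compile(r"^Received:\s+from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)(?P<rest>.*)$", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ID_RE = re.compile(r"\bid\s+(\S+)")

def unfold(raw):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_hops(raw):
    """Hops in delivery order (earliest first); Received: headers are stored newest-first."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        ip, qid = IP_RE.search(m["frm"]), ID_RE.search(m["rest"])
        hops.append({"from": m["frm"], "by": m["by"], "ip": ip.group(0) if ip else None,
                     "id": qid.group(1).rstrip(";") if qid else None})
    return hops[::-1]

def entry_point(raw):
    """The earliest hop accepted by one of our hosts: where the message entered this server."""
    return next((h for h in parse_hops(raw) if h["by"].lower() in LOCAL_HOSTS), None)

def classify(raw):
    """Inbound from an external IP with a local From: (spoofed), or originated/relayed here?"""
    entry = entry_point(raw) or {"ip": None, "id": None}
    headers = dict(l.split(":", 1) for l in unfold(raw) if not l.startswith("Received:"))
    sender = headers.get("From", "").strip()
    external = bool(entry["ip"]) and ipaddress.ip_address(entry["ip"]).is_global
    return {"entry_ip": entry["ip"], "entry_id": entry["id"], "external_origin": external,
            "forged_local_sender": external and sender.endswith("@" + LOCAL_DOMAIN)}
```

On these headers the entry hop is the Postfix accept from 38.117.64.95 with queue id 4321034A203, addressed to a local recipient, so the trace shows mail delivered to the server from outside carrying a local address in From:, which is a different problem from mail the server relayed outward.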

  8. #8
    Join Date
    Mar 2012
    Posts
    16
    Rep Power
    3


    Quote Originally Posted by fraferj View Post
    I got the same issue: spammers sending from my Zimbra server.
    Hi, it seems you speak Spanish, so I'll comment in Spanish, which is my language.
    Your problem is similar to the one I had, although I don't know if it's the same one; I'll tell you how I solved this issue.
    1. I shut down the Zimbra server.
    2. I installed the ClamAV antivirus outside the Zimbra suite and scanned the whole system; it detected some viruses, some in the Zimbra directories /opt/zimbra/…; I deleted all the infected files.
    3. I disabled Zimbra's local relay (just in case).
    4. I installed MailScanner and configured it to work with Zimbra's Postfix.
    5. Before all this, I blocked on the firewall (a device separate from the server) all connections to and from port 25 of the server.
    6. Then I turned off the ClamAV antivirus (this is important because Zimbra already has it) and turned the server back on.
    With all this I managed to remove some viruses and malware that had affected me and were making these fraudulent connections, all to IPs in Taiwan.
    When starting Zimbra again I had an error with Postfix and the antivirus, but it was because these two services were also started outside the Zimbra suite; I stopped them and that was it.
    Then, to test that Zimbra's antivirus and anti-spam worked correctly, I used this guide.
    Cómo prevenir el spam con sendmail | EcuaLUG

  9. #9
    Join Date
    May 2012
    Posts
    20
    Rep Power
    3


    arunn, thanks a lot; let me try it tonight so I can take it out of production.

  10. #10
    Join Date
    May 2012
    Posts
    20
    Rep Power
    3


    Quote Originally Posted by arunn17817 View Post
    Hi, it seems you speak Spanish, so I'll comment in Spanish, which is my language.
    Your problem is similar to the one I had, although I don't know if it's the same one; I'll tell you how I solved this issue.
    arunn, I already did exactly everything you described and I still have the problem :S
    Honestly, I'm already desperate about this issue; I've done and undone everything there is on security for Zimbra and nothing.

    Regards and thanks
