Thread: Trying to track down spammer using my Zimbra server

  1. #1 (posted from Rhinebeck, NY)

    Hello everyone,

    I'm trying to track down how emails are being sent from my server when the following is set up:

    (Version = Release 7.1.4_GA_2555.RHEL5_64_20120105094627 RHEL5_64 FOSS edition)

    For Global Settings->MTA I have:
    • (Authentication) Enable Authentication: TRUE
    • (Protocol Checks) Sender Address must be fully qualified: TRUE
    • (DNS Checks) Client's IP Address (reject_invalid_hostname): TRUE
    • (DNS Checks) Hostname in greeting (reject_unknown_hostname): TRUE
    • (DNS Checks) Sender's Domain (reject_unknown_sender_domain): TRUE


    I am seeing the following in my daily reports:
    Code:
    Host/Domain Summary: Messages Received (top 50)
     msg cnt   bytes   host/domain
     -------- -------  -----------
       4536      902m  mydomain.org
       1352    29082k  localhost.localdomain
        396    27273k  gmail.com
        166     3560k  bounce.mkt1808.com
        160      888k  discoveralltech.info
        143     5057k  in.constantcontact.com
        136    66435k  whalebacksystems.net
        116      670k  skyisthelimitnow.com
         98     2834k  bounce.linkedin.com
         96      534k  deathmon-days.biz
         94      519k  marchmon-days.biz
         93   520101   ordermon-days.biz
         92   515172   electmon-days.biz
         91   507529   oasismon-days.biz
         88   501119   rumormon-days.biz
         88   500550   painsmon-days.biz
         88   500008   shapemon-days.biz
         87   492443   scopemon-days.biz
         86     2263k  yahoo.com
         84   486637   mommymon-days.biz
         80   450814   lobbymon-days.biz
         80   276130   newandgentlyloved.com
         77   433870   geniemon-days.biz
         74   423276   aislemon-days.biz
         69   384931   linenmon-days.biz
         68   397523   milanmon-days.biz
         67      604k  barbayer.com
         66   376441   checkmon-days.biz
         64   370025   rivalmon-days.biz
         63      892k  hotmail.com
         60   343059   widthmon-days.biz
         57   339448   tokenmon-days.biz
         56   351030   larchmon-days.biz
         55   318755   spainmon-days.biz
         55   308054   swissmon-days.biz
         54      525k  alerts.bounces.google.com
         51   199152   ragdebreem.com
         46      872k  aol.com
         44   287495   grindmon-days.biz
         44   255922   hatchmon-days.biz
         44   254535   bravamon-days.biz
         44   250260   juicemon-days.biz
         44   249802   dandymon-days.biz
         44   249429   faithmon-days.biz
         44   249307   benchmon-days.biz
         44   249254   spermmon-days.biz
         44   249096   deucemon-days.biz
         44   248869   capermon-days.biz
         44   248610   flamemon-days.biz
         43   250699   shademon-days.biz
    Now, some of these senders are legit... but all those mon-days.biz ones are not. I'm trying to figure out HOW they are sending their emails through my server. I've gone through the following logs:
    mailbox.log (grepping on LmtpServer-15915)
    Code:
    2013-07-15 06:42:05,912 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6100 bytes, nrcpts=1, sender=Info@deathmon-days.biz, msgid=<4264608701283242647144240385@cbd7f.deathmon-days.biz>
    2013-07-15 06:42:05,913 INFO  [LmtpServer-15915] [name=ramdasslibrary@mydomain.com;mid=400;ip=192.168.1.54;] mailop - Adding Message: id=38122, Message-ID=<4264608701283242647144240385@cbd7f.deathmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:42:05,936 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:09,730 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6018 bytes, nrcpts=1, sender=Info@deathmon-days.biz, msgid=<4264608451029642647144240385@cbd7f.deathmon-days.biz>
    2013-07-15 06:42:09,732 INFO  [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailop - Adding Message: id=195326, Message-ID=<4264608451029642647144240385@cbd7f.deathmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:42:09,773 INFO  [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=195326 rcpt='jeanl@mydomain.com'
    2013-07-15 06:42:09,774 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:09,820 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6069 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=<4265608741342442657144240385@r4ys8pe.hatchmon-days.biz>
    2013-07-15 06:42:09,821 INFO  [LmtpServer-15915] [name=roseh@mydomain.com;mid=417;ip=192.168.1.54;] mailop - Adding Message: id=120948, Message-ID=<4265608741342442657144240385@r4ys8pe.hatchmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:42:09,844 INFO  [LmtpServer-15915] [name=roseh@mydomain.com;mid=417;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=120948 rcpt='roseh@mydomain.com'
    2013-07-15 06:42:11,900 INFO  [LmtpServer-15915] [name=roseh@mydomain.com;mid=417;ip=192.168.1.54;] lmtp - disconnected without quit
    2013-07-15 06:42:11,900 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:13,696 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6043 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=<42656010600424042657144240385@r4ys8pe.hatchmon-days.biz>
    2013-07-15 06:42:13,698 INFO  [LmtpServer-15915] [name=adams@mydomain.com;mid=408;ip=192.168.1.54;] mailop - Adding Message: id=246345, Message-ID=<42656010600424042657144240385@r4ys8pe.hatchmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:42:13,706 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:13,750 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=9396 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=<4265608569622342657144240385@r4ys8pe.hatchmon-days.biz>
    2013-07-15 06:42:13,752 INFO  [LmtpServer-15915] [name=brettb@mydomain.com;mid=419;ip=192.168.1.54;] mailop - Adding Message: id=152187, Message-ID=<4265608569622342657144240385@r4ys8pe.hatchmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:42:13,757 INFO  [LmtpServer-15915] [name=brettb@mydomain.com;mid=419;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=152187 rcpt='brettb@mydomain.com'
    2013-07-15 06:42:15,791 INFO  [LmtpServer-15915] [name=brettb@mydomain.com;mid=419;ip=192.168.1.54;] lmtp - disconnected without quit
    2013-07-15 06:42:15,791 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:26,202 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6018 bytes, nrcpts=1, sender=bounce-40795-16093795799-michaelc=mydomain.com@fambas.com, msgid=<20130715104222.2356922A0002@zimbra.mydomain.com>
    2013-07-15 06:42:26,204 INFO  [LmtpServer-15915] [name=michaelc@mydomain.com;mid=364;ip=192.168.1.54;] mailop - Adding Message: id=927129, Message-ID=<20130715104222.2356922A0002@zimbra.mydomain.com>, parentId=-1, folderId=2, folderName=Inbox.
    2013-07-15 06:42:26,218 INFO  [LmtpServer-15915] [name=michaelc@mydomain.com;mid=364;ip=192.168.1.54;] mailbox - outofoffice not sent (until date reached) mid=927129 rcpt='michaelc@mydomain.com'
    2013-07-15 06:42:26,218 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:28,808 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6133 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=<4265608457992242657144240385@r4ys8pe.hatchmon-days.biz>
    2013-07-15 06:42:28,809 INFO  [LmtpServer-15915] [name=rcbackus@mydomain.com;mid=361;ip=192.168.1.54;] mailop - Adding Message: id=635124, Message-ID=<4265608457992242657144240385@r4ys8pe.hatchmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:42:28,825 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:42:59,365 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=7279 bytes, nrcpts=1, sender=vremechkoforfistface@mail.ru, msgid=<480269725.20130715572510@mail.ru>
    2013-07-15 06:42:59,388 INFO  [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] index - IndexDeferredItems(null, 302281): Deferred count out of sync - found=18 in progress=0 (deferred count=20)
    2013-07-15 06:42:59,738 INFO  [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] index - Deferred Indexing: submitted 18 items in 372ms (48.39/sec). (0 items failed to index). IndexDeferredCount now at 18 NumNotSubmitted= 0
    2013-07-15 06:42:59,742 INFO  [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] mailop - Adding Message: id=166581, Message-ID=<480269725.20130715572510@mail.ru>, parentId=-1, folderId=2, folderName=Inbox.
    2013-07-15 06:42:59,750 INFO  [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] mailbox - outofoffice not sent (until date reached) mid=166581 rcpt='pac@mydomain.com'
    2013-07-15 06:42:59,750 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:43:22,130 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6004 bytes, nrcpts=1, sender=Info@shapemon-days.biz, msgid=<4262608652816242627144240385@6n7mwi.shapemon-days.biz>
    2013-07-15 06:43:22,131 INFO  [LmtpServer-15915] [name=georgek@mydomain.com;mid=450;ip=192.168.1.54;] mailop - Adding Message: id=253856, Message-ID=<4262608652816242627144240385@6n7mwi.shapemon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:43:22,155 INFO  [LmtpServer-15915] [name=georgek@mydomain.com;mid=450;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=253856 rcpt='georgek@mydomain.com'
    2013-07-15 06:43:22,156 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:43:26,088 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6037 bytes, nrcpts=1, sender=Info@shapemon-days.biz, msgid=<4262608469920442627144240385@6n7mwi.shapemon-days.biz>
    2013-07-15 06:43:26,088 INFO  [LmtpServer-15915] [name=randim@mydomain.com;mid=462;ip=192.168.1.54;] mailop - Adding Message: id=895525, Message-ID=<4262608469920442627144240385@6n7mwi.shapemon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:43:26,097 INFO  [LmtpServer-15915] [name=randim@mydomain.com;mid=462;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=895525 rcpt='randim@mydomain.com'
    2013-07-15 06:43:26,097 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:43:41,330 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=5957 bytes, nrcpts=1, sender=Info@marchmon-days.biz, msgid=<4261608609712342617144240385@7gdm1qtfz.marchmon-days.biz>
    2013-07-15 06:43:41,331 INFO  [LmtpServer-15915] [name=jr@mydomain.com;mid=355;ip=192.168.1.54;] mailop - Adding Message: id=77655, Message-ID=<4261608609712342617144240385@7gdm1qtfz.marchmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:43:41,341 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    2013-07-15 06:43:45,260 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6041 bytes, nrcpts=1, sender=Info@marchmon-days.biz, msgid=<4261608451029642617144240385@7gdm1qtfz.marchmon-days.biz>
    2013-07-15 06:43:45,261 INFO  [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailop - Adding Message: id=195329, Message-ID=<4261608451029642617144240385@7gdm1qtfz.marchmon-days.biz>, parentId=-1, folderId=4, folderName=Junk.
    2013-07-15 06:43:45,285 INFO  [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=195329 rcpt='jeanl@mydomain.com'
    2013-07-15 06:43:45,285 INFO  [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally
    (* Continuation in next message due to size limits *)

  2. #2 (posted from Rhinebeck, NY)

    Taking one of the message IDs (B897C2690016) and grepping the logs for it, I came up with:
    Code:
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/cleanup[16154]: B897C2690016: message-id=<4265608451029642657144240385@r4ys8pe.hatchmon-days.biz>
    maillog:Jul 15 06:42:04 zimbra postfix/qmgr[30659]: B897C2690016: from=<Info@hatchmon-days.biz>, size=5273, nrcpt=1 (queue active)
    maillog:Jul 15 06:42:13 zimbra postfix/smtp[16548]: B897C2690016: to=<jeanl@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=29, delays=20/4.8/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9BA9C22A000C)
    maillog:Jul 15 06:42:13 zimbra postfix/qmgr[30659]: B897C2690016: removed
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/cleanup[16154]: B897C2690016: message-id=<4265608451029642657144240385@r4ys8pe.hatchmon-days.biz>
    zimbra.log:Jul 15 06:42:04 zimbra postfix/qmgr[30659]: B897C2690016: from=<Info@hatchmon-days.biz>, size=5273, nrcpt=1 (queue active)
    zimbra.log:Jul 15 06:42:13 zimbra postfix/smtp[16548]: B897C2690016: to=<jeanl@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=29, delays=20/4.8/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9BA9C22A000C)
    zimbra.log:Jul 15 06:42:13 zimbra postfix/qmgr[30659]: B897C2690016: removed
    Notice the client=unknown[173.44.183.38]. If I have my MTA settings set to not allow unknown, why am I seeing this? Anyway... investigating what the IP has done, I came up with the following:
    Code:
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16114]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16116]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16115]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16117]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16118]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16119]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16120]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16121]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16122]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16123]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16117]: B892E2690015: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16123]: B89C62690017: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16121]: B8AC62690018: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16119]: B8C0F2690019: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16115]: B8CE0269001A: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16118]: B8D8B269001B: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16122]: B929A269001C: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16116]: B96A2269001D: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16120]: B9706269001E: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16114]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16117]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16119]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16120]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16118]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16123]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16116]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16121]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16122]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16115]: disconnect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16107]: connect from unknown[173.44.183.38]
    maillog:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: AC75922A000A: client=unknown[173.44.183.38]
    maillog:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16114]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16116]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16115]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16117]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16118]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16119]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16120]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16121]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16122]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16123]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16117]: B892E2690015: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16123]: B89C62690017: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16121]: B8AC62690018: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16119]: B8C0F2690019: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16115]: B8CE0269001A: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16118]: B8D8B269001B: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16122]: B929A269001C: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16116]: B96A2269001D: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16120]: B9706269001E: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16114]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16117]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16119]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16120]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16118]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16123]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16116]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16121]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16122]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16115]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16107]: connect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:05 zimbra amavis[963]: (00963-08) Checking: dyivrrJmFhhF [173.44.183.38] <Info@hatchmon-days.biz> -> <roseh@mydomain.com>
    zimbra.log:Jul 15 06:42:05 zimbra amavis[32753]: (32753-06) Checking: bgD1yGH1b3eU [173.44.183.38] <Info@hatchmon-days.biz> -> <ramdasslibrary@mydomain.com>
    zimbra.log:Jul 15 06:42:05 zimbra amavis[24478]: (24478-17) Checking: hGNmuaLeCbiP [173.44.183.38] <Info@hatchmon-days.biz> -> <housekeeping@mydomain.com>
    zimbra.log:Jul 15 06:42:05 zimbra amavis[13155]: (13155-19) Checking: Tm4YCcQ37yQB [173.44.183.38] <Info@hatchmon-days.biz> -> <randim@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[9704]: (09704-04-2) Checking: hmEyL0A+KXaa [173.44.183.38] <Info@hatchmon-days.biz> -> <adamh@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[1698]: (01698-03-2) Checking: O9BAxRnHx-kd [173.44.183.38] <Info@hatchmon-days.biz> -> <georgek@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[963]: (00963-08) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <roseh@mydomain.com>, Message-ID: <4265608741342442657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: dyivrrJmFhhF, Hits: 10.931, size: 5246, queued_as: B038922A000A, 3948 ms
    zimbra.log:Jul 15 06:42:09 zimbra amavis[18186]: (18186-15-2) Checking: 3P9ZIyt5o+Jz [173.44.183.38] <Info@hatchmon-days.biz> -> <adams@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[955]: (00955-05-2) Checking: sOunQMj3wYL3 [173.44.183.38] <Info@hatchmon-days.biz> -> <jeanl@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[24478]: (24478-17) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <housekeeping@mydomain.com>, Message-ID: <4265608445352142657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: hGNmuaLeCbiP, Hits: 10.376, size: 5383, queued_as: B9E9122A000C, 3984 ms
    zimbra.log:Jul 15 06:42:09 zimbra amavis[963]: (00963-08-2) Checking: AU6RH5pjmD58 [173.44.183.38] <Info@hatchmon-days.biz> -> <jr@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[32463]: (32463-13-2) Checking: YRT9Br4rlBOS [173.44.183.38] <Info@hatchmon-days.biz> -> <brettb@mydomain.com>
    zimbra.log:Jul 15 06:42:09 zimbra amavis[32753]: (32753-06) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <ramdasslibrary@mydomain.com>, Message-ID: <4265608701283242657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: bgD1yGH1b3eU, Hits: 10.366, size: 4830, queued_as: BBB3C22A000D, 4008 ms
    zimbra.log:Jul 15 06:42:09 zimbra amavis[13155]: (13155-19) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <randim@mydomain.com>, Message-ID: <4265608469920442657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: Tm4YCcQ37yQB, Hits: 10.931, size: 5184, queued_as: C961522A0002, 4025 ms
    zimbra.log:Jul 15 06:42:13 zimbra amavis[9704]: (09704-04-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <adamh@mydomain.com>, Message-ID: <4265608581605442657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: hmEyL0A+KXaa, Hits: 10.376, size: 5473, queued_as: 936A622A0002, 3930 ms
    zimbra.log:Jul 15 06:42:13 zimbra amavis[955]: (00955-05-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <jeanl@mydomain.com>, Message-ID: <4265608451029642657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: sOunQMj3wYL3, Hits: 10.931, size: 5269, queued_as: 9BA9C22A000C, 3936 ms
    zimbra.log:Jul 15 06:42:13 zimbra amavis[18186]: (18186-15-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <adams@mydomain.com>, Message-ID: <42656010600424042657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: 3P9ZIyt5o+Jz, Hits: 10.931, size: 5220, queued_as: 9B29B22A000A, 3936 ms
    zimbra.log:Jul 15 06:42:13 zimbra amavis[963]: (00963-08-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <jr@mydomain.com>, Message-ID: <4265608609712342657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: AU6RH5pjmD58, Hits: 10.931, size: 5187, queued_as: A33F022A000D, 3927 ms
    zimbra.log:Jul 15 06:42:13 zimbra amavis[1698]: (01698-03-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <georgek@mydomain.com>, Message-ID: <4265608652816242657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: O9BAxRnHx-kd, Hits: 11.918, size: 5231, queued_as: A3C7922A000E, 3997 ms
    zimbra.log:Jul 15 06:42:13 zimbra amavis[32463]: (32463-13-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <brettb@mydomain.com>, Message-ID: <4265608569622342657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: YRT9Br4rlBOS, Hits: 10.802, size: 8585, queued_as: A90F722A000F, 3944 ms
    zimbra.log:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: AC75922A000A: client=unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:24 zimbra amavis[32463]: (32463-14) Checking: sexcGzPRtiPX [173.44.183.38] <Info@hatchmon-days.biz> -> <rcbackus@mydomain.com>
    zimbra.log:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: disconnect from unknown[173.44.183.38]
    zimbra.log:Jul 15 06:42:28 zimbra amavis[32463]: (32463-14) Passed SPAMMY, [173.44.183.38] [173.44.183.38] <Info@hatchmon-days.biz> -> <rcbackus@mydomain.com>, Message-ID: <4265608457992242657144240385@r4ys8pe.hatchmon-days.biz>, mail_id: sexcGzPRtiPX, Hits: 10.931, size: 5304, queued_as: B974722A0002, 3917 ms
    What am I missing in identifying HOW they are getting in and using my server?

    Any help would be GREATLY appreciated... Thank you for taking the time to go over this thread.

    - Rob

  3. #3 phoenix (Zimbra Consultant & Moderator, posted from Vannes, France)

    Is this a new problem or has it been happening for a while? What's in your Trusted Networks configuration? Have you made any recent configuration changes to your server and/or network? Are you behind a NAT router (I guess so from the log output)? Do you have any RBLs configured and if so, which ones? Have you checked to see if you're an open relay?

    [EDIT] In addition, I've just checked your DNS records and they appear to have no A record. Is there another server (anti-spam?) in front of ZCS?
    Regards

    Bill

  4. #4 (posted from Rhinebeck, NY)

    Quote Originally Posted by phoenix:
    Is this a new problem or has it been happening for a while?
    This is a problem that has persisted for a couple of months now. I've been so busy I haven't had time to properly address it, but I also do not want to get our IP shut down, as emails going out are vital.

    Quote Originally Posted by phoenix:
    What's in your Trusted Networks configuration?
    127.0.0.0/8
    192.168.0.0/21
    204.14.232.65/32
    204.14.234.65/32
    202.129.242.65/32
    66.152.98.96/32
    These entries are mostly to allow trusted emailing companies (SilverPop, etc.) to send on our behalf.

    Quote Originally Posted by phoenix:
    Have you made any recent configuration changes to your server and/or network?
    No, we have not. We've been rather stable with our configuration at this moment.

    Quote Originally Posted by phoenix:
    Are you behind a NAT router (I guess so from the log output)?
    Yes. We have a Sonicwall NSA2400 handling our firewall needs (NAT and filtering).

    Quote Originally Posted by phoenix:
    Do you have any RBLs configured and if so, which ones?
    dnsbl.njabl.org
    bl.spamcop.net
    sbl.spamhaus.org
    relays.mail-abuse.org
    cbl.abuseat.org

    Quote Originally Posted by phoenix:
    Have you checked to see if you're an open relay?
    According to Open Relay Test, our mail server is NOT a relay.

    Quote Originally Posted by phoenix:
    In addition, I've just checked your DNS records and they appear to have no A record. Is there another server (anti-spam?) in front of ZCS?
    Which DNS record did you check? PM me with the DNS name and I'll verify it for you.

    Thank you so much for your help Phoenix!!!

    - Rob

  5. #5 (posted from Rhinebeck, NY)

    Nobody has any ideas?

  6. #6 (posted from Zimbra)

    By grepping, you are likely missing whatever account they are authenticating as. Zimbra does not run as an open relay, so (a) the person who is sending the mail is located in your network (not the case based on your mynetworks posting), (b) they are authenticating as one of your users over ports 587/465, or (c) they are sending email out through some other MTA, which is then delivering to your domain.

    For (a), you would fix mynetworks.
    For (b), you would identify the compromised account and shut it down by looking at who they are authenticating as.
    For (c), you may wish to also enable cbpolicyd greylisting and DSPAM.

    --Quanah
    Quanah Gibson-Mount, Server Architect, Zimbra, Inc
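The grep in #2 follows one queue ID but stops at the point where amavis hands the message back under a new one (the "queued as 9BA9C22A000C" at the end of the smtp line), and each of Quanah's three cases leaves a different trace in the smtpd line: a client IP inside mynetworks for (a), a sasl_username= for (b), and nothing but an outside client IP for (c). As an added example, not code from this thread or from Zimbra, the Python below groups Postfix log lines by queue ID, follows the re-injection chain to the final delivery, and labels each message with its origin and with whether it ended in a local mailbox or went out to another MX. The sample log embeds the B897C2690016 lines from #2; the lmtp line, the other queue IDs, the 198.51.100.x/203.0.113.x addresses and the account salesbox@mydomain.com are constructed, and LOCAL_DOMAINS and MYNETWORKS are assumptions copied from the Trusted Networks posted in #4.

```python
"""Group Postfix log lines by queue ID, follow the amavis re-injection
("queued as ..."), and label each message by origin and direction."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions copied from the thread: the local domain, and the first three
# Trusted Networks (mynetworks) entries posted in #4.
LOCAL_DOMAINS = {"mydomain.com"}
MYNETWORKS = [ip_network(n) for n in
              ("127.0.0.0/8", "192.168.0.0/21", "204.14.232.65/32")]

# Constructed sample log: the B897C2690016 lines are from #2; the lmtp line,
# the 0AAAA../0BBBB../0CCCC../0DDDD.. queue IDs, the documentation-range IPs
# and the hypothetical account salesbox@mydomain.com are made up.
SAMPLE_LOG = """\
Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]
Jul 15 06:42:04 zimbra postfix/qmgr[30659]: B897C2690016: from=<Info@hatchmon-days.biz>, size=5273, nrcpt=1 (queue active)
Jul 15 06:42:13 zimbra postfix/smtp[16548]: B897C2690016: to=<jeanl@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=29, delays=20/4.8/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9BA9C22A000C)
Jul 15 06:42:13 zimbra postfix/lmtp[16600]: 9BA9C22A000C: to=<jeanl@mydomain.com>, relay=zimbra.mydomain.com[192.168.1.54]:7025, delay=0.1, status=sent (250 2.1.5 Delivery OK)
Jul 15 07:10:01 zimbra postfix/smtpd[17001]: 0AAAA2690099: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=salesbox@mydomain.com
Jul 15 07:10:01 zimbra postfix/qmgr[30659]: 0AAAA2690099: from=<salesbox@mydomain.com>, size=4100, nrcpt=1 (queue active)
Jul 15 07:10:05 zimbra postfix/smtp[17020]: 0AAAA2690099: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=4, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0BBBB22A0099)
Jul 15 07:10:06 zimbra postfix/smtp[17030]: 0BBBB22A0099: to=<victim@example.net>, relay=mx.example.net[203.0.113.25]:25, delay=1, status=sent (250 ok)
Jul 15 07:15:00 zimbra postfix/smtpd[17040]: 0CCCC2690100: client=pc12.mydomain.local[192.168.2.40]
Jul 15 07:15:00 zimbra postfix/qmgr[30659]: 0CCCC2690100: from=<jr@mydomain.com>, size=900, nrcpt=1 (queue active)
Jul 15 07:15:01 zimbra postfix/smtp[17041]: 0CCCC2690100: to=<someone@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0DDDD22A0100)
Jul 15 07:15:02 zimbra postfix/smtp[17042]: 0DDDD22A0100: to=<someone@example.org>, relay=mx.example.org[203.0.113.40]:25, delay=1, status=sent (250 ok)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{10,12}): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*?relay=(?P<relay>\S+?)[,\s]")
REQUEUE_RE = re.compile(r"queued as (?P<qid>[0-9A-F]{10,12})")


def parse_log(text):
    """Collapse every log line carrying the same queue ID into one record."""
    msgs = defaultdict(lambda: {"client_host": None, "client_ip": None, "sasl_user": None,
                                "sender": None, "rcpts": [], "requeued_as": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        rec, rest = msgs[m["qid"]], m["rest"]
        if m["prog"] == "smtpd":  # who handed us the message, and whether they authenticated
            c, s = CLIENT_RE.search(rest), SASL_RE.search(rest)
            if c:
                rec["client_host"], rec["client_ip"] = c["host"], c["ip"]
            if s:
                rec["sasl_user"] = s["user"]
        elif m["prog"] == "qmgr":
            f = FROM_RE.search(rest)
            if f:
                rec["sender"] = f["addr"]
        elif m["prog"] in ("smtp", "lmtp"):  # where it went next
            t, r = TO_RE.search(rest), REQUEUE_RE.search(rest)
            if t:
                rec["rcpts"].append((t["addr"], t["relay"]))
            if r:
                rec["requeued_as"] = r["qid"]  # amavis handed it back under a new ID
    return dict(msgs)


def trace(msgs, qid):
    """Follow the 'queued as' chain to the queue ID that made the final delivery."""
    chain = [qid]
    while True:
        nxt = msgs[chain[-1]]["requeued_as"]
        if nxt is None or nxt not in msgs or nxt in chain:
            return chain
        chain.append(nxt)


def classify(msgs, qid):
    """Return (origin, direction) for the message that entered the MTA as qid."""
    rec = msgs[qid]
    if rec["sasl_user"]:
        origin = "authenticated:" + rec["sasl_user"]  # Quanah's case (b)
    elif rec["client_ip"] and any(ip_address(rec["client_ip"]) in n for n in MYNETWORKS):
        origin = "mynetworks:" + rec["client_ip"]  # case (a)
    else:
        origin = "external:" + (rec["client_ip"] or "?")  # inbound mail, or an open relay
    final = msgs[trace(msgs, qid)[-1]]["rcpts"]
    domains = {addr.rsplit("@", 1)[-1].lower() for addr, _relay in final}
    if not domains:
        direction = "unknown"
    elif domains <= LOCAL_DOMAINS:
        direction = "inbound"  # ended in our own mailboxes: received, not relayed
    else:
        direction = "outbound"
    return origin, direction


def report(msgs):
    """One entry per message as it first entered; re-injected IDs are folded in."""
    requeued = {r["requeued_as"] for r in msgs.values() if r["requeued_as"]}
    return {qid: classify(msgs, qid) for qid in msgs if qid not in requeued}


if __name__ == "__main__":
    for qid, (origin, direction) in sorted(report(parse_log(SAMPLE_LOG)).items()):
        print(f"{qid}  {direction:8s}  {origin}")
```

Run it over the real log (parse_log on the contents of /var/log/zimbra.log) and read the report by pair: "external" plus "outbound" would be an open relay, many "authenticated" plus "outbound" entries from one account are case (b) and name the account to lock, and "external" plus "inbound", which is what the thread's own chain for B897C2690016 produces, is mail the server received for its own users rather than mail it relayed.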
