Thread: Zimbra server sending out lots of spam

    Hey Folks,

    I awoke this morning to a phone call from one of our techs telling me that people weren't receiving mail. I logged into Zimbra, and between the 'deferred', 'active', and 'incoming' queues, there were over 100,000 messages tied up in our server. All of the sender addresses were non-existent accounts such as du@mydomain.com, rc@mydomain.com, bosib@mydomain.com, etc. I double-checked mxtoolbox.com, and the mail server is not set for open relay, which I verified by trying to send mail on 25 from my machine at home. Here is a sampling of zimbra.log: [I have changed references to our domain to 'mydomain.com']

    Code:
    Aug 29 06:46:57 mail postfix/smtps/smtpd[16241]: 7CE51AC4DC4: filter: RCPT from catv-176-63-242-182.catv.broadband.hu[176.63.242.182]: <doxyn@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<doxyn@mydomain.com> to=<wayne_bernard13@yahoo.com> proto=ESMTP helo=<igfurxsxvp>
    Aug 29 06:46:57 mail opendkim[17668]: 32333AC4DD9: no signing table match for 'dyqyp@mydomain.com'
    Aug 29 06:46:57 mail postfix/error[11878]: DCE74AA2FD3: to=<bella_flaky@yahoo.com>, relay=none, delay=1331, delays=1331/0.05/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail amavis[16220]: (16220-02-5) Checking: xSLg0CnThemb ORIGINATING [142.217.3.4] <sijed@mydomain.com> -> <jaimebarbosa82@gmail.com>,<qehwkj2@jnwrwerj.com>,<lovely_boy271@yahoo.com>,<ricewilliams75@yahoo.com>
    Aug 29 06:46:57 mail postfix/smtps/smtpd[19139]: AF5FDAC4DC9: filter: RCPT from 142-217-3-4.telebecinternet.net[142.217.3.4]: <raco@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<raco@mydomain.com> to=<gatornick22@yahoo.com> proto=ESMTP helo=<wukujrnj>
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-12) FWD from <dyqyp@mydomain.com> -> <ajitchaudhari07@gmail.com>,<dochennis@gmail.com>,<umer987@hotmail.com>,<www.kriangkrai_s@hotmail.com>,<asa_collier_04@yahoo.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9
    Aug 29 06:46:57 mail postfix/cleanup[15873]: F204BAC3ABF: message-id=<20130829114649.F204BAC3ABF@mail.mydomain.com>
    Aug 29 06:46:57 mail amavis[16334]: (16334-02-6) ESMTP::10026 /opt/zimbra/data/amavisd/tmp/amavis-20130829T064652-16334-eCxJSNDy: <micyte@mydomain.com> -> <mitchmonster@comcast.ne>,<bopulichev@gmail.com>,<dirtyrolex@gmail.com>,<reissp@gmail.com>,<luisperes1998@hotmail.com>,<hoodi-40@outlook.com>,<mbaker727783@yahoo.com> Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Thu, 29 Aug 2013 06:46:57 -0500 (CDT)
    Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: NOQUEUE: filter: RCPT from unknown[176.15.166.111]: <didu@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<didu@mydomain.com> to=<juanmoreno_49@yahoo.com> proto=ESMTP helo=<yhtojprbhm>
    Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: 42FB9AC4DDA: client=unknown[176.15.166.111], sasl_method=LOGIN, sasl_username=asampson
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-12) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [88.245.52.143]:51672 [88.245.52.143] <dyqyp@mydomain.com> -> <ajitchaudhari07@gmail.com>,<dochennis@gmail.com>,<umer987@hotmail.com>,<www.kriangkrai_s@hotmail.com>,<asa_collier_04@yahoo.com>, Queue-ID: 17F9BA67F04, Message-ID: <20130829100149.17F9BA67F04@mail.mydomain.com>, mail_id: 6vuHgIIWjLhs, Hits: -, size: 594, queued_as: 32333AC4DD9, 171 ms
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<ajitchaudhari07@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<dochennis@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<umer987@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<www.kriangkrai_s@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<asa_collier_04@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/qmgr[17648]: 53864AA3E70: from=<du@mydomain.com>, size=1012, nrcpt=3 (queue active)
    Aug 29 06:46:57 mail postfix/qmgr[17648]: 17F9BA67F04: removed
    Aug 29 06:46:57 mail amavis[16333]: (16333-01-13) ESMTP::10026 /opt/zimbra/data/amavisd/tmp/amavis-20130829T064652-16333-f2erIBw_: <piwyba@mydomain.com> -> <joey1974@comcast.net>,<pradip.sarkar1979@gmail.com>,<ulli.meissner@gmx.de>,<johncarlson123@hotmail.com>,<johnboy926@msn.com>,<ayyup_x@yahoo.com>,<chibab4lyf@yahoo.com>,<ionakiddo@yahoo.com> Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Thu, 29 Aug 2013 06:46:57 -0500 (CDT)
    Aug 29 06:46:57 mail postfix/error[11863]: 058A3AA3A86: to=<dambreaks@yahoo.com>, relay=none, delay=351, delays=351/0.03/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail amavis[16334]: (16334-02-6) Checking: SExjRDsJzodb ORIGINATING [146.255.140.127] <micyte@mydomain.com> -> <mitchmonster@comcast.ne>,<bopulichev@gmail.com>,<dirtyrolex@gmail.com>,<reissp@gmail.com>,<luisperes1998@hotmail.com>,<hoodi-40@outlook.com>,<mbaker727783@yahoo.com>
    Aug 29 06:46:57 mail postfix/qmgr[17648]: 92CCCA89B22: from=<fuhax@mydomain.com>, size=1428, nrcpt=6 (queue active)
    Aug 29 06:46:57 mail opendkim[17668]: 635B1AC4DE1: no signing table match for 'su@mydomain.com'
    Aug 29 06:46:57 mail amavis[15790]: (15790-02-16) Checking: 6gWevoKA4XXu ORIGINATING_POST/MYNETS [127.0.0.1] <se@mydomain.com> -> <fmgregobrwn@aol.com>,<garysentez@aol.com>,<darlox@free.fr>,<aposyl@hotmail.com>,<cnc00@hotmail.com>,<dodo2010@yahoo.com>
    Aug 29 06:46:57 mail postfix/smtp[15160]: C6EA4AC256E: to=<andrew04walker@sympatico.ca>, relay=mxmta.sympatico.ca[67.69.240.23]:25, delay=845, delays=727/115/2/0.14, dsn=2.0.0, status=sent (250 ok:  Message 325277331 accepted)
    Aug 29 06:46:57 mail postfix/error[11847]: 92CCCA89B22: to=<michaeladinero@yahoo.com>, relay=none, delay=4386, delays=4386/0.04/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail postfix/qmgr[17648]: DE793A62381: from=<zoc@mydomain.com>, size=1361, nrcpt=5 (queue active)
    Aug 29 06:46:57 mail amavis[16220]: (16220-02-6) Checking: RzKIqo_YKQfY ORIGINATING [84.198.12.130] <noh@mydomain.com> -> <sdffggdfg@aol.com>,<dhagi66@gmail.com>,<evansarthur@hotmail.com>,<brothers.kevin44@yahoo.com>,<infineon_01@yahoo.com>,<wadewolf22@yahoo.com>
    Aug 29 06:46:57 mail amavis[16406]: (16406-01-4) ESMTP::10032 /opt/zimbra/data/amavisd/tmp/amavis-20130829T064655-16406-snZPTJCx: <hys@mydomain.com> -> <harikrishnanedm@gmail.com>,<phillipsr88@gmail.com>,<astro_insomniac@hotmail.com>,<ccsjsimonian@yahoo.com>,<vicmack777@yahoo.com> SIZE=1049 Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP; Thu, 29 Aug 2013 06:46:57 -0500 (CDT)
    Aug 29 06:46:57 mail postfix/error[11969]: D16ECA84A49: to=<iusman4178@yahoo.com>, relay=none, delay=20258, delays=20258/0.04/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail postfix/smtps/smtpd[21953]: BF2B1AC4DB7: filter: RCPT from d54c60c82.access.telenet.be[84.198.12.130]: <hygi@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hygi@mydomain.com> to=<warrington79@tahoo.com> proto=ESMTP helo=<wpipjvp>
    Aug 29 06:46:57 mail amavis[15867]: (15867-02-9) Checking: hgNkA205u4EL ORIGINATING_POST/MYNETS [127.0.0.1] <wipi@mydomain.com> -> <aaronvanmann@aim.com>,<apoindex1337@comcast.net>,<c.ohara388@gmail.com>,<arguellesrandy@hotmail.com>,<sergioa1176@yahoo.com>
    Aug 29 06:46:57 mail postfix/qmgr[17648]: D08ECA8984C: from=<fiq@mydomain.com>, size=1351, nrcpt=5 (queue active)
    Aug 29 06:46:57 mail postfix/smtp[15699]: 15CC4A86D25: to=<deepanshugoel.goel4@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.74.27]:25, delay=15946, delays=1660/14261/24/0.85, dsn=4.7.0, status=deferred (host alt2.gmail-smtp-in.l.google.com[173.194.74.27] said: 421-4.7.0 [198.209.243.122      10] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. b4si1371892qar.65 - gsmtp (in reply to end of DATA command))
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-13) FWD from <su@mydomain.com> -> <brawnarama85@gmail.com>,<da132y4n@gmail.com>,<kyen3026@gmail.com>,<prokslove@gmail.com>,<patatecool@msn.com>,<gazerbo@tiscali.co.uk>,<antwonlawrence@yahoo.com>,<j.cabales@yahoo.com>,<kelvin.kesley@yahoo.com>,<t_espino@yahoo.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 635B1AC4DE1
    Aug 29 06:46:57 mail postfix/smtps/smtpd[19139]: AF5FDAC4DC9: filter: RCPT from 142-217-3-4.telebecinternet.net[142.217.3.4]: <raco@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<raco@mydomain.com> to=<waldron2014@hotmail.com> proto=ESMTP helo=<wukujrnj>
    Aug 29 06:46:57 mail postfix/smtp[8177]: 2760EA87AC2: to=<jaisahani1212@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.77.27]:25, delay=15384, delays=1107/14266/4.6/7.2, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.77.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 g7si1879492oez.116 - gsmtp (in reply to RCPT TO command))
    Aug 29 06:46:57 mail postfix/smtp[15699]: 15CC4A86D25: to=<jegvva@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.74.27]:25, delay=15946, delays=1660/14261/24/0.85, dsn=4.7.0, status=deferred (host alt2.gmail-smtp-in.l.google.com[173.194.74.27] said: 421-4.7.0 [198.209.243.122      10] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. b4si1371892qar.65 - gsmtp (in reply to end of DATA command))
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-13) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [212.91.169.114]:4113 [212.91.169.114] <su@mydomain.com> -> <brawnarama85@gmail.com>,<da132y4n@gmail.com>,<kyen3026@gmail.com>,<prokslove@gmail.com>,<patatecool@msn.com>,<gazerbo@tiscali.co.uk>,<antwonlawrence@yahoo.com>,<j.cabales@yahoo.com>,<kelvin.kesley@yahoo.com>,<t_espino@yahoo.com>, Queue-ID: 705F9AC36EF, Message-ID: <20130829113641.705F9AC36EF@mail.mydomain.com>, mail_id: NhH2fo2kRWhp, Hits: -, size: 690, queued_as: 635B1AC4DE1, 205 ms
    Aug 29 06:46:57 mail postfix/smtp[16223]: 705F9AC36EF: to=<brawnarama85@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=13, delay=617, delays=245/372/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 635B1AC4DE1)
    The logs almost make it look like it is relaying mail, even though it says that it isn't. I have disabled 25 outbound on our firewall for the moment, until I can get this cleared up... So far, I am not a member of any blacklists, just temporarily suspended from many of the major mail providers.

    Any help would be greatly appreciated! If you need any additional info/logs from me, please let me know.

    Thanks,

    Weston

    edit: adding more logs

    Code:
    Aug 29 14:06:40 mail postfix/qmgr[28128]: 567199A3E02: from=<go@mydomain.com>, size=1075, nrcpt=4 (queue active)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<kircks@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<cozine5b@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<dprice131313@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<hong.kong63@ymail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/qmgr[28128]: D06108E683E: removed
    Aug 29 14:06:40 mail postfix/smtps/smtpd[14695]: 06DE79A3BB4: filter: RCPT from unknown[93.84.18.254]: <sogo@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sogo@mydomain.com> to=<mossivan@yahoo.com> proto=ESMTP helo=<yrvonjdoq>
    Last edited by nitsew; 08-29-2013 at 12:09 PM.
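The excerpt above shows `sasl_method=LOGIN, sasl_username=asampson` on a `client=` line from the same IP (176.15.166.111) that submitted mail with a forged local sender, which is consistent with an authenticated account being used to submit the spam rather than an open relay. As an added example that is not part of the original post, this Python script correlates the `client=` and `filter: RCPT` lines of zimbra.log by client IP and flags SASL accounts that send as addresses other than their own or from several different IPs; the first three sample lines are from the post, the rest (who authenticated from 142.217.3.4, the jdoe account, 10.0.0.5 and its queue ID) are constructed.

```python
import re
from collections import defaultdict

# Sample lines: the first three are from the post's excerpt; the login from
# 142.217.3.4, the jdoe account, 10.0.0.5 and queue ID 1A2B3C4D5E6 are constructed.
SAMPLE_LOG = """\
Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: NOQUEUE: filter: RCPT from unknown[176.15.166.111]: <didu@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<didu@mydomain.com> to=<juanmoreno_49@yahoo.com> proto=ESMTP helo=<yhtojprbhm>
Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: 42FB9AC4DDA: client=unknown[176.15.166.111], sasl_method=LOGIN, sasl_username=asampson
Aug 29 06:46:57 mail postfix/smtps/smtpd[19139]: AF5FDAC4DC9: filter: RCPT from 142-217-3-4.telebecinternet.net[142.217.3.4]: <raco@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<raco@mydomain.com> to=<gatornick22@yahoo.com> proto=ESMTP helo=<wukujrnj>
Aug 29 06:46:58 mail postfix/smtps/smtpd[19139]: AF5FDAC4DC9: client=142-217-3-4.telebecinternet.net[142.217.3.4], sasl_method=LOGIN, sasl_username=asampson
Aug 29 06:47:01 mail postfix/smtps/smtpd[20001]: 1A2B3C4D5E6: client=office.example.net[10.0.0.5], sasl_method=LOGIN, sasl_username=jdoe
Aug 29 06:47:01 mail postfix/smtps/smtpd[20001]: 1A2B3C4D5E6: filter: RCPT from office.example.net[10.0.0.5]: <jdoe@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<jdoe@mydomain.com> to=<partner@example.org> proto=ESMTP helo=<laptop>
"""

# smtpd "client=" line: ties a client IP to the SASL account that authenticated.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: \S+: client=\S*?\[(?P<ip>[\d.]+)\],.*sasl_username=(?P<user>\S+)")
# smtpd "filter: RCPT" line: envelope sender and recipient submitted from that IP.
RCPT_RE = re.compile(r"smtpd\[\d+\]: \S+: filter: RCPT from \S*?\[(?P<ip>[\d.]+)\]:"
                     r".*from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")


def analyze(log_text, ip_threshold=2):
    """Attribute submissions to SASL accounts by client IP and flag likely abuse."""
    ip_users = defaultdict(set)    # client IP -> SASL usernames seen from it
    ip_senders = defaultdict(set)  # client IP -> envelope senders used from it
    ip_rcpts = defaultdict(int)    # client IP -> recipients attempted
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            ip_users[m["ip"]].add(m["user"].lower())
        elif (m := RCPT_RE.search(line)):
            ip_senders[m["ip"]].add(m["sender"].lower())
            ip_rcpts[m["ip"]] += 1
    report = {}
    for ip, users in ip_users.items():
        for user in users:  # an IP shared by several accounts (NAT) merges here
            r = report.setdefault(user, {"ips": set(), "senders": set(), "rcpts": 0})
            r["ips"].add(ip)
            r["senders"] |= ip_senders[ip]
            r["rcpts"] += ip_rcpts[ip]
    for user, r in report.items():
        # A sender whose local part is not the authenticated account is forged.
        r["forged"] = {s for s in r["senders"] if s.split("@")[0] != user}
        r["suspicious"] = bool(r["forged"]) or len(r["ips"]) >= ip_threshold
    return report


if __name__ == "__main__":
    print({u: (r["suspicious"], sorted(r["forged"])) for u, r in analyze(SAMPLE_LOG).items()})
```

Run `analyze()` over the full zimbra.log text; the per-account `rcpts` count shows which mailbox the queued messages came through, and that account's password is the one to reset before re-enabling outbound 25.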