
Zimbra is sending a Spam

Posted: Wed Jul 09, 2014 4:32 pm
by essential_mix
Hello Everyone!

First of all, I already read the topics about "open relay" and "compromised account".

So our server is not open for relay and I don't see anything strange here:

tail -n 100000 /var/log/mail.log | grep "sasl_username=" > smtpauthlogins.txt

zmcontrol -v

Release 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition.

This is from dailyreport:

zmdailyreport from 2014-07-08 00:00:00 to 2014-07-09 00:00:00
492 messages found for 628 total recipients (628 unique)

........

Most active senders

7 kelly_campos@ourdomain.com
5 rosalinda_ramsey@ourdomain.com
5 mayra_fox@ourdomain.com
5 delia_ferguson@ourdomain.com
4 imelda_dunlap@ourdomain.com
4 debora_hubbard@ourdomain.com
4 glenna_stafford@ourdomain.com
4 britney_randall@ourdomain.com
4 irene_coleman@ourdomain.com
4 kasey_dillard@ourdomain.com
4 bernice_calhoun@ourdomain.com
4 georgette_howard@ourdomain.com
4 tanisha_gamble@ourdomain.com
3 gracie_floyd@ourdomain.com
3 betty_schwartz@ourdomain.com
3 ernestine_pittman@ourdomain.com
3 freida_avila@ourdomain.com
3 glenna_guy@ourdomain.com
3 connie_underwood@ourdomain.com
3 robert_hess@ourdomain.com
3 jolene_alvarado@ourdomain.com

.......

The problem is that none of these accounts exist. And what does this report give? Because sometimes it says:

zmdailyreport from 2014-07-03 00:00:00 to 2014-07-04 00:00:00

No messages found


Is there any other way to find out what's going on? I'd appreciate any help.
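The `tail ... | grep "sasl_username="` command above only dumps the raw authenticated-submission lines; what you actually want to know is how many messages each account submitted and from how many different client IPs, because a mailbox whose password was phished usually shows up as one account authenticating from many unrelated addresses. The script below is an added example for this thread, not something from the original post or from Zimbra itself. It assumes the standard Postfix `smtpd` log format (`client=host[ip], sasl_method=..., sasl_username=...`) and uses a few constructed log lines so it runs offline; in production pipe the real `/var/log/mail.log` into `sasl_summary` instead.

```shell
#!/bin/sh
# Summarize authenticated SMTP submissions per account from a Postfix mail.log.
# The sample lines below are constructed for this example (not from the thread);
# in production run:  sasl_summary < /var/log/mail.log
SAMPLE_LOG='Jul  8 10:12:01 mail postfix/smtpd[1234]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@ourdomain.com
Jul  8 10:12:09 mail postfix/smtpd[1234]: 1A2B3D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@ourdomain.com
Jul  8 10:13:44 mail postfix/smtpd[1240]: 1A2B3E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@ourdomain.com
Jul  8 10:13:50 mail postfix/smtpd[1240]: 1A2B3F: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=bob@ourdomain.com
Jul  8 10:14:02 mail postfix/smtpd[1241]: 1A2B40: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@ourdomain.com
Jul  8 10:20:00 mail postfix/smtpd[1250]: 1A2B41: client=mail.example.net[192.0.2.10]'

# Reads log lines on stdin and prints one line per account:
#   <username> <authenticated submissions> <distinct client IPs>
# sorted by distinct IPs, then by submissions, descending.
sasl_summary() {
    grep 'sasl_username=' |
    # extract "<username> <client ip>" from each authenticated line
    sed -n 's/.*client=[^[]*\[\([^]]*\)\].*sasl_username=\([^, ]*\).*/\2 \1/p' |
    sort | uniq -c |
    # uniq -c gives "<count> <user> <ip>": sum counts per user, count IPs per user
    awk '{ logins[$2] += $1; ips[$2]++ }
         END { for (u in logins) print u, logins[u], ips[u] }' |
    sort -k3,3nr -k2,2nr
}

# Prints the accounts that authenticated from at least $1 distinct IPs
# (default 3); these are the first candidates to check for a stolen password.
suspicious_accounts() {
    threshold=${1:-3}
    sasl_summary | awk -v t="$threshold" '$3 >= t { print $1 }'
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | sasl_summary
printf '%s\n' "$SAMPLE_LOG" | suspicious_accounts 3
```

The threshold is a heuristic, not a verdict: a travelling user on mobile networks also changes IP, so treat the list as "look at these first" and confirm with the message volume and the client addresses before resetting a password.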

Zimbra is sending a Spam

Posted: Tue Jul 15, 2014 10:38 am
by essential_mix
What I have done so far:

1) Zimbra updated to 8.0.7

2) Passwords for user accounts were changed

3) Port 7071 was blocked from the internet

[quote]
zmcontrol -v

Release 8.0.7.GA.6021.UBUNTU12.64 UBUNTU12_64 FOSS edition.
[/quote]

Still can't identify the compromised account. I used the solutions from this topic, but without success.

From which logs does this "Most active senders" that I mentioned in my original post come?

Zimbra is sending a Spam

Posted: Tue Jul 15, 2014 11:05 am
by phoenix
[quote user="essential_mix"]Problem that all of this accounts does not exist. And what this report gives?[/quote]
That list is a list of addresses that are sending to you, not being sent by you - this has been mentioned in the forums before, although I seem to remember it was a long time ago.

Zimbra is sending a Spam

Posted: Tue Jul 15, 2014 12:28 pm
by essential_mix
[quote user="10330phoenix"]That list is a list of address that are sending to you not being sent by you - this has been mentioned in the forums before although I seem to remember it was a long time ago.[/quote]
Thank you for your reply. In this case, why are these addresses used in the logs with a FROM statement?

These errors are from the same dailyreport:

2014-07-14 00:07:01 bounced (Host or domain name not found. Name service error for name=nokiamail.cow type=A: Host not found)
from=tracie_rollins@ourdomain.com to=felix.lebethe@nokiamail.cow

2014-07-14 00:07:28 bounced (Host or domain name not found. Name service error for name=ve.nettuno type=A: Host not found)
from=elnora_reyes@ourdomain.com to=fortuny@ve.nettuno

2014-07-14 00:07:37 bounced (Host or domain name not found. Name service error for name=gmail.com.fr type=A: Host not found)
from=janelle_hopkins@ourdomain.com to=honore7923@gmail.com.fr

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)
from=<> to=johnville@gmail.ie

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)
from=arline_barrett@ourdomain.com to=johnville@gmail.ie

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.54]: Connection timed out)
from=<> to=johnville@gmail.ie

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.54]: Connection timed out)
from=arline_barrett@ourdomain.com to=johnville@gmail.ie

2014-07-14 00:09:28 bounced (Name service error for name=myspace.com type=MX: Malformed or unexpected name server reply)
from=shelby_whitfield@ourdomain.com to=johnvmiller1@myspace.com

Zimbra is sending a Spam

Posted: Tue Jul 15, 2014 12:38 pm
by phoenix
[quote user="essential_mix"]Thank you for your reply. In this case why this address in logs used with FROM statement[/quote]
Again, this has been answered previously and is all over the internet. It's because you are the target, not the sender, of that spam. It's called NDR spam or backscatter spam - if you search the forums or the internet for those phrases you'll get more information on the subject than you really want. :)
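The bounce entries in the previous post can be sorted into phoenix's two explanations mechanically: an entry whose sender is `<>` is a non-delivery report the server is trying to deliver (backscatter), and an entry whose sender claims `@ourdomain.com` but is not a real account is a forged envelope sender on inbound spam. Only entries whose sender is a real local account point at a possibly compromised mailbox. The script below is an added example for this thread, not code from the original posts or from Zimbra; it assumes the two-line "status line, then `from=... to=...` line" layout shown in the zmdailyreport excerpt above, uses constructed sample entries, and uses a constructed account list where a real install would use the output of `zmprov -l gaa`.

```shell
#!/bin/sh
# Classify bounce/defer entries from a zmdailyreport-style listing.
# Sample entries are constructed for this example (not from the thread); the
# real report pairs each status line with a following "from=... to=..." line.
SAMPLE_REPORT='2014-07-14 00:07:01 bounced (Host or domain name not found. Name service error for name=example.invalid type=A: Host not found)
from=tracie_rollins@ourdomain.com to=someone@example.invalid
2014-07-14 00:09:07 deferred (connect to example.net[192.0.2.1]: Connection timed out)
from=<> to=someone@example.net
2014-07-14 00:09:30 bounced (Recipient address rejected: User unknown)
from=alice@ourdomain.com to=nobody@example.org'

# Accounts that really exist on the server (constructed list). On a real
# Zimbra box build it with:  zmprov -l gaa
VALID_ACCOUNTS='alice@ourdomain.com
bob@ourdomain.com'

# Reads report lines on stdin and prints one line per entry:
#   <status> <from> <verdict>
# where verdict is:
#   ndr-relay      sender is <> : a bounce message we are trying to deliver
#   forged-sender  sender claims our domain but no such account exists
#   local-account  sender is a real account: check it for compromise
classify_bounces() {
    awk -v valid="$VALID_ACCOUNTS" '
        BEGIN { n = split(valid, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[0-9]/ { status = $3; next }          # "YYYY-MM-DD HH:MM:SS bounced (...)"
        /^from=/ {
            from = substr($1, 6)                  # strip the "from=" prefix
            if (from == "<>")      v = "ndr-relay"
            else if (from in ok)   v = "local-account"
            else                   v = "forged-sender"
            print status, from, v
        }'
}

# Totals per verdict: a report dominated by ndr-relay and forged-sender is
# backscatter; a large local-account count is the signal to investigate.
count_verdicts() {
    classify_bounces | awk '{ c[$3]++ } END { for (v in c) print v, c[v] }' | sort
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_REPORT" | classify_bounces
printf '%s\n' "$SAMPLE_REPORT" | count_verdicts
```

If every `@ourdomain.com` sender in a day's report comes back as `forged-sender` or `ndr-relay`, the "Most active senders" list is telling you who spammers are impersonating, not which of your users is sending; the `local-account` lines are the only ones worth cross-checking against the SASL login log.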

Zimbra is sending a Spam

Posted: Mon Jul 28, 2014 12:05 pm
by essential_mix
Hello again!

I have made 2 changes:

1) Rejecting false "mail from" addresses

2) Discarding Emails Sent to Invalid Addresses

But we are still going to blacklists.

What else can I check?

Zimbra is sending a Spam

Posted: Mon Jul 28, 2014 2:13 pm
by chauvetp
If the only issue is that your server was passing along mail from backscatters, how long since you made those changes? Have you been re-added to a blacklist since then or have you just not been removed yet?
Also, make sure you do not have users that are compromised. It doesn't matter what changes you make with postfix, if a user gives out their password in response to a phishing email, then the spammers are going to go in and use accounts on your system to send spam.

Zimbra is sending a Spam

Posted: Tue Jul 29, 2014 2:36 am
by phoenix
[quote user="essential_mix"]But we are still going to blacklists.[/quote]
You won't get off a blacklist immediately, you'll have to wait a while.

[quote user="essential_mix"]What else i can check?[/quote]
Do you use any RBLs on your server and if you do, which ones?

Zimbra is sending a Spam

Posted: Wed Jul 30, 2014 1:41 am
by quanah
I strongly advise reading over SpamAssassin Customizations - Zimbra :: Wiki as well.