I'm in big spam trouble! Please help me!

lananhbin
Advanced member
Posts: 64
Joined: Sat Sep 13, 2014 12:37 am

Postby lananhbin » Fri Mar 29, 2013 5:33 am

My domain is abc.cd.ef

The FQDN of my mail server is z.abc.cd.ef
In my system there is a user, fedexexpressdelivery@z.abc.cd.ef, that is sending spam, but I can't find that user to disable it. Please tell me how!
Thanks in advance!


phoenix
Ambassador
Posts: 26625
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Fri Mar 29, 2013 5:51 am

Did you look at any of the forum threads on this topic? How do you know that's the 'user' that's sending spam? The information you've posted doesn't actually give any details about the problem, you're going to have to look at the log files to determine what the problem actually is.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
lananhbin
Advanced member
Posts: 64
Joined: Sat Sep 13, 2014 12:37 am

Postby lananhbin » Fri Mar 29, 2013 6:07 am

I log in to the Zimbra web mail and that user is randomly sending thousands of emails. Those emails make my system crash!

E.g. my domain is abc.cd.ef, so my user email is lananh@abc.cd.ef

But the email sending spam is fedexexpressdeliverry@z.abc.cd.ef, and z.abc.cd.ef is the FQDN of my mail server.

I can't find that user!

P.S.: I searched but I can't find any solution.
[quote user="10330phoenix"]Did you look at any of the forum threads on this topic? How do you know that's the 'user' that's sending spam? The information you've posted doesn't actually give any details about the problem, you're going to have to look at the log files to determine what the problem actually is.[/QUOTE]
phoenix
Ambassador
Posts: 26625
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Fri Mar 29, 2013 6:49 am

[quote user="lananhbin"]I log in to the Zimbra web mail and that user is randomly sending thousands of emails. Those emails make my system crash!

E.g. my domain is abc.cd.ef, so my user email is lananh@abc.cd.ef[/QUOTE]
I understand that.
[quote user="lananhbin"]But the email sending spam is fedexexpressdeliverry@z.abc.cd.ef, and z.abc.cd.ef is the FQDN of my mail server.

I can't find that user![/QUOTE]
You still haven't said how you know this 'user' is sending spam; where did you get that email address from? If you got this from the log files then you should see the IP address of the client that's submitting the email. If you have no user with that name on your server then you've either got a compromised account or a spam bot on your network that's submitting mail through your server.
[quote user="lananhbin"]P.S.: I searched but I can't find any solution.[/QUOTE]
There are plenty of solutions in the forums. I'd suggest you look at some of those threads that discuss 'compromised accounts' and try some of the suggestions you'll find. You will additionally need to look at your log files to find the source of this problem; merely repeating the suspected user name does not give enough information for anyone to advise you - you're going to have to do some digging in the log files.
Regards

Bill

lananhbin
Advanced member
Posts: 64
Joined: Sat Sep 13, 2014 12:37 am

Postby lananhbin » Fri Mar 29, 2013 9:32 am

I disconnected the network, then I logged in to my admin page. I can see the user that sends the most emails. I can't find that user on my system. I didn't
I have some information.
There are a few emails from the IP 101.221.201.127 sent to my system, with:

sender: fedexexpressdeliverry@z.abc.cd.ef. It's the same name as the account sending spam on my system.

from host: unknown

origin domain: smtp-amavis:[127.0.0.1]:10024
That's all I have now. I can't find the local IP or user on my system sending mail!
If I'm under "spam bot" attack, what should I do? I searched with the keyword you gave but I still can't find any solution! Please help me! Thanks
1215vavai
Advanced member
Posts: 142
Joined: Fri Sep 12, 2014 10:36 pm

Postby 1215vavai » Fri Mar 29, 2013 2:49 pm

Hi,
The simple temporary solution (or call it first aid :) ): just tell Zimbra to ban all mail sent from your FQDN instead of from your domain.
su - zimbra
vi /opt/zimbra/conf/salocal.cf.in

Add the following line:
blacklist_from *@z.abc.cd.ef
and then save it (with :wq!, because this file is read-only), followed by:
zmmtactl restart && zmamavisdctl restart

The permanent solution: investigate your logs (start from /var/log/zimbra.log) and find out the origin (IP, sender, SASL login) of the spam messages.
lananhbin
Advanced member
Posts: 64
Joined: Sat Sep 13, 2014 12:37 am

Postby lananhbin » Sat Mar 30, 2013 11:30 pm

Thanks vavai! Although I did it another way: I blocked 101.221.201.127 and added more rules to my MTA... and now (maybe) I have solved my trouble. But I still can't find the compromised accounts :(
P.S.: thanks phoenix so much :D
7310pyperdown
Posts: 31
Joined: Fri Sep 12, 2014 10:02 pm

Postby 7310pyperdown » Thu Jun 27, 2013 6:05 pm

You need to look at your zimbra.log files, possibly going back a couple of days. If it's not in the current log you may need to look at zimbra.log.0, or zimbra.log.[1-4].gz
This fragment checks the log file and counts the number of connections in each recorded timestamp minute, i.e.

5 12:48 ignorant_user
32 12:53 ignorant_user

And so on.
zgrep -i "auth ok" /var/log/zimbra.log | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -nr
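
The log digging the replies above ask for (origin IP and SASL login behind one envelope sender), as an added example that is not part of any post in the thread. It assumes standard Postfix `smtpd` and `qmgr` syslog lines in zimbra.log; the sample lines, the documentation-range addresses and the account `jdoe` are constructed.

```shell
#!/bin/sh
# Added example. Constructed sample in Postfix syslog format (not from the thread);
# client addresses are documentation ranges, "jdoe" is a hypothetical account.
sample_log() {
cat <<'EOF'
Mar 29 09:12:01 z postfix/smtpd[2101]: 4A1B2C3D01: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=jdoe
Mar 29 09:12:01 z postfix/qmgr[1800]: 4A1B2C3D01: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2210, nrcpt=50 (queue active)
Mar 29 09:12:02 z postfix/smtpd[2140]: 5B2C3D4E02: client=localhost[127.0.0.1]
Mar 29 09:12:02 z postfix/qmgr[1800]: 5B2C3D4E02: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2650, nrcpt=50 (queue active)
Mar 29 09:12:03 z postfix/smtpd[2101]: 6C3D4E5F03: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=jdoe
Mar 29 09:12:03 z postfix/qmgr[1800]: 6C3D4E5F03: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2198, nrcpt=50 (queue active)
Mar 29 09:12:40 z postfix/qmgr[1800]: 6C3D4E5F03: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2198, nrcpt=50 (queue active)
Mar 29 09:13:10 z postfix/smtpd[2105]: 7D4E5F6A04: client=pc10.abc.cd.ef[192.0.2.10], sasl_method=PLAIN, sasl_username=lananh
Mar 29 09:13:10 z postfix/qmgr[1800]: 7D4E5F6A04: from=<lananh@abc.cd.ef>, size=900, nrcpt=1 (queue active)
Mar 29 09:13:30 z postfix/smtpd[2107]: 8E5F6A7B05: client=unknown[203.0.113.5]
Mar 29 09:13:30 z postfix/qmgr[1800]: 8E5F6A7B05: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2300, nrcpt=20 (queue active)
Mar 29 09:14:00 z postfix/smtpd[2101]: 9F6A7B8C06: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=jdoe
Mar 29 09:14:00 z postfix/qmgr[1800]: 9F6A7B8C06: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2201, nrcpt=50 (queue active)
EOF
}

# trace_sender ADDRESS: read log lines on stdin and print "count client_ip sasl_user"
# for every queued message whose envelope sender is ADDRESS, busiest source first.
trace_sender() {
  awk -v addr="$1" '
    # smtpd line: remember which client (and SASL login, if any) opened each queue ID
    $5 ~ /smtpd\[/ && $7 ~ /^client=/ {
      qid = $6; sub(/:$/, "", qid)
      ip = $7; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
      if (ip == "127.0.0.1") next        # amavis re-injection, not the origin
      user = "-"                          # "-" means no SASL login was logged
      for (i = 8; i <= NF; i++)
        if ($i ~ /^sasl_username=/) { user = $i; sub(/^sasl_username=/, "", user) }
      src[qid] = ip " " user
    }
    # qmgr line: envelope sender of the queue ID; count each queue ID once
    $5 ~ /qmgr\[/ && $7 == ("from=<" addr ">,") {
      qid = $6; sub(/:$/, "", qid)
      if ((qid in src) && !seen[qid]++) n[src[qid]]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

sample_log | trace_sender 'fedexexpressdeliverry@z.abc.cd.ef'
```

On a live server, feed it the real logs instead of the sample, for example `zcat -f /var/log/zimbra.log* | trace_sender ADDRESS`. A row with a SASL user names the account whose credentials are being used; a row with `-` is a client submitting without authentication.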
