12-31-2008, 03:43 AM
snake_eyes
Large volume of spam messages; see the log

Hello,

I'm receiving a large volume of spam messages. One of them was sent from it@mydomain.com to it@mydomain.com, although "it" is an alias name containing the I.T. Department staff.

I copied the log from /var/log/zimbra.log and I found this:

Code:
Dec 31 11:48:32 mail zmmailboxdmgr[2333]: status requested
Dec 31 11:48:32 mail zmmailboxdmgr[2333]: status OK
Dec 31 11:48:33 mail zmmailboxdmgr[2396]: status requested
Dec 31 11:48:33 mail zmmailboxdmgr[2396]: status OK
Dec 31 11:49:42 mail zmmailboxdmgr[2731]: status requested
Dec 31 11:49:42 mail zmmailboxdmgr[2731]: status OK
Dec 31 11:49:43 mail zmmailboxdmgr[2792]: status requested
Dec 31 11:49:43 mail zmmailboxdmgr[2792]: status OK
Dec 31 11:49:44 mail postfix/smtpd[1762]: connect from unknown[212.70.50.179]
Dec 31 11:49:44 mail postfix/smtpd[1762]: 95FE3AA02B6: client=unknown[212.70.50.179]
Dec 31 11:49:44 mail postfix/cleanup[1766]: 95FE3AA02B6: message-id=<0KCQ00HPAGH6WL@ling.atheer.net.sa>
Dec 31 11:49:44 mail postfix/qmgr[19037]: 95FE3AA02B6: from=<it@myomain.com>, size=2314, nrcpt=9 (queue active)
Dec 31 11:49:44 mail amavis[12859]: (12859-16) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20081230T115440-12859: <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com> SIZE=2314 BODY=8BITMIME Received: from mail.myomain.com ([127.0.0.1]) by localhost (mail.myomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Wed, 31 Dec 2008 11:49:44 +0300 (AST)
Dec 31 11:49:44 mail amavis[12859]: (12859-16) Checking: EkJj7vpmdfLW [212.70.50.179] <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com>
Dec 31 11:49:44 mail postfix/smtpd[1762]: disconnect from unknown[212.70.50.179]
Dec 31 11:49:46 mail postfix/smtpd[1777]: connect from localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail postfix/smtpd[1777]: D0190AA02B7: client=localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail postfix/cleanup[1766]: D0190AA02B7: message-id=<0KCQ00HPAGH6WL@ling.atheer.net.sa>
Dec 31 11:49:46 mail postfix/qmgr[19037]: D0190AA02B7: from=<it@myomain.com>, size=3072, nrcpt=9 (queue active)
Dec 31 11:49:46 mail postfix/smtpd[1777]: disconnect from localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail amavis[12859]: (12859-16) FWD via SMTP: <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com>,BODY=8BITMIME 250 2.6.0 Ok, id=12859-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D0190AA02B7
Dec 31 11:49:46 mail amavis[12859]: (12859-16) Passed SPAMMY, [212.70.50.179] [98.209.154.224] <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com>, Message-ID: <0KCQ00HPAGH6WL@ling.atheer.net.sa>, mail_id: EkJj7vpmdfLW, Hits: 11.999, size: 2313, queued_as: D0190AA02B7, 2253 ms
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<d.nakouzi@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<dawood@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<h.kawass@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<hilal@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<k.jubeily@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<m.othman@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<r.baba@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<r.nawam@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<wafik@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/qmgr[19037]: 95FE3AA02B6: removed
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<d.nakouzi@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<dawood@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<h.kawass@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<hilal@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<k.jubeily@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<m.othman@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<r.baba@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<r.nawam@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<wafik@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/qmgr[19037]: D0190AA02B7: removed
Dec 31 11:50:01 mail zimbramon[2847]: 2847:info: 2008-12-31 11:50:01, QUEUE: 0 0 
Dec 31 11:50:02 mail zimbramon[2858]: 2858:info: 2008-12-31 11:50:01, DISK: mail.myomain.com: dev: /dev/sda1, mp: /, tot: 200889, avail: 182518 
Dec 31 11:50:04 mail zmmailboxdmgr[3154]: status requested
Dec 31 11:50:04 mail zmmailboxdmgr[3154]: status OK
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: antispam: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: antivirus: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: ldap: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: logger: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: mailbox: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: mta: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: snmp: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: spell: Running 
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: stats: Running 
Dec 31 11:50:42 mail postfix/smtpd[1762]: connect from uslec-66-255-79-114.cust.uslec.net[66.255.79.114]
Dec 31 11:50:42 mail postfix/smtpd[3261]: connect from uslec-66-255-79-114.cust.uslec.net[66.255.79.114]
Dec 31 11:50:44 mail postfix/smtpd[1762]: NOQUEUE: reject: RCPT from uslec-66-255-79-114.cust.uslec.net[66.255.79.114]: 550
Here is my MTA configuration from the global settings:

Code:
Protocol checks
	Hostname in greeting violates RFC (reject_invalid_hostname) (YES)
	Client must greet with a fully qualified hostname (reject_non_fqdn_hostname) (NO)
	Sender address must be fully qualified (reject_non_fqdn_sender) (YES)
DNS checks
	Client's IP address (reject_unknown_client) (NO)
	Hostname in greeting (reject_unknown_hostname) (NO)
	Sender's domain (reject_unknown_sender_domain) (NO)
Please note that the time shown is the exact time of the spam mail that I checked in the spam folder of my mailbox.

Another favor, please: could you advise me on the proper way (configuration) to reduce the spam messages?

Cheers,

Last edited by snake_eyes; 12-31-2008 at 03:48 AM.
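One way to triage a log like the one quoted above (an added example, not code from the thread or from Zimbra): correlate the first-hop Postfix queue id with the amavis verdict via the "queued as" re-injection id, then flag messages whose envelope sender claims the local domain while the connecting client sits outside the internal networks, which is exactly the pattern behind the it@-to-it@ message. The local domain comes from the log; the internal network list and the trimmed sample lines are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Local domain taken from the thread's log; the internal network list is an assumption.
LOCAL_DOMAIN = "myomain.com"
INTERNAL_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.119.0/24")]

CLIENT_RE = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*\[(?P<ip>[\d.]+)\]")
FROM_RE = re.compile(r"qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
RELAY_RE = re.compile(r"smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*queued as (?P<qid2>[0-9A-F]+)\)")
AMAVIS_RE = re.compile(r"amavis\[\d+\]: .*Passed (?P<verdict>\w+), .*Hits: (?P<hits>[-\d.]+), .*queued_as: (?P<qid2>[0-9A-F]+)")

# Constructed sample: trimmed copies of the lines quoted in the thread.
SAMPLE_LOG = """\
Dec 31 11:49:44 mail postfix/smtpd[1762]: 95FE3AA02B6: client=unknown[212.70.50.179]
Dec 31 11:49:44 mail postfix/qmgr[19037]: 95FE3AA02B6: from=<it@myomain.com>, size=2314, nrcpt=9 (queue active)
Dec 31 11:49:46 mail postfix/smtpd[1777]: D0190AA02B7: client=localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail postfix/qmgr[19037]: D0190AA02B7: from=<it@myomain.com>, size=3072, nrcpt=9 (queue active)
Dec 31 11:49:46 mail amavis[12859]: (12859-16) Passed SPAMMY, [212.70.50.179] <it@myomain.com> -> <dawood@myomain.com>, Hits: 11.999, size: 2313, queued_as: D0190AA02B7, 2253 ms
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<dawood@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
""".splitlines()

def correlate(lines):
    """One record per first-hop queue id: client IP, sender, recipient count, amavis verdict."""
    msgs, reinjected, verdicts = {}, {}, {}
    for line in lines:
        if m := CLIENT_RE.search(line):
            msgs.setdefault(m["qid"], {})["client_ip"] = m["ip"]
        elif m := FROM_RE.search(line):
            msgs.setdefault(m["qid"], {}).update(sender=m["sender"], nrcpt=int(m["nrcpt"]))
        elif m := RELAY_RE.search(line):
            reinjected[m["qid2"]] = m["qid"]          # second-hop id -> first-hop id
        elif m := AMAVIS_RE.search(line):
            verdicts[m["qid2"]] = (m["verdict"], float(m["hits"]))
    # amavis logs its verdict before Postfix logs the "queued as" line, so join afterwards.
    for qid2, (verdict, hits) in verdicts.items():
        if qid2 in reinjected:
            msgs.setdefault(reinjected[qid2], {}).update(verdict=verdict, hits=hits)
    return msgs

def spoofed_internal_sender(rec):
    """True when the envelope sender claims the local domain but the client is not internal."""
    ip, sender = rec.get("client_ip"), rec.get("sender", "")
    if ip is None or not sender.lower().endswith("@" + LOCAL_DOMAIN):
        return False
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def flag_spoofed(lines):
    return {qid: rec for qid, rec in correlate(lines).items() if spoofed_internal_sender(rec)}
```

Running `flag_spoofed` over the full /var/log/zimbra.log shows which external hosts are injecting mail with a local-domain sender and whether amavis let it through, which is the evidence needed before tightening the sender checks.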