Zimbra - Forums > Zimbra Collaboration Suite > Administrators

#11 (08-24-2007, 09:49 AM) Senior Member, Posts: 65

Yes, I have been scanning "ps -ef" continually. The only things I find curious are the "/tmp/.swatch_script.19528" entries; however, from other posts that appears to be part of Zimbra - but I cannot say definitely.

Here is the output from ps -eafwww:

UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul27 ? 00:00:02 init [3]
root 2 1 0 Jul27 ? 00:00:10 [migration/0]
root 3 1 0 Jul27 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 Jul27 ? 00:00:10 [migration/1]
root 5 1 0 Jul27 ? 00:00:00 [ksoftirqd/1]
root 6 1 0 Jul27 ? 00:00:00 [events/0]
root 7 1 0 Jul27 ? 00:00:00 [events/1]
root 8 6 0 Jul27 ? 00:00:00 [khelper]
root 9 6 0 Jul27 ? 00:00:00 [kacpid]
root 34 6 0 Jul27 ? 00:00:00 [kblockd/0]
root 35 6 0 Jul27 ? 00:00:00 [kblockd/1]
root 36 1 0 Jul27 ? 00:00:00 [khubd]
root 56 6 0 Jul27 ? 00:00:00 [aio/0]
root 57 6 0 Jul27 ? 00:00:00 [aio/1]
root 55 1 0 Jul27 ? 00:01:12 [kswapd0]
root 201 1 0 Jul27 ? 00:00:00 [kseriod]
root 320 1 0 Jul27 ? 00:00:00 [scsi_eh_0]
root 334 6 0 Jul27 ? 00:00:00 [ata/0]
root 335 6 0 Jul27 ? 00:00:00 [ata/1]
root 339 1 0 Jul27 ? 00:00:00 [scsi_eh_1]
root 340 1 0 Jul27 ? 00:00:00 [scsi_eh_2]
root 350 1 0 Jul27 ? 00:02:56 [kjournald]
root 1629 1 0 Jul27 ? 00:00:00 udevd
root 1914 6 0 Jul27 ? 00:00:00 [kauditd]
root 1980 6 0 Jul27 ? 00:00:00 [kmirrord]
root 2000 1 0 Jul27 ? 00:00:00 [kjournald]
root 2597 1 0 Jul27 ? 00:01:55 syslogd -m 0
root 2601 1 0 Jul27 ? 00:00:00 klogd -x
root 2707 1 0 Jul27 ? 00:00:00 irqbalance
rpc 2731 1 0 Jul27 ? 00:00:00 portmap
root 2862 1 0 Jul27 ? 00:00:00 /usr/sbin/acpid
root 2968 1 0 Jul27 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 3004 1 0 Jul27 ? 00:00:00 gpm -m /dev/input/mice -t exps2
canna 3046 1 0 Jul27 ? 00:00:00 /usr/sbin/cannaserver -syslog -u canna
xfs 3087 1 0 Jul27 ? 00:00:00 xfs -droppriv -daemon
root 3104 1 0 Jul27 ? 00:00:00 /usr/sbin/atd
root 3223 1 0 Jul27 ? 00:00:00 /usr/bin/perl /usr/local/bin/ipalert_statd
root 3228 1 0 Jul27 tty1 00:00:00 /sbin/mingetty tty1
root 3229 1 0 Jul27 tty2 00:00:00 /sbin/mingetty tty2
root 3230 1 0 Jul27 tty3 00:00:00 /sbin/mingetty tty3
root 3231 1 0 Jul27 tty4 00:00:00 /sbin/mingetty tty4
root 3232 1 0 Jul27 tty5 00:00:00 /sbin/mingetty tty5
root 3233 1 0 Jul27 tty6 00:00:00 /sbin/mingetty tty6
root 3234 1 0 Jul27 ttyS0 00:00:00 /sbin/mingetty ttyS0 CON9600 vt102
root 4903 1 0 Jul28 ? 00:00:00 rhnsd --interval 240
rpcuser 20578 1 0 Jul28 ? 00:00:00 rpc.statd
root 22097 1 0 Jul28 ? 00:00:00 [krfcommd]
dbus 22162 1 0 Jul28 ? 00:00:00 dbus-daemon-1 --system
root 22284 1 0 Jul28 ? 00:00:00 hald
htt 22411 1 0 Jul28 ? 00:00:00 /usr/sbin/htt -retryonerror 0
htt 22412 22411 0 Jul28 ? 00:00:00 htt_server -nodaemon
root 22531 1 0 Jul28 ? 00:00:00 rpc.idmapd
root 22591 1 0 Jul28 ? 00:00:21 /usr/sbin/sshd
root 22669 1 0 Jul28 ? 00:00:02 crond
root 23103 1 0 Jul28 ? 00:00:00 sh -c /usr/bin/perl -Iblib/lib -Iblib/arch -I/usr/lib/perl5/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/5.8.5 -I/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.5 -I/usr/lib/perl5/site_perl/5.8.4 -I/usr/lib/perl5/site_perl/5.8.3 -I/usr/lib/perl5/site_perl/5.8.2 -I/usr/lib/perl5/site_perl/5.8.1 -I/usr/lib/perl5/site_perl/5.8.0 -I/usr/lib/perl5/site_perl -I/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.5 -I/usr/lib/perl5/vendor_perl/5.8.4 -I/usr/lib/perl5/vendor_perl/5.8.3 -I/usr/lib/perl5/vendor_perl/5.8.2 -I/usr/lib/perl5/vendor_perl/5.8.1 -I/usr/lib/perl5/vendor_perl/5.8.0 -I/usr/lib/perl5/vendor_perl -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem >>sslecho.log 2>&1
root 23104 23103 0 Jul28 ? 00:00:00 /usr/bin/perl -Iblib/lib -Iblib/arch -I/usr/lib/perl5/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/5.8.5 -I/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.5 -I/usr/lib/perl5/site_perl/5.8.4 -I/usr/lib/perl5/site_perl/5.8.3 -I/usr/lib/perl5/site_perl/5.8.2 -I/usr/lib/perl5/site_perl/5.8.1 -I/usr/lib/perl5/site_perl/5.8.0 -I/usr/lib/perl5/site_perl -I/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.5 -I/usr/lib/perl5/vendor_perl/5.8.4 -I/usr/lib/perl5/vendor_perl/5.8.3 -I/usr/lib/perl5/vendor_perl/5.8.2 -I/usr/lib/perl5/vendor_perl/5.8.1 -I/usr/lib/perl5/vendor_perl/5.8.0 -I/usr/lib/perl5/vendor_perl -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem
root 3730 1 0 Aug02 ? 00:00:03 /usr/sbin/httpd
zimbra 19528 1 0 Aug02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
root 13023 6 0 Aug05 ? 00:00:09 [pdflush]
root 13031 6 0 Aug05 ? 00:00:00 [pdflush]
zimbra 13885 19528 0 Aug11 ? 00:00:31 /usr/bin/perl /tmp/.swatch_script.19528
zimbra 13928 13885 0 Aug11 ? 00:04:40 /usr/bin/perl /opt/zimbra/libexec/zmlogger
zimbra 26236 1 0 Aug12 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 26278 26236 0 Aug21 ? 00:00:13 /usr/bin/perl /tmp/.swatch_script.26236
zimbra 26303 26278 0 Aug21 ? 00:01:31 /usr/bin/perl /opt/zimbra/libexec/zmlogger
root 21034 1 0 Aug23 ? 00:00:00 cupsd
root 29445 22591 0 Aug23 ? 00:00:00 sshd: marcsf [priv]
marcsf 29447 29445 0 Aug23 ? 00:00:00 sshd: marcsf@pts/3
marcsf 29448 29447 0 Aug23 pts/3 00:00:00 -bash
root 29846 29448 0 Aug23 pts/3 00:00:00 su -
root 29848 29846 0 Aug23 pts/3 00:00:00 -bash
zimbra 4001 1 0 00:02 ? 00:00:11 /opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://server.domain.net:389 -f /opt/zimbra/conf/slapd.conf
zimbra 4400 1 0 00:02 ? 00:00:00 /bin/sh /opt/zimbra/logger/mysql/bin/mysqld_safe --defaults-file=/opt/zimbra/conf/my.logger.cnf --ledir=/opt/zimbra/logger/mysql/libexec
zimbra 4468 4400 0 00:02 ? 00:01:35 /opt/zimbra/logger/mysql/libexec/mysqld --defaults-file=/opt/zimbra/conf/my.logger.cnf --basedir=/opt/zimbra/logger/mysql --datadir=/opt/zimbra/logger/db/data --pid-file=/opt/zimbra/logger/db/mysql.pid --skip-external-locking --port=7307 --socket=/opt/zimbra/logger/db/mysql.sock
zimbra 4469 1 0 00:02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 4883 1 0 00:03 ? 00:00:18 /usr/bin/perl /opt/zimbra/libexec/zmmtaconfig
zimbra 4906 1 0 00:03 ? 00:00:00 /bin/sh /opt/zimbra/mysql/bin/mysqld_safe --defaults-file=/opt/zimbra/conf/my.cnf --ledir=/opt/zimbra/mysql/libexec
zimbra 4978 1 0 00:03 ? 00:00:00 /usr/bin/perl -w /opt/zimbra/libexec/zmconvertdmon -c /opt/zimbra/libexec/zmconvertd
zimbra 5012 4906 0 00:03 ? 00:00:14 /opt/zimbra/mysql/libexec/mysqld --defaults-file=/opt/zimbra/conf/my.cnf --basedir=/opt/zimbra/mysql --datadir=/opt/zimbra/db/data --pid-file=/opt/zimbra/db/mysql.pid --skip-external-locking --port=7306 --socket=/opt/zimbra/db/mysql.sock
zimbra 5169 1 0 00:03 ? 00:00:04 /opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra -Djava.library.path=/opt/zimbra/lib -Djava.ext.dirs=/opt/zimbra/java/jre/lib/ext:/opt/zimbra/lib/jars:/opt/zimbra/lib/ext:/opt/zimbra/lib/ext/backup:/opt/zimbra/lib/ext/clamscanner:/opt/zimbra/lib/ext/network:/opt/zimbra/lib/ext/zimbra-license:/opt/zimbra/lib/ext/zimbrahsm:/opt/zimbra/lib/ext/zimbrasync -Djava.awt.headless=true -Djava.library.path=/opt/zimbra/verity/FilterSDK/bin:/opt/zimbra/verity/ExportSDK/bin com.zimbra.cs.convertd.TransformationServer
root 5726 1 0 00:03 ? 00:00:00 /opt/zimbra/libexec/zmtomcatmgr start -Xms806m -Xmx806m -client -XX:NewRatio=2 -Djava.awt.headless=true
zimbra 5727 5726 0 00:03 ? 00:00:45 /opt/zimbra/jdk1.5.0_08/bin/java -Xms806m -Xmx806m -client -XX:NewRatio=2 -Djava.awt.headless=true -Dcatalina.base=/opt/zimbra/apache-tomcat-5.5.15 -Dcatalina.home=/opt/zimbra/apache-tomcat-5.5.15 -Djava.io.tmpdir=/opt/zimbra/apache-tomcat-5.5.15/temp -Djava.library.path=/opt/zimbra/lib -Djava.endorsed.dirs=/opt/zimbra/apache-tomcat-5.5.15/common/endorsed -classpath /opt/zimbra/apache-tomcat-5.5.15/bin/bootstrap.jar:/opt/zimbra/apache-tomcat-5.5.15/bin/commons-logging-api.jar:/opt/zimbra/lib/jars/zimbra-launcher.jar com.zimbra.cs.launcher.TomcatLauncher
zimbra 5973 1 0 00:03 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 6016 1 1 00:03 ? 00:06:25 /opt/zimbra/clamav/sbin/clamd --config-file /opt/zimbra/conf/clamd.conf
zimbra 6017 1 0 00:03 ? 00:00:00 /opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf -d --checks=12
zimbra 6019 1 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6021 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6022 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6023 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6025 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6026 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
root 6160 1 0 00:03 ? 00:00:05 /opt/zimbra/postfix-2.2.9/libexec/master
postfix 6169 6160 0 00:03 ? 00:00:00 qmgr -l -t fifo -u
zimbra 6208 1 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6219 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6220 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6222 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6223 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6239 1 0 00:03 ? 00:00:00 amavisd (master)
postfix 6255 6160 0 00:03 ? 00:00:00 tlsmgr -l -t unix -u
postfix 7146 6160 0 00:06 ? 00:00:01 anvil -l -t unix -u
apache 31560 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31561 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31562 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31563 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31564 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31565 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31566 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31567 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
postfix 8320 6160 0 03:43 ? 00:00:04 trivial-rewrite -n rewrite -t unix -u
zimbra 12596 5973 0 04:03 ? 00:00:00 /usr/bin/perl /tmp/.swatch_script.5973
zimbra 12597 4469 0 04:03 ? 00:00:00 /usr/bin/perl /tmp/.swatch_script.4469
zimbra 12612 12597 0 04:03 ? 00:00:08 /usr/bin/perl /opt/zimbra/libexec/zmlogger
apache 29625 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
apache 29626 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
apache 29627 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
apache 29826 3730 0 06:46 ? 00:00:00 /usr/sbin/httpd
zimbra 25488 6239 0 08:10 ? 00:00:02 amavisd (ch9-avail)
zimbra 27672 6239 0 08:21 ? 00:00:01 amavisd (ch7-avail)
zimbra 28647 6239 0 08:27 ? 00:00:01 amavisd (ch7-avail)
zimbra 28655 6239 0 08:27 ? 00:00:02 amavisd (ch8-avail)
zimbra 13917 6239 0 09:24 ? 00:00:01 amavisd (ch5-avail)
zimbra 20252 6239 0 09:56 ? 00:00:00 amavisd (ch3-avail)
root 20347 29848 0 09:56 pts/3 00:00:00 tail -f zimbra.log
root 20348 29848 0 09:56 pts/3 00:00:00 grep nrcpt
postfix 21611 6160 0 10:03 ? 00:00:00 pickup -l -t fifo -u
zimbra 29235 6239 0 10:13 ? 00:00:00 amavisd (ch2-avail)
zimbra 29615 6239 0 10:14 ? 00:00:00 amavisd (ch3-avail)
zimbra 29834 6239 0 10:16 ? 00:00:01 amavisd (ch2-avail)
apache 30018 3730 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 30019 3730 0 10:17 ? 00:00:00 /usr/sbin/httpd
postfix 30868 6160 0 10:21 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 31264 6160 0 10:22 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 31270 6160 0 10:23 ? 00:00:00 smtpd -n smtp -t inet -u
zimbra 31475 6239 0 10:24 ? 00:00:00 amavisd (virgin child)
postfix 31661 6160 0 10:25 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 31864 6160 0 10:26 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 32037 6160 0 10:27 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 32040 6160 0 10:27 ? 00:00:00 cleanup -z -t unix -u
postfix 32041 6160 0 10:27 ? 00:00:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
postfix 32044 6160 0 10:27 ? 00:00:00 smtpd -n 127.0.0.1:10025 -t inet -u -o content_filter -o local_recipient_maps -o virtual_mailbox_maps -o virtual_alias_maps -o relay_recipient_maps -o smtpd_restriction_classes -o smtpd_delay_reject no -o smtpd_client_restrictions permit_mynetworks,reject -o smtpd_helo_restrictions -o smtpd_sender_restrictions -o smtpd_recipient_restrictions permit_mynetworks,reject -o mynetworks_style host -o mynetworks 127.0.0.0/8 -o strict_rfc821_envelopes yes -o smtpd_error_sleep_time 0 -o smtpd_soft_error_limit 1001 -o smtpd_hard_error_limit 1000 -o smtpd_client_connection_count_limit 0 -o smtpd_client_connection_rate_limit 0 -o receive_override_options no_header_body_checks,no_unknown_recipient_checks, no_address_mappings
zimbra 32049 5169 0 10:27 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 12 0
zimbra 32050 5169 0 10:27 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 14 0
postfix 32434 6160 0 10:29 ? 00:00:00 lmtp -t unix -u
zimbra 32439 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 16 0
zimbra 32440 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 18 0
zimbra 32444 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 20 0
zimbra 32445 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 22 0
zimbra 463 694 0 10:31 pts/4 00:00:00 ps -eafwww
#12 (08-24-2007, 10:07 AM) Active Member, Posts: 42

Nothing jumps out at me there.

Have you looked in /opt/zimbra/tomcat/logs/access_log.2007-08-24?

Match them up with the timestamps of the spam, and you will see if it comes through webmail or somewhere else.

Mark
#13 (08-24-2007, 10:28 AM) Moderator, Posts: 438
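The timestamp matching Mark describes, as an added example that is neither from this thread nor from Zimbra: it parses Postfix qmgr lines from zimbra.log (the ones that carry nrcpt, the recipient count the original poster was already grepping for) and common-log-format lines from the tomcat access_log, then lists, for every message with an unusually large recipient count, the webmail SOAP POSTs that arrived in the seconds before it. The log lines are constructed samples with made-up hosts, queue ids and addresses; the year is supplied by hand because syslog lines carry none, and both logs are assumed to be in the same server-local time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/zimbra.log: Postfix qmgr lines carry nrcpt (recipient
# count) per queued message. Host, queue ids and addresses are made up.
ZIMBRA_LOG = """\
Aug 24 09:41:03 mail postfix/qmgr[6169]: 1A2B3C4D5E: from=<alice@example.com>, size=2134, nrcpt=1 (queue active)
Aug 24 09:41:07 mail postfix/qmgr[6169]: 2B3C4D5E6F: from=<bob@example.com>, size=48210, nrcpt=87 (queue active)
Aug 24 09:41:09 mail postfix/qmgr[6169]: 3C4D5E6F70: from=<bob@example.com>, size=48190, nrcpt=92 (queue active)
"""

# Constructed sample of tomcat/logs/access_log.* in common log format. Client IPs are
# made up; /service/soap/ is the endpoint the Zimbra web client posts its requests to.
ACCESS_LOG = """\
203.0.113.7 - - [24/Aug/2007:09:40:58 -0500] "POST /service/soap/ HTTP/1.1" 200 512
192.0.2.15 - - [24/Aug/2007:09:41:02 -0500] "GET /zimbra/ HTTP/1.1" 200 8831
203.0.113.7 - - [24/Aug/2007:09:41:06 -0500] "POST /service/soap/ HTTP/1.1" 200 519
"""

QMGR_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_qmgr(text, year):
    """Return queued messages from zimbra.log; syslog lines lack a year, so it is supplied."""
    msgs = []
    for line in text.splitlines():
        m = QMGR_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            msgs.append({"time": ts, "queue_id": m["qid"],
                         "sender": m["sender"], "nrcpt": int(m["nrcpt"])})
    return msgs


def parse_access(text):
    """Return requests from the tomcat access_log (common log format, zone offset ignored)."""
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            reqs.append({"time": ts, "client": m["client"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return reqs


def correlate(zimbra_log, access_log, year, min_rcpt=50, window_s=10, soap_path="/service/soap"):
    """For each bulk message (nrcpt >= min_rcpt), list the webmail POSTs that preceded it
    within window_s seconds as (client, time) pairs. A message with no nearby POST was
    submitted some other way (SMTP AUTH, a connector, a script); one with a POST from an
    unexpected client points at a webmail session worth pulling the auth.log entries for."""
    window = timedelta(seconds=window_s)
    posts = [r for r in parse_access(access_log)
             if r["method"] == "POST" and r["path"].startswith(soap_path)]
    hits = {}
    for msg in parse_qmgr(zimbra_log, year):
        if msg["nrcpt"] < min_rcpt:
            continue
        hits[msg["queue_id"]] = [(r["client"], r["time"]) for r in posts
                                 if timedelta(0) <= msg["time"] - r["time"] <= window]
    return hits


if __name__ == "__main__":
    for qid, sources in correlate(ZIMBRA_LOG, ACCESS_LOG, year=2007).items():
        print(qid, "<-", [(c, t.strftime("%H:%M:%S")) for c, t in sources] or "no webmail POST")
```

On a real box the two strings would be replaced by the contents of /var/log/zimbra.log and the access_log for the day of the spam run; the recipient threshold and window are the knobs to tune against normal traffic before drawing conclusions.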

If you're getting mail sent from unrelated accounts, and from disabled accounts, have you tried changing any admin passwords? Perhaps someone is getting in through the View Mail option.

If you're worried about the system being compromised, try looking at lastlog to see if any accounts that shouldn't have been logged in have been, or from a strange location.
#14 (08-24-2007, 10:36 AM) Loyal Member, Posts: 98
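The login review suggested in the post above, as an added example (not from the thread or from Zimbra): `last` and `lastlog` are views over /var/log/wtmp and /var/log/lastlog, so this parses wtmp records directly and flags remote logins whose source address lies outside a trusted network. The record layout is the glibc struct utmp on x86_64 Linux, which is an assumption of the example (check <utmp.h> on the host being analysed), and the sample records are constructed in the block itself with made-up users, pids and addresses.

```python
import struct
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# glibc 'struct utmp' on x86_64 Linux: 384 bytes per record. This layout is an assumption
# of the example, not something the thread states; verify against <utmp.h> on your host.
UTMP_FMT = "<hxxi32s4s32s256shhiii4I20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_record(ut_type, pid, line, user, host, when, addr=""):
    """Build one utmp record. Used here only to construct sample wtmp data."""
    words = [0, 0, 0, 0]
    if addr:  # an IPv4 source address lives in ut_addr_v6[0], in network byte order
        words[0] = int.from_bytes(ip_address(addr).packed, "little")
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, *words)


# Constructed wtmp: a LAN ssh login, a console root login, an off-LAN login as the
# service account, and a logout record that the parser must skip.
T0 = datetime(2007, 8, 23, 14, 2, 11, tzinfo=timezone.utc)
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 29447, "pts/3", "marcsf", "192.168.1.20", T0, "192.168.1.20"),
    pack_record(USER_PROCESS, 3228, "tty1", "root", "", T0.replace(hour=15)),
    pack_record(USER_PROCESS, 30122, "pts/5", "zimbra", "203.0.113.7", T0.replace(hour=22), "203.0.113.7"),
    pack_record(DEAD_PROCESS, 29447, "pts/3", "", "", T0.replace(hour=23)),
])


def parse_wtmp(blob):
    """Yield the login (USER_PROCESS) records of a wtmp file as dicts; trailing partial
    records are ignored, as they are when the file is rotated mid-write."""
    records = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, blob, off)
        ut_type, _pid, line, _id, user, host, _e1, _e2, _sess, sec, _usec, *addr = fields
        if ut_type != USER_PROCESS:
            continue
        records.append({
            "user": user.rstrip(b"\0").decode(errors="replace"),
            "line": line.rstrip(b"\0").decode(errors="replace"),
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "addr": str(ip_address(addr[0].to_bytes(4, "little"))) if addr[0] else "",
            "time": datetime.fromtimestamp(sec, tz=timezone.utc),
        })
    return records


def unexpected_logins(records, trusted_nets):
    """Return remote logins whose source address is outside every trusted network.
    Console logins carry no address and are left to a separate review."""
    nets = [ip_network(n) for n in trusted_nets]
    return [r for r in records
            if r["addr"] and not any(ip_address(r["addr"]) in n for n in nets)]


if __name__ == "__main__":
    for r in unexpected_logins(parse_wtmp(SAMPLE_WTMP), ["192.168.1.0/24"]):
        print(r["time"].isoformat(), r["user"], r["line"], r["addr"])
```

For a live system, read /var/log/wtmp (and the rotated wtmp.1) into `parse_wtmp`, and treat both an unknown source address and a login as a service account such as zimbra, which should only ever be reached with su from an administrator's session, as findings to follow up in /var/log/secure.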

OK... getting more interesting.
1. This is a long shot, but could it be that you enabled 'clear text' authentication? Someone could be sniffing your network for username and password.
2. Download and run rkhunter on your server to check for any break-in attempts/backdoors.
#15 (08-24-2007, 01:37 PM) Senior Member, Posts: 65

fajarpl - First, thanks for recommending rkhunter. That is a nice tool to have around. I have never used it in the past.

However, it found nothing because SSH v1 login is currently allowed by the system - which I changed.

I did have clear text login allowed. So I guess the sniffer is a possibility; however, the person with the sniffer would have to be outside of our physical LAN and on the Internet somewhere, to the best of my knowledge. I say that because we have a dedicated 6 Mbps/1 Mbps line coming from the CO into our office, and there are only two of us in the office. I say dedicated because it is one of those lines that do not require telephone service (it doesn't ride the primary pair).
#16 (08-24-2007, 01:46 PM) Zimbra Consultant, Posts: 5,814

The question is why aren't you analyzing tcpdumps on your RHEL box?
Heck, even run wireshark (used to be ethereal) on her PC...
__________________
-Mike Morse (MCode151)

ZCS-to-ZCS Migrations & Moves | Admin Tools & Tidbits » ZimbraBlog.com | ZimbraCommunity.com
#17 (08-24-2007, 11:56 PM) Loyal Member, Posts: 98

mmorse is right.
By analyzing the connection on her PC, we can make sure if there's an authorized connection coming into/going out of her PC.
And also the fact that two more of your users are being used for sending spam.

Is there any special need for you to enable clear text authentication? Because by default, Zimbra disables it.
#18 (09-03-2007, 08:56 AM) Loyal Member, Posts: 98

What is the status of this issue?
What is the real cause of it?
#19 (09-03-2007, 09:57 AM) Senior Member, Posts: 65
Good Question

The status and cause of this is a good question. I could never find anything in log files or otherwise. After further review, it did only happen to one account, not two like I originally thought. As I stated, that account literally does have the emails in their sent items, with all recipients now in their address book. So the email was definitely sent through Zimbra. The individual DOES NOT use Zimbra connectors, the individual uses a Mac, not a Windows PC, I could not find anything running on the Mac which was unusual, the user had a secured password, and I have not seen any more instances of emails being sent. There have not been any more problems.

However, I was concerned enough with the incident that I ended up opening a Zimbra support ticket for assistance. I received one reply from a Zimbra employee asking for log files and more information, to which I responded; however, I have not heard back from Zimbra since then, and I have even followed up a few times.

Right now I am mostly concerned about whether this is going to cost me a support ticket, since I opened a support ticket through Zimbra for assistance. I say this because I have not received any support. I would be paying for something that didn't happen.
#20 (09-06-2007, 12:52 PM) Zimbra Consultant, Posts: 5,814

After further logfile examination it turns out that someone was attempting access to his administrator user.
/forums/administrators/11293-admin-password-not-working.html
-While we can't say with 100% certainty at this point that it was the exact same person as the one causing the spam sending of this thread, I am 'solving' this thread.
(You can certainly continue to post replies, as it's always good to learn for security sake. However, those reading the title will know that you don't need immediate help anymore)

msf004,
If you're still concerned about a 'lost' support ticket for the issue, add your comments to the current open ticket and they can consider it for review.

However, generally, as the forums and actual Zimbra support are separate, plus the fact that you felt the issue critical enough to open a ticket ("I was concerned enough with the incident that I ended up opening a Zimbra support ticket for assistance."), there's really not much you can do.

But, if the same issue comes up relatively soon again, and this current ticket has already been closed, have them reopen the existing ticket rather than using up another.

If you examine all your logs and find that it was just the same person in your most recent 'admin account locked', and that you have solved it on your own, please let them know as well so they don't waste support resources analyzing hundreds of lines when they could be helping others.
A list of pertinent logfiles and their functions can be found here: /docs/ne/latest/administration_guide/9_Monitoring.12.1.html#1075561

You can also request that they examine your zcs/system setup for the possibility of any other open holes.
__________________
-Mike Morse (MCode151)

ZCS-to-ZCS Migrations & Moves | Admin Tools & Tidbits » ZimbraBlog.com | ZimbraCommunity.com