
Thread: [SOLVED] Spam Being Sent Thru Server - Help Needed!

  1. #1
    msf004 is offline Loyal Member
    Join Date
    Jul 2007
    Location
    St. Louis, MO
    Posts
    84
    Rep Power
    8

    Default [SOLVED] Spam Being Sent Thru Server - Help Needed!

    Per another thread I started, I have found that SPAM is being sent through my Zimbra server. In the past two days two of my Zimbra accounts, both of which I personally know the account owner, have had occurrences of an email being sent to 50 recipients throughout the day.

    I know the account owners are not sending the SPAM. The server is a per-the-instructions Zimbra install with nothing else on the server - it is a Zimbra mail-only server. Both accounts also do not use Outlook or the Outlook connector, both accounts only utilize the web-client to access their accounts.

    In trying to get a handle on the emails being sent, I have:

    (1) Attempted to have the individuals change their password - the SPAM emails are still being sent.
    (2) I have turned off "locked" their accounts - the SPAM emails are still being sent.
    (3) I changed the postfix smtpd_recipient_limit to 49, being the emails are being sent to 50 recipients - regardless the emails are still being sent to 50 users.

    These users actually SEE THE EMAILS in their Sent Folder. Further, all of the recipients to which these emails have been sent are now in the users "Emailed Contacts" list. In my mind this would show that the culprit is actually connecting to Zimbra as the user.

    I have been trying to troubleshoot this or find a stop-gap for 9 hours now. I find this rather alarming and a serious issue that I want to get stopped - I hate SPAM! I have even opened a support ticket through Zimbra being I am a Network customer - I am willing to pay the cost of a support ticket for help; however, their SLA is 48 hours and I have not yet heard anything from them.

    Can anyone offer any suggestions?

    Here is a portion of the zimbra.log during a send from this occurance. I have removed my servername and the from email address:

    Aug 23 10:01:44 postfix/smtpd[30658]: 863D638CC51F: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:01:46 postfix/cleanup[30814]: 863D638CC51F: message-id=<9660788.17891187881267810.JavaMail.root@SERVER NAME-HERE>
    Aug 23 10:01:48 postfix/qmgr[27904]: 863D638CC51F: from=<EMAIL-ADDRESS-HERE>, size=4747, nrcpt=50 (queue active)

    It would appear that the emails are coming from a process on the local machine. The server is a Redhat RHEL4 Server with all patches up to date.

    Doing a ps -ef, the only "suspicious" processes I see are:

    /usr/bin/perl /tmp/.swatch_script.xxxx

    However, I am by no means an expert on the processes which should be running for a Zimbra install.

    Any help is greatly appreciated.

  2. #2
    msf004 is offline Loyal Member
    Join Date
    Jul 2007
    Location
    St. Louis, MO
    Posts
    84
    Rep Power
    8

    Default

    As a bit of additional info, this server and the Zimbra license were both purchases and placed into production on Aug 6th, 2007 - so this is a new server which has not been used too long. Further, before launching it live, I had a couple of services perform port scans, and open-relay checks - nothing was found.

  3. #3
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Can you post the whole log?

    Also, you may wish to look in /opt/zimbra/log/audit.log for any logins.

  4. #4
    msf004 is offline Loyal Member
    Join Date
    Jul 2007
    Location
    St. Louis, MO
    Posts
    84
    Rep Power
    8

    Default

    Posting the whole log would be huge, it is currently at 15MB; however, here is the first instance of the SPAM being sent through one of the accounts:

    Aug 23 10:01:08 postfix/smtpd[24759]: connect from <MY-SERVERNAME-HERE>
    Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=<MY-SERVERNAME-HERE>
    Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
    Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<USERNAME-HERE>, size=4108, nrcpt=503 (queue active)
    Aug 23 10:01:09 postfix/smtpd[24759]: disconnect from <MY-SERVERNAME-HERE>
    Aug 23 10:01:11 postfix/smtpd[29788]: connect from localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/smtpd[30658]: connect from localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
    Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<USERNAME-HERE>, size=4747, nrcpt=50 (queue active)
    Aug 23 10:01:13 postfix/smtpd[29788]: disconnect from localhost.localdomain[127.0.0.1]


    I replaced my actual server name with "MY-SERVERNAME-HERE" and the users account with "USERNAME-HERE".

    I will check the audit.log and post what I find there too.

    Let me know if there is more of the zimbra.log you would like to see.

  5. #5
    msf004 is offline Loyal Member
    Join Date
    Jul 2007
    Location
    St. Louis, MO
    Posts
    84
    Rep Power
    8

    Default

    I found a couple of questionable entries in the audit log. Specifically, connections showing the user agent as Opera for a user who I KNOW does not use Opera. However, as stated, I had this user change their password, then I locked their account, and I have restarted Zimbra via zmcontrol stop - zmcontrol start; and the occurrences of

    Aug 23 10:23:39 postfix/smtpd[8466]: 79AFA38CC510: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:23:40 postfix/cleanup[8467]: 79AFA38CC510: message-id=<14619962.18031187882614894.JavaMail.root@server.domain.net>
    Aug 23 10:23:41 postfix/qmgr[27904]: 79AFA38CC510: from=<user@domain.net>, size=2604, nrcpt=50 (queue active)

    Aug 23 10:23:41 amavis[30718]: (30718-04) ...user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, BODY=8BITMIME 250 2.6.0 Ok, id=30718-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 79AFA38CC510

    Aug 23 10:23:42 amavis[30718]: (30718-04) ...<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, Message-ID: <14619962.18031187882614894.JavaMail.root@server.domain.net>, mail_id: oK5FMW07jrVP, Hits: -3.252, queued_as: 79AFA38CC510, 5452 ms

    Aug 23 10:23:41 postfix/smtp[8523]: 79AFA38CC510: to=<user@domain.com>, relay=mx.mailanyone.net[208.70.128.223], delay=2, status=sent (250 OK id=1IOEbo-0000SM-6B)

    Aug 23 10:23:42 postfix/smtp[8517]: 79AFA38CC510: to=<user@domain.com>, relay=mail.xecu.net[216.127.136.211], delay=3, status=sent (250 2.0.0 Ok: queued as 8EA4576A5F3)

    .
    .
    .

    ..more...

    Keep happening; even with a locked account - AND I have changed the Postfix policy to limit recipients to 49.
    Last edited by msf004; 08-23-2007 at 11:31 PM. Reason: hide email addresses

  6. #6
    msf004 is offline Loyal Member
    Join Date
    Jul 2007
    Location
    St. Louis, MO
    Posts
    84
    Rep Power
    8

    Default

    I am seeing entries like this in the audit.log:

    2007-08-24 01:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
    2007-08-24 01:00:04,926 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;


    Is that normal?

  7. #7
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,582
    Rep Power
    57

    Default

    Quote Originally Posted by msf004
    I am seeing entries like this in the audit.log:

    2007-08-24 01:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
    2007-08-24 01:00:04,926 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;


    Is that normal?
    Yes, it's normal but ... How often are you seeing these messages? Do any of them relate to when you have this 'spam' being sent?

    Could you attach a copy of your log to the support case you've raised? Is there any frequency of when these batches of messages are being sent? As this is a Network Edition, who uses your server - this is an HSP service isn't it? Is it in production? Can you also send details of your mynetwork setting to your case notes. Please include as much detail as you feel is necessary and we'll try and track this down for you.
    Regards


    Bill



  8. #8
    fajarpri is offline Loyal Member
    Join Date
    Jul 2007
    Posts
    98
    Rep Power
    8

    Default

    Sorry for joining the discussion.
    I find it very interesting. It looks like the spams are sent through the webmail.
    I suspect that someone in your network is guilty.
    Regarding the change password, it's still possible that he/she planted a keylogger in the victim's pc that will record and send the new password to the bad guy.

    In order to make sure that indeed the bad guys use the webmail, can you turn off tomcat for a while and see if the spam stops? If it continues, then he's using another means. If he's using webmail, we can begin tracing the ip address that is accessing the webmail. Knowing this, we will be able to narrow the possibilities.
    Last edited by fajarpri; 08-24-2007 at 03:38 AM.
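A way to act on the two hints above (jholder's audit.log check and fajarpri's idea of tracing the IP behind the webmail sends), as an added example that is not from the thread: it pairs each Postfix qmgr entry with a large nrcpt to the sender's Auth entries in audit.log within the preceding hour, so the login IP and user agent (the Opera sessions msf004 noticed) appear next to each send. The log lines are constructed, the ua= field in audit.log is an assumption, and AdminAuth entries like the ones in post #6 are deliberately ignored.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not from the thread; the ua= field is an assumed rendering of the client user agent.
AUDIT_LOG = """\
2007-08-23 09:58:02,101 INFO [http-80-Processor12] [ip=203.0.113.9;ua=Opera/9.22;] security - cmd=Auth; account=alice@example.net; protocol=soap;
2007-08-23 10:00:40,555 INFO [http-80-Processor14] [ip=198.51.100.7;ua=ZimbraWebClient - FF2.0 (Mac);] security - cmd=Auth; account=bob@example.net; protocol=soap;
2007-08-24 01:00:04,926 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
"""
ZIMBRA_LOG = """\
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<alice@example.net>, size=4108, nrcpt=50 (queue active)
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<alice@example.net>, size=4747, nrcpt=50 (queue active)
Aug 23 10:05:00 postfix/qmgr[27904]: 3AAAA38CC4F0: from=<bob@example.net>, size=1200, nrcpt=1 (queue active)
"""

AUTH_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ INFO .*?\[ip=([^;\]]+);"
                     r"(?:ua=([^;\]]*);)?\] security - cmd=Auth; account=([^;]+);")
QMGR_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?postfix/qmgr\[\d+\]: (\w+): "
                     r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def parse_auths(audit_log):
    """Return (time, account, ip, user_agent) for each user-level Auth; AdminAuth does not match."""
    auths = []
    for line in audit_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            auths.append((ts, m.group(4), m.group(2), m.group(3) or ""))
    return auths

def parse_bulk_sends(zimbra_log, year, min_rcpt):
    """Return (time, queue_id, sender, nrcpt) for qmgr entries with nrcpt >= min_rcpt."""
    sends = []
    for line in zimbra_log.splitlines():
        m = QMGR_RE.match(line)
        if m and int(m.group(4)) >= min_rcpt:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
            sends.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return sends

def suspicious_sends(zimbra_log, audit_log, year=2007, min_rcpt=50, window_min=60):
    """Pair each bulk send with the sender's webmail logins (ip, ua) seen in the preceding window."""
    auths = parse_auths(audit_log)
    report = []
    for sent_at, qid, sender, nrcpt in parse_bulk_sends(zimbra_log, year, min_rcpt):
        since = sent_at - timedelta(minutes=window_min)
        logins = sorted({(ip, ua) for t, acct, ip, ua in auths
                         if acct == sender and since <= t <= sent_at})
        report.append({"queue_id": qid, "account": sender, "nrcpt": nrcpt, "logins": logins})
    return report
```

A send with no matching login in the window points away from webmail and toward a local process or another submission path, which is the distinction fajarpri's tomcat test is meant to draw.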

  9. #9
    msf004 is offline Loyal Member
    Join Date
    Jul 2007
    Location
    St. Louis, MO
    Posts
    84
    Rep Power
    8

    Default

    Unfortunately, our "network" is only two people in a small and secured office. The rest of our users are customers.

    Also, locally we are not using any Windows computers. It is all Linux and Mac. Not to say that there are not keyloggers for Macs or CentOS; however, less likely being (i) only two of us, (ii) secured office, (iii) no Windows.

    This has also happened to two Zimbra accounts now as well. The two accounts to which it has happened are not related accounts, different companies who do not know each other.

  10. #10
    mdeneen is offline Active Member
    Join Date
    Jul 2007
    Posts
    45
    Rep Power
    8

    Default maybe

    maybe the output of "ps -eafwww" would be helpful. that is, if the problem is some sort of local process.
