Is my server being used to forward spam?

[sgb]

My server is really slow and all these messages are comming through in the log. My server went down last night and I'm hoping these are the emails being processed from last night, but I see a lot of the same email addresses over and over again like
----------------------------------------
Mar 7 10:52:20 mi6 amavis[3163]: (03163-03-3) Blocked SPAM, LOCAL [192.168.1.1] [120.4.222.88] <Gino@ms16.hinet.net> -> <winter0504@yahoo.com.tw>,<winter0931@yahoo.com.tw >,<winter12310000@yahoo.com.tw>,<winter1993920@yah oo.com.tw>,<winter209@yahoo.com.tw>, Message-ID: <DBRJQDKCKQBYEELUKYHE@>, mail_id: FLxtoPiLnuqU, Hits: 40.77, 18436 ms
-----------------------------------------
Also, I have sent myself a few email tests and have not come through, I sent them from zimbra to hotmail and the other way around.

Thanks for any help..

Here is part of the log

Mar 7 10:52:15 mi6 amavis[3160]: (03160-02-3) ESMTP::10024 /opt/zimbra/amavisd/tmp/amavis-20060307T104940-03160: <-@yahoo.co.jp> -> <c199j@ms2.hinet.net>,<c19b19@ms26.hinet.net>,<c19 @ms4.hinet.net>,<c19c40@ms45.hinet.net>,<c199ct@ms 7.hinet.net>,<c19b39@ms7.hinet.net> Received: SIZE=5455 from mi6.extier.com ([127.0.0.1]) by localhost (mi6.extier.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03160-02-3; Tue, 7 Mar 2006 10:52:14 -0500 (EST)
Mar 7 10:52:15 mi6 amavis[3156]: (03156-05-3) Checking: AGFhLbhq2UKB [192.168.1.1] <xjubxgqzk@so-net.net.b4> -> <keggyp@ms10.hinet.net>,<keggert@ms21.hinet.net>,< keggert@ms44.hinet.net>,<keggert@ms45.hinet.net>,< keggert@ms46.hinet.net>,<keggert@ms47.hinet.net>,< keggert@ms48.hinet.net>,<keggert@ms49.hinet.net>,< keg81466@ms7.hinet.net>,<kegic@ms8.hinet.net>
Mar 7 10:52:15 mi6 amavis[3160]: (03160-02-3) Checking: DDz5scZb-H5b [192.168.1.1] <-@yahoo.co.jp> -> <c199j@ms2.hinet.net>,<c19b19@ms26.hinet.net>,<c19 @ms4.hinet.net>,<c19c40@ms45.hinet.net>,<c199ct@ms 7.hinet.net>,<c19b39@ms7.hinet.net>
Mar 7 10:52:15 mi6 amavis[3160]: (03160-02-3) cached 5b3e8a38400a77ea117f120c179e642d from <-@yahoo.co.jp> (1,1)
Mar 7 10:52:15 mi6 amavis[3160]: (03160-02-3) BAD HEADER from <-@yahoo.co.jp>: Non-encoded 8-bit data (char BE hex) in message header 'From': From: "\\276\\345\\276\\354\\276\\345\\276\\354\\276\\34 5\\276\\354\\276\\345\\276\\354...
Mar 7 10:52:15 mi6 amavis[3160]: (03160-02-3) NOTICE: Not sending DSN, spam level exceeds DSN cutoff level for all recips, mail intentionally dropped
Mar 7 10:52:16 mi6 amavis[3160]: (03160-02-3) Blocked SPAM, LOCAL [192.168.1.1] <-@yahoo.co.jp> -> <c199j@ms2.hinet.net>,<c19b19@ms26.hinet.net>,<c19 @ms4.hinet.net>,<c19c40@ms45.hinet.net>,<c199ct@ms 7.hinet.net>,<c19b39@ms7.hinet.net>, Message-ID: <@>, mail_id: DDz5scZb-H5b, Hits: 44.405, 2024 ms
Mar 7 10:52:16 mi6 amavis[3158]: (03158-03-5) ESMTP::10024 /opt/zimbra/amavisd/tmp/amavis-20060307T104940-03158: <qxrspcfwc@yahoo.com.hk> -> <k23698f@yahoo.com.tw>,<k2374349@yahoo.com.tw>,<k2 374810@yahoo.com.tw>,<k23755259@yahoo.com.tw>,<k23 7671@yahoo.com.tw>,<k2377083@yahoo.com.tw>,<k23773 96@yahoo.com.tw>,<k23782@yahoo.com.tw> Received: SIZE=2748 from mi6.extier.com ([127.0.0.1]) by localhost (mi6.extier.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03158-03-5; Tue, 7 Mar 2006 10:52:12 -0500 (EST)
Mar 7 10:52:17 mi6 amavis[3158]: (03158-03-5) Checking: Vaoh2HfWj1cT [192.168.1.1] <qxrspcfwc@yahoo.com.hk> -> <k23698f@yahoo.com.tw>,<k2374349@yahoo.com.tw>,<k2 374810@yahoo.com.tw>,<k23755259@yahoo.com.tw>,<k23 7671@yahoo.com.tw>,<k2377083@yahoo.com.tw>,<k23773 96@yahoo.com.tw>,<k23782@yahoo.com.tw>
Mar 7 10:52:20 mi6 amavis[3163]: (03163-03-3) BAD HEADER from <Gino@ms16.hinet.net>: Non-encoded 8-bit data (char C0 hex) in message header 'From': From: "abner\\300\\260\\261z\\273P\\267R\\244\\374\\267\ \276\\263qph...
Mar 7 10:52:20 mi6 amavis[3163]: (03163-03-3) NOTICE: Not sending DSN, spam level exceeds DSN cutoff level for all recips, mail intentionally dropped
Mar 7 10:52:20 mi6 amavis[3163]: (03163-03-3) Blocked SPAM, LOCAL [192.168.1.1] [120.4.222.88] <Gino@ms16.hinet.net> -> <winter0504@yahoo.com.tw>,<winter0931@yahoo.com.tw >,<winter12310000@yahoo.com.tw>,<winter1993920@yah oo.com.tw>,<winter209@yahoo.com.tw>, Message-ID: <DBRJQDKCKQBYEELUKYHE@>, mail_id: FLxtoPiLnuqU, Hits: 40.77, 18436 ms

[marcmac]

That's not good at all.

Check the logs right before that for the postfix logs - that will tell you where this mail is being submitted from.

If I had to guess, there's a PC (Windows Box) on your network that's got a virus.

If that's the case, it's possible your IP has been blacklisted for sending spam.

[sgb]

Is there any way that I can stop this? like only allowing the local server to send out email??
my windows servers are running fine and they have antivirus scanners and the latest virus definitions... I'm running an scan manually but has found nothing so far. All the emails I'm seeing are coming from my firewall ip therefore I believe they are comming from the internet, can anybody relay messages without authentication???

Please help

[phoenix]

You can always use this test or this to see if you're a relay.

[sgb]

Thanks for your help, I did the second test and the server passed, which the site said it means it is not relaying emails. But why am I only seeing my firewall ip address if that's the case?
Would changing the zimbra user password have any effect on the functionality of the server? I see sessions being closed for that user in the logs frequently and I'm thinking somebody might have craked the password, although I don't remember if I set a password for that user to beging with..

Thanks for your help I really appreciate it, and hopefully you can help me figure this out.

Thanks

Mar 7 12:56:56 mi6 amavis[9705]: (09705-01) Blocked SPAM, LOCAL [192.168.1.1] [197.64.0.106] <Theodore-Saunders@yahoo.com.cn> -> <nkb20839@yahoo.com.tw>, Message-ID: <VKJVKZXRHNFMQOKRAWLBZBJ@yahoo.com>, mail_id: P8RgCJ5+rLwU, Hits: 60.903, 104228 ms
Mar 7 12:57:22 mi6 zimbramon[5524]: 5524:info: 2006-03-07 12:38:13, STATUS: mi6.extier.com: mailbox: Running
Mar 7 12:57:26 mi6 zimbramon[5524]: 5524:info: 2006-03-07 12:38:13, STATUS: mi6.extier.com: mta: Running
Mar 7 12:57:30 mi6 zimbramon[5820]: 5820:info: 2006-03-07 12:39:12, STATUS: mi6.extier.com: antivirus: Running
Mar 7 12:57:01 mi6 crond(pam_unix)[10129]: session opened for user zimbra by (uid=0)
Mar 7 12:57:03 mi6 amavis[9704]: (09704-01) Blocked SPAM, LOCAL [192.168.1.1] [50.128.116.48] <Jaime.Morin@yahoo.ca> -> <jessica651001@yahoo.com.tw>, Message-ID: <DUCUMAODSHYXHZSKVGVSQWE@yahoo.com.tw>, mail_id: jond6p1i-hxS, Hits: 54.911, 111320 ms
Mar 7 12:56:44 mi6 amavis[6977]: (06977-08) NOTICE: Not sending DSN, spam level exceeds DSN cutoff level for all recips, mail intentionally dropped
Mar 7 12:57:18 mi6 amavis[9646]: (09646-01) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:19 mi6 amavis[7199]: (07199-07) Checking: PwPvrYULU2cz [192.168.1.1] <Dominique-Ames@yahoo.com.ar> -> <nina@mail.dfmg.com.tw>
Mar 7 12:57:45 mi6 zimbramon[5820]: 5820:info: 2006-03-07 12:39:12, STATUS: mi6.extier.com: ldap: Running
Mar 7 12:57:46 mi6 zimbramon[5524]: 5524:info: 2006-03-07 12:38:13, STATUS: mi6.extier.com: snmp: Running
Mar 7 12:57:22 mi6 amavis[7023]: (07023-07-2) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:22 mi6 amavis[9645]: (09645-01) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:22 mi6 amavis[7200]: (07200-07) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:32 mi6 amavis[6977]: (06977-08) Blocked SPAM, LOCAL [192.168.1.1] [167.79.22.60] <Aileen.Compton@yahoo.com.br> -> <jiko.s111@yahoo.com.tw>, Message-ID: <YGVODFAPTPMLVVRQLDUVPZSP@yahoo.com.tw>, mail_id: 1ewB37VmQuS4, Hits: 52.866, 141682 ms

[marcmac]

Thanks for your help, I did the second test and the server passed, which the site said it means it is not relaying emails. But why am I only seeing my firewall ip address if that's the case?

Where are you seeing the firewall IP? Can you send the logs from POSTFIX for these emails, prior to them being handed to amavis?

THe mail flow here is:
external->postfix->amavis->postfix->mailbox

So amavis is going to receive all of it's mail from the local host (I assume that's 192.168.1.1?)

Would changing the zimbra user password have any effect on the functionality of the server? I see sessions being closed for that user in the logs frequently and I'm thinking somebody might have craked the password, although I don't remember if I set a password for that user to beging with..

THe "session closed for user zimbra" stuff means that something ran out of cron - not related.

Thanks for your help I really appreciate it, and hopefully you can help me figure this out.

Thanks

Mar 7 12:56:56 mi6 amavis[9705]: (09705-01) Blocked SPAM, LOCAL [192.168.1.1] [197.64.0.106] <Theodore-Saunders@yahoo.com.cn> -> <nkb20839@yahoo.com.tw>, Message-ID: <VKJVKZXRHNFMQOKRAWLBZBJ@yahoo.com>, mail_id: P8RgCJ5+rLwU, Hits: 60.903, 104228 ms
Mar 7 12:57:22 mi6 zimbramon[5524]: 5524:info: 2006-03-07 12:38:13, STATUS: mi6.extier.com: mailbox: Running
Mar 7 12:57:26 mi6 zimbramon[5524]: 5524:info: 2006-03-07 12:38:13, STATUS: mi6.extier.com: mta: Running
Mar 7 12:57:30 mi6 zimbramon[5820]: 5820:info: 2006-03-07 12:39:12, STATUS: mi6.extier.com: antivirus: Running
Mar 7 12:57:01 mi6 crond(pam_unix)[10129]: session opened for user zimbra by (uid=0)
Mar 7 12:57:03 mi6 amavis[9704]: (09704-01) Blocked SPAM, LOCAL [192.168.1.1] [50.128.116.48] <Jaime.Morin@yahoo.ca> -> <jessica651001@yahoo.com.tw>, Message-ID: <DUCUMAODSHYXHZSKVGVSQWE@yahoo.com.tw>, mail_id: jond6p1i-hxS, Hits: 54.911, 111320 ms
Mar 7 12:56:44 mi6 amavis[6977]: (06977-08) NOTICE: Not sending DSN, spam level exceeds DSN cutoff level for all recips, mail intentionally dropped
Mar 7 12:57:18 mi6 amavis[9646]: (09646-01) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:19 mi6 amavis[7199]: (07199-07) Checking: PwPvrYULU2cz [192.168.1.1] <Dominique-Ames@yahoo.com.ar> -> <nina@mail.dfmg.com.tw>
Mar 7 12:57:45 mi6 zimbramon[5820]: 5820:info: 2006-03-07 12:39:12, STATUS: mi6.extier.com: ldap: Running
Mar 7 12:57:46 mi6 zimbramon[5524]: 5524:info: 2006-03-07 12:38:13, STATUS: mi6.extier.com: snmp: Running
Mar 7 12:57:22 mi6 amavis[7023]: (07023-07-2) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:22 mi6 amavis[9645]: (09645-01) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:22 mi6 amavis[7200]: (07200-07) extra modules loaded: Net/LDAP/Bind.pm
Mar 7 12:57:32 mi6 amavis[6977]: (06977-08) Blocked SPAM, LOCAL [192.168.1.1] [167.79.22.60] <Aileen.Compton@yahoo.com.br> -> <jiko.s111@yahoo.com.tw>, Message-ID: <YGVODFAPTPMLVVRQLDUVPZSP@yahoo.com.tw>, mail_id: 1ewB37VmQuS4, Hits: 52.866, 141682 ms

[phoenix]

I have a vague recollection that when I first installed Zimbra (many months ago) I had a similar (or the same problem), I think it's possible those messages you're seeing is spam coming into your system and for some reason Zimbra is trying to deliver them to their email addresses.

Unfortunately I can't for the life of me remember what caused it. Is your DNS set-up correctly? Can you delete those messages from the postfix queues? Is it the same email being delivered over and over or are they all new emails?

[marcmac]

If you're on a shared network (eg, DSL line) and someone on a nearby IP tries to connect, postfix could have the wrong mynetworks setting.

zimbraMtaMyNetworks can fix this - check man 5 postconf for appropriate settings for your network.

[sgb]

Where can I find the logs for Postfix??
I've looked in the /opt/zimbra/log directory
also in my /var/logs directory and the only thing I can find there is what I posted above.

[marcmac]

grep postfix /var/log/zimbra.log