
Thread: Possible spam issue

  1. #1
    dljordaneku is offline Elite Member
    Join Date
    Sep 2007
    Location
    Richmond, Ky
    Posts
    281
    Rep Power
    7

    Possible spam issue

    I have had some weird entries in my admin panel lately and we were reported to spamcop for sending out spam. I am having some issues trying to track down where it is coming from so I have attached a couple of log entries for one or two of the weird messages I have seen in my admin panel along with a screen shot. Any help would be greatly appreciated. In the image for the pop up information box the From Host is the server fqdn while the From IP is the DMZ address of the server. Thanks.

    Jul 24 16:09:59 servername postfix/smtpd[27708]: connect from barracuda.fqdn[dmz address]
    Jul 24 16:09:59 servername postfix/smtpd[27708]: 1415D438566: client=barracuda.fqdn[dmz address]
    Jul 24 16:09:59 servername postfix/cleanup[28649]: 1415D438566: message-id=<20080724162550.twehtmnldtvp@mx8.transparentchannel.com>
    Jul 24 16:09:59 servername postfix/smtpd[27708]: disconnect from barracuda.fqdn[dmz address]
    Jul 24 16:09:59 servername postfix/qmgr[3738]: 1415D438566: from=<mary.n@transparentchannel.com>, size=168950, nrcpt=1 (queue active)
    Jul 24 16:09:59 servername postfix/smtpd[27708]: connect from servername.fqdn[email dmz address]
    Jul 24 16:09:59 servername postfix/smtpd[27708]: 874924385C0: client=servername.fqdn[email dmz address]
    Jul 24 16:09:59 servername postfix/cleanup[28561]: 874924385C0: message-id=<21453557.7211216930199542.JavaMail.root@servername.fqdn>
    Jul 24 16:09:59 servername postfix/qmgr[3738]: 874924385C0: from=<>, size=1114, nrcpt=1 (queue active)
    Jul 24 16:09:59 servername postfix/smtpd[27708]: disconnect from servername.fqdn[email dmz address]

    dj

  2. #2
    dljordaneku is offline Elite Member

    bump ! ! !

  3. #3
    dljordaneku is offline Elite Member

    Bumping again. Is the log file enough to go on or do I need to post more info?

    dj

  4. #4
    dljordaneku is offline Elite Member

    No help from anyone? Any tips on how to track down a machine which may be sending this out?

    dj

  5. #5
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24


    Is the SPAM actually originating from your server or is it that somebody is spoofing your domain? You should also consider upgrading your ZCS server if you are still on 4.5.7

  6. #6
    Jbrabander is offline Elite Member
    Join Date
    May 2008
    Location
    Park City, KS
    Posts
    342
    Rep Power
    7


    We have stuff like that all the time. I've always assumed that a spam came in trying to get to a bad address. The mailer-daemon tries to send back a reply but it never goes since the "return" address is bogus. Would that be a correct assumption?

  7. #7
    dljordaneku is offline Elite Member

    Quote Originally Posted by uxbod View Post
    Is the SPAM actually originating from your server or is it that somebody is spoofing your domain? You should also consider upgrading your ZCS server if you are still on 4.5.7
    Well it is showing up in my logs and in my admin panel so I would think it would be coming from my server. I get about three or four of these messages and we did get graylisted by some places here recently. So I would think it is coming from here somewhere. I just need to track it down and was wanting to see if anyone here could verify by what I posted that it is coming from somewhere here.

    We are in the process of upgrading to the latest version. We had some hardware go bad in our VM server so we are in the midst of getting that upgraded first.

    The part of Zimbra that is impressing me right now is that we have it running in a VM environment running on a server 2003 box which the hardware is really nothing more than a desktop pc at the moment. It was a last resort thing until the server is back up and running.

    Thanks.

    dj

  8. #8
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,499
    Rep Power
    56


    Quote Originally Posted by Jbrabander View Post
    We have stuff like that all the time. I've always assumed that a spam came in trying to get to a bad address. The mailer-daemon tries to send back a reply but it never goes since the "return" address is bogus. Would that be a correct assumption?
    That would be a reasonable assumption, it's known as backscatter or NDR spam. I've mentioned a solution in the other thread of yours here: Limit to a blacklist? It might also apply in this case.
    Regards


    Bill



  9. #9
    dljordaneku is offline Elite Member

    Finally figured out what was going on. Jbrabander's last message was close to what was going on. We had a user that had retired and an away message was turned on. Whenever that account got any spam it would try and reply back to the person sending it. Well most of the time that account didn't exist so the server just stuck it in the deferred queue.

    After I took the away message out, the problem went away. Thanks.


    dj
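
The pattern this thread ends up diagnosing can be picked out of a Postfix log mechanically. The following is an added example, not code from any poster: it pairs each null-sender (`from=<>`) message submitted by the mail server itself with the inbound message whose sender it is replying to. The sample log is constructed in the format of the lines in post #1; the hostnames, addresses, the `to=`/`status=` delivery line and the function name `find_backscatter` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modeled on the log format in post #1
# (hostnames and addresses are placeholders, not from the original logs).
SAMPLE_LOG = """\
Jul 24 16:09:59 mail postfix/smtpd[27708]: connect from gw.example.test[192.0.2.10]
Jul 24 16:09:59 mail postfix/smtpd[27708]: 1415D438566: client=gw.example.test[192.0.2.10]
Jul 24 16:09:59 mail postfix/qmgr[3738]: 1415D438566: from=<sender@spam.example>, size=168950, nrcpt=1 (queue active)
Jul 24 16:09:59 mail postfix/smtpd[27708]: 874924385C0: client=mail.example.test[192.0.2.20]
Jul 24 16:09:59 mail postfix/qmgr[3738]: 874924385C0: from=<>, size=1114, nrcpt=1 (queue active)
Jul 24 16:10:01 mail postfix/smtp[28700]: 874924385C0: to=<sender@spam.example>, relay=none, delay=2, status=deferred (Host not found)
Jul 24 16:12:30 mail postfix/smtpd[27709]: 9A0B1438570: client=gw.example.test[192.0.2.10]
Jul 24 16:12:30 mail postfix/qmgr[3738]: 9A0B1438570: from=<colleague@partner.example>, size=2048, nrcpt=1 (queue active)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
FIELDS = {"client": r"client=([^\[]+)\[", "sender": r"from=<([^>]*)>",
          "rcpt": r"to=<([^>]*)>", "status": r"status=(\w+)"}

def find_backscatter(log_text, local_host, year=2008, window=timedelta(seconds=5)):
    """Return local null-sender messages paired with the inbound mail that triggered them."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rec = msgs.setdefault(m.group(2), {"time": ts})  # keep first-seen time
        for key, pat in FIELDS.items():
            hit = re.search(pat, m.group(3))
            if hit:
                rec[key] = hit.group(1)
    findings = []
    for qid, rec in msgs.items():
        # from=<> submitted by the server itself: a bounce or an auto-reply
        if rec.get("sender") != "" or rec.get("client") != local_host:
            continue
        triggers = [q for q, r in msgs.items()
                    if r.get("sender") and r["sender"] == rec.get("rcpt")
                    and timedelta(0) <= rec["time"] - r["time"] <= window]
        findings.append({"queue_id": qid, "reply_to": rec.get("rcpt"),
                         "status": rec.get("status"), "triggered_by": triggers})
    return findings

if __name__ == "__main__":
    for finding in find_backscatter(SAMPLE_LOG, "mail.example.test"):
        print(finding)
```

A run of findings with `status` of `deferred` and many different `reply_to` addresses points at an auto-responder or bounce path answering forged senders rather than at a compromised client.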
