
Thread: Someone is sending spam from my server

  1. #1
    DMRDave (Active Member; joined Feb 2006; Southern California; 49 posts)

    Someone is sending spam from my server

    This started yesterday morning, but I didn't notice it until last night. Digging through the logs shows the following:


    Jul 24 06:15:43 dmrmail02 postfix/smtpd[29410]: initializing the server-side TLS engine
    Jul 24 06:15:44 dmrmail02 postfix/smtpd[29410]: connect from mail.spgglobal.net[206.108.180.69]
    Jul 24 06:15:44 dmrmail02 saslauthd[17074]: zmauth: authenticating against elected url 'https://dmrmail02.poboxdmr.com:7071/service/admin/soap/' ...
    Jul 24 06:15:44 dmrmail02 saslauthd[17074]: zmpost: url='https://dmrmail02.poboxdmr.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="12435"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_c14775f6c9e1292b7aa22d3462f1ec864a62837f_69643d33363a31343939373931312d666537312d346237312d626538642d6232386166663963353766623b6578703d31333a313231373037383134343736353b747970653d363a7a696d6272613b6d61696c686f73743d31353a36392e32382e3130382e32393a38303b</authToken><lifetime>172799999</lifetime><skin>sand</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Jul 24 06:15:44 dmrmail02 saslauthd[17074]: auth_zimbra: contact auth OK
    Jul 24 06:15:45 dmrmail02 postfix/smtpd[29410]: 4325D98A40FF: client=mail.spgglobal.net[206.108.180.69], sasl_method=LOGIN, sasl_username=xxxxxx
    Jul 24 06:15:48 dmrmail02 postfix/cleanup[29413]: 4325D98A40FF: message-id=<20080724131545.4325D98A40FF@dmrmail02.poboxdmr.com>
    Jul 24 06:15:48 dmrmail02 postfix/qmgr[17045]: 4325D98A40FF: from=<refunds@irs.gov>, size=3131, nrcpt=30 (queue active)
    Jul 24 06:15:48 dmrmail02 amavis[15020]: (15020-13) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20080723T162658-15020: <refunds@irs.gov> -> <abamedia@abamedia.com>,<abana@abana.org>,<aballag@airweb2.org>,<abaret1@aisd.net>,<abandler@aol.com>,<abarber51@aol.com>,<abarberino@aol.com>,<abarbuto@bu.edu>,<abaldwin@centralcarolinasoil.com>,<abargerhuff@dallergreenberg.com>,<abarbour@du.edu>,<aballard@gassville.com>,<aballagh@georgiasouthern.edu>,<aballroy@hotmail.com>,<abander@hotmail.com>,<abarger1@hotmail.com>,<aba-ptl@mail.abanet.org>,<abarber@massasoit.org>,<abarak@mscc.huji.uc.ils>,<abarcenasjr@msn.com>,<abarbett@neo.rr.com>,<abarchetto@njm.com>,<aban.ltd@parsonline.net>,<abanister@quantumhydraulic.com>,<abancalari@restaurantassociates.com>,<aball@statesman.com>,<abarbee@txculturaltrust.org>,<aballen1@verizon.net>,<abana@yahoo.com>,<abaquel@yahoo.com> SIZE=3131 Received: from dmrmail02.poboxdmr.com ([127.0.0.1]) by localhost (dmrmail02.poboxdmr.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; ...
    Jul 24 06:15:48 dmrmail02 amavis[15020]: (15020-13) ...Thu, 24 Jul 2008 06:15:48 -0700 (PDT)
    Jul 24 06:15:48 dmrmail02 amavis[15020]: (15020-13) Checking: O2Nls-TF+QjH [206.108.180.69] <refunds@irs.gov> -> <abamedia@abamedia.com>,<abana@abana.org>,<aballag@airweb2.org>,<abaret1@aisd.net>,<abandler@aol.com>,<abarber51@aol.com>,<abarberino@aol.com>,<abarbuto@bu.edu>,<abaldwin@centralcarolinasoil.com>,<abargerhuff@dallergreenberg.com>,<abarbour@du.edu>,<aballard@gassville.com>,<aballagh@georgiasouthern.edu>,<aballroy@hotmail.com>,<abander@hotmail.com>,<abarger1@hotmail.com>,<aba-ptl@mail.abanet.org>,<abarber@massasoit.org>,<abarak@mscc.huji.uc.ils>,<abarcenasjr@msn.com>,<abarbett@neo.rr.com>,<abarchetto@njm.com>,<aban.ltd@parsonline.net>,<abanister@quantumhydraulic.com>,<abancalari@restaurantassociates.com>,<aball@statesman.com>,<abarbee@txculturaltrust.org>,<aballen1@verizon.net>,<abana@yahoo.com>,<abaquel@yahoo.com>
    Jul 24 06:15:48 dmrmail02 postfix/smtpd[29410]: disconnect from mail.spgglobal.net[206.108.180.69]
    Jul 24 06:15:50 dmrmail02 postfix/smtpd[29410]: connect from mail.spgglobal.net[206.108.180.69]
    Jul 24 06:15:50 dmrmail02 saslauthd[17075]: zmauth: authenticating against elected url 'https://dmrmail02.poboxdmr.com:7071/service/admin/soap/' ...
    Jul 24 06:15:50 dmrmail02 saslauthd[17075]: zmpost: url='https://dmrmail02.poboxdmr.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="12435"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_e74a69b853266abe565059ef249ee4db27685445_69643d33363a31343939373931312d666537312d346237312d626538642d6232386166663963353766623b6578703d31333a313231373037383135303933373b747970653d363a7a696d6272613b6d61696c686f73743d31353a36392e32382e3130382e32393a38303b</authToken><lifetime>172800000</lifetime><skin>sand</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Jul 24 06:15:50 dmrmail02 saslauthd[17075]: auth_zimbra: contact auth OK
    Jul 24 06:15:51 dmrmail02 postfix/smtpd[29410]: A1CD998A41AC: client=mail.spgglobal.net[206.108.180.69], sasl_method=LOGIN, sasl_username=xxxxxx
    Jul 24 06:15:53 dmrmail02 postfix/smtpd[29417]: initializing the server-side TLS engine
    Jul 24 06:15:53 dmrmail02 postfix/smtpd[29417]: connect from localhost[127.0.0.1]
    Jul 24 06:15:53 dmrmail02 postfix/smtpd[29417]: 3065A98A41B5: client=localhost[127.0.0.1]
    Jul 24 06:15:53 dmrmail02 postfix/cleanup[29418]: 3065A98A41B5: message-id=<20080724131545.4325D98A40FF@dmrmail02.poboxdmr.com>
    Jul 24 06:15:53 dmrmail02 postfix/smtpd[29417]: disconnect from localhost[127.0.0.1]
    Jul 24 06:15:53 dmrmail02 postfix/qmgr[17045]: 3065A98A41B5: from=<refunds@irs.gov>, size=3851, nrcpt=30 (queue active)
    Jul 24 06:15:53 dmrmail02 amavis[15020]: (15020-13) FWD via SMTP: <refunds@irs.gov> -> <abamedia@abamedia.com>,<abana@abana.org>,<aballag@airweb2.org>,<abaret1@aisd.net>,<abandler@aol.com>,<abarber51@aol.com>,<abarberino@aol.com>,<abarbuto@bu.edu>,<abaldwin@centralcarolinasoil.com>,<abargerhuff@dallergreenberg.com>,<abarbour@du.edu>,<aballard@gassville.com>,<aballagh@georgiasouthern.edu>,<aballroy@hotmail.com>,<abander@hotmail.com>,<abarger1@hotmail.com>,<aba-ptl@mail.abanet.org>,<abarber@massasoit.org>,<abarak@mscc.huji.uc.ils>,<abarcenasjr@msn.com>,<abarbett@neo.rr.com>,<abarchetto@njm.com>,<aban.ltd@parsonline.net>,<abanister@quantumhydraulic.com>,<abancalari@restaurantassociates.com>,<aball@statesman.com>,<abarbee@txculturaltrust.org>,<aballen1@verizon.net>,<abana@yahoo.com>,<abaquel@yahoo.com>,BODY=7BIT 250 2.6.0 Ok, id=15020-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3065A98A41B5
    Jul 24 06:15:53 dmrmail02 amavis[15020]: (15020-13) Passed CLEAN, [206.108.180.69] [206.108.180.69] <refunds@irs.gov> -> <abamedia@abamedia.com>,<abana@abana.org>,<aballag@airweb2.org>,<abaret1@aisd.net>,<abandler@aol.com>,<abarber51@aol.com>,<abarberino@aol.com>,<abarbuto@bu.edu>,<abaldwin@centralcarolinasoil.com>,<abargerhuff@dallergreenberg.com>,<abarbour@du.edu>,<aballard@gassville.com>,<aballagh@georgiasouthern.edu>,<aballroy@hotmail.com>,<abander@hotmail.com>,<abarger1@hotmail.com>,<aba-ptl@mail.abanet.org>,<abarber@massasoit.org>,<abarak@mscc.huji.uc.ils>,<abarcenasjr@msn.com>,<abarbett@neo.rr.com>,<abarchetto@njm.com>,<aban.ltd@parsonline.net>,<abanister@quantumhydraulic.com>,<abancalari@restaurantassociates.com>,<aball@statesman.com>,<abarbee@txculturaltrust.org>,<aballen1@verizon.net>,<abana@yahoo.com>,<abaquel@yahoo.com>, Message-ID: <20080724131545.4325D98A40FF@dmrmail02.poboxdmr.com>, mail_id: O2Nls-TF+QjH, Hits: 6.431, size: 3131, queued_as: 3065A98A41B5, 4412 ms
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abamedia@abamedia.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abana@abana.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<aballag@airweb2.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abaret1@aisd.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abandler@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abarber51@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abarberino@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abarbuto@bu.edu>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abaldwin@centralcarolinasoil.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abargerhuff@dallergreenberg.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abarbour@du.edu>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<aballard@gassville.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<aballagh@georgiasouthern.edu>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<aballroy@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abander@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abarger1@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<aba-ptl@mail.abanet.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)
    Jul 24 06:15:53 dmrmail02 postfix/smtp[29414]: 4325D98A40FF: to=<abarber@massasoit.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.1, delays=3.7/0.01/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3065A98A41B5)

    It goes on and on and on. Thousands of messages. I've cleared my queue of the 1000's of messages at this point and am running normal as of now. I've received messages from Verizon, AOL, and others informing me that I've been blacklisted. Crap. Doing damage control now. Can anyone help me figure out how this happened, and how to prevent it in the future?

    In the logs posted above, I did change the login=xxxxxx from the login name that was in the logs. Other than that, this is what the logs show. Is this simply a case of a compromised password? Thank you for any help you can provide.
    - dmrdave
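As an added illustration (not code from this thread or from Zimbra), here is a small log-correlation script that does mechanically what the poster did by hand: it joins Postfix's smtpd `client=... sasl_username=...` lines to the qmgr `from=<...> nrcpt=N` lines by queue ID, tallies what each SASL account submitted, and flags accounts with a wide fan-out or an envelope sender outside the server's own domain. The sample log lines are constructed to mirror the excerpt above; the hosts, IPs, queue IDs and account names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's excerpt; hosts, IPs, queue IDs and accounts are placeholders.
SAMPLE_LOG = """\
Jul 24 06:15:45 mail01 postfix/smtpd[29410]: 4325D98A40FF: client=mail.example.net[203.0.113.7], sasl_method=LOGIN, sasl_username=jdoe
Jul 24 06:15:48 mail01 postfix/qmgr[17045]: 4325D98A40FF: from=<refunds@irs.gov>, size=3131, nrcpt=30 (queue active)
Jul 24 06:15:53 mail01 postfix/smtpd[29417]: 3065A98A41B5: client=localhost[127.0.0.1]
Jul 24 06:15:53 mail01 postfix/qmgr[17045]: 3065A98A41B5: from=<refunds@irs.gov>, size=3851, nrcpt=30 (queue active)
Jul 24 06:20:10 mail01 postfix/smtpd[29420]: 7F00198A4200: client=laptop.example.com[198.51.100.9], sasl_method=LOGIN, sasl_username=alice
Jul 24 06:20:11 mail01 postfix/qmgr[17045]: 7F00198A4200: from=<alice@example.com>, size=1200, nrcpt=2 (queue active)
"""
# smtpd line tying a queue ID to a client; sasl_username is present only for authenticated submissions.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
                       r"(?:.*?sasl_username=(?P<user>\S+))?")
# qmgr line carrying the envelope sender and recipient count for that queue ID.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
                     r"size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize_sasl_submissions(log_text):
    """Join smtpd and qmgr lines by queue ID and tally what each SASL account submitted."""
    authed = {}  # queue id -> (client, sasl user); the localhost re-injection gets no entry, so no double count
    stats = defaultdict(lambda: {"recipients": 0, "max_nrcpt": 0, "clients": set(), "senders": set()})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and m.group("user"):
            authed[m.group("qid")] = (m.group("client"), m.group("user"))
        m = FROM_RE.search(line)
        if m and m.group("qid") in authed:
            client, user = authed[m.group("qid")]
            s, n = stats[user], int(m.group("nrcpt"))
            s["recipients"] += n
            s["max_nrcpt"] = max(s["max_nrcpt"], n)
            s["clients"].add(client)
            s["senders"].add(m.group("sender"))
    return dict(stats)

def suspicious_accounts(stats, local_domain, max_nrcpt=20):
    """Flag the thread's pattern: a wide fan-out, or an envelope sender outside the local domain."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["max_nrcpt"] > max_nrcpt:
            reasons.append("nrcpt %d exceeds %d" % (s["max_nrcpt"], max_nrcpt))
        foreign = sorted(a for a in s["senders"] if not a.endswith("@" + local_domain))
        if foreign:
            reasons.append("foreign envelope sender " + ", ".join(foreign))
        if reasons:
            flagged[user] = reasons
    return flagged
```

Run it over the real mail log (`zmmailboxd`'s /var/log/zimbra.log on a Zimbra host) with your own domain as `local_domain`; the `clients` set per account is also worth eyeballing, since one mailbox submitting from several unrelated external addresses is a strong hint of a stolen password.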

  2. #2
    phoenix (Zimbra Consultant & Moderator; joined Sep 2005; Vannes, France; 23,580 posts)

    It's likely to be a compromised password; you should set the lockout policy and check on this page whether you are an open relay, for starters.
    Regards,
    Bill

  3. #3
    DMRDave (Active Member; joined Feb 2006; Southern California; 49 posts)

    Thanks Phoenix. I assumed as much. I'll look into the lockout policy as well. Regards.
    - dmrdave

  4. #4
    SamTzu (Loyal Member; joined Jan 2006; Finland; 83 posts)

    initializing the server-side TLS engine
    Have you checked your SSL Certificates?
    There was a weakness revealed a while ago in most Debian/Ubuntu-based Certificates.
    Could be someone is using that weakness to gain access.
    SamTzu
    -----------------------------------------------
    "I keep hitting the esc key, why am I still here?"
