12-31-2008, 03:43 AM
Special Member
Posts: 134

Large volume of spam messages; see the log

Hello,
I'm receiving a large volume of spam messages; one of them was sent from it@mydomain.com to it@mydomain.com, although "it" is an alias name containing the I.T. Department staff.
I copied the log from /var/log/zimbra.log and I found this:
Code:
Dec 31 11:48:32 mail zmmailboxdmgr[2333]: status requested
Dec 31 11:48:32 mail zmmailboxdmgr[2333]: status OK
Dec 31 11:48:33 mail zmmailboxdmgr[2396]: status requested
Dec 31 11:48:33 mail zmmailboxdmgr[2396]: status OK
Dec 31 11:49:42 mail zmmailboxdmgr[2731]: status requested
Dec 31 11:49:42 mail zmmailboxdmgr[2731]: status OK
Dec 31 11:49:43 mail zmmailboxdmgr[2792]: status requested
Dec 31 11:49:43 mail zmmailboxdmgr[2792]: status OK
Dec 31 11:49:44 mail postfix/smtpd[1762]: connect from unknown[212.70.50.179]
Dec 31 11:49:44 mail postfix/smtpd[1762]: 95FE3AA02B6: client=unknown[212.70.50.179]
Dec 31 11:49:44 mail postfix/cleanup[1766]: 95FE3AA02B6: message-id=<0KCQ00HPAGH6WL@ling.atheer.net.sa>
Dec 31 11:49:44 mail postfix/qmgr[19037]: 95FE3AA02B6: from=<it@myomain.com>, size=2314, nrcpt=9 (queue active)
Dec 31 11:49:44 mail amavis[12859]: (12859-16) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20081230T115440-12859: <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com> SIZE=2314 BODY=8BITMIME Received: from mail.myomain.com ([127.0.0.1]) by localhost (mail.myomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Wed, 31 Dec 2008 11:49:44 +0300 (AST)
Dec 31 11:49:44 mail amavis[12859]: (12859-16) Checking: EkJj7vpmdfLW [212.70.50.179] <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com>
Dec 31 11:49:44 mail postfix/smtpd[1762]: disconnect from unknown[212.70.50.179]
Dec 31 11:49:46 mail postfix/smtpd[1777]: connect from localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail postfix/smtpd[1777]: D0190AA02B7: client=localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail postfix/cleanup[1766]: D0190AA02B7: message-id=<0KCQ00HPAGH6WL@ling.atheer.net.sa>
Dec 31 11:49:46 mail postfix/qmgr[19037]: D0190AA02B7: from=<it@myomain.com>, size=3072, nrcpt=9 (queue active)
Dec 31 11:49:46 mail postfix/smtpd[1777]: disconnect from localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail amavis[12859]: (12859-16) FWD via SMTP: <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com>,BODY=8BITMIME 250 2.6.0 Ok, id=12859-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D0190AA02B7
Dec 31 11:49:46 mail amavis[12859]: (12859-16) Passed SPAMMY, [212.70.50.179] [98.209.154.224] <it@myomain.com> -> <d.nakouzi@myomain.com>,<dawood@myomain.com>,<h.kawass@myomain.com>,<hilal@myomain.com>,<k.jubeily@myomain.com>,<m.othman@myomain.com>,<r.baba@myomain.com>,<r.nawam@myomain.com>,<wafik@myomain.com>, Message-ID: <0KCQ00HPAGH6WL@ling.atheer.net.sa>, mail_id: EkJj7vpmdfLW, Hits: 11.999, size: 2313, queued_as: D0190AA02B7, 2253 ms
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<d.nakouzi@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<dawood@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<h.kawass@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<hilal@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<k.jubeily@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<m.othman@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<r.baba@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<r.nawam@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/smtp[1767]: 95FE3AA02B6: to=<wafik@myomain.com>, orig_to=<it@myomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=0.05/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0190AA02B7)
Dec 31 11:49:46 mail postfix/qmgr[19037]: 95FE3AA02B6: removed
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<d.nakouzi@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<dawood@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<h.kawass@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<hilal@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<k.jubeily@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<m.othman@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<r.baba@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<r.nawam@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/lmtp[1780]: D0190AA02B7: to=<wafik@myomain.com>, relay=mail.myomain.com[192.168.119.4]:7025, delay=0.99, delays=0.05/0.01/0/0.93, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 31 11:49:47 mail postfix/qmgr[19037]: D0190AA02B7: removed
Dec 31 11:50:01 mail zimbramon[2847]: 2847:info: 2008-12-31 11:50:01, QUEUE: 0 0
Dec 31 11:50:02 mail zimbramon[2858]: 2858:info: 2008-12-31 11:50:01, DISK: mail.myomain.com: dev: /dev/sda1, mp: /, tot: 200889, avail: 182518
Dec 31 11:50:04 mail zmmailboxdmgr[3154]: status requested
Dec 31 11:50:04 mail zmmailboxdmgr[3154]: status OK
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: antispam: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: antivirus: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: ldap: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: logger: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: mailbox: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: mta: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: snmp: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: spell: Running
Dec 31 11:50:05 mail zimbramon[2863]: 2863:info: 2008-12-31 11:50:01, STATUS: mail.myomain.com: stats: Running
Dec 31 11:50:42 mail postfix/smtpd[1762]: connect from uslec-66-255-79-114.cust.uslec.net[66.255.79.114]
Dec 31 11:50:42 mail postfix/smtpd[3261]: connect from uslec-66-255-79-114.cust.uslec.net[66.255.79.114]
Dec 31 11:50:44 mail postfix/smtpd[1762]: NOQUEUE: reject: RCPT from uslec-66-255-79-114.cust.uslec.net[66.255.79.114]: 550

Here is my MTA global settings configuration:
Code:
Protocol checks
Hostname in greeting violates RFC (reject_invalid_hostname) (YES)
Client must greet with a fully qualified hostname (reject_non_fqdn_hostname) (NO)
Sender address must be fully qualified (reject_non_fqdn_sender) (YES)
DNS checks
Client's IP address (reject_unknown_client) (NO)
Hostname in greeting (reject_unknown_hostname) (NO)
Sender's domain (reject_unknown_sender_domain) (NO)

Please note that the time is the exact time of the spam mail that I checked in the spam folder of my mail address.
Another favor, please: can you advise me on the proper way (configuration) to reduce the spam messages?
Cheers,
Last edited by snake_eyes : 12-31-2008 at 03:48 AM.
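
An added example, not part of the original post: a small log triage script that correlates Postfix queue IDs in lines like those quoted above, flags messages whose envelope sender is in a local domain but which were submitted by a non-local client, and lists amavis "Passed SPAMMY" verdicts. The sample lines are constructed (example.com, documentation IP ranges and made-up queue IDs), and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the zimbra.log format quoted in the post
# (domain, IPs and queue IDs are made up for the example).
SAMPLE_LOG = """\
Dec 31 11:49:44 mail postfix/smtpd[1762]: 95FE3AA02B6: client=unknown[203.0.113.9]
Dec 31 11:49:44 mail postfix/qmgr[19037]: 95FE3AA02B6: from=<it@example.com>, size=2314, nrcpt=9 (queue active)
Dec 31 11:49:46 mail postfix/smtpd[1777]: D0190AA02B7: client=localhost.localdomain[127.0.0.1]
Dec 31 11:49:46 mail postfix/qmgr[19037]: D0190AA02B7: from=<it@example.com>, size=3072, nrcpt=9 (queue active)
Dec 31 11:49:46 mail amavis[12859]: (12859-16) Passed SPAMMY, [203.0.113.9] <it@example.com> -> <a@example.com>, mail_id: EkJj7vpmdfLW, Hits: 11.999, size: 2313, queued_as: D0190AA02B7, 2253 ms
Dec 31 11:51:02 mail postfix/smtpd[1801]: A1B2C3D4E5F: client=mx.example.net[198.51.100.7]
Dec 31 11:51:02 mail postfix/qmgr[19037]: A1B2C3D4E5F: from=<bob@example.net>, size=900, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+?)\[([^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")
SPAMMY_RE = re.compile(r"amavis\[\d+\]: \(\S+\) Passed SPAMMY, \[([^\]]+)\].*?Hits: ([\d.]+)")

def find_spoofed_local_senders(log_text, local_domains, trusted_ips=("127.0.0.1", "::1")):
    """Return [(queue_id, client_ip, sender)] for messages submitted by a
    non-trusted client whose envelope sender is in one of local_domains."""
    clients, findings = {}, []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(3)  # queue ID -> connecting client IP
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in clients:
            qid, sender = m.group(1), m.group(2).lower()
            domain = sender.rpartition("@")[2]
            ip = clients[qid]
            if domain in local_domains and ip not in trusted_ips:
                findings.append((qid, ip, sender))
    return findings

def passed_spammy(log_text):
    """Return [(client_ip, score)] for amavis 'Passed SPAMMY' verdicts, i.e.
    mail scored as spam-like but still delivered."""
    return [(m.group(1), float(m.group(2)))
            for m in map(SPAMMY_RE.search, log_text.splitlines()) if m]

if __name__ == "__main__":
    for qid, ip, sender in find_spoofed_local_senders(SAMPLE_LOG, {"example.com"}):
        print(f"{qid}: {sender} claimed by external client {ip}")
    for ip, score in passed_spammy(SAMPLE_LOG):
        print(f"Passed SPAMMY from {ip}, score {score}")
```

The re-injected copy from amavis (client 127.0.0.1) is skipped as trusted, so only the original external submission is reported.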