#1
07-06-2009, 09:23 AM
Junior Member
Posts: 5
[SOLVED] Somebody is sending spam through my server??

In my administrator daily report I can see that someone is spamming through my server.

Most active senders
XXXXXX
2 jobnet@ams.dk
2 info@shapex.eu
2 bounce_79db54a0b2408fa8a98f843e83cb@...tromail s.com
1 japanesev42@schatz.de
1 fatties@sermicro.com
1 prepositioning@santiagoecintra.es
1 rapprochementsu2@securita.pl

I am not sure why they are able to send through my server, but I was told that one of my users probably has a virus of some sort.

I know that I should look at the log file, but I don’t know what to search for.

I have tried to search the forum, but I don't know any keywords for my problem.

Please, help me find the leak.

#2
07-06-2009, 09:40 AM
Zimbra Consultant & Moderator
Posts: 12,392

They are not sending spam through your server, that's a total for people sending spam TO your server.
__________________
Regards


Bill

#3
07-06-2009, 10:08 AM
Junior Member
Posts: 5

Peew! Thanks Phoenix.

I have gotten some messages from myself, to myself. Do you know why that is happening?

Sorry for my newbie questions. I think that something is wrong, but I don't know what. One of my messages was blocked by spamhaus.org

#4
07-06-2009, 10:12 AM
Zimbra Consultant & Moderator
Posts: 12,392

Quote:
Originally Posted by mazive
Peew! Thanks Phoenix.

You can always check if you're an open relay (by default Zimbra is not an open relay) by using one of the internet check sites (do an internet search for them).

Quote:
Originally Posted by mazive
I have gotten some messages from myself, to myself. Do you know why that is happening?

Sorry for my newbie questions. I think that something is wrong, but I don't know what. One of my messages was blocked by spamhaus.org

Are the messages really from you? Perhaps they're NDR spam; have a look in the log files and see what errors (if any) you're getting and post them here plus the headers from a message that was rejected by spamhaus.
__________________
Regards


Bill
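
Added example, not part of the thread: the daily report lists senders without saying which way the mail travelled, and the Postfix log is where that shows. This Python sketch classifies constructed log lines by client address, SASL login and recipient domain; `LOCAL_DOMAINS`, `TRUSTED` and every sample address are assumptions, and content-filter re-injection hops are not modelled.

```python
import ipaddress
import re

LOCAL_DOMAINS = {"example.org"}  # assumption: the domains this server hosts
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]  # assumed mynetworks

# Constructed log lines in Postfix's usual syslog layout (documentation addresses only).
SAMPLE_LOG = """\
Jul  3 16:01:02 mail postfix/smtpd[2101]: A1B2C3D4E5: client=mx.example.net[198.51.100.7]
Jul  3 16:01:02 mail postfix/qmgr[1800]: A1B2C3D4E5: from=<promo@example.net>, size=2048, nrcpt=1 (queue active)
Jul  3 16:01:03 mail postfix/lmtp[2105]: A1B2C3D4E5: to=<anna@example.org>, relay=127.0.0.1[127.0.0.1]:7025, delay=0.4, dsn=2.1.5, status=sent (250 2.1.5 OK)
Jul  3 16:05:10 mail postfix/smtpd[2101]: B2C3D4E5F6: client=pc17.lan[192.168.1.17]
Jul  3 16:05:10 mail postfix/qmgr[1800]: B2C3D4E5F6: from=<anna@example.org>, size=900, nrcpt=1 (queue active)
Jul  3 16:05:11 mail postfix/smtp[2110]: B2C3D4E5F6: to=<bob@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Jul  3 16:09:39 mail postfix/smtpd[2101]: C3D4E5F6A7: client=unknown[198.51.100.99]
Jul  3 16:09:39 mail postfix/qmgr[1800]: C3D4E5F6A7: from=<offers@example.net>, size=3100, nrcpt=1 (queue active)
Jul  3 16:09:40 mail postfix/smtp[2110]: C3D4E5F6A7: to=<carol@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=1.1, dsn=2.0.0, status=sent (250 OK)
"""

CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([0-9a-fA-F.:]+)\](?:.*sasl_username=(\S+))?")
SENDER = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
RCPT = re.compile(r"postfix/(?:smtp|lmtp)\[\d+\]: (\w+): to=<([^>]*)>")

def classify(log_text):
    """Map queue ID -> (envelope sender, direction verdict)."""
    msgs = {}
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            ip = ipaddress.ip_address(m.group(2))
            msgs.setdefault(m.group(1), {}).update(
                trusted=any(ip in net for net in TRUSTED), sasl=m.group(3))
        elif m := SENDER.search(line):
            msgs.setdefault(m.group(1), {})["sender"] = m.group(2)
        elif m := RCPT.search(line):
            msgs.setdefault(m.group(1), {}).setdefault("rcpts", []).append(m.group(2))
    verdicts = {}
    for qid, msg in msgs.items():
        if not {"trusted", "sender", "rcpts"} <= msg.keys():
            continue  # incomplete record, e.g. the log rotated mid-message
        if all(r.rpartition("@")[2].lower() in LOCAL_DOMAINS for r in msg["rcpts"]):
            verdict = "inbound"  # mail delivered TO this server's own mailboxes
        elif msg["sasl"]:
            verdict = "outbound-authenticated"  # a logged-in user; review that account
        elif msg["trusted"]:
            verdict = "outbound-trusted-network"  # a LAN host; check that machine
        else:
            verdict = "relayed-unauthenticated"  # stranger to stranger: server is relaying
        verdicts[qid] = (msg["sender"], verdict)
    return verdicts
```

Only the last verdict means the server accepted mail from an outside client for an outside recipient without a login; an address that appears only under `inbound` was sending to the server, not through it.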

#5
07-06-2009, 10:45 AM
Junior Member
Posts: 5

It looked like the message was sent from me, to me, but sadly I have deleted the message.

The message returned from spamhaus was:
The mail system

<crj@itq.dk>: host relay.inet.tele.dk[194.182.148.151] said: 554 Service
unavailable; Client host [212.242.114.238] blocked using
rblplus.combined.foo; http://www.spamhaus.org/query/bl?ip=212.242.114.238
(in reply to RCPT TO command)

Reporting-MTA: dns; mail.mazive.dk
X-Postfix-Queue-ID: 9D7375A901
X-Postfix-Sender: rfc822; morten@azm.dk
Arrival-Date: Fri, 3 Jul 2009 16:09:39 +0200 (CEST)

Final-Recipient: rfc822; crj@itq.dk
Original-Recipient: rfc822;crj@itq.dk
Action: failed
Status: 5.0.0
Remote-MTA: dns; relay.inet.tele.dk
Diagnostic-Code: smtp; 554 Service unavailable; Client host [212.242.114.238]
blocked using rblplus.combined.foo;
http://www.spamhaus.org/query/bl?ip=212.242.114.238

#6
07-06-2009, 11:16 AM
Junior Member
Posts: 5

I tried: telnet relay-test.mail-abuse.org
and got this
System appeared to reject relay attempts
Connection closed by foreign host.

That should be ok, maybe I'm just paranoid.

Sadly I have deleted the spam message from myself to myself.

This is the MDS message I got.

The mail system

<crj@itq.dk>: host relay.inet.tele.dk[194.182.148.151] said: 554 Service
unavailable; Client host [212.242.114.238] blocked using
rblplus.combined.foo; http://www.spamhaus.org/query/bl?ip=212.242.114.238
(in reply to RCPT TO command)

Reporting-MTA: dns; mail.mazive.dk
X-Postfix-Queue-ID: 9D7375A901
X-Postfix-Sender: rfc822; morten@azm.dk
Arrival-Date: Fri, 3 Jul 2009 16:09:39 +0200 (CEST)

Final-Recipient: rfc822; crj@itq.dk
Original-Recipient: rfc822;crj@itq.dk
Action: failed
Status: 5.0.0
Remote-MTA: dns; relay.inet.tele.dk
Diagnostic-Code: smtp; 554 Service unavailable; Client host [212.242.114.238]
blocked using rblplus.combined.foo;
http://www.spamhaus.org/query/bl?ip=212.242.114.238

#7
07-06-2009, 12:12 PM
Zimbra Consultant & Moderator
Posts: 12,392

If you read the error message here: The Spamhaus Project - PBL it tells you that you must relay your outbound mail through your ISP's mail server. You might also be able to get it removed from the block list if you look at the second option on that page.
__________________
Regards


Bill

Last edited by phoenix : 07-06-2009 at 12:19 PM.
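
Added example, not part of the thread: a Python sketch that parses the delivery-status fields pasted in post #5, extracts the blocked client address, and builds the DNSBL query name used to see which Spamhaus list an address is on. The `zen.spamhaus.org` zone and the return-code table come from Spamhaus's published conventions rather than from the thread, and the DNS query itself is left out so the block runs offline.

```python
import ipaddress
import re

# Fields as pasted in post #5; continuation lines appear unindented there.
DSN_TEXT = """\
Reporting-MTA: dns; mail.mazive.dk

Final-Recipient: rfc822; crj@itq.dk
Action: failed
Status: 5.0.0
Remote-MTA: dns; relay.inet.tele.dk
Diagnostic-Code: smtp; 554 Service unavailable; Client host [212.242.114.238]
blocked using rblplus.combined.foo;
http://www.spamhaus.org/query/bl?ip=212.242.114.238
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z-]*):\s+(.*)$")  # "http://..." does not match
# A-record answers from the combined Spamhaus zone and the list each one denotes.
CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.10": "PBL",
         "127.0.0.11": "PBL", **{f"127.0.0.{n}": "XBL" for n in range(4, 8)}}

def parse_dsn(text):
    """Return DSN fields keyed by lower-case name, joining continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            last = None  # a blank line ends the current field group
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2).strip()
        elif last:
            fields[last] += " " + line.strip()
    return fields

def blocked_client(fields):
    """Extract (client IP, list name as reported by the remote MTA), or None."""
    m = re.search(r"Client host \[([^\]]+)\]\s+blocked using (\S+?);",
                  fields.get("diagnostic-code", ""))
    return (m.group(1), m.group(2)) if m else None

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Query name for an IPv4 address: reversed octets followed by the zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def interpret(answers):
    """Translate the A records returned for dnsbl_name() into list names."""
    return sorted({CODES.get(a, "unknown") for a in answers})
```

A PBL answer is a policy listing for address ranges not expected to deliver mail directly, which fits the advice above to relay through the ISP; an SBL or XBL answer would instead indicate abuse seen from the address itself.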