#1 | 10-02-2009, 08:52 AM | Senior Member | Posts: 67
Mail server zimbra in blacklist

My mail server is in the blacklists of Spamcop, CBL, Sophos and various more. I have installed Zimbra Release 5.0.11_GA_2695.RHEL5_20081117051306 CentOS5 FOSS edition.

I have asked them to delist my server, but it returns to the blacklists again and again. I installed and ran rkhunter in search of some rootkit; it found nothing.

Where else can I keep checking? Can upgrading to Zimbra 5.0.18 help?

This situation is very uncomfortable and exhausting.

Rules in FW:

port 25, 80, 110, and 143 open to NET
#2 | 10-02-2009, 09:27 AM | Moderator | Posts: 1,209

Assuming your server isn't hacked, then one of your user's accounts has been compromised.

Suggest you force everyone to change their passwords. If the hacker changes the compromised account's password before the legitimate user, the user will complain that they can't access their email.

Then you can ask that user how it was that their password came to be known to a spammer.

Also, if you are not using complex passwords and forced password rotations, now would be a good time to start doing that.

We insist on changing passwords at least every 120 days, and all passwords must have:
  • At least eight characters;
  • At least one upper-case character;
  • At least one lower-case character;
  • At least one number, and;
  • At least one punctuation mark, like a comma or an exclamation point.

Hope that helps,
Mark
__________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
#3 | 10-02-2009, 10:18 AM | Senior Member | Posts: 67

Well, yesterday I asked the users to change their passwords; the passwords will expire every 90 days.
Which log files and traces can I check to see whether my server is being used to send SPAM?
#4 | 10-02-2009, 10:31 AM | Moderator | Posts: 1,209

Quote:
Originally Posted by mvalenzuela.cl
Well, yesterday I asked the users to change their passwords; the passwords will expire every 90 days.
Which log files and traces can I check to see whether my server is being used to send SPAM?
I would do three things:
  1. First, ask all the users to examine their Sent Items folder for any emails that look out of the ordinary.
  2. Next, I would look in /var/log/zimbra.log and /opt/zimbra/log/mailbox.log to see if there is anything unusual.
  3. Lastly, I would contact the blacklisting companies for help. They won't tell you who reported the spam that got you blacklisted, but some will tell you why--and give you tips for finding out exactly where the compromise in your system is.

Hope that helps,
Mark
#5 | 10-02-2009, 10:35 AM | Outstanding Member | Posts: 594

Can you show any log snippet showing the server is blacklisted?

#6 | 10-02-2009, 10:42 AM | Moderator | Posts: 1,147

If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email. Since those messages come from the same IP as your server, the blacklists will think your email server is sending them.

#7 | 10-02-2009, 11:25 AM | Elite Member | Posts: 296

There are 2 hypotheses:
1. One of the PCs on your LAN was infected and it is spreading out spam.
2. Someone has guessed a weak password and, using SASL authenticated access, is abusing your Zimbra.
This is very easy to discover:
Here is a Zimbra where they have abused the *abuse* account:
Code:
grep sasl /var/log/maillog|grep abuse |wc -l
1107
All coming from 68.153.206.153:
Code:
grep sasl /var/log/maillog|grep 68.153.206.153 |wc -l
1107
If you do not need MTA SMTP auth, i.e. if you do not have some client that should use your Zimbra from home and all your clients are on the local LAN, then uncheck SMTP auth.
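The grep-and-count check in post #7 and the "look through the MTA log" advice in post #4 amount to the same analysis: group SASL-authenticated submissions by username and client address and see which pair dominates. The script below is an added example written for this thread, not code posted by any of its participants. It assumes the Postfix smtpd log format that Zimbra's MTA writes ("client=host[ip], sasl_method=..., sasl_username=..."), and the log lines it runs on are a constructed sample with IPs from documentation ranges; on a real server you would pipe in /var/log/zimbra.log or /var/log/maillog instead.

```shell
#!/bin/sh
# Added example: summarise SASL-authenticated submissions in a Postfix/Zimbra
# MTA log. Input lines are in the Postfix smtpd "client=... sasl_username=..."
# format. The sample below is constructed; the IPs come from documentation ranges.
MAILLOG_SAMPLE='Oct  2 08:30:12 mail postfix/smtpd[4101]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=abuse
Oct  2 08:30:13 mail postfix/smtpd[4101]: 1A2B3C4D5F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=abuse
Oct  2 08:31:02 mail postfix/smtpd[4102]: 1A2B3C4D60: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=abuse
Oct  2 08:45:19 mail postfix/smtpd[4103]: 1A2B3C4D61: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=abuse
Oct  2 09:02:44 mail postfix/smtpd[4110]: 1A2B3C4D70: client=pc12.lan[192.0.2.12], sasl_method=PLAIN, sasl_username=lperez
Oct  2 09:40:01 mail postfix/smtpd[4115]: 1A2B3C4D80: client=pc17.lan[192.0.2.17], sasl_method=PLAIN, sasl_username=dlopez
Oct  2 09:41:20 mail postfix/qmgr[3990]: 1A2B3C4D80: from=<dlopez@example.test>, size=2048, nrcpt=1 (queue active)'

# sasl_auth_counts: read log lines on stdin, print "count user ip", most frequent first.
# Only smtpd lines carrying sasl_username are counted; queue-manager lines are ignored.
sasl_auth_counts() {
  grep 'sasl_username=' \
  | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*sasl_username=\([^ ,]*\).*/\2 \1/p' \
  | sort | uniq -c | sort -rn \
  | awk '{ print $1, $2, $3 }'
}

# flag_abusers THRESHOLD: print "user ip" pairs that authenticated at least THRESHOLD times.
# A single account/address pair with a count far above everyone else is the
# pattern post #7 describes (1107 logins from one address).
flag_abusers() {
  sasl_auth_counts | awk -v t="$1" '$1 >= t { print $2, $3 }'
}

# ips_per_user: print "n_ips user"; one account authenticating from many client
# addresses is another sign that its password has leaked.
ips_per_user() {
  sasl_auth_counts | awk '{ n[$2]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Stand-alone demonstration on the constructed sample.
echo "== authentications per user/ip =="
printf '%s\n' "$MAILLOG_SAMPLE" | sasl_auth_counts
echo "== pairs at or above 3 =="
printf '%s\n' "$MAILLOG_SAMPLE" | flag_abusers 3
echo "== distinct client addresses per user =="
printf '%s\n' "$MAILLOG_SAMPLE" | ips_per_user
```

Run it against a real log with `sasl_auth_counts < /var/log/zimbra.log` (or /var/log/maillog, whichever syslog file the MTA writes to on your system). The threshold for flag_abusers depends on how much legitimate authenticated submission your users generate; comparing the top pair against the rest of the list is usually more telling than any fixed number.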
#8 | 10-02-2009, 12:11 PM | Senior Member | Posts: 67

Quote:
Originally Posted by veronica
Can you show any log snippet showing the server is blacklisted?
De: Mail Delivery System [mailto:MAILER-DAEMON@mail.sitac.cl]
Enviado el: Viernes, 02 de Octubre de 2009 8:30
Para: lperez@sitac.cl
Asunto: Undelivered Mail Returned to Sender

This is the mail system at host mail.sitac.cl.

I'm sorry to have to inform you that your message could not be delivered to
one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own
text from the attached returned message.

The mail system

<hlecarosf@ossabulnes.cl>: host mail.ossabulnes.cl[200.29.0.215] said:
550-X-RBL-Warning: 200.55.221.106 is in the bl.spamcop.net blacklist.
550
SpamCop.net - Blocking List ( bl.spamcop.net ) (in reply to RCPT TO command)

---------OTHER--------------------
----- Mensaje reenviado -----
De: "Mail Delivery System" <MAILER-DAEMON@mail.sitac.cl>
Para: dlopez@sitac.cl
Enviados: Viernes, 2 de Octubre 2009 9:42:37 (GMT-0400) Auto-Detected
Asunto: Undelivered Mail Returned to Sender

This is the mail system at host mail.sitac.cl.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<sws-support@waterloo.water.slb.com>: host
us1061mta02.mail.slb.com[199.6.139.15] said: 550 5.7.1
<mail.sitac.cl[200.55.221.106]>: Client host rejected: Your message was
rejected due to spam filtering. Please see
SophosLabs IP address classification lookup (in reply to
RCPT TO command


Thanks Vero
#9 | 10-02-2009, 12:14 PM | Moderator | Posts: 1,209

Quote:
Originally Posted by ArcaneMagus
If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email. Since those messages come from the same IP as your server, the blacklists will think your email server is sending them.
Good point! This is why we have our clients use office firewalls that block all outbound port 25 traffic except from the mail server.

All the best,
Mark
#10 | 10-02-2009, 12:25 PM | Senior Member | Posts: 67

Quote:
Originally Posted by ArcaneMagus
If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email. Since those messages come from the same IP as your server, the blacklists will think your email server is sending them.
My mail server is in the DMZ!!