
Thread: Mail server zimbra in blacklist

#1 mvalenzuela.cl (Senior Member)

    My mail server is on the blacklists of Spamcop, CBL, Sophos and several more. I have installed zimbra Release 5.0.11_GA_2695.RHEL5_20081117051306 CentOS5 FOSS edition.

    I have asked them to delist my server, but it returns to the blacklists again and again. I installed and ran rkhunter to search for a rootkit; it found nothing.

    Where should I keep checking? Can upgrading to Zimbra 5.0.18 help?

    This situation is very uncomfortable and exhausting.

    Rules in FW:

    ports 25, 80, 110 and 143 open to the NET

#2 LMStone (Moderator)


    Assuming your server isn't hacked, then one of your users' accounts has been compromised.

    Suggest you force everyone to change their passwords. If the hacker changes the compromised account's password before the legitimate user, the user will complain that they can't access their email.

    Then you can ask that user how it was that their password came to be known to a spammer.

    Also, if you are not using complex passwords and forced password rotations, now would be a good time to start doing that.

    We insist on changing passwords at least every 120 days, and all passwords must have:
    • At least eight characters;
    • At least one upper-case character;
    • At least one lower-case character;
    • At least one number, and;
    • At least one punctuation mark, like a comma or an exclamation point.


    Hope that helps,
    Mark

#3 mvalenzuela.cl (Senior Member)


    Well, yesterday I asked users to change their passwords; passwords will now expire every 90 days.
    What log files and traces can I check to see whether my server is being used to send SPAM?

#4 LMStone (Moderator)


    Originally Posted by mvalenzuela.cl:
        Well, yesterday I asked users to change their passwords; passwords will now expire every 90 days.
        What log files and traces can I check to see whether my server is being used to send SPAM?

    I would do three things:
    1. First, ask all the users to examine their Sent Items folder for any emails that look out of the ordinary.
    2. Next, I would look in /var/log/zimbra.log and /opt/zimbra/log/mailbox.log yourself to see if there is anything unusual.
    3. Lastly, I would contact the blacklisting companies for help. They won't tell you who reported the spam that got you blacklisted, but some will tell you why, and give you tips for finding out exactly where the compromise in your system is.


    Hope that helps,
    Mark

#5 veronica (Outstanding Member)


    Can you show any log snippet showing the server is blacklisted?

#6 ArcaneMagus (Moderator)


    If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email, and since they come from the same IP as your server, those blacklists will think your email server is sending out these messages.

#7 maumar (Elite Member)


    There are 2 hypotheses:
    1. one of the PCs on your LAN was infected and it is sending out spam
    2. someone has guessed a weak password and, using SASL authenticated access, is abusing your zimbra
    This is very easy to discover:
    here is a zimbra where they have abused the *abuse* account:
    Code:
    grep sasl /var/log/maillog|grep abuse |wc -l
    1107
    all coming from 68.153.206.153
    Code:
    grep sasl /var/log/maillog|grep 68.153.206.153 |wc -l
    1107
    If you do not need MTA SMTP auth, i.e. if you do not have some client that should use your zimbra at home and all your clients are on the local LAN, then uncheck SMTP auth.
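    The grep-and-count check above, and the earlier advice to look through /var/log/zimbra.log for anything unusual, generalised into a small script that tallies SASL-authenticated SMTP sessions per account and per source IP and flags accounts that are either very busy or logging in from outside the LAN. This is an added example, not code from the thread or from Zimbra; the log lines are constructed in Postfix smtpd format (the account name and IP are taken from the post above, the rest is made up), and the "local" prefixes and session threshold are assumptions to adjust for your own network.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log format (not lines from the thread's server).
# "abuse" and 68.153.206.153 come from maumar's post; everything else is made up.
SAMPLE_LOG = """\
Oct  2 08:30:01 mail postfix/smtpd[4120]: 1A2B3C: client=unknown[68.153.206.153], sasl_method=LOGIN, sasl_username=abuse
Oct  2 08:30:02 mail postfix/smtpd[4120]: 1A2B3D: client=unknown[68.153.206.153], sasl_method=LOGIN, sasl_username=abuse
Oct  2 08:30:03 mail postfix/smtpd[4121]: 1A2B3E: client=unknown[68.153.206.153], sasl_method=LOGIN, sasl_username=abuse
Oct  2 08:31:00 mail postfix/smtpd[4122]: 1A2B3F: client=pc1.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=lperez
Oct  2 08:32:00 mail postfix/smtpd[4123]: 1A2B40: client=pc2.lan[192.168.1.21], sasl_method=PLAIN, sasl_username=dlopez
Oct  2 08:33:00 mail postfix/smtpd[4124]: 1A2B41: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=lperez
Oct  2 08:34:00 mail postfix/smtpd[4125]: 1A2B42: client=pc2.lan[192.168.1.21]
"""

# Matches the client=host[ip] ... sasl_username=user fragment of an authenticated session.
SASL_RE = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)")

def sasl_logins(lines):
    """Yield (user, ip) for every smtpd line that carries a SASL authentication."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def summarize(lines):
    """Per account: number of authenticated sessions and a count per source IP."""
    per_user = defaultdict(lambda: {"count": 0, "ips": defaultdict(int)})
    for user, ip in sasl_logins(lines):
        per_user[user]["count"] += 1
        per_user[user]["ips"][ip] += 1
    return per_user

def suspicious(summary, max_sessions=100, local_prefixes=("192.168.", "10.")):
    """Flag accounts over the session threshold or authenticating from outside the LAN.
    Threshold and LAN prefixes are assumptions; tune them for the site being checked."""
    flagged = {}
    for user, info in summary.items():
        external = sorted(ip for ip in info["ips"] if not ip.startswith(local_prefixes))
        if info["count"] > max_sessions or external:
            flagged[user] = {"count": info["count"], "external_ips": external}
    return flagged

if __name__ == "__main__":
    report = suspicious(summarize(SAMPLE_LOG.splitlines()))
    for user, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{user}: {info['count']} sessions, external IPs: {', '.join(info['external_ips'])}")
```

    On a live box, feed it the real file instead of the sample (for example `summarize(open("/var/log/zimbra.log"))`) and watch for one account with hundreds of sessions from a single unfamiliar IP, which is the pattern shown in the grep output above.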

#8 mvalenzuela.cl (Senior Member)


    Originally Posted by veronica:
        Can you show any log snippet showing the server is blacklisted?

    De: Mail Delivery System [mailto:MAILER-DAEMON@mail.sitac.cl]
    Enviado el: Viernes, 02 de Octubre de 2009 8:30
    Para: lperez@sitac.cl
    Asunto: Undelivered Mail Returned to Sender

    This is the mail system at host mail.sitac.cl.

    I'm sorry to have to inform you that your message could not be delivered to
    one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can delete your own
    text from the attached returned message.

    The mail system

    <hlecarosf@ossabulnes.cl>: host mail.ossabulnes.cl[200.29.0.215] said:
    550-X-RBL-Warning: 200.55.221.106 is in the bl.spamcop.net blacklist.
    550
    SpamCop.net - Blocking List ( bl.spamcop.net ) (in reply to RCPT TO command)

    ---------OTHER--------------------
    ----- Mensaje reenviado -----
    De: "Mail Delivery System" <MAILER-DAEMON@mail.sitac.cl>
    Para: dlopez@sitac.cl
    Enviados: Viernes, 2 de Octubre 2009 9:42:37 (GMT-0400) Auto-Detected
    Asunto: Undelivered Mail Returned to Sender

    This is the mail system at host mail.sitac.cl.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    <sws-support@waterloo.water.slb.com>: host
    us1061mta02.mail.slb.com[199.6.139.15] said: 550 5.7.1
    <mail.sitac.cl[200.55.221.106]>: Client host rejected: Your message was
    rejected due to spam filtering. Please see
    SophosLabs IP address classification lookup (in reply to
    RCPT TO command


    Thanks Vero

#9 LMStone (Moderator)


    Originally Posted by ArcaneMagus:
        If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email, and since they come from the same IP as your server, those blacklists will think your email server is sending out these messages.

    Good point! This is why we have our clients use office firewalls that block all outbound port 25 traffic except from the mail server.

    All the best,
    Mark

#10 mvalenzuela.cl (Senior Member)


    Originally Posted by ArcaneMagus:
        If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email, and since they come from the same IP as your server, those blacklists will think your email server is sending out these messages.

    My mail server is in a DMZ!!
