
Thread: [SOLVED] My zimbra server is under spamming attack.

  1. #1
    ght
    ght is offline Member
    Join Date
    Dec 2008
    Posts
    11
    Rep Power
    6

    [SOLVED] My zimbra server is under spamming attack.

    I think my server is under an attack like the one mentioned below:
    How can I prevent my server from crashing in a DOS attack??

    There are about 400,000 mails in the queue and the mail server cannot handle such a huge number of mails; it is so slow, and even local mails don't work.

    How can I ban domains like msa.hinet.net, yahoo.com.tw, etc.?

    I entered the Zimbra administration website on port 7071 and went to the mail queue page, but I cannot delete that huge amount of mail with the web interface, and it tells me:

    Server error encountered Message: system failure: exception occurred performing queue action Error code: service.FAILURE Method: MailQueueActionRequest Details:soap:Receiver

    Please help me, I don't know how I can get back to the normal state.

  2. #2
    n.bochev is offline Active Member
    Join Date
    Aug 2009
    Location
    Bulgaria
    Posts
    25
    Rep Power
    5

    Log into the zimbra server as root and do:

    cd /opt/zimbra/postfix/sbin
    ./postsuper -d ALL

    That should do the trick deleting all emails in the queue.

  3. #3
    uxbod's Avatar
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Remember that will delete everything, including valid emails that are still in the queue.

    Do you have a secondary MX? If so you could block access to port 25 externally, which will give you time to clear the queue and work on how to stop this from happening again.

    By any chance are you using catch-all accounts? Or are these emails targeted at valid addresses? What RBLs do you have in place at the moment?
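
The `postsuper -d ALL` command from post #2 empties the whole queue, valid mail included, as post #3 points out. The shell functions below are an added example, not part of the thread: they tally a queue listing by envelope-sender domain and pull out only the queue IDs sent from chosen domains. The sample listing is constructed, and the use of `postqueue -p` next to the thread's `postsuper` is an assumption about this installation.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output (queue IDs and addresses are made up).
sample_queue() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1F04C0012     2310 Mon Oct 12 09:14:02  xk21@msa.hinet.net
                                         info@example.com

3A1F04C0013*    2298 Mon Oct 12 09:14:03  pq77@yahoo.com.tw
                                         sales@example.com

3A1F04C0014     1874 Mon Oct 12 09:15:40  alice@example.com
(connect to mx.example.org[192.0.2.25]:25: Connection timed out)
                                         bob@example.org

3A1F04C0015!    2305 Mon Oct 12 09:15:41  zz09@msa.hinet.net
                                         info@example.com

-- 9 Kbytes in 4 Requests.
EOF
}

# stdin: postqueue -p output. Prints "count domain" per envelope-sender domain,
# largest first, so you can see what dominates the queue before deleting.
sender_domain_counts() {
    sed 1d | awk 'BEGIN { RS = "" }
        $7 ~ /@/ { s = tolower($7); sub(/.*@/, "", s); c[s]++ }
        END { for (d in c) print c[d], d }' | sort -k1,1nr -k2,2
}

# stdin: postqueue -p output; args: sender domains to match exactly.
# Prints the matching queue IDs, one per line, without the */! status marker.
queue_ids_from() {
    sed 1d | awk -v wanted="$*" '
        BEGIN { RS = ""; n = split(tolower(wanted), dom, " ") }
        $7 ~ /@/ {
            id = $1; sub(/[*!]$/, "", id)
            s = tolower($7); sub(/.*@/, "", s)
            for (i = 1; i <= n; i++) if (s == dom[i]) { print id; next }
        }'
}

# On the server (assumed usage, run from the directory given in post #2):
#   ./postqueue -p | queue_ids_from msa.hinet.net yahoo.com.tw | ./postsuper -d -
sample_queue | sender_domain_counts
```

`postsuper -d -` reads the queue IDs to delete from standard input, so mail from other senders stays queued.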

  4. #4
    ght
    ght is offline Member
    Join Date
    Dec 2008
    Posts
    11
    Rep Power
    6

    I've deleted all mails in the queue. It is working now, but there are some problems in the web-based interface: I cannot modify my domain and change the status of one of my domains from Maintenance to Active (how can I do this from the command line?).
    It is bad to say, but I do not have any RBLs now; how can I run them?
    Please give me straightforward directions so as not to let them attack me anymore.
    It seems there is a problem in my firewall too, because it puts its own IP as the source IP of traffic that comes from anywhere (it is a FortiGate 300A, and maybe I should ask them how to prevent this habit).
    But for now, please give me directions about RBLs and activating the domain via the command line.
    Thank you very much

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,504
    Rep Power
    57

    Improving Anti-spam system - Zimbra :: Wiki
    Search the forums for adding RBLs and using zmprov to change from maintenance mode.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  6. #6
    ght
    ght is offline Member
    Join Date
    Dec 2008
    Posts
    11
    Rep Power
    6

    I've searched but I did not find anything useful for activating a domain. I have three domains on my mail server; two of them are reachable through the web-based interface for changing status, but the third and most important domain, after one minute, gives me this error:

    Code:
    Server error encountered Error code: BAD_JSON_RESPONSE Method: SearchDirectoryRequest
    I found this post and it does not work for me either (even for an individual account).

    Maintenance mode for all Accounts

    If I delete the domain with zmprov and add it again, will all mails be deleted? Is there any way to activate it in a config file, etc.?

    P.S.: I searched in Zimbra (zimbraAccountStatus=*active*) and found that all accounts in the domain I mentioned are Active, but when I want to log in with them, I get this error: This account is currently in maintenance mode.
    I think there is a difference between maintenance mode of a domain and maintenance mode of an account, is that right?
    Then how can I change the mode for a domain from the command line? I didn't find any useful command for this on this page:
    Managing Domains - Zimbra :: Wiki

    FYI: my server is Ubuntu 8.04 and the Zimbra release is 5.0.10_GA_2609.UBUNTU8 UBUNTU8 FOSS edition.
    Last edited by ght; 10-12-2009 at 03:51 PM.

  7. #7
    raj's Avatar
    raj
    raj is offline Moderator
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    10


    Did you try the following:

    su - zimbra
    zmprov md yourdomain.com zimbraDomainStatus active
    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  8. #8
    ght
    ght is offline Member
    Join Date
    Dec 2008
    Posts
    11
    Rep Power
    6

    Wow, thanks, that works.
    I've checked my mail server with this link and it told me that my server is an open relay.

    Is there any way to restrict it from open relaying? Is that spamming attack because of being an open relay?

    I've added the servers of my network to the mynetworks option of postfix; is that enough?

  9. #9
    raj's Avatar
    raj
    raj is offline Moderator
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    10

    Zimbra by default is NOT an open relay. You must have done something which is making it an "open relay".
    Can you please explain what you have done?

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  10. #10
    ght
    ght is offline Member
    Join Date
    Dec 2008
    Posts
    11
    Rep Power
    6

    I didn't do anything before the attack (just installed it and was happy with it), but one day I saw there were about 400,000 mails in the queue from a Taiwanese website. I saw it in the web-based interface.
    I have not enabled the anti-spam engine either, but maybe it was because of trusted hosts. I added a range of IPs from my server zone, which my firewall was in too. I saw that the source IP of many mails is the firewall's. I think it replaces the main source with its own IP and that causes problems. What do you think?
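
One way to check the theory in post #10, as an added example that is not part of the thread: if the firewall rewrites source addresses and its own address sits inside Postfix's `mynetworks`, outside senders arrive looking like trusted hosts. The function below reports which connecting client addresses fall inside `mynetworks` and what share of all connections they make; the log lines and addresses are constructed, the log path is an assumption, and only IPv4 is handled.

```shell
#!/bin/sh
# Constructed sample of Postfix smtpd log lines (hosts and addresses are made up).
sample_log() {
cat <<'EOF'
Oct 12 09:14:01 mail postfix/smtpd[4120]: connect from unknown[10.1.1.1]
Oct 12 09:14:01 mail postfix/smtpd[4121]: connect from unknown[10.1.1.1]
Oct 12 09:14:02 mail postfix/smtpd[4120]: disconnect from unknown[10.1.1.1]
Oct 12 09:14:03 mail postfix/smtpd[4122]: connect from pc20.example.com[10.1.1.20]
Oct 12 09:14:04 mail postfix/smtpd[4123]: connect from unknown[10.1.1.1]
Oct 12 09:14:05 mail postfix/smtpd[4124]: connect from mx.example.net[203.0.113.7]
EOF
}

# stdin: mail log; $1: mynetworks value (IPv4 CIDRs, space or comma separated).
# Prints "connections percent-of-all client-ip" for every client address that
# falls inside mynetworks, busiest first. IPv6 and table entries are skipped.
trusted_client_share() {
    awk -v nets="$1" '
        function ip2n(ip,  o) {
            split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function trusted(ip,  i, p, size) {
            if (ip ~ /:/) return 0
            for (i = 1; i <= nn; i++) {
                if (net[i] ~ /:/) continue
                split(net[i], p, "/")
                size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))
                if (int(ip2n(ip) / size) == int(ip2n(p[1]) / size)) return 1
            }
            return 0
        }
        BEGIN { gsub(/,/, " ", nets); nn = split(nets, net, " ") }
        /postfix\/smtpd\[[0-9]+\]: connect from / {
            ip = $NF; sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
            total++; seen[ip]++
        }
        END {
            for (ip in seen) if (trusted(ip))
                printf "%d %d %s\n", seen[ip], seen[ip] * 100 / total, ip
        }' | sort -k1,1nr -k3,3
}

# On the server (log path is an assumption):
#   trusted_client_share "$(postconf -h mynetworks)" < /var/log/zimbra.log
sample_log | trusted_client_share "127.0.0.0/8, 10.1.1.0/24"
```

A gateway address that is both inside `mynetworks` and the source of most connections is the combination to look for; narrowing `mynetworks` to the hosts that really need to relay removes it.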
