| Welcome to the Zimbra :: Forums! | |
Welcome, if you would like to post a comment please register.
We also encourage you to explore all things Zimbra with our team and members of the community.
|
 | 
01-21-2010, 07:19 AM
| | |  Spam being sent from localhost and strange domain
I've been watching my Mail Queues, and I have 199 messages being sent to random verizon.net addresses which are being blocked with error
"Verizon.net refused to talk to me: 571 email from ........ is currently blocked by verizon online's anti-spam system. the email sender or email service provider may visit........ and request removal of the block."
The messages are all coming from Sender domain of "mail.nu" with an Origin IP of "127.0.0.1" so it seems to be coming from my mail server, but "mail.nu" is not my domain.
I'm 100% sure these messages are spam, so I'm not going to request a whitelist add from Verizon until I get it fixed...how can I figure out how it's using my mail server to send it? Thanks in advance for any help you can give.
Last edited by alapierre; 01-21-2010 at 07:35 AM..
|
01-21-2010, 08:28 PM
| | |
Make sure you are not a open relay :- Email Server Test - Online SMTP diagnostics tool - MxToolbox plus check /var/log/zimbra.log to see exactly where the email came from. You can also check /opt/zimbra/log/audit.log and mailbox.log for potentially compromised accounts.
__________________  |
01-25-2010, 04:14 PM
| | |
The server passed the openrelay tests. In zimbra.log there are a bunch of lines like this... Code: Jan 25 08:33:43 mail postfix/qmgr[23711]: E489BC89567: from=<eBay@mail.nu>, size=8075, nrcpt=50 (queue active)
Jan 25 08:33:43 mail postfix/qmgr[23711]: E02CAC896CA: from=<aw-confirm@mail.nu>, size=8059, nrcpt=50 (queue active)
Jan 25 08:33:43 mail postfix/qmgr[23711]: E661EC89735: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:43 mail postfix/qmgr[23711]: E5735C896B5: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:43 mail postfix/qmgr[23711]: E466CC8974C: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:43 mail postfix/qmgr[23711]: E9065C892F2: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: E8FF2C8977D: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: EACA3C89502: from=<eBay@mail.nu>, size=8064, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 73E67C89257: from=<eBay@mail.nu>, size=8064, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 7F5F1C8964C: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 7274DC8929E: from=<aw-confirm@mail.nu>, size=8059, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 7C786C89694: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 7BE50C8949D: from=<eBay@mail.nu>, size=8075, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 70E68C8960E: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 7E737C8972D: from=<aw-confirm@mail.nu>, size=8055, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 77440C89686: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 71567C896B2: from=<aw-confirm@mail.nu>, size=8055, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 7DBB5C8956A: from=<eBay@mail.nu>, size=8075, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 788D2C89710: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 0D38AC896AF: from=<aw-confirm@mail.nu>, size=8059, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 0DC23C891D4: from=<eBay@mail.nu>, size=8064, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 0E5B9C897A9: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active)
Jan 25 08:33:44 mail postfix/smtp[24813]: connect to lycos.co.uk[209.202.254.14]: Connection refused (port 25)
Jan 25 08:33:44 mail postfix/qmgr[23711]: 0201DC89635: from=<aw-confirm@mail.nu>, size=8061, nrcpt=50 (queue active) I'm not sure how to tell where it is coming from...
The audit.log file seems relatively clean. There were a few authentication fails, but not many. Alot of activity, but from many different users, probably all valid. I'm not sure exactly what to look for. Thanks for your help  |
01-25-2010, 06:02 PM
| | |
It looks like backscatter to me so search the forums for that word.
__________________ |
01-28-2010, 06:13 AM
| | | Same Issue
I have the same issue and can't understand why!
I'm not an open relay.. here's my log Code: Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jstguy@aol.com>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16/1 .8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] ref used to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/4 21dynt1.html)
Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthalman@aol.com >, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.1 6/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/error s/421dynt1.html)
Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jstheduke@aol.com >, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.1 6/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/error s/421dynt1.html)
Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthngin@aol.com> , relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0.16 /1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] r efused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors /421dynt1.html)
Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthomas99@aol.co m>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0. 16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/erro rs/421dynt1.html)
Jan 28 06:58:13 argentina postfix/smtp[26125]: C70C9890E4: to=<jsthompson@aol.co m>, relay=mailin-01.mx.aol.com[205.188.146.193]:25, delay=27398, delays=27396/0. 16/1.8/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[205.188.146.193] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/erro rs/421dynt1.html) |
01-29-2010, 12:25 PM
| | |
nicola if your server is passing the open relay tests, then you probably have a compromised account, or your mta trusted networks are too permissive and an infected machine on your network is using your server to relay messages.
Try forcing a password change for all users and checking your mta trusted networks. |
01-31-2010, 11:50 PM
| | Advanced Member | |
Posts: 193
| |
It seems that your network or system is hitted by backscatter.The same problem I faced few weeks ago. | | Thread Tools | Search this Thread | | | | | Display Modes |  Linear Mode | | Why Join? Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.   |
Bugzilla
Wiki
Source
