Spam relay via Zimbra

[mzcktyler]

Hi, since nearly one month, my zcs server send a lot of mail from yahoo.de hotmail.de to others hotmail or yahoo mail address.
Last day there were nearly 5000 mails queued.

Here is the log

an 24 08:55:49 ******34 postfix/smtpd[10993]: connect from mail.pca.com[208.179.88.50]
Jan 24 08:55:50 ******34 postfix/smtpd[10993]: lost connection after EHLO from mail.pca.com[208.179.88.50]
Jan 24 08:55:50 ******34 postfix/smtpd[10993]: disconnect from mail.pca.com[208.179.88.50]
Jan 24 08:55:50 ******34 postfix/smtpd[15781]: connect from mail.pca.com[208.179.88.50]
Jan 24 08:55:50 ******34 postfix/smtpd[11002]: lost connection after EHLO from host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82]
Jan 24 08:55:50 ******34 postfix/smtpd[11002]: disconnect from host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82]
Jan 24 08:55:51 ******34 postfix/smtpd[15781]: setting up TLS connection from mail.pca.com[208.179.88.50]
Jan 24 08:55:51 ******34 postfix/smtpd[15781]: Anonymous TLS connection established from mail.pca.com[208.179.88.50]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 24 08:55:52 ******34 postfix/smtpd[10993]: connect from host82-159-static.184-82-b.business.telecomitalia.it[82.184.159.82]
Jan 24 08:55:52 ******34 postfix/smtpd[15781]: 96C8FD1802A: client=mail.pca.com[208.179.88.50], sasl_method=PLAIN, sasl_username=test
Jan 24 08:55:53 ******34 postfix/cleanup[14255]: 96C8FD1802A: message-id=<20100124075552.96C8FD1802A@******34.com>
Jan 24 08:55:53 ******34 postfix/qmgr[5957]: 96C8FD1802A: from=<webbanke102r@cua.com.au>, size=2685, nrcpt=1 (queue active)
Jan 24 08:55:53 ******34 postfix/smtpd[15781]: disconnect from mail.pca.com[208.179.88.50]
Jan 24 08:55:53 ******34 postfix/smtpd[5765]: connect from localhost.localdomain[127.0.0.1]
Jan 24 08:55:53 ******34 postfix/smtpd[5765]: 6B25ED1802E: client=localhost.localdomain[127.0.0.1]
Jan 24 08:55:53 ******34 postfix/cleanup[14255]: 6B25ED1802E: message-id=<20100124075552.96C8FD1802A@******34.com>
Jan 24 08:55:53 ******34 postfix/qmgr[5957]: 6B25ED1802E: from=<webbanke102r@cua.com.au>, size=3141, nrcpt=1 (queue active)
Jan 24 08:55:53 ******34 postfix/smtp[18494]: 96C8FD1802A: to=<goldfinger737@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.73/0/0/0.35, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=08364-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6B25ED1802E)
Jan 24 08:55:53 ******34 postfix/qmgr[5957]: 96C8FD1802A: removed
Jan 24 08:55:53 ******34 postfix/smtpd[5765]: disconnect from localhost.localdomain[127.0.0.1]
Jan 24 08:55:53 ******34 postfix/smtp[16854]: 6B25ED1802E: to=<goldfinger737@hotmail.com>, relay=smtp.free.fr[212.27.48.4]:25, delay=0.1, delays=0.01/0.01/0.07/0, dsn=4.7.0, status=deferred (host smtp.free.fr[212.27.48.4] refused to talk to me: 421 4.7.0 smtp3-g21.free.fr Error: too many connections from 78.***.***.***)

Please help me i'm forced to delete mails manually...

[uxbod]

Welcome to the forums

Please check Email Server Test - Online SMTP diagnostics tool - MxToolbox to see whether you are a open relay or not.

[mzcktyler]

Thanks,

But my server is not an open spam relay...
Do you know what else can do this ?

[uxbod]

One of your accounts may have been compromised. Are you running Apache on your ZCS server aswell ?

[mzcktyler]

Hi, thanks, I deleted a "test" account with a simple password, I hope it is this... I'll see.
But I'haven't an apache server running, why this question ?

[mintra]

Hi

I have a Zimbra server verion 5.0.6 on Centos.

This has been working well for some years, however I am getting thousands of spam mails sent through the system these state they come from one hotmail.com account and in the mail.log it said the mail was from 127.0.0.1.

How can I find which compromised mail account or of the listed IP ranges the compromise is coming from.

Currently I run a script to constantly delete anything from the mail queue contating that email address but this is not the answer

I have tested and it does not appear to be an open relay

Thanks

[uxbod]

If you check the headers of one of the emails and look at X-Originating-IP you should then be able to scan /opt/zimbra/log/audit.log to see which account that IP accessed.

[mintra]

Hi this is still a big problem for me. I am not sure how to look at the mail headers postqueue -p gives some information about deffered mail.

Am I meant to get the ID for the mail from postqueue -p then look in the
/opt/zimbra/data/postfix/spool/deffer folder

Whikst I can find more info in here I can not see X-Originating-IP in any of these.

Where should I be looking?

[phoenix]

Quote:

Originally Posted by mintra

Hi this is still a big problem for me. I am not sure how to look at the mail headers postqueue -p gives some information about deffered mail.

Am I meant to get the ID for the mail from postqueue -p then look in the
/opt/zimbra/data/postfix/spool/deffer folder

Whikst I can find more info in here I can not see X-Originating-IP in any of these.

Where should I be looking?

You can also look in your daily mail report and see who is sending the greatest number of emails.

[uxbod]

Quote:

Originally Posted by mintra

Hi this is still a big problem for me. I am not sure how to look at the mail headers postqueue -p gives some information about deffered mail.

Am I meant to get the ID for the mail from postqueue -p then look in the
/opt/zimbra/data/postfix/spool/deffer folder

Whikst I can find more info in here I can not see X-Originating-IP in any of these.

Where should I be looking?

So post the headers from one of those deferred emails so we may take a look.