[SOLVED] Spam email sent out by our email server

#1
Old 03-01-2010, 07:46 AM

We are running Zimbra 6.01 OSE. Since yesterday we have had huge amounts of outbound email sent by info@ups.com to bogus email accounts at Yahoo, Gmail and Hotmail. We have subsequently been blacklisted by these companies.

I have checked that the server is not a relay server as it has successfully passed the relay tests done by popular sites. I keep on deleting the emails in the queues on active and deferred, but they keep on adding up more and more. Is there any way for me to know how the spammer does this and to stop this from happening? Please help as this is causing us to be blacklisted everywhere.


Thank you.
Hennie

See below the header of one of the spam emails:

Return-Path: info@ups.com
Received: from zmail01.ourdomain.com (LHLO
zmail01.ourdomain.com) (10.0.0.18) by zmail01.ourdomain.com
with LMTP; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by zmail01.ourdomain.com (Postfix) with ESMTP id 1E6A82FDE16C
for <xxxx@ourdomain.com>; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
X-Virus-Scanned: amavisd-new at zmail01.ourdomain.com
X-Spam-Flag: YES
X-Spam-Score: 11.369
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.369 tagged_above=-10 required=6.6
tests=[ADVANCE_FEE_2=1.234, ADVANCE_FEE_3=1.432, ALL_TRUSTED=-1.8,
AWL=-0.121, BAYES_99=3.5, FH_DATE_PAST_20XX=3.188,
FORGED_MUA_OUTLOOK=3.116, MSOE_MID_WRONG_CASE=0.82] autolearn=no
Received: from zmail01.ourdomain.com ([127.0.0.1])
by localhost (zmail01.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ThUpEvun+3qL; Mon, 1 Mar 2010 14:47:41 +0200 (SAST)
Received: from User (unknown [195.245.108.36])
by zmail01.ourdomain.com (Postfix) with ESMTPA id 610E72FDE05A;
Mon, 1 Mar 2010 14:45:47 +0200 (SAST)
Reply-To: <ups.agent.ng1@gmail.com>
From: "UPS COURIER SERVICES."<info@ups.com>
Subject: Confirm Your Parcel With Us ASAP.
Date: Mon, 1 Mar 2010 12:50:18 -0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20100301124550.610E72FDE05A@zmail01.ourdomain.com>
To: undisclosed-recipients:;

Subject: Confirm Your Parcel With Us ASAP.
From: Universal Parcel Service <info@ups.com.ng>

#2
Old 03-01-2010, 08:05 AM

Welcome to the forums

Check /opt/zimbra/log/audit.log and look for erroneous activity. I would imagine that one of your accounts may have been compromised due to poor password complexity.

#3
Old 03-01-2010, 08:06 AM

Quote:
Originally Posted by Hennie
FH_DATE_PAST_20XX=3.188
On a side note, you should also fix that problem: [SOLVED] FH_DATE_PAST_20XX - Spamassassin bug - incorrect tagging from Jan 1, 2010 on

#4
Old 03-01-2010, 10:21 AM

Check other system logs.

Who was using IP 195.245.109.36 at 14:45:47?

Code:
Received: from User (unknown [195.245.108.36])
by zmail01.ourdomain.com (Postfix) with ESMTPA id 610E72FDE05A;
Mon, 1 Mar 2010 14:45:47 +0200 (SAST)
That is your problem machine/user.

I'd hazard a guess that 192.245.109.* is in your "mynetworks".

Last edited by jrefl5; 03-01-2010 at 10:23 AM. Reason: added mynetworks comment
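Reading the Received: chain the way this post does, as an added example that is not code from the thread or from Zimbra: it parses the header block posted above, walks the hops from oldest to newest and reports the first hop that did not originate on the server itself, together with the "with" keyword of that hop. ESMTPA (RFC 3848) means the client passed SMTP AUTH, so a hop like this one says the message was submitted with a valid password, not through an open relay and not via mynetworks (a mynetworks client would show plain ESMTP). The server's own address 10.0.0.18, and the re-indentation of the folded header lines (the forum stripped the leading whitespace), are assumptions.

```python
import email
import ipaddress
import re
from typing import Optional

# Constructed sample: the header block posted in the thread, with continuation
# lines re-indented (RFC 5322 folding) so the email parser joins them again.
SAMPLE_HEADERS = """\
Return-Path: info@ups.com
Received: from zmail01.ourdomain.com (LHLO
  zmail01.ourdomain.com) (10.0.0.18) by zmail01.ourdomain.com
  with LMTP; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
Received: from localhost (localhost.localdomain [127.0.0.1])
  by zmail01.ourdomain.com (Postfix) with ESMTP id 1E6A82FDE16C
  for <xxxx@ourdomain.com>; Mon, 1 Mar 2010 14:47:42 +0200 (SAST)
Received: from zmail01.ourdomain.com ([127.0.0.1])
  by localhost (zmail01.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id ThUpEvun+3qL; Mon, 1 Mar 2010 14:47:41 +0200 (SAST)
Received: from User (unknown [195.245.108.36])
  by zmail01.ourdomain.com (Postfix) with ESMTPA id 610E72FDE05A;
  Mon, 1 Mar 2010 14:45:47 +0200 (SAST)
Reply-To: <ups.agent.ng1@gmail.com>
From: "UPS COURIER SERVICES."<info@ups.com>
Subject: Confirm Your Parcel With Us ASAP.
To: undisclosed-recipients:;

"""

# RFC 3848 "with" keywords that mean the client passed SMTP AUTH on this hop.
AUTHENTICATED_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

# One Received: clause: "from <helo> (<rdns> [<ip>]) by <host> ... with <proto>".
# The "(<rdns> [<ip>])" part is optional because not every MTA writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?\bwith\s+(?P<proto>[A-Za-z]+)",
    re.IGNORECASE,
)


def parse_received(raw_headers: str) -> list:
    """Return one dict per Received: header, newest first (the order they appear)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold the header
        m = RECEIVED_RE.search(flat)
        if m is None:
            continue
        proto = m["proto"].upper()
        hops.append({
            "helo": m["helo"],          # name the client announced (here just "User")
            "rdns": m["rdns"],          # reverse DNS as seen by the MTA ("unknown" = none)
            "ip": m["ip"],
            "by": m["by"],
            "proto": proto,
            "authenticated": proto in AUTHENTICATED_PROTOCOLS,
            "raw": flat,
        })
    return hops


def injection_point(raw_headers: str, own_addresses=("10.0.0.18",)) -> Optional[dict]:
    """Walk the hops oldest-first and return the first one whose client was not this
    server itself: that is where the message entered the MTA. own_addresses is an
    assumption: the server's own non-loopback addresses. Only the hops stamped by
    your own server are trustworthy; anything older could be forged by the sender."""
    for hop in reversed(parse_received(raw_headers)):
        ip = hop["ip"]
        if ip is None or ip in own_addresses:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            continue
        return hop
    return None


if __name__ == "__main__":
    hop = injection_point(SAMPLE_HEADERS)
    print(hop["ip"], hop["rdns"], hop["proto"],
          "authenticated submission" if hop["authenticated"] else "unauthenticated")
```

On the posted header this stops at the `with ESMTPA` hop from 195.245.108.36, which is the address to look for in mail.log; the three hops above it are the server handing the message to amavisd-new and back and then to the mailbox over LMTP.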

#5
Old 03-01-2010, 12:34 PM

Quote:
Originally Posted by uxbod
Welcome to the forums

Check /opt/zimbra/log/audit.log and look for erroneous activity. I would imagine that one of your accounts may have been compromised due to poor password complexity.
Hi Uxbod, thank you for the advice. I have checked the audit.log files and could not find anything "strange". Could you perhaps explain how I could see which account has been compromised? It seems like mail gets sent randomly from 10.0.0.18, which is the internal IP of the mail server.

I have also checked auth.log, but cannot see 195.245.108.36 anywhere. I would really appreciate your help here.

#6
Old 03-01-2010, 12:44 PM
raj

Post the output of the following command:

Code:
su - zimbra
zmprov gs `zmhostname` | grep zimbraMtaMyNetworks
It will show your mynetworks.

Raj

#7
Old 03-01-2010, 12:47 PM

Check your network's DHCP server for the 192.245.109.36 address and where it was assigned.

You need to trace back to the source PC.

#8
Old 03-01-2010, 02:01 PM

Hi All,

I have seen many of the following entries in the mail.log file:
client=unknown[196.245.109.36], sasl_method=LOGIN, sasl_username=spam

Could it be that the spam account has been compromised? If so, can I just change the password of the spam account?

#9
Old 03-01-2010, 04:03 PM
raj

Change the password for the SPAM user ASAP, and if your password was the same for other accounts, change those too.
This is a very common problem: simple passwords are guessed by spammers, and then they can SMTP AUTH using your server and RELAY unlimited mail.

sasl_username=spam --> means the spammer is using this account, authenticating with your password.

Raj
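As an added example that is not code from the thread or from Zimbra, the same check run over mail.log instead of one header: it groups Postfix smtpd `client=` lines by sasl_username, records which authentications came from outside mynetworks, counts failed SASL logins per source IP (the password-guessing that precedes a compromise like this one), and separately counts unauthenticated clients that were accepted because they sit inside mynetworks, which is what the entries would look like if the range guessed at in post #4 really were trusted. The log lines beyond the one quoted in post #8, and the MYNETWORKS value (take the real one from the zmprov command in post #6), are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample mail.log lines in Postfix smtpd format; the first one carries
# the entry reported in the thread, the rest are made up to show the contrast.
SAMPLE_LOG = """\
Mar  1 14:45:47 zmail01 postfix/smtpd[4211]: 610E72FDE05A: client=unknown[195.245.108.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:45:49 zmail01 postfix/smtpd[4211]: 7A1B22FDE05B: client=unknown[195.245.108.36], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:46:02 zmail01 postfix/smtpd[4213]: 8C2D32FDE05C: client=unknown[77.12.4.9], sasl_method=LOGIN, sasl_username=spam
Mar  1 14:46:10 zmail01 postfix/smtpd[4215]: 9D3E42FDE05D: client=pc12.ourdomain.com[10.0.0.112], sasl_method=PLAIN, sasl_username=hennie
Mar  1 14:46:12 zmail01 postfix/smtpd[4216]: AE4F52FDE05E: client=pc12.ourdomain.com[10.0.0.112]
Mar  1 14:46:30 zmail01 postfix/smtpd[4211]: warning: unknown[195.245.108.36]: SASL LOGIN authentication failed: authentication failure
Mar  1 14:46:31 zmail01 postfix/smtpd[4211]: warning: unknown[195.245.108.36]: SASL LOGIN authentication failed: authentication failure
Mar  1 14:47:05 zmail01 postfix/qmgr[3990]: 610E72FDE05A: from=<info@ups.com>, size=1432, nrcpt=40 (queue active)
"""

# Assumption: the trusted networks, i.e. the value of zimbraMtaMyNetworks / Postfix
# mynetworks. Clients inside these ranges may relay without authenticating.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/24"]

# "<queue id>: client=<host>[<ip>]" optionally followed by the SASL fields.
CLIENT_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)
# Postfix's failed-login warning, one per attempt.
AUTHFAIL_RE = re.compile(
    r"warning: (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed"
)


def in_mynetworks(ip, networks=MYNETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def summarize(log_text, networks=MYNETWORKS):
    """Aggregate per-account submissions, mynetworks relays and SASL failures."""
    accounts = defaultdict(lambda: {"messages": 0, "ips": set(), "external_ips": set(), "methods": set()})
    unauth_relay = defaultdict(int)  # unauthenticated clients accepted because they are in mynetworks
    failures = defaultdict(int)      # failed SASL logins per client IP (brute-force indicator)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            if m["user"]:
                acct = accounts[m["user"]]
                acct["messages"] += 1
                acct["ips"].add(m["ip"])
                acct["methods"].add(m["method"])
                if not in_mynetworks(m["ip"], networks):
                    acct["external_ips"].add(m["ip"])
            elif in_mynetworks(m["ip"], networks):
                unauth_relay[m["ip"]] += 1
            continue
        f = AUTHFAIL_RE.search(line)
        if f:
            failures[f["ip"]] += 1
    return {"accounts": dict(accounts), "unauth_relay": dict(unauth_relay), "failures": dict(failures)}


def suspicious_accounts(summary, max_external_ips=0):
    """Accounts that authenticated from more than max_external_ips addresses outside
    mynetworks, busiest first. If nobody legitimately submits mail from outside the
    LAN, max_external_ips=0 flags any external SMTP AUTH at all."""
    hits = [(user, acct) for user, acct in summary["accounts"].items()
            if len(acct["external_ips"]) > max_external_ips]
    hits.sort(key=lambda item: item[1]["messages"], reverse=True)
    return [user for user, _ in hits]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user in suspicious_accounts(report):
        acct = report["accounts"][user]
        print(f"{user}: {acct['messages']} messages from outside mynetworks via {sorted(acct['external_ips'])}")
    for ip, n in report["failures"].items():
        print(f"{ip}: {n} failed SASL logins")
```

On the sample this singles out `spam` (three submissions from two foreign addresses, one of which also racked up failed logins) and leaves `hennie` alone, because that account only ever authenticated from inside 10.0.0.0/24. Adding the attacker's range to mynetworks, as post #4 suspects, moves those clients out of the external set, so check the real zimbraMtaMyNetworks value before trusting the output. Run it against the whole of /opt/zimbra/log/mail.log (and the rotated copies) for the day the queue filled up.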

#10
Old 03-02-2010, 05:14 AM

All of the suggestions above are great, but we would also recommend scanning all local workstations and the mail server with Spybot Search & Destroy, Ad-Aware and Malwarebytes Anti-Malware; these are all free from Cnet Downloads (download.cnet.com). This group of software is specifically designed to find virus/trojan activity that your typical anti-virus program misses.

Also if you are listed on any Blacklists we would recommend finding the source of the spam before you try to remove yourself. If you attempt to remove yourself before the issue is resolved Blacklists may re-list you and each time you delist it is more difficult to actually get removed. To check if you are Blacklisted, we would recommend using our Blacklist Tool.

Please let us know if you have any other problems and we will be glad to assist.

Thank you,
@MxToolBox