Thread: [SOLVED] Spam problem

  1. #1
    GaryC, Junior Member (Federal Way WA; joined Feb 2009)

    [SOLVED] Spam problem

    It appears my zimbra mail server is sending out spam to the world.
    I have gone into /opt/zimbra/data/postfix/spool/active and run a less on several files and can see the spam. I have not been able to determine where it is being originated from. The Trend Micro anti-virus that is running on my clients is not reporting any problems on the clients. The header of the spam e-mail is pointing to 127.0.0.1, the loopback on the Zimbra server. I have looked at /var/log/zimbra.log but am not sure what it is really telling me. I am not sure where else to look or what else to do. Can someone point me in the right direction to help me (1) identify where the spam is being originated, (2) what to look for and (3) ideas on how to stop it from happening again.

    Thanks
    GaryC

  2. #2
    phoenix, Zimbra Consultant & Moderator (Vannes, France; joined Sep 2005)

    Please update your forum profile with the output of the following (do not post it in this thread):

    Code:
    zmcontrol -v
    What's in the log files? What do the headers of some of the spam look like? Does the spam appear to come from a specific one of your accounts? Have you made any modifications to the Zimbra config? Have you checked to see if your server is an open relay (there are dozens of test sites on the internet if you search)? Could it be backscatter (search the forums for the word 'backscatter')?
    Regards

    Bill

  3. #3
    uxbod, Moderator (UK; joined Nov 2006)

    We would need to see the headers from one of the emails in the queue. It is possible one of your accounts has been compromised, from a poor password, so please check /opt/zimbra/log/audit.log for entries that may not have originated from your user community.

  4. #4
    GaryC, Junior Member (Federal Way WA; joined Feb 2009)

    Spam problem

    Thanks for the tips.
    We have looked at the mailbox.log, the mailq, and reviewed the email from the ../postfix/spool/deferred/F/ files. The postcat is a binary file so we could not do anything with it???

    We can see that all of our e-mail is being rejected from everywhere but are no closer to solving the problem.

    The e-mail addresses that we are seeing that do not belong to us are either henrylaudesk@gmail.com or laudedesk@yahoo.com, but they are showing up with our server address.

    I know that we are blacklisted everywhere and I can request that we be removed from the blacklist but if we can not stop the outgoing spam we will be right back on the blacklist very soon.

    Can anyone make a suggestion as to what my next step should be.
    It appears that our server has been compromised but I can not determine how.
    I do not think that this is being generated from one of my user e-mail accounts.
    I think that my server has been hacked.

    HELP!!!!!!!!!

  5. #5
    uxbod, Moderator (UK; joined Nov 2006)

    Run the following
    Code:
    sed -n "s/.*btpool.*name=\(.*\);mid=.*;ip=.*;ua=ZimbraWebClient.*/\1/p" /opt/zimbra/log/mailbox.log | sort | uniq -c
    And look for an account that has a value far in excess of other users. It may help you to track down a compromised account.
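The following is an added example, not code from this thread or from Zimbra. It does in Python what the sed | sort | uniq -c pipeline in the post above does (count ZimbraWebClient requests per account from mailbox.log) and adds the two checks a practitioner wants next: which source IPs each account came from, and whether a successful login in audit.log followed a burst of failed attempts, which is the audit.log check suggested in post #3. The log line layouts are an approximation of Zimbra 5.x-era mailbox.log and audit.log (the "oip=" and "cmd=Auth; account=" fields are assumed), the 192.0.2.0/24 "internal" range is a placeholder for your own netblocks, the ratio and max_failures thresholds are arbitrary starting points, and every sample log line is constructed for the example.

```python
"""Find a compromised Zimbra account from mailbox.log and audit.log.

Added example, not code from this thread or from Zimbra. It does in Python
what the sed | sort | uniq -c pipeline above does (count ZimbraWebClient
requests per account) and adds the checks a practitioner wants next: which
source IPs each account came from, and whether a login followed a burst of
failed attempts (the audit.log check from post #3). Log line layouts are an
approximation of Zimbra 5.x-era files; all sample lines are constructed.
"""
import ipaddress
import re
import statistics
from collections import defaultdict

# mailbox.log context block, the same fields uxbod's sed expression keys on:
#   [name=user@domain;mid=NN;ip=A.B.C.D;ua=ZimbraWebClient ...;]
MAILBOX_RE = re.compile(r"name=([^;]+);mid=\d+;ip=([^;]+);ua=ZimbraWebClient")

# audit.log Auth record (assumed layout): "oip=" carries the client address,
# "cmd=Auth; account=" the account, and failures carry an "error=" field.
AUDIT_RE = re.compile(r"oip=(?P<ip>[^;]+);.*cmd=Auth; account=(?P<account>[^;]+);")

# Assumption: the site's own address ranges; replace with your real netblocks.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]


def webclient_activity(lines):
    """Per account: number of web client requests and the set of source IPs."""
    activity = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        m = MAILBOX_RE.search(line)
        if m:
            account, ip = m.groups()
            activity[account]["count"] += 1
            activity[account]["ips"].add(ip)
    return dict(activity)


def auth_events(lines):
    """(account, ip, succeeded) for every Auth record in audit.log, in order."""
    return [(m.group("account"), m.group("ip"), "error=" not in line)
            for line in lines for m in [AUDIT_RE.search(line)] if m]


def is_internal(ip, nets=INTERNAL_NETS):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def suspicious_accounts(activity, events, ratio=10, max_failures=5, nets=INTERNAL_NETS):
    """Map account -> reasons. Flags a request volume far above the median
    user, any external source address, and a successful login that follows
    max_failures or more failed attempts (password guessing that got in)."""
    counts = [v["count"] for v in activity.values()]
    typical = statistics.median(counts) if counts else 0
    failures, reasons = defaultdict(int), defaultdict(list)
    for account, ip, ok in events:
        if not ok:
            failures[account] += 1
            continue
        if failures[account] >= max_failures:
            reasons[account].append(f"login from {ip} after {failures[account]} failures")
        failures[account] = 0
    for account, v in activity.items():
        if typical and v["count"] > ratio * typical:
            reasons[account].append(f"{v['count']} requests vs median {typical:g}")
        external = sorted(ip for ip in v["ips"] if not is_internal(ip, nets))
        if external:
            reasons[account].append("external IP(s) " + ", ".join(external))
    return dict(reasons)


# --- constructed sample logs: two normal users and one guessed password ---
def _mailbox_line(account, ip, n):
    return (f"2009-02-18 09:{n % 60:02d}:11,204 INFO  [btpool0-{n}] "
            f"[name={account};mid=7;ip={ip};ua=ZimbraWebClient - FF3.0 (Win)/5.0.11_GA_2695;] "
            "SoapEngine - handler exception")


def _audit_line(account, ip, n, failed):
    err = f" error=authentication failed for {account}" if failed else ""
    return (f"2009-02-18 08:40:{n:02d},000 INFO  [btpool0-9] [oip={ip};ua=curl;] "
            f"security - cmd=Auth; account={account}; protocol=soap;{err}")


SAMPLE_MAILBOX_LOG = ([_mailbox_line("alice@example.com", "192.0.2.10", n) for n in range(3)]
                      + [_mailbox_line("bob@example.com", "192.0.2.11", n) for n in range(2)]
                      + [_mailbox_line("carol@example.com", "198.51.100.77", n) for n in range(60)])

SAMPLE_AUDIT_LOG = ([_audit_line("carol@example.com", "198.51.100.77", n, True) for n in range(6)]
                    + [_audit_line("carol@example.com", "198.51.100.77", 7, False),
                       _audit_line("alice@example.com", "192.0.2.10", 8, False)])


if __name__ == "__main__":
    activity = webclient_activity(SAMPLE_MAILBOX_LOG)
    for account, why in suspicious_accounts(activity, auth_events(SAMPLE_AUDIT_LOG)).items():
        print(account, "->", "; ".join(why))
```

On the sample data only carol@example.com is flagged, for all three reasons: sixty requests against a median of three, an address outside the internal ranges, and a successful login right after six failures. The volume check alone is what the sed pipeline gives you; the address and failed-login checks are what tell a busy legitimate user apart from a stolen password, and they are cheap to run over the real files with open("/opt/zimbra/log/mailbox.log") and open("/opt/zimbra/log/audit.log") in place of the sample lists.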

  6. #6
    GaryC, Junior Member (Federal Way WA; joined Feb 2009)

    Thanks uxbod that helped very much.
    We were able to determine that one of our users' username and password were used to access the server and then the spam was sent out using our server as a bot. We have changed everyone's passwords and made them more difficult to crack, and we have changed some security settings to tighten down the server, so hopefully we will not see this problem again.

    GaryC
