#1
Old 04-08-2010, 11:06 AM
Junior Member
 
Posts: 8
[SOLVED] Spam problem

It appears my zimbra mail server is sending out spam to the world.
I have gone into /opt/zimbra/data/postfix/spool/active and run a less on several files and can see the spam. I have not been able to determine where it is being originated from. The Trend Micro anti-virus that is running on my clients is not reporting any problems on clients. The header of the spam e-mail is pointing to 127.0.0.1, the loopback on the Zimbra server. I have looked at the /var/log/zimbra.log but am not sure what it is really telling me. I am not sure where else to look or what else to do. Can someone point me in the right direction to help me (1) identify where the spam is being originated, (2) what to look for and (3) ideas on how to stop it from happening again.

Thanks
GaryC
#2
Old 04-08-2010, 11:23 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Please update your forum profile with the output of the following (do not post it in this thread):

Code:
zmcontrol -v
What's in the log files? What do the headers of some of the spam look like? Does the spam appear to come from a specific one of your accounts? Have you made any modifications to the Zimbra config? Have you checked to see if your server is an open relay (there are dozens of test sites on the internet if you search)? Could it be backscatter (search the forums for the word 'backscatter')?
__________________
Regards


Bill
#3
Old 04-08-2010, 12:21 PM
Moderator
 
Posts: 7,928

We would need to see the headers from one of the emails in the queue. It is possible one of your accounts has been compromised, from a poor password, so please check /opt/zimbra/log/audit.log for entries that may not have originated from your user community.
__________________
#4
Old 04-08-2010, 04:32 PM
Elite Member
 
Posts: 334

Quote:
Originally Posted by GaryC View Post
It appears my zimbra mail server is sending out spam to the world.
I have gone into /opt/zimbra/data/postfix/spool/active and run a less on several files and can see the spam. I have not been able to determine where it is being originated from. The trendmicro anti virus that is running on me client is not reporting any problems on clients. The header of the spam e-mail is pointing to 127.0.0.1, the loopback on the zimbra server.
You may track the email's original sender by looking at the queue (if it still resides in it):

Code:
su - zimbra
mailq
And then check the queue ID, e.g.:
Code:
/opt/zimbra/postfix/sbin/postcat /opt/zimbra/data/postfix/spool/deferred/9/916D97A45C
__________________
Best Regards
---
Masim "Vavai" Sugianto
Vavai Personal Blog
Personal Blog [ID]

Release 7.1.3_GA_3346.SLES11_64_20110930001521 SLES11_64 FOSS edition.
#5
Old 04-12-2010, 09:36 AM
Junior Member
 
Posts: 8
Spam problem

Thanks for the tips.
We have looked at the mailbox.log, the mailq, and reviewed the email from the ../postfix/spool/deferred/F/ files. The postcat is a binary file so could not do anything with it???

We can see that all of our e-mail is being rejected from everywhere but are no closer to solving the problem.

The e-mail address that we are seeing that does not belong to us are from either henrylaudesk@gmail.com or laudedesk@yahoo.com but it is showing up with our server address.

I know that we are blacklisted everywhere and I can request that we be removed from the blacklist but if we can not stop the outgoing spam we will be right back on the blacklist very soon.

Can anyone make a suggestion as to what my next step should be.
It appears that our server has been compromised but I can not determine how.
I do not think that this is being generated from one of my user e-mail accounts.
I think that my server has been hacked.

HELP!!!!!!!!!
#6
Old 04-12-2010, 10:06 AM
Moderator
 
Posts: 7,928

Run the following
Code:
cat /opt/zimbra/log/mailbox.log | sed -n "s/.*btpool.*name=\(.*\);mid=.*;ip=.*;ua=ZimbraWebClient.*/\1/p" | sort | uniq -c
And look for an account that has a value far in excess of other users. It may help you to track down a compromised account.
__________________
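The per-account count above is the core of the triage. As an added example (not from the thread or from Zimbra), here is the same idea as a small Python script over constructed log lines that follow the general name=...;mid=...;ip=...;ua=ZimbraWebClient shape the sed pattern matches: it counts sends per account, flags accounts far above the median, and also reports how many distinct source IPs each account sent from, since one mailbox driven from many addresses is another sign of a stolen password. The line layout and the example addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Same fields the sed pattern keys on, captured with non-greedy groups so a
# name or IP can never swallow the field that follows it.
SEND_RE = re.compile(r"btpool.*?name=([^;]+);mid=[^;]*;ip=([^;]+);ua=ZimbraWebClient")


def _line(name, ip, mid):
    # Constructed log line in the general shape of a mailbox.log send entry;
    # not copied from a real Zimbra server.
    return (f"2010-04-12 09:{mid:02d}:00,000 INFO [btpool0-{mid % 9}] "
            f"[name={name};mid={mid};ip={ip};ua=ZimbraWebClient - FF3.0 (Win);] "
            "smtp - Sending Message")


SAMPLE_LOG = "\n".join(
    [_line("alice@example.com", "10.0.0.5", 1),
     _line("alice@example.com", "10.0.0.5", 2),
     _line("bob@example.com", "10.0.0.9", 3)]
    # One account sending in bulk from eight different outside addresses.
    + [_line("victim@example.com", f"203.0.113.{i % 8}", 10 + i) for i in range(40)]
    + ["2010-04-12 09:59:00,000 INFO [btpool0-1] [name=bob@example.com;] unrelated entry"]
)


def parse_sends(log_text):
    """Return (account, source_ip) for every web-client send in the log."""
    return [m.groups() for m in (SEND_RE.search(l) for l in log_text.splitlines()) if m]


def sends_per_account(sends):
    return Counter(name for name, _ in sends)


def ips_per_account(sends):
    ips = defaultdict(set)
    for name, ip in sends:
        ips[name].add(ip)
    return {name: len(v) for name, v in ips.items()}


def flag_outliers(counts, factor=5):
    """Accounts sending more than `factor` times the median per-account volume."""
    if not counts:
        return []
    typical = median(counts.values())
    return sorted(n for n, c in counts.items() if c > factor * typical)


if __name__ == "__main__":
    sends = parse_sends(SAMPLE_LOG)
    counts = sends_per_account(sends)
    for name in flag_outliers(counts):
        print(f"{name}: {counts[name]} sends from {ips_per_account(sends)[name]} IPs")
```

On a real server, replace SAMPLE_LOG with the contents of /opt/zimbra/log/mailbox.log and adjust SEND_RE if your release's log layout differs.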
#7
Old 04-13-2010, 04:02 PM
Junior Member
 
Posts: 8

Thanks uxbod that helped very much.
We were able to determine that one of our users' username and password were used to access the server and then the spam was sent out using our server as a bot. We have changed everyone's passwords and made them more difficult to crack, and we have changed some security settings to tighten down the server, so hopefully we will not see this problem again.

GaryC