Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1
04-12-2010, 07:24 AM
Elite Member, Posts: 440
Need urgent help on spamming issue

Hi Guys,

We are facing a very serious issue ... we have the example.com domain and
multiple <invalid>@example.com email IDs are using our mail server to send mails to other valid / invalid email IDs .....

Our mail server is behind a firewall and is not an open relay ....

Right now more than 30000 mails are in the queue and our customers' mails have been getting stuck in the MTA for more than 2 hours ....

So here someone is using a valid domain name with an invalid local part (left side of @) and sending mail through our server .....


Please suggest and help .....
#2
04-12-2010, 08:20 AM
Moderator, Posts: 7,928

Check /opt/zimbra/log/mailbox.log and look for an IP address you do not know; you may have an account that has been compromised.
#3
04-12-2010, 08:42 AM
Elite Member, Posts: 440

Hi Uxbod ... thanks for your reply ..

Our customer domain which got used to send SPAM is example.com ..

All users of this domain are internet users, so every time the IP is changing .. I suspect one of the IDs has kept changing IP for the last 2 days .. I put that account in Maintenance mode ..

But the main issue is I am getting requests from DIFFERENT public IPs .. (which belong to different countries) and they are using example.com as the domain but a non-existent email ID, and the recipient is also invalid ..... and all these are getting stuck in my MTA ....

I couldn't understand the logic behind it ... how can they use our mail server like this ... what kind of sender restriction can I put ... or where should I check ...

Thanks
#4
04-12-2010, 08:48 AM
Moderator, Posts: 7,928

Are you sure they are being sent from your server, and you are actually seeing backscatter?
#5
04-12-2010, 09:05 AM
Elite Member, Posts: 440

Yes I am sure ... just have a look at the logs:
everything is getting stuck in the MTA ....

Code:
pr 12 21:24:03 mail postfix/qmgr[22523]: 77A47133219A: from=<bftantamount@example.com>, status=expired, returned to sender
Apr 12 21:24:03 mail postfix/qmgr[22523]: 73FAC13392E6: from=<vqboarder@example.com>, status=expired, returned to sender
Apr 12 21:24:03 mail postfix/qmgr[22523]: 7239813322D0: from=<pporacle@example.com>, size=1464, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/qmgr[22523]: CCD5E1332EB1: from=<mglsatanic@example.com>, size=980, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/qmgr[22523]: 7FF1C133923A: from=<vieaglassware@example.com>, size=1491, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/qmgr[22523]: 7076D133BB84: from=<sueofalls@example.com>, size=1457, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/error[424]: B591ED4F46: to=<upcoutclass@example.com>, relay=none, delay=473, delays=473/0.01/0/0.01, dsn=5.0.0, status=bounced (example.com)
Apr 12 21:24:03 mail postfix/qmgr[22523]: CD442D54EF: from=<exoverdo@example.com>, size=1448, nrcpt=1 (queue active)
Apr 12 21:24:03 mail amavis[6316]: (06316-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20100412T212226-06316: <mglsatanic@example.com> -> <Richard-aka-tricky@hotmail.co.uk> SIZE=980 Received: from example.com ([127.0.0.1]) by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <Richard-aka-tricky@hotmail.co.uk>; Mon, 12 Apr 2010 21:24:03 +0530 (IST)
Apr 12 21:24:03 mail postfix/error[874]: 99658D6708: to=<kiftatting@example.com>, relay=none, delay=10633, delays=10633/0.01/0/0, dsn=5.0.0, status=bounced (example.com)
Apr 12 21:24:06 mail amavis[6316]: (06316-02) Checking: Kl0F88qPmKx2 [190.255.169.238] <mglsatanic@example.com> -> <Richard-aka-tricky@hotmail.co.uk>
Apr 12 21:24:06 mail postfix/qmgr[22523]: 7D53F1331283: from=<bjlepiscopacy@example.com>, size=1488, nrcpt=1 (queue active)
Apr 12 21:24:07 mail postfix/qmgr[22523]: 752DD13329E1: from=<yoseriocomic@example.com>, status=expired, returned to sender
Apr 12 21:24:07 mail postfix/qmgr[22523]: 74FA3133357B: from=<pbsvibration@example.com>, size=1430, nrcpt=1 (queue active)
Apr 12 21:24:07 mail postfix/smtpd[4762]: NOQUEUE: reject: RCPT from unknown[114.69.249.212]: 550 5.1.0 <parvinder@example.com>: Sender address rejected: example.com; from=<parvinder@example.com> to=<parvinder@example.com> proto=SMTP helo=<alppilux.fi>
Apr 12 21:24:07 mail postfix/qmgr[22523]: 242B5D49E4: from=<xhvddrowsy@example.com>, size=1401, nrcpt=1 (queue active)
Apr 12 21:24:07 mail postfix/qmgr[22523]: 7371413386CE: from=<xzjufascism@example.com>, size=1584, nrcpt=1 (queue active)
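The log excerpt above mixes three different events: queued messages from forged example.com senders expiring, bounces that Postfix generated for recipients that never existed (relay=none, status=bounced), and the client IPs that handed the mail to amavis or were refused at RCPT time. The following script is an added example, not code from the thread or from Zimbra; it runs over constructed sample lines (addresses and IPs are made up, in the same layout as the quoted postfix/amavis lines) and pulls those three things apart so they can be counted instead of read by eye.

```shell
#!/bin/sh
# Added example, not from the thread: triage of postfix/amavis log lines.
# Constructed sample (made-up addresses, documentation IPs) in the same
# layout as the lines quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 12 21:24:03 mail postfix/qmgr[22523]: 77A47133219A: from=<bftantamount@example.com>, status=expired, returned to sender
Apr 12 21:24:03 mail postfix/qmgr[22523]: 7239813322D0: from=<pporacle@example.com>, size=1464, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/qmgr[22523]: CCD5E1332EB1: from=<mglsatanic@example.com>, size=980, nrcpt=1 (queue active)
Apr 12 21:24:03 mail postfix/error[424]: B591ED4F46: to=<upcoutclass@example.com>, relay=none, delay=473, delays=473/0.01/0/0.01, dsn=5.0.0, status=bounced (example.com)
Apr 12 21:24:06 mail amavis[6316]: (06316-02) Checking: Kl0F88qPmKx2 [198.51.100.7] <mglsatanic@example.com> -> <someone@example.net>
Apr 12 21:24:07 mail postfix/smtpd[4762]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.0 <parvinder@example.com>: Sender address rejected: example.com; from=<parvinder@example.com> to=<parvinder@example.com> proto=SMTP helo=<host.invalid>
Apr 12 21:24:07 mail amavis[6316]: (06316-03) Checking: Ab1CDefGh2Ij [198.51.100.7] <xhvddrowsy@example.com> -> <other@example.net>
Apr 12 21:24:08 mail postfix/error[874]: 99658D6708: to=<kiftatting@example.com>, relay=none, delay=10633, delays=10633/0.01/0/0, dsn=5.0.0, status=bounced (example.com)
EOF

# Number of log events carrying a given postfix delivery status ("expired",
# "bounced", ...).
count_status() {  # usage: count_status STATUS LOGFILE
    grep -c "status=$1" "$2"
}

# Distinct envelope senders in DOMAIN that were queued (from=<...>). Many
# never-before-seen local parts in one domain is the signature of forged
# senders rather than of one compromised mailbox.
distinct_senders() {  # usage: distinct_senders DOMAIN LOGFILE
    grep -oE "from=<[^>]+@$1>" "$2" | sort -u | grep -c .
}

# Connecting client IPs, taken from amavis "Checking: ... [ip]" lines and from
# smtpd "RCPT from host[ip]" rejections, with how often each one appears.
client_ips() {  # usage: client_ips LOGFILE
    grep -oE 'Checking: [^ ]+ \[[0-9.]+\]|RCPT from [^[]*\[[0-9.]+\]' "$1" \
        | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort | uniq -c | sort -rn
}

# The busiest client IP: the first one to compare against the addresses your
# own users actually connect from.
top_client_ip() {  # usage: top_client_ip LOGFILE
    client_ips "$1" | head -n 1 | awk '{print $2}'
}

# Recipients in DOMAIN that postfix accepted and then bounced as undeliverable
# (relay=none, status=bounced): each of these is one backscatter message.
bounced_local_recipients() {  # usage: bounced_local_recipients DOMAIN LOGFILE
    grep 'status=bounced' "$2" | grep -oE "to=<[^>]+@$1>" | sed 's/^to=<//; s/>$//'
}

triage_report() {  # usage: triage_report DOMAIN LOGFILE
    echo "expired: $(count_status expired "$2")  bounced: $(count_status bounced "$2")"
    echo "distinct @$1 senders queued: $(distinct_senders "$1" "$2")"
    echo "client IPs (count ip):"; client_ips "$2"
    echo "bounced recipients in $1 (never existed):"; bounced_local_recipients "$1" "$2"
}

triage_report example.com "$SAMPLE_LOG"
```

Run it against the real file with `triage_report example.com /var/log/zimbra.log` (path is an assumption; use wherever your MTA log lives). A single IP dominating `client_ips` with many distinct sender local parts points at an outside host submitting forged mail; a real account name with a high count points at the compromised-mailbox case the moderator raised.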
#6
04-12-2010, 09:21 AM
Moderator, Posts: 7,928

If somebody is doing this from a client then you could track down who is signing in often using
Code:
sed -n "s/.*btpool.*name=\(.*\);mid=.*;ip=.*;ua=ZimbraWebClient.*/\1/p" mailbox.log | sort | uniq -c
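The one-liner above counts logins per account; the poster's own suspicion (post #3) is an account whose IP keeps changing, which a plain count does not show. The script below is an added example, not from the thread or from Zimbra: it keeps the same sed field layout (name=...;mid=...;ip=...;ua=ZimbraWebClient...) but also counts distinct source IPs per account. The sample lines are constructed to match that layout; that real mailbox.log lines look exactly like this is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: per-account login and distinct-IP counts
# from Zimbra mailbox.log auth lines. Constructed sample lines (made-up
# accounts, documentation IPs) in the field layout the thread's sed expects.
SAMPLE_MAILBOX_LOG=$(mktemp)
cat >"$SAMPLE_MAILBOX_LOG" <<'EOF'
2010-04-12 20:01:11,004 INFO  [btpool0-12://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;mid=3;ip=198.51.100.20;ua=ZimbraWebClient - FF3.0;] SoapEngine - ok
2010-04-12 20:02:40,117 INFO  [btpool0-13://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;mid=7;ip=203.0.113.5;ua=ZimbraWebClient - IE7;] SoapEngine - ok
2010-04-12 20:03:02,311 INFO  [btpool0-14://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;mid=7;ip=203.0.113.77;ua=ZimbraWebClient - IE7;] SoapEngine - ok
2010-04-12 20:03:59,880 INFO  [btpool0-15://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;mid=7;ip=192.0.2.140;ua=ZimbraWebClient - IE7;] SoapEngine - ok
2010-04-12 20:05:10,021 INFO  [btpool0-16://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;mid=3;ip=198.51.100.20;ua=ZimbraWebClient - FF3.0;] SoapEngine - ok
2010-04-12 20:06:33,560 INFO  [btpool0-17://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;mid=7;ip=198.51.100.201;ua=ZimbraWebClient - IE7;] SoapEngine - ok
EOF

# "account ip" pairs from every line that carries a web-client auth context.
login_pairs() {  # usage: login_pairs LOGFILE
    sed -n 's/.*btpool.*name=\([^;]*\);mid=[^;]*;ip=\([^;]*\);ua=ZimbraWebClient.*/\1 \2/p' "$1"
}

# Per account: total logins and number of distinct source IPs, accounts with
# the most distinct IPs first. One account far above the rest is the one to
# look at (and, as the poster did, to put into maintenance mode).
logins_per_account() {  # usage: logins_per_account LOGFILE
    login_pairs "$1" | sort | uniq -c \
        | awk '{ logins[$2] += $1; ips[$2]++ }
               END { for (a in logins) printf "%s logins=%d distinct_ips=%d\n", a, logins[a], ips[a] }' \
        | sort -t= -k3 -rn
}

# Accounts seen from at least THRESHOLD distinct IPs, one per line.
accounts_over_threshold() {  # usage: accounts_over_threshold THRESHOLD LOGFILE
    logins_per_account "$2" | awk -v t="$1" -F'[ =]' '$5 >= t { print $1 }'
}

logins_per_account "$SAMPLE_MAILBOX_LOG"
echo "accounts from 3+ distinct IPs:"
accounts_over_threshold 3 "$SAMPLE_MAILBOX_LOG"
```

Against the real file: `accounts_over_threshold 5 /opt/zimbra/log/mailbox.log`. The threshold depends on how mobile your users are; the poster says all of this domain's users come in from changing internet addresses, so compare accounts against each other rather than against a fixed number.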
#7
04-12-2010, 09:33 AM
Elite Member, Posts: 440

I checked, Uxbod ... I am getting all genuine mail IDs in the output ... all our clients use webmail + Outlook ...
My server got blacklisted at Yahoo.
#8
04-12-2010, 09:41 AM
Elite Member, Posts: 440

Do you need any specific details regarding this issue?
#9
04-12-2010, 09:52 AM
Moderator, Posts: 7,928

Yes, you may be getting genuine IDs, but does one appear a lot higher than the rest? If your users are using Outlook then it is possible one of them has a virus.
#10
04-12-2010, 10:03 AM
Elite Member, Posts: 440

No, there is no huge mail communication from a genuine ID .... Yes, I accept there is a 100 % possibility that a client desktop might be affected by a virus ... and this particular domain's users are accessing from the internet and data cards .. and the hardware is not managed by us .. so we can't control desktop level and client network level security ... but from the server end how do we restrict it ... as it is affecting all other customer domains and the mail server got blacklisted ...

I have been googling for the last few hours and reading on all sender and recipient level restrictions .. at least to stop / reject this mail communication ... but still no luck ... :-(
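The restrictions the poster is reading about include two Postfix settings that match what the quoted logs show: senders with local parts that have no mailbox in example.com, and bounces generated for recipients in example.com that never existed. Below is an added example, not from the thread or from Zimbra. The parameter names `smtpd_reject_unlisted_sender` and `smtpd_reject_unlisted_recipient` are real Postfix parameters; that your Zimbra release lets you set them directly in main.cf is an assumption (Zimbra generates parts of its Postfix configuration from its own settings, so check how your version manages main.cf before applying anything). The two main.cf fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: enable and audit the two Postfix checks
# that refuse, at SMTP time, envelope senders and recipients whose local part
# does not exist in a domain this server is final destination for.
HARDENED_PARAMS='smtpd_reject_unlisted_sender
smtpd_reject_unlisted_recipient'

# Constructed sample: a main.cf that accepts any local part and only bounces
# later (the behaviour behind "relay=none ... status=bounced" log lines).
WEAK_CF=$(mktemp)
cat >"$WEAK_CF" <<'EOF'
myhostname = mail.example.com
mydestination = $myhostname, example.com
smtpd_reject_unlisted_recipient = no
EOF

# Constructed sample: the same file with both checks turned on.
HARDENED_CF=$(mktemp)
cat >"$HARDENED_CF" <<'EOF'
myhostname = mail.example.com
mydestination = $myhostname, example.com
smtpd_reject_unlisted_sender = yes
smtpd_reject_unlisted_recipient = yes
EOF

# Value of one parameter in a main.cf (the last assignment wins, as in
# Postfix); prints "unset" when the file does not mention it.
cf_value() {  # usage: cf_value PARAM FILE
    v=$(sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Audit: one line per parameter that is not "yes"; exit 0 only when both are
# enabled.
audit_unlisted_checks() {  # usage: audit_unlisted_checks FILE
    rc=0
    for p in $HARDENED_PARAMS; do
        v=$(cf_value "$p" "$1")
        if [ "$v" != "yes" ]; then
            echo "$p = $v (should be yes)"
            rc=1
        fi
    done
    return $rc
}

# Apply both settings on a plain Postfix host (not run by the checks below).
apply_unlisted_checks() {
    for p in $HARDENED_PARAMS; do postconf -e "$p = yes"; done
    postfix reload
}

audit_unlisted_checks "$WEAK_CF" || echo "weak config: fix needed"
audit_unlisted_checks "$HARDENED_CF" && echo "hardened config: ok"
```

Unlike an access-map entry that rejects a whole domain (which also refuses your own users' addresses), these checks only refuse local parts that have no mailbox, so legitimate accounts keep working. They do nothing against a real, compromised account sending through the server, which is the other case raised in this thread; that one is found from mailbox.log, not from MTA restrictions.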