Spam coming from 127.0.0.1 getting into deferred messages.

#1 | 07-16-2010, 11:02 PM | Senior Member

Hi,

We recently installed ZCS 6.07 in our internal LAN behind a firewall using split DNS. Everything seems to be working well, except for thousands of spam messages originating from Zimbra's localhost, 127.0.0.1.

Though our users don't get too much of it, our problem lies with the deferred messages increasing by up to 1000+ messages per day. Last time we checked we had 15,000 messages. How can we make Zimbra delete spam messages in the deferred queue?

Since the spam originates from 127.0.0.1, does it pass through SpamAssassin? And if so, why is it not deleted? Here is our current SA config:

-------------------------------------------------------------------------------------
rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 5.0

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.5

%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
%%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%

rewrite_header Subject *SPAM* _STARS(*)_
bayes_auto_learn 1
bayes_min_spam_num 60
bayes_min_ham_num 30
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

# Enabled BAYES filter
use_bayes 1
skip_rbl_checks 0

# Added SPF checking
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000

# Added score increase
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000

# Blacklist (* is a wildcard)
blacklist_from *@yahoo.com.tw
blacklist_from *@*.hinet.net
blacklist_from *@pchome.com.tw
blacklist_from *@xuite.net
blacklist_from *@*.ca
blacklist_from *@*.ro
blacklist_from *@*.gr
blacklist_from *@*.ru
blacklist_from *@*.cz
blacklist_from *@*.ee
blacklist_from *@*.fr
blacklist_from *@*.in
blacklist_from *@juno.com
blacklist_from *@guevos.com
blacklist_from *@aol.com
blacklist_from *@*-host-219-90-92-18.tri.ph
blacklist_from *@host-219-90-92-18.tri.ph
blacklist_from *@yahoo.com.*
blacklist_from *@qq.com
blacklist_from *@vdc.vn
blacklist_from *@sina.com
blacklist_from *@163.*
blacklist_from *@126.*
blacklist_from *163.*
blacklist_from *163.*
# Blacklist all domain that starts with number
blacklist_from *@0*.*
blacklist_from *@1*.*
blacklist_from *@2*.*
blacklist_from *@3*.*
blacklist_from *@4*.*
blacklist_from *@5*.*
blacklist_from *@6*.*
blacklist_from *@7*.*
blacklist_from *@8*.*
blacklist_from *@9*.*

# Keywords for spam
body LOCAL_****** /******/i
score LOCAL_****** 3.000

body LOCAL_*** /***/i
score LOCAL_*** 2.000

body LOCAL_ERECTION /erection/i
score LOCAL_ERECTION 1.500
------------------------------------------------------------------------------
[Attached image: Screenshot-4.jpg]

#2 | 07-17-2010, 03:12 PM | Senior Member

I forgot to send my Postfix log; I just figured out how to get it. Our Zimbra server is inside the DMZ with IP 10.10.10.0/29. Our firewall forwards only the ports needed by Zimbra from WAN->DMZ and from LAN->DMZ, as I learned from the wiki; the others are blocked.

Also, why is it that when we first installed Zimbra using a live IP we didn't encounter this problem? I had just added RBL checks and did not have to tinker with salocal.cf.in. It's only with a new installation of Zimbra behind NAT (first on the LAN, then later moved to the DMZ) that it became a spam-sending server. We're afraid that our IP will eventually be blocked by RBLs if we don't fix this.

We're using ZCS 6.0.7 Open Source Ed. running on Ubuntu 8.04 on a virtual machine.

Please help. Thanks
#3 | 07-17-2010, 03:13 PM | Senior Member

Jul 18 05:44:02 mail postfix/qmgr[32190]: 55646D202B: from=<nrwb@host-219-90-92-18.tri.ph>, size=1991, nrcpt=1 (queue active)
Jul 18 05:44:02 mail postfix/smtp[25067]: D55A7D201D: to=<dahui@sxdahui.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.86, delays=0.29/0/0.01/0.57, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-03 - SPAM)
Jul 18 05:44:02 mail postfix/qmgr[32190]: D55A7D201D: removed
Jul 18 05:44:03 mail postfix/smtpd[11962]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:03 mail postfix/smtp[24449]: 55646D202B: to=<seasons0109@126.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.92, delays=0.33/0/0/0.59, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25501-03 - SPAM)
Jul 18 05:44:03 mail postfix/qmgr[32190]: 55646D202B: removed
Jul 18 05:44:03 mail postfix/smtpd[21590]: 77AF7D201D: client=unknown[10.10.10.1]
Jul 18 05:44:04 mail postfix/cleanup[24875]: 77AF7D201D: message-id=<20100717214403.77AF7D201D@mail.aurotech.com>
Jul 18 05:44:04 mail postfix/qmgr[32190]: 77AF7D201D: from=<onicomedes7@aurotech.com>, size=3534, nrcpt=1 (queue active)
Jul 18 05:44:05 mail postfix/smtpd[21590]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:07 mail postfix/qmgr[32190]: 7CF90D203A: from=<>, size=3271, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 7F714D2019: from=<>, size=3625, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 79932D2018: from=<>, size=3672, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 71C4DD2003: from=<>, size=3592, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 42E55D2029: from=<>, size=4797, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 4B3A3D2006: from=<>, size=3627, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 92E40D2015: from=<>, size=6113, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: C7C40D2162: from=<>, size=5994, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: BBD7AD2002: from=<>, size=15796, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 26D10D2026: from=<>, size=37879, nrcpt=1 (queue active)
Jul 18 05:44:08 mail postfix/smtp[26271]: 4B3A3D2006: to=<uyupokay6841@charter.com>, relay=ib1.charter.net[216.33.127.20]:25, delay=1088, delays=1088/0.17/0.56/0, dsn=4.0.0, status=deferred (host ib1.charter.net[216.33.127.20] refused to talk to me: 554 imp06 charter.net ?? IP: 124.105.236.74, You are not allowed to send mail. Please see CSI IP Reputation Remediation Portal if you feel this is in error. E1310)
Jul 18 05:44:09 mail postfix/smtp[26263]: connect to veloxzone.com.br[200.223.8.81]:25: Connection refused
Jul 18 05:44:09 mail postfix/smtp[26263]: 79932D2018: to=<emupuw3762@veloxzone.com.br>, relay=none, delay=1047, delays=1045/0.12/1.1/0, dsn=4.4.1, status=deferred (connect to veloxzone.com.br[200.223.8.81]:25: Connection refused)
Jul 18 05:44:09 mail postfix/smtp[26278]: connect to gallery-09ujizwbu1eqp.usercash.com[79.170.89.9]:25: Connection refused
Jul 18 05:44:09 mail postfix/smtp[26278]: 26D10D2026: to=<allapa@gallery-09ujizwbu1eqp.usercash.com>, relay=none, delay=1076, delays=1075/0.24/1/0, dsn=4.4.1, status=deferred (connect to gallery-09ujizwbu1eqp.usercash.com[79.170.89.9]:25: Connection refused)
Jul 18 05:44:09 mail postfix/smtpd[20427]: connect from unknown[10.10.10.1]
Jul 18 05:44:09 mail postfix/smtp[24106]: connect to mail.goedge.com[64.72.118.174]:25: Connection refused
Jul 18 05:44:09 mail postfix/smtpd[20427]: C1EDED202B: client=unknown[10.10.10.1]
Jul 18 05:44:09 mail postfix/smtp[24106]: 7CF90D203A: to=<bushingrf869@rosebush.com>, relay=none, delay=21508, delays=21506/0.04/1.8/0, dsn=4.4.1, status=deferred (connect to mail.goedge.com[64.72.118.174]:25: Connection refused)
Jul 18 05:44:09 mail postfix/smtpd[24988]: connect from localhost[127.0.0.1]
Jul 18 05:44:09 mail postfix/smtpd[24988]: D9254D202C: client=localhost[127.0.0.1]
Jul 18 05:44:09 mail postfix/cleanup[15965]: D9254D202C: message-id=<20100717214403.77AF7D201D@mail.aurotech.com>
Jul 18 05:44:09 mail postfix/qmgr[32190]: D9254D202C: from=<onicomedes7@aurotech.com>, size=3982, nrcpt=1 (queue active)
Jul 18 05:44:09 mail postfix/smtp[24311]: 77AF7D201D: to=<onicomedes7@aurotech.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.9, delays=1.7/0/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25414-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9254D202C)
Jul 18 05:44:09 mail postfix/qmgr[32190]: 77AF7D201D: removed
Jul 18 05:44:09 mail postfix/cleanup[15950]: C1EDED202B: message-id=<20100717214409.C1EDED202B@mail.aurotech.com>
Jul 18 05:44:10 mail postfix/error[24079]: D9254D202C: to=<onicomedes7@aurotech.com>, relay=none, delay=0.18, delays=0.07/0.01/0/0.09, dsn=5.0.0, status=bounced (aurotech.com)
Jul 18 05:44:10 mail postfix/qmgr[32190]: C1EDED202B: from=<ejo@host-219-90-92-18.tri.ph>, size=1651, nrcpt=1 (queue active)
Jul 18 05:44:10 mail postfix/cleanup[24877]: 1020DD201D: message-id=<20100717214410.1020DD201D@mail.aurotech.com>
Jul 18 05:44:10 mail postfix/bounce[24080]: D9254D202C: sender non-delivery notification: 1020DD201D
Jul 18 05:44:10 mail postfix/qmgr[32190]: 1020DD201D: from=<>, size=5774, nrcpt=1 (queue active)
Jul 18 05:44:10 mail postfix/qmgr[32190]: D9254D202C: removed
Jul 18 05:44:10 mail postfix/error[24079]: 1020DD201D: to=<onicomedes7@aurotech.com>, relay=none, delay=0.19, delays=0.1/0/0/0.09, dsn=5.0.0, status=bounced (aurotech.com)
Jul 18 05:44:10 mail postfix/qmgr[32190]: 1020DD201D: removed
Jul 18 05:44:10 mail postfix/smtpd[20427]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/smtpd[18441]: connect from unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/smtp[25100]: C1EDED202B: to=<jhnie@jjhy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.3/0/0.01/1.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-12 - SPAM)
Jul 18 05:44:11 mail postfix/qmgr[32190]: C1EDED202B: removed
Jul 18 05:44:11 mail postfix/smtpd[29260]: connect from unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/smtpd[18441]: 9E05FD201D: client=unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/smtpd[29260]: BB1E0D202B: client=unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/cleanup[24875]: 9E05FD201D: message-id=<20100717214411.9E05FD201D@mail.aurotech.com>
Jul 18 05:44:11 mail postfix/qmgr[32190]: 9E05FD201D: from=<sxcgm@host-219-90-92-18.tri.ph>, size=4008, nrcpt=1 (queue active)
Jul 18 05:44:11 mail postfix/cleanup[24422]: BB1E0D202B: message-id=<20100717214411.BB1E0D202B@mail.aurotech.com>
Jul 18 05:44:12 mail postfix/qmgr[32190]: BB1E0D202B: from=<sxchm@host-219-90-92-18.tri.ph>, size=4018, nrcpt=1 (queue active)
Jul 18 05:44:12 mail postfix/smtp[24325]: 9E05FD201D: to=<jswjg516@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.74, delays=0.26/0/0/0.47, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-04 - SPAM)
Jul 18 05:44:12 mail postfix/qmgr[32190]: 9E05FD201D: removed
Jul 18 05:44:12 mail postfix/smtpd[18441]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:12 mail postfix/smtpd[29260]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:14 mail postfix/smtpd[24707]: connect from unknown[10.10.10.1]
Jul 18 05:44:14 mail postfix/smtp[24449]: BB1E0D202B: to=<jswjgjyxgs@3158.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=0.27/0/0.01/2.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25168-06 - SPAM)
Jul 18 05:44:14 mail postfix/qmgr[32190]: BB1E0D202B: removed
Jul 18 05:44:14 mail postfix/smtpd[24707]: 74076D201D: client=unknown[10.10.10.1]
Jul 18 05:44:14 mail postfix/cleanup[15965]: 74076D201D: message-id=<20100717214414.74076D201D@mail.aurotech.com>
Jul 18 05:44:14 mail postfix/qmgr[32190]: 74076D201D: from=<wbglrw@host-219-90-92-18.tri.ph>, size=955, nrcpt=1 (queue active)
Jul 18 05:44:14 mail postfix/smtp[24311]: 74076D201D: to=<da-huyou@163.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.42, delays=0.27/0/0.01/0.14, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-13 - SPAM)
Jul 18 05:44:14 mail postfix/qmgr[32190]: 74076D201D: removed
Jul 18 05:44:15 mail postfix/smtpd[24707]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:15 mail postfix/smtpd[1240]: connect from unknown[10.10.10.1]
Jul 18 05:44:15 mail postfix/smtpd[1240]: B1A93D201D: client=unknown[10.10.10.1]
Jul 18 05:44:15 mail postfix/cleanup[24875]: B1A93D201D: message-id=<20100717214415.B1A93D201D@mail.aurotech.com>
Jul 18 05:44:15 mail postfix/qmgr[32190]: B1A93D201D: from=<hmr@host-219-90-92-18.tri.ph>, size=1497, nrcpt=1 (queue active)
Jul 18 05:44:16 mail postfix/smtp[24328]: B1A93D201D: to=<wwq830626@sina.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.63, delays=0.28/0/0.01/0.34, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25494-05 - SPAM)
Jul 18 05:44:16 mail postfix/qmgr[32190]: B1A93D201D: removed
Jul 18 05:44:16 mail postfix/smtpd[25269]: disconnect from localhost[127.0.0.1]
Jul 18 05:44:16 mail postfix/smtpd[1240]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:16 mail postfix/smtpd[20418]: connect from unknown[10.10.10.1]
Jul 18 05:44:16 mail postfix/smtpd[20418]: B4AB8D201D: client=unknown[10.10.10.1]
Jul 18 05:44:16 mail postfix/smtpd[1255]: connect from unknown[10.10.10.1]
Jul 18 05:44:16 mail postfix/cleanup[24422]: B4AB8D201D: message-id=<20100717214416.B4AB8D201D@mail.aurotech.com>
Jul 18 05:44:16 mail postfix/smtpd[1255]: F0C29D202B: client=unknown[10.10.10.1]
Jul 18 05:44:17 mail postfix/qmgr[32190]: B4AB8D201D: from=<tydio@host-219-90-92-18.tri.ph>, size=1521, nrcpt=1 (queue active)
Jul 18 05:44:17 mail postfix/cleanup[15950]: F0C29D202B: message-id=<20100717214416.F0C29D202B@mail.aurotech.com>
Jul 18 05:44:17 mail postfix/qmgr[32190]: F0C29D202B: from=<tydiot@host-219-90-92-18.tri.ph>, size=1516, nrcpt=1 (queue active)
Jul 18 05:44:17 mail postfix/smtp[24325]: B4AB8D201D: to=<handsomeallan@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.67, delays=0.34/0/0/0.33, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-05 - SPAM)
Jul 18 05:44:17 mail postfix/qmgr[32190]: B4AB8D201D: removed
Jul 18 05:44:17 mail postfix/smtpd[20418]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:17 mail postfix/smtp[24449]: F0C29D202B: to=<handsomebay1028@163.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.67, delays=0.3/0/0.01/0.37, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=23275-14 - SPAM)
Jul 18 05:44:17 mail postfix/qmgr[32190]: F0C29D202B: removed
Jul 18 05:44:17 mail postfix/smtpd[1255]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:23 mail postfix/smtpd[24076]: connect from unknown[10.10.10.1]
Jul 18 05:44:23 mail postfix/smtpd[24076]: D0582D201D: client=unknown[10.10.10.1]
Jul 18 05:44:23 mail postfix/smtpd[18440]: connect from unknown[10.10.10.1]
Jul 18 05:44:24 mail postfix/cleanup[15965]: D0582D201D: message-id=<20100717214423.D0582D201D@mail.aurotech.com>
Jul 18 05:44:24 mail postfix/smtpd[18440]: 0CB91D202B: client=unknown[10.10.10.1]
Jul 18 05:44:24 mail postfix/qmgr[32190]: D0582D201D: from=<xbglrw@host-219-90-92-18.tri.ph>, size=950, nrcpt=1 (queue active)
Jul 18 05:44:24 mail postfix/cleanup[24422]: 0CB91D202B: message-id=<20100717214424.0CB91D202B@mail.aurotech.com>
Jul 18 05:44:24 mail postfix/qmgr[32190]: 0CB91D202B: from=<xchmrw@host-219-90-92-18.tri.ph>, size=941, nrcpt=1 (queue active)
Jul 18 05:44:24 mail postfix/smtp[24328]: D0582D201D: to=<dai@atunicorn.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.83, delays=0.43/0.01/0.01/0.38, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25168-07 - SPAM)
Jul 18 05:44:24 mail postfix/qmgr[32190]: D0582D201D: removed
Jul 18 05:44:24 mail postfix/smtpd[24076]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:24 mail postfix/smtp[24311]: 0CB91D202B: to=<dai@aandb.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.67, delays=0.46/0/0.02/0.19, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-06 - SPAM)
Jul 18 05:44:24 mail postfix/qmgr[32190]: 0CB91D202B: removed
Jul 18 05:44:25 mail postfix/smtpd[18440]: disconnect from unknown[10.10.10.1]
Jul 18 05:44:29 mail postfix/smtp[26275]: connect to mxin1.gvt.com.br[200.139.127.5]:25: No route to host
Jul 18 05:44:29 mail postfix/smtp[26275]: BBD7AD2002: to=<jegukuviey9556@gvt.net.br>, relay=none, delay=30593, delays=30571/0.19/21/0, dsn=4.4.1, status=deferred (connect to mxin1.gvt.com.br[200.139.127.5]:25: No route to host)
Jul 18 05:44:30 mail postfix/smtpd[1254]: connect from unknown[10.10.10.1]
Jul 18 05:44:30 mail postfix/smtpd[18441]: connect from unknown[10.10.10.1]
Jul 18 05:44:30 mail postfix/smtpd[1255]: connect from unknown[10.10.10.1]
Jul 18 05:44:30 mail postfix/smtpd[1254]: EB846D201D: client=unknown[10.10.10.1]
Jul 18 05:44:31 mail postfix/smtpd[18441]: 029D6D202B: client=unknown[10.10.10.1]
Jul 18 05:44:31 mail postfix/cleanup[24875]: EB846D201D: message-id=<20100717214430.EB846D201D@mail.aurotech.com>
Jul 18 05:44:31 mail postfix/cleanup[24877]: 029D6D202B: message-id=<20100717214431.029D6D202B@mail.aurotech.com>
Jul 18 05:44:31 mail postfix/smtpd[1255]: 3590CD202C: client=unknown[10.10.10.1]
Jul 18 05:44:31 mail postfix/qmgr[32190]: EB846D201D: from=<tydio@host-219-90-92-18.tri.ph>, size=3994, nrcpt=1 (queue active)
Jul 18 05:44:31 mail postfix/qmgr[32190]: 029D6D202B: from=<tydiot@host-219-90-92-18.tri.ph>, size=3992, nrcpt=1 (queue active)
Jul 18 05:44:31 mail postfix/cleanup[15950]: 3590CD202C: message-id=<20100717214431.3590CD202C@mail.aurotech.com>
Jul 18 05:44:31 mail postfix/qmgr[32190]: 3590CD202C: from=<afkpuze@host-219-90-92-18.tri.ph>, size=1537, nrcpt=1 (queue active)
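The log above can be reduced to the few numbers that matter for this problem: how many messages amavisd discarded as spam, which client addresses submitted them, how many messages passed the filter and were re-injected, and how much of the deferred queue is null-sender bounce mail. The following Python script is an added example, not code from this thread or from Zimbra; it parses a handful of lines copied from the posted log and folds them into one record per Postfix queue ID. The regular expressions, the record fields and the function names are my own assumptions about the log format shown here, not a Postfix or Zimbra API.

```python
import re
from collections import Counter

# A subset of the Postfix log lines posted in this thread (copied verbatim).
SAMPLE_LOG = """\
Jul 18 05:44:02 mail postfix/smtp[25067]: D55A7D201D: to=<dahui@sxdahui.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.86, delays=0.29/0/0.01/0.57, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-03 - SPAM)
Jul 18 05:44:03 mail postfix/smtpd[21590]: 77AF7D201D: client=unknown[10.10.10.1]
Jul 18 05:44:04 mail postfix/qmgr[32190]: 77AF7D201D: from=<onicomedes7@aurotech.com>, size=3534, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 4B3A3D2006: from=<>, size=3627, nrcpt=1 (queue active)
Jul 18 05:44:07 mail postfix/qmgr[32190]: 79932D2018: from=<>, size=3672, nrcpt=1 (queue active)
Jul 18 05:44:08 mail postfix/smtp[26271]: 4B3A3D2006: to=<uyupokay6841@charter.com>, relay=ib1.charter.net[216.33.127.20]:25, delay=1088, delays=1088/0.17/0.56/0, dsn=4.0.0, status=deferred (host ib1.charter.net[216.33.127.20] refused to talk to me: 554 imp06 charter.net ?? IP: 124.105.236.74, You are not allowed to send mail. Please see CSI IP Reputation Remediation Portal if you feel this is in error. E1310)
Jul 18 05:44:09 mail postfix/smtp[26263]: 79932D2018: to=<emupuw3762@veloxzone.com.br>, relay=none, delay=1047, delays=1045/0.12/1.1/0, dsn=4.4.1, status=deferred (connect to veloxzone.com.br[200.223.8.81]:25: Connection refused)
Jul 18 05:44:09 mail postfix/smtp[24311]: 77AF7D201D: to=<onicomedes7@aurotech.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.9, delays=1.7/0/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=25414-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9254D202C)
Jul 18 05:44:11 mail postfix/smtpd[18441]: 9E05FD201D: client=unknown[10.10.10.1]
Jul 18 05:44:11 mail postfix/qmgr[32190]: 9E05FD201D: from=<sxcgm@host-219-90-92-18.tri.ph>, size=4008, nrcpt=1 (queue active)
Jul 18 05:44:12 mail postfix/smtp[24325]: 9E05FD201D: to=<jswjg516@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.74, delays=0.26/0/0/0.47, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=25530-04 - SPAM)
"""

# Only lines that carry a queue ID are interesting; connect/disconnect lines do not.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")
CLIENT_RE = re.compile(r"client=\S*?\[([\d.]+)\]")   # the submitting client's IP
STATUS_RE = re.compile(r"status=(\w+)")


def parse_log(text):
    """Fold the per-line events of a Postfix log into one record per queue ID."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(
            m["qid"], {"client": None, "from": None, "to": None, "status": None, "spam": False}
        )
        rest = m["rest"]
        c = CLIENT_RE.search(rest)
        if c:
            rec["client"] = c.group(1)
        f = FROM_RE.search(rest)
        if f:
            rec["from"] = f.group(1)          # "" means the null sender (a bounce)
        t = TO_RE.search(rest)
        if t:
            rec["to"] = t.group(1)
        s = STATUS_RE.search(rest)
        if s:
            rec["status"] = s.group(1)
            # amavisd-new reports a discarded message as "... - SPAM)" at line end
            rec["spam"] = rest.rstrip().endswith("- SPAM)")
    return records


def deferred_queue_ids(records):
    """Queue IDs currently stuck in the deferred queue, sorted for stable output."""
    return sorted(q for q, r in records.items() if r["status"] == "deferred")


def summarize(records):
    """Counts a defender wants: what was discarded, what got through, who sent it."""
    recs = records.values()
    deferred = [r for r in recs if r["status"] == "deferred"]
    return {
        "spam_discarded": sum(1 for r in recs if r["spam"]),
        "passed_filter": sum(1 for r in recs if r["status"] == "sent" and not r["spam"]),
        "deferred": len(deferred),
        "deferred_null_sender": sum(1 for r in deferred if r["from"] == ""),
        "clients": Counter(r["client"] for r in recs if r["client"]),
        "sender_domains": Counter(
            r["from"].rsplit("@", 1)[1] for r in recs if r["from"] and "@" in r["from"]
        ),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, value in summarize(recs).items():
        print(f"{key}: {value}")
    print("deferred queue IDs:", deferred_queue_ids(recs))
```

Two things stand out even in this small sample. Every message that amavisd discarded was submitted by client 10.10.10.1, the DMZ gateway, not by localhost; the 127.0.0.1 entries are amavisd handing the message back to Postfix on port 10025, which is why the spam appears to originate there. And the entries sitting in the deferred queue have an empty sender (from=<>), so they are bounce messages generated for spam that got past the filter and that the remote host then refused. Postfix's `postqueue -p` lists that queue and `postsuper -d ALL deferred` empties it, but it refills until the source of the submissions is cut off.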
#4 | 07-17-2010, 03:22 PM | Senior Member

I have blacklisted the domain host-219-90-92-18.tri.ph by editing amavisd.conf.in, but it doesn't stop my server from sending other spam messages. How do I know if a local user account has been compromised? And if so, would changing the password solve this?
#5 | 07-17-2010, 11:08 PM | Zimbra Consultant & Moderator

Quote (Originally Posted by aldennis):
I have blacklisted the domain host-219-90-92-18.tri.ph by editing amavisd.conf.in, but it doesn't stop my server from sending other spam messages. How do I know if a local user account has been compromised?
You can check some of these threads for details on how to check who's sending high volumes of mail: site:zimbra.com +spam +compromised +account - Yahoo! Search Results

Quote (Originally Posted by aldennis):
And if so, would changing the password solve this?
Yes and you should enforce strong password security via the Admin UI.
Regards
Bill

#6 | 07-18-2010, 06:59 PM | Senior Member

Another thing: here is a copy of a spam message sent to an account from his own account.
--------------------------------------------------------------------------------------
Return-Path: rgalvan@aurotech.com
Received: from mail.aurotech.com (LHLO mail.aurotech.com) (10.10.10.2) by
mail.aurotech.com with LMTP; Mon, 19 Jul 2010 09:13:36 +0800 (PHT)
Received: from localhost (localhost [127.0.0.1])
by mail.aurotech.com (Postfix) with ESMTP id 10918D2014;
Mon, 19 Jul 2010 09:13:36 +0800 (PHT)
X-Quarantine-ID: <ShRQYvxCA2c2>
X-Virus-Scanned: amavisd-new at aurotech.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char AE hex):
Subject: rgalvan@aurotech.com ****** \256 Official Site -18%
Received: from mail.aurotech.com ([127.0.0.1])
by localhost (mail.aurotech.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ShRQYvxCA2c2; Mon, 19 Jul 2010 09:13:23 +0800 (PHT)
Received: from net98.78.95-230.chelny.ertelecom.ru (unknown [10.10.10.1])
by mail.aurotech.com (Postfix) with SMTP id 0B138D2020
for <rgalvan@aurotech.com>; Mon, 19 Jul 2010 09:13:21 +0800 (PHT)
From: rgalvan@aurotech.com
To: rgalvan@aurotech.com
Subject: rgalvan@aurotech.com ****** ® Official Site -18%
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20100719011322.0B138D2020@mail.aurotech.com>
Date: Mon, 19 Jul 2010 09:13:21 +0800 (PHT)

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="width: 896px">
<tr><td align="center" style="font: normal 11px Verdana, sans-serif; color: #333;"><a href="http://hvb.autdrug.ru?ewsd=rgalvan@aurotech.com" style="text-decoration: none; color: #0099ff;">Click here. </td></tr>
<tr><td align="center">
<br />
<a href="http://gzn.autdrug.ru?zrjm=rgalvan@aurotech.com"><img alt="Dear rgalvan@aurotech.com" src="http://kms.autdrug.ru/m.gif" style="border-width: 0px" /></a></td></tr>
</table>
</body>
</html>
-------------------------------------------------------------------------------------

ZCS seems unable to extract DNS info for the domain net98.78.95-230.chelny.ertelecom.ru from the DMZ gateway 10.10.10.1, since it indicates "unknown". I have set ZCS to reject_unknown_hostname via Admin GUI->Global Settings->MTA->DNS Checks. In my understanding a valid hostname should have valid MX and A records? Is that how Zimbra checks it, or am I wrong?

Because it could be either that Zimbra was unable to perform DNS checks, or that it doesn't do DNS checks on trusted IPs.

Does mail which comes from the trusted IPs (127.0.0.0/8 10.10.10.0/29 in our case) never get scanned by SpamAssassin?
#7 | 07-18-2010, 07:03 PM | Senior Member

I could ping internet domains from inside the ZCS server.

Thanks
#8 | 07-23-2010, 06:53 PM | Senior Member

Hi,

Our trusted IP when we installed Zimbra on the LAN was 192.168.0.0/24; maybe it was at that time that spambots on the local LAN gained access to the Zimbra server and made it an open relay for sending spam, since the entire 192.68.0.0/24 is trusted.

After two weeks of battling spam originating from our server itself, and having to change our IP every time we got blacklisted, we are now installing Zimbra outside our firewall on our own WAN subnet, then using HTTPS instead of HTTP for the web client and changing passwords for all users.

Can we install a firewall application on the Zimbra server itself?
Also, is it possible to add another Ethernet card that would have an IP address in our DMZ zone?

We will use it to run rsync to our standby Zimbra server on the same DMZ subnet.
#9 | 07-27-2010, 03:34 AM | Zimbra Consultant & Moderator

Quote (Originally Posted by aldennis):
Our trusted IP when we installed Zimbra on the LAN was 192.168.0.0/24; maybe it was at that time that spambots on the local LAN gained access to the Zimbra server and made it an open relay for sending spam, since the entire 192.68.0.0/24 is trusted.

All you need to do is add only the LAN IP of the Zimbra server itself (plus, of course, the current loopback entry) to the Trusted Networks; that is covered in the forum threads on this problem. Do note that if you do that then all your users (that use fat clients) will have to authenticate to send email via the server, and they should be using port 587 for that anyway.
Regards
Bill
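The advice in #9 is the fix for what the posted log shows: every external connection reaches the DMZ host with the gateway's address 10.10.10.1 as its source (client=unknown[10.10.10.1]), and 10.10.10.1 lies inside the 10.10.10.0/29 that was listed as a trusted network in #6, so the MTA treats the whole internet as a trusted client and relays for it. The Python below is an added example, not Zimbra or Postfix code; it models the trusted-networks check with the standard ipaddress module and flags any non-loopback entry that covers more than the server's own address. The server address 10.10.10.2 is taken from the Received header in #6; the LAN addresses in the third scenario and all function names are my own constructions.

```python
import ipaddress


def parse_mynetworks(value):
    """Parse a space-separated trusted-networks list (the format shown in this
    thread, e.g. "127.0.0.0/8 10.10.10.0/29") into ip_network objects.
    strict=False accepts host addresses written with a prefix, like 10.10.10.2/29."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def client_may_relay(client_ip, networks):
    """Model of the trusted-networks decision: a client whose address falls inside
    any listed network is trusted and may relay without authenticating."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def overly_broad(networks, server_ip):
    """Return (as strings) every non-loopback entry that admits hosts other than
    the server itself: any range wider than one address, or a single address
    that is not the server's own."""
    server = ipaddress.ip_address(server_ip)
    flagged = []
    for net in networks:
        if net.is_loopback:
            continue
        if net.num_addresses > 1 or server not in net:
            flagged.append(str(net))
    return flagged


def check(mynetworks_value, server_ip, client_ip):
    """Evaluate one configuration: does this client get to relay, and which
    entries are wider than the loopback-plus-server minimum."""
    nets = parse_mynetworks(mynetworks_value)
    return {
        "relays": client_may_relay(client_ip, nets),
        "broad": overly_broad(nets, server_ip),
    }


# Constructed scenarios reflecting the thread.
GATEWAY = "10.10.10.1"                  # DMZ gateway: source address of every external connection
SERVER = "10.10.10.2"                   # the ZCS host itself (Received header in #6)
BEFORE = "127.0.0.0/8 10.10.10.0/29"    # trusted networks quoted in #6
AFTER = "127.0.0.0/8 10.10.10.2/32"     # #9's recommendation: loopback plus the server only
LAN_ERA = "127.0.0.0/8 192.168.0.0/24"  # the earlier LAN configuration from #8

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, check(value, SERVER, GATEWAY))
```

With the "before" list the gateway is trusted and the list is flagged as broad; with the "after" list the same connection is no longer trusted and has to authenticate, which is exactly the side effect #9 warns about for fat clients on port 587. The check is deliberately independent of what SpamAssassin does afterwards: content filtering can discard some of the relayed mail, as the log shows, but it cannot undo the relay decision, and the messages it lets through are what fill the deferred queue with bounces.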
#10 | 07-30-2010, 03:39 AM | Senior Member

We're running our server on the WAN now and so far no spam has made its way into our users' Inbox. I have used iptables on the Zimbra server to close all ports other than those required by Zimbra, as listed in the Wiki.

I still don't know if I can add another NIC to the Zimbra server and have its IP inside the DMZ. Does it affect Zimbra if I use two NICs with different gateways?