Results 1 to 5 of 5

Thread: How to identify infected PC from spamming zimbra?

  1. #1
    bhwong is offline Elite Member
    Join Date
    Feb 2009
    Location
    Singapore
    Posts
    489
    Rep Power
    6

    Default How to identify infected PC from spamming zimbra?

    We notice there is a huge jump in the amount of emails/spams (10x) from the zimbra daily mail report. We notice that there are a huge number of message delivery going to .it domains and huge number of messsage received from cartabcc.it.

    Is there a way to block .it domains in Zimbra or even just to mark them as spam? And is there a way to block non-member domain from using Zimbra to send out emails?

    Also, the top sender is from no-reply@cartabcc.it, which is not even from our email accounts. Thus, we suspect that one of our PCs might be infected. Is there a way to identity the IP address of the PC that is using no-reply@cartabcc.it to send out emails thru Zimbra?

    How do you guys proceed in resolving such issues?

    Thanks,
    Boon Hong.

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Quote Originally Posted by bhwong View Post
    Also, the top sender is from no-reply@cartabcc.it, which is not even from our email accounts. Thus, we suspect that one of our PCs might be infected. Is there a way to identity the IP address of the PC that is using no-reply@cartabcc.it to send out emails thru Zimbra?
    Your daily mail report should give you a clue on which user account is sending, you can also search the log files to see where the mail is coming from (there's a command in the forums to count them, if you search). You can always scan your LAN to see if there's any infections on your PCs.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    bhwong is offline Elite Member
    Join Date
    Feb 2009
    Location
    Singapore
    Posts
    489
    Rep Power
    6

    Default

    Is there easier method to do this such as compiling the logs into meaningful result instead of having to search and make guess work?

  4. #4
    uxbod's Avatar
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,016
    Rep Power
    24

    Default

    Why would it be guess work ? If you scan the log files to see which station is sending large numbers of emails then that is a pretty good indicator. Do you know the average number of emails your users send per day ?

  5. #5
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Quote Originally Posted by bhwong View Post
    Is there easier method to do this such as compiling the logs into meaningful result instead of having to search and make guess work?
    It's not 'guess work' it's called investigation, you could always have your logs sent to a syslog server (such as Splunk), if you have one, and analyse them in that. You could also have a look at the information provided by pflogsumm (it's provided with Zimbra and produces the daily mail report) and what options there are for getting different reports, search the internet for the web site of the author.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Migrate Zimbra Server to VMware
    By Oasy in forum Administrators
    Replies: 11
    Last Post: 07-14-2010, 07:13 AM
  2. /tmp filling
    By Nutz in forum Administrators
    Replies: 8
    Last Post: 02-22-2008, 02:00 AM
  3. [SOLVED] Clamav problem ? What's happening ?
    By aNt1X in forum Installation
    Replies: 23
    Last Post: 02-14-2008, 05:43 AM
  4. Zimbra shutdowns every n hours.
    By Andrewb in forum Administrators
    Replies: 13
    Last Post: 08-14-2007, 08:55 AM
  5. zmtlsctl give LDAP error
    By sourcehound in forum Administrators
    Replies: 5
    Last Post: 03-11-2007, 03:48 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •