  #1 (permalink)  
Old 08-09-2010, 06:24 PM
Elite Member
 
Posts: 377
How to identify infected PC from spamming zimbra?

We notice there is a huge jump in the amount of emails/spams (10x) from the zimbra daily mail report. We notice that there are a huge number of message deliveries going to .it domains and a huge number of messages received from cartabcc.it.

Is there a way to block .it domains in Zimbra or even just to mark them as spam? And is there a way to block non-member domains from using Zimbra to send out emails?

Also, the top sender is from no-reply@cartabcc.it, which is not even from our email accounts. Thus, we suspect that one of our PCs might be infected. Is there a way to identify the IP address of the PC that is using no-reply@cartabcc.it to send out emails thru Zimbra?

How do you guys proceed in resolving such issues?

Thanks,
Boon Hong.
  #2 (permalink)  
Old 08-10-2010, 12:16 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by bhwong
Also, the top sender is from no-reply@cartabcc.it, which is not even from our email accounts. Thus, we suspect that one of our PCs might be infected. Is there a way to identify the IP address of the PC that is using no-reply@cartabcc.it to send out emails thru Zimbra?

Your daily mail report should give you a clue on which user account is sending; you can also search the log files to see where the mail is coming from (there's a command in the forums to count them, if you search). You can always scan your LAN to see if there are any infections on your PCs.
__________________
Regards


Bill
  #3 (permalink)  
Old 08-10-2010, 11:17 PM
Elite Member
 
Posts: 377

Is there an easier method to do this, such as compiling the logs into meaningful results, instead of having to search and do guess work?
  #4 (permalink)  
Old 08-11-2010, 02:25 AM
Moderator
 
Posts: 7,928

Why would it be guess work? If you scan the log files to see which station is sending large numbers of emails then that is a pretty good indicator. Do you know the average number of emails your users send per day?
  #5 (permalink)  
Old 08-11-2010, 04:08 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by bhwong
Is there an easier method to do this, such as compiling the logs into meaningful results, instead of having to search and do guess work?

It's not 'guess work', it's called investigation. You could always have your logs sent to a syslog server (such as Splunk), if you have one, and analyse them in that. You could also have a look at the information provided by pflogsumm (it's provided with Zimbra and produces the daily mail report) and what options there are for getting different reports; search the internet for the web site of the author.
__________________
Regards


Bill
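
Added example (not part of any poster's reply, and not Zimbra or pflogsumm code): one way to do the log search suggested in this thread, joining Postfix `client=` and `from=` lines on queue ID to count messages per client IP and envelope sender. The log lines, host names and addresses other than no-reply@cartabcc.it are constructed samples; feeding it /var/log/zimbra.log and treating 127.0.0.1 as content-filter re-injection are assumptions about the server.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog format (not from the thread).
SAMPLE_LOG = """\
Aug  9 10:00:01 mail postfix/smtpd[2101]: 3F2A11C0001: client=pc17.example.lan[192.168.1.57]
Aug  9 10:00:01 mail postfix/qmgr[1800]: 3F2A11C0001: from=<no-reply@cartabcc.it>, size=2048, nrcpt=1 (queue active)
Aug  9 10:00:02 mail postfix/smtpd[2102]: 3F2A11C0002: client=localhost[127.0.0.1]
Aug  9 10:00:02 mail postfix/qmgr[1800]: 3F2A11C0002: from=<no-reply@cartabcc.it>, size=2300, nrcpt=1 (queue active)
Aug  9 10:00:05 mail postfix/smtpd[2101]: 3F2A11C0003: client=pc17.example.lan[192.168.1.57]
Aug  9 10:00:05 mail postfix/qmgr[1800]: 3F2A11C0003: from=<no-reply@cartabcc.it>, size=2050, nrcpt=1 (queue active)
Aug  9 10:01:00 mail postfix/smtpd[2103]: 3F2A11C0004: client=pc04.example.lan[192.168.1.24], sasl_method=PLAIN, sasl_username=alice@example.com
Aug  9 10:01:00 mail postfix/qmgr[1800]: 3F2A11C0004: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Aug  9 10:05:05 mail postfix/qmgr[1800]: 3F2A11C0003: from=<no-reply@cartabcc.it>, size=2050, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client per queue ID; qmgr logs the envelope sender.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\[\s]*\[([^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
LOOPBACK = {"127.0.0.1", "::1"}

def senders_by_client(lines, skip_loopback=True):
    """Count queued messages per (client IP, envelope sender)."""
    client_of = {}      # queue ID -> client IP
    counted = set()     # queue IDs already counted
    counts = Counter()
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        qid, sender = m.groups()
        ip = client_of.get(qid)
        # qmgr repeats from= on every retry of a deferred message: count once.
        if ip is None or qid in counted:
            continue
        counted.add(qid)
        # Assumption: loopback clients are content-filter re-injections,
        # i.e. second copies of mail already counted at its real source.
        if skip_loopback and ip in LOOPBACK:
            continue
        counts[(ip, sender.lower())] += 1
    return counts

if __name__ == "__main__":
    for (ip, sender), n in senders_by_client(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:6d}  {ip:15s}  {sender}")
```

A LAN address at the top of the output paired with a sender outside your own domains is the workstation to inspect first.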