Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

Possible virus causing spam issue

#1 - 10-19-2010, 08:13 AM - dljordaneku (Elite Member)

I think we have a PC on our network that is sending out spam due to a virus, but I can't figure out how to track it down. I have pored through some log files trying to track it down, using the Zimbra log and the audit log. We have been placed on some blacklist and we are deleting out several thousand deferred emails a day due to this.

Is there any other log file that would track this down better? Any other tips or tricks?

dj

#2 - 10-19-2010, 10:25 AM - phoenix (Zimbra Consultant & Moderator)

Are you sure that the infected machine is actually using your server? Does the daily mail report (you can run that any time) not show you the accounts that are sending lots of mail? The daily mail report is based on pflogsumm and you can get further information from it that might be useful.
Regards,
Bill

#3 - 10-19-2010, 10:56 AM - dljordaneku (Elite Member)

We are pretty sure. We have two accounts showing up in the daily report, each with over 4k in messages being sent out and about as many being returned as undeliverable back to them. Plus our email server has been blacklisted in some places so now we can't send email to some ISPs.

We think someone who is using Outlook has been hit with something and it is spoofing these two addresses. I don't think either of these two users has Outlook running. If they do, they sure didn't set it up, if you know what I mean.

dj

#4 - 10-19-2010, 11:05 AM - phoenix (Zimbra Consultant & Moderator)

Have you checked the machines of these two account owners to see if they are infected, or do they use machines outside your network to send email? If you've identified the two 'suspect' accounts then I'd suggest you make them inactive to see if the spam problem goes down. Is there any other suspicious activity from any other accounts? It is possible a brute force attack could compromise an account via the web UI; do you have a strong password requirement on your Zimbra server?
Regards,
Bill

#5 - 10-19-2010, 11:10 AM - dljordaneku (Elite Member)

To the best of our knowledge, these two users don't have a machine. They just have a BlackBerry and maybe check it via the web interface. That's why we were thinking someone with Outlook has it pulling a name out of their address book and sending using that name. That's why I was wondering if there was a log file that had any information in it where I could see what IP address was sending out a lot of emails. Most of it seems to come from overnight, around midnight. I'm planning on removing that person's POP access tonight and seeing if the problem goes away. But I would like to know if there was any other way of checking.

dj

#6 - 10-20-2010, 12:31 PM - dljordaneku (Elite Member)

Any other options or ideas on this? Something just kicked over 2,000 emails through our queue and most of them are in the deferred state right now. Is there any log file that captures the IP address the emails are coming from?

dj

#7 - 10-27-2010, 06:40 AM - dljordaneku (Elite Member)

OK. I am going to bump this and ask for help again. The PC I thought it might be may not be the problem account. I have run a virus scan on this PC and let Wireshark run overnight on it to monitor the port, and it showed nothing.

But yet we had to delete over 1k messages from the queue this morning. There has to be something in a log file somewhere that tells me a computer or an account that is accessing the server overnight and sending out these messages.

dj

#8 - 10-27-2010, 12:36 PM - jrefl5 (Advanced Member)

Have you looked at zimbra.log for the Message IDs of some of those messages you found in the queue? That will give you an idea of when they are entering the system, along with a hint as to where they are coming from.

You can then look in mailbox.log, sync.log, etc. around that time frame and see what is happening there.

#9 - 10-27-2010, 01:37 PM - dljordaneku (Elite Member)

We were looking through some of those this morning and they really don't match up in some cases. And when they do, they match up against a couple of different users. Could be more than one infected I guess.

dj

#10 - 10-28-2010, 08:02 AM - dljordaneku (Elite Member)

Well, now I know why I was never able to find anything in port scans. Someone was logging in to the web client from overseas and sending out emails. Finally, with some serious searching in the log files, we found some entries that showed us where the spam was coming from.

Can you see stronger password policy coming up?

dj
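The correlation jrefl5 suggests in #8 (queue records in zimbra.log, then mailbox.log around the same time) and the pattern dj eventually found in #10 (a web-client login from abroad, not a local PC) can be turned into a small script. The one below is an added example, not code from this thread or from Zimbra: it joins the Postfix smtpd and qmgr records for each queue ID, totals messages and recipients per (SASL user, client IP) and hour, then does the same for the [name=...;ip=...;oip=...;] context block that mailbox.log puts on each SOAP request. The sample log lines are constructed (documentation IP ranges, made-up queue IDs and accounts) and the field layout is an assumption about a Zimbra 6-era server, so the regexes may need adjusting for your version. It also shows why dj's IP search in zimbra.log came up empty: mail sent from the web client reaches Postfix from 127.0.0.1 with no SASL user, so the remote address only appears in mailbox.log.

```python
"""Correlate Postfix records in zimbra.log with mailbox.log to see which
account is injecting bulk mail, from which IP, and at what hour.

Added example, not code from the thread or from Zimbra.  The log lines
below are constructed; the field layout (Postfix queue-id records in
zimbra.log, the [name=...;ip=...;oip=...;] context block in mailbox.log)
is an assumption about a Zimbra 6-era server, so adjust the regexes to
your own logs.
"""
import re
from collections import defaultdict

# --- constructed sample input (RFC 5737 addresses, made-up queue ids) -------
ZIMBRA_LOG = """\
Oct 27 00:12:31 mail postfix/smtpd[4021]: 7A1B2C3D4E: client=localhost[127.0.0.1]
Oct 27 00:12:31 mail postfix/qmgr[3980]: 7A1B2C3D4E: from=<jdoe@example.edu>, size=2310, nrcpt=48 (queue active)
Oct 27 00:12:33 mail postfix/smtpd[4021]: 7A1B2C3D4F: client=localhost[127.0.0.1]
Oct 27 00:12:33 mail postfix/qmgr[3980]: 7A1B2C3D4F: from=<jdoe@example.edu>, size=2310, nrcpt=50 (queue active)
Oct 27 09:05:10 mail postfix/smtpd[4100]: 7A1B2C3D50: client=ws17.example.edu[198.51.100.17], sasl_method=LOGIN, sasl_username=asmith@example.edu
Oct 27 09:05:10 mail postfix/qmgr[3980]: 7A1B2C3D50: from=<asmith@example.edu>, size=1180, nrcpt=1 (queue active)
""".splitlines()

MAILBOX_LOG = """\
2010-10-27 00:10:05,118 INFO  [btpool0-7://mail.example.edu/service/soap/AuthRequest] [name=jdoe@example.edu;ip=203.0.113.77;ua=zclient/6.0.8_GA_2661;] soap - AuthRequest
2010-10-27 00:12:31,402 INFO  [btpool0-7://mail.example.edu/service/soap/SendMsgRequest] [name=jdoe@example.edu;mid=12;ip=203.0.113.77;ua=zclient/6.0.8_GA_2661;] smtp - Sending message
2010-10-27 00:12:33,010 INFO  [btpool0-7://mail.example.edu/service/soap/SendMsgRequest] [name=jdoe@example.edu;mid=12;ip=203.0.113.77;ua=zclient/6.0.8_GA_2661;] smtp - Sending message
2010-10-27 08:55:40,300 INFO  [btpool0-3://mail.example.edu/service/soap/AuthRequest] [name=bwhite@example.edu;ip=198.51.100.23;ua=zclient/6.0.8_GA_2661;] soap - AuthRequest
""".splitlines()

# postfix/smtpd: queue id -> connecting client (and SASL user for authenticated SMTP)
RE_SMTPD = re.compile(
    r'^(?P<hour>\w{3} +\d+ \d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=[^\[]*\[(?P<ip>[^\]]+)\]'
    r'(?:, sasl_method=\w+, sasl_username=(?P<user>\S+))?')
# postfix/qmgr: queue id -> envelope sender and recipient count
RE_QMGR = re.compile(
    r'postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, '
    r'size=\d+, nrcpt=(?P<nrcpt>\d+)')
# mailbox.log: timestamp, thread name ending in the SOAP request name, context block
RE_MBOX = re.compile(
    r'^(?P<hour>\d{4}-\d\d-\d\d \d\d):\d\d:\d\d,\d+ +\w+ +'
    r'\[(?:[^\]]*/)?(?P<req>[^\]/]+)\] \[(?P<ctx>[^\]]*)\]')


def parse_postfix(lines):
    """Merge the smtpd and qmgr records for each queue id into one dict."""
    msgs = defaultdict(dict)
    for line in lines:
        m = RE_SMTPD.match(line)
        if m:
            msgs[m['qid']].update(hour=m['hour'], ip=m['ip'],
                                  user=m['user'] or '(no SASL auth)')
            continue
        m = RE_QMGR.search(line)
        if m:
            msgs[m['qid']].update(sender=m['sender'], nrcpt=int(m['nrcpt']))
    return dict(msgs)


def top_submitters(msgs):
    """Per (SASL user, client IP): messages, recipients, hours, envelope senders,
    most recipients first.  A client IP of 127.0.0.1 means the mailbox server
    itself injected the message (web client, mobile sync), so the real origin
    is only in mailbox.log."""
    stats = defaultdict(lambda: [0, 0, set(), set()])
    for rec in msgs.values():
        if 'ip' not in rec:            # local pickup or bounce: no smtpd record
            continue
        s = stats[(rec['user'], rec['ip'])]
        s[0] += 1
        s[1] += rec.get('nrcpt', 0)
        s[2].add(rec['hour'])
        s[3].add(rec.get('sender', '?'))
    return sorted(((k, n, r, sorted(h), sorted(f)) for k, (n, r, h, f) in stats.items()),
                  key=lambda t: t[2], reverse=True)


def web_activity(lines):
    """Per (account, originating IP) in mailbox.log: request count, request
    names, hours.  oip= (set when a proxy sits in front) wins over ip=."""
    stats = defaultdict(lambda: [0, set(), set()])
    for line in lines:
        m = RE_MBOX.match(line)
        if not m:
            continue
        ctx = dict(kv.split('=', 1) for kv in m['ctx'].split(';') if '=' in kv)
        if 'name' not in ctx:
            continue
        s = stats[(ctx['name'], ctx.get('oip') or ctx.get('ip') or '?')]
        s[0] += 1
        s[1].add(m['req'])
        s[2].add(m['hour'])
    return sorted(((k, n, sorted(q), sorted(h)) for k, (n, q, h) in stats.items()),
                  key=lambda t: t[1], reverse=True)


def report(zimbra_log=ZIMBRA_LOG, mailbox_log=MAILBOX_LOG):
    """Plain-text summary of both views, worst offenders first."""
    out = ['Postfix submissions (zimbra.log):']
    for (user, ip), n, r, hours, senders in top_submitters(parse_postfix(zimbra_log)):
        out.append(f'  {user:<20} {ip:<15} msgs={n:<3} rcpts={r:<4} hours={hours} from={senders}')
    out.append('Web/SOAP activity (mailbox.log):')
    for (name, ip), n, reqs, hours in web_activity(mailbox_log):
        out.append(f'  {name:<20} {ip:<15} reqs={n:<3} {reqs} hours={hours}')
    return '\n'.join(out)


if __name__ == '__main__':
    print(report())
```

On the sample data the Postfix view shows 98 recipients in two messages from 127.0.0.1 with no SASL user at the 00:00 hour, and the mailbox.log view pins that hour to jdoe@example.edu logging in and calling SendMsgRequest from 203.0.113.77, while the legitimate desktop user appears with a local address and one recipient. Once the account and IP are identified, lock the account (zmprov ma user@domain zimbraAccountStatus locked) and reset its password before re-enabling it; the deferred queue still has to be cleared separately, and the midnight login from an unexpected country is the kind of entry worth alerting on going forward.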