Thread: Possible virus causing spam issue

  1. #1
    dljordaneku, Elite Member

    Possible virus causing spam issue

    I think we have a PC on our network that is sending out spam due to a virus, but I can't figure out how to track it down. I have pored through some log files trying to track it down, using the Zimbra log and the audit log. We have been placed on some blacklist and we are deleting out several thousand deferred emails a day due to this.

    Is there any other log file that would track this down better? Any other tips or tricks?

    dj

  2. #2
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by dljordaneku:
    > I think we have a PC on our network that is sending out spam due to a virus, but I can't figure out how to track it down. I have pored through some log files trying to track it down, using the Zimbra log and the audit log. We have been placed on some blacklist and we are deleting out several thousand deferred emails a day due to this.
    >
    > Is there any other log file that would track this down better? Any other tips or tricks?

    Are you sure that the infected machine is actually using your server? Does the daily mail report (you can run that any time) not show you the accounts that are sending lots of mail? The daily mail report is based on pflogsumm and you can get further information from it that might be useful.

    Regards
    Bill

  3. #3
    dljordaneku, Elite Member

    Quote Originally Posted by phoenix:
    > Are you sure that the infected machine is actually using your server? Does the daily mail report (you can run that any time) not show you the accounts that are sending lots of mail? The daily mail report is based on pflogsumm and you can get further information from it that might be useful.

    We are pretty sure. We have two accounts showing up in the daily report, each with over 4k in messages being sent out and about as many being returned as undeliverable back to them. Plus our email server has been blacklisted in some places, so now we can't send email to some ISPs.

    We think someone who is using Outlook has been hit with something and it is spoofing these two addresses. I don't think either of these two users have Outlook running. If they do, they sure didn't set it up if you know what I mean.

    dj

  4. #4
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by dljordaneku:
    > We are pretty sure. We have two accounts showing up in the daily report, each with over 4k in messages being sent out and about as many being returned as undeliverable back to them. Plus our email server has been blacklisted in some places, so now we can't send email to some ISPs.

    Have you checked the machines of these two account owners to see if they are infected, or do they use machines outside your network to send email? If you've identified the two 'suspect' accounts then I'd suggest you make them inactive to see if the spam problem goes down. Is there any other suspicious activity from any other accounts? It is possible a brute force attack could compromise an account via the web UI; do you have a strong password requirement on your Zimbra server?

    Regards
    Bill

  5. #5
    dljordaneku, Elite Member

    Quote Originally Posted by phoenix:
    > Have you checked the machines of these two account owners to see if they are infected, or do they use machines outside your network to send email? If you've identified the two 'suspect' accounts then I'd suggest you make them inactive to see if the spam problem goes down. Is there any other suspicious activity from any other accounts? It is possible a brute force attack could compromise an account via the web UI; do you have a strong password requirement on your Zimbra server?

    To the best of our knowledge, these two users don't have a machine. They just have a Blackberry and maybe check it via the web interface. That's why we were thinking it was someone with Outlook, and it's pulling a name out of their address book and sending using that name. That's why I was wondering if there was a log file that had any information in it where I could see what IP address was sending out a lot of emails. Most of it seems to come from overnight, around midnight. I'm planning on removing that person's POP access tonight and seeing if the problem goes away. But I would like to know if there was any other way of checking.

    dj

  6. #6
    dljordaneku, Elite Member

    Any other options or ideas on this? Something just kicked over 2,000 emails through our queue and most of them are in the deferred state right now. Is there any log file that captures the IP address the emails are coming from?

    dj

  7. #7
    dljordaneku, Elite Member

    OK. I am going to bump this and ask for help again. The PC I thought it might be may not be the problem account. I have run a virus scan on this PC and let Wireshark run overnight on it to monitor the port, and it showed nothing.

    But yet we had to delete over 1k messages from the queue this morning. There has to be something in a log file somewhere that tells me a computer or an account that is accessing the server overnight and sending out these messages.

    dj

  8. #8
    jrefl5, Advanced Member

    Have you looked at zimbra.log for the Message IDs of some of those messages you found in the queue? That will give you an idea of when they are entering the system, along with a hint as to where they are coming from.

    You can then look in mailbox.log, sync.log, etc. around that time frame and see what is happening there.
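
One way to act on this advice, as an added example that is not from the thread or from Zimbra itself: a small Python script that joins the Postfix smtpd and qmgr lines in zimbra.log by queue ID and totals messages and recipients per envelope sender and submitting client IP, so that an account pushing thousands of messages overnight stands out together with the address it authenticated from. The log lines are constructed samples in Postfix syslog format; the recipient threshold and the assumption that webmail submissions show the mailbox server's own address as the client are mine.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix syslog style that zimbra.log carries
# (host names, queue IDs, addresses and IPs are made up for this example).
SAMPLE_LOG = """\
May 12 00:02:11 mail postfix/smtpd[2201]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice@example.com
May 12 00:02:11 mail postfix/qmgr[1890]: 1A2B3C4D5E: from=<alice@example.com>, size=2211, nrcpt=50 (queue active)
May 12 00:02:12 mail postfix/smtpd[2201]: 6F7A8B9C0D: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice@example.com
May 12 00:02:12 mail postfix/qmgr[1890]: 6F7A8B9C0D: from=<alice@example.com>, size=2208, nrcpt=50 (queue active)
May 12 09:15:40 mail postfix/smtpd[2310]: AB12CD34EF: client=mail.example.com[127.0.0.1]
May 12 09:15:40 mail postfix/qmgr[1890]: AB12CD34EF: from=<bob@example.com>, size=900, nrcpt=1 (queue active)
"""

SMTPD_RE = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+ postfix/smtpd\[\d+\]: (\w+): "
                      r"client=\S+\[([^\]]+)\](?:.*sasl_username=(\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def parse_submissions(log_text):
    """Join smtpd (client IP, SASL user) and qmgr (sender, recipient count) lines by queue ID."""
    by_qid = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            hour, qid, ip, user = m.groups()
            by_qid.setdefault(qid, {}).update(hour=int(hour), client_ip=ip, sasl_user=user)
            continue
        m = QMGR_RE.search(line)
        if m:
            qid, sender, nrcpt = m.groups()
            by_qid.setdefault(qid, {}).update(sender=sender, nrcpt=int(nrcpt))
    return [r for r in by_qid.values() if "client_ip" in r and "sender" in r]

def summarize(records):
    """Per (envelope sender, client IP): message count, total recipients, hours seen."""
    out = defaultdict(lambda: {"messages": 0, "recipients": 0, "hours": set(), "sasl_user": None})
    for r in records:
        s = out[(r["sender"], r["client_ip"])]
        s["messages"] += 1
        s["recipients"] += r["nrcpt"]
        s["hours"].add(r["hour"])
        s["sasl_user"] = r["sasl_user"]
    return dict(out)

def suspicious(summary, max_recipients=60):
    """(sender, IP) pairs that exceeded the recipient threshold. A 127.0.0.1 client means
    the mail was handed over by the mailbox server (e.g. webmail), so the real source has
    to be looked up in mailbox.log/audit.log for that account and time window."""
    return sorted(k for k, v in summary.items() if v["recipients"] > max_recipients)
```

Run it over a real zimbra.log (as the zimbra user, on the MTA host) by passing the file contents to parse_submissions; the hours set shows whether the bursts cluster around midnight as described in the thread.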

  9. #9
    dljordaneku, Elite Member

    Quote Originally Posted by jrefl5:
    > Have you looked at zimbra.log for the Message IDs of some of those messages you found in the queue? That will give you an idea of when they are entering the system, along with a hint as to where they are coming from.
    >
    > You can then look in mailbox.log, sync.log, etc. around that time frame and see what is happening there.

    We were looking through some of those this morning and they really don't match up in some cases. And when they do, they match up against a couple of different users. Could be more than one infected, I guess.

    dj

  10. #10
    dljordaneku, Elite Member

    Well, now I know why I was never able to find anything in port scans. Someone was logging in to the web client from overseas and sending out emails that way. Finally, with some serious searching in the log files, we found some entries that showed us where the spam was coming from.

    Can you see a stronger password policy coming up?

    dj
