#1  01-26-2011, 08:35 AM  Active Member (Posts: 39)
Help with compromised server

I was notified by my ISP that my server was reported for spam and I need to correct the problem or face shutdown. Although I've worked with other MTAs in the past, I'm a bit of a Zimbra newb, so I honestly am not sure how to begin tracking down the source of this problem.

I tested to make sure it's not an open relay. I only allow SSL/TLS connections. I checked my trusted networks. From what I gather, I suspect this is coming from a compromised account, but being new to Zimbra I'm confused on how to read the logs.

I checked my daily mail report, but the top senders seem to include ALL senders, not just user accounts. For example, I took a few that were obvious spam senders and tried to egrep them in the logs, but it didn't give me any indication of which account had sent them. I had the COS set to allow sending from any address (which I've now disabled), so I assume the exploiter has taken advantage of this.

I've tried looking into the audit log, but nothing stands out, probably because I'm not entirely sure what to look for. I see the POP3 authentications, but I'm not entirely clear what to look for in relay authentications.

Can somebody please help me get going?
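One way to answer the "which account sent these?" question from the Postfix lines in /var/log/zimbra.log, as an added example that is not part of the original post and not Zimbra's own tooling: grepping for the spam sender address only finds the qmgr `from=<...>` line, but the smtpd line for the same queue ID carries `sasl_username=`, the account that actually authenticated to relay. Joining the two by queue ID ties every envelope sender back to a login, which is exactly what a COS that allows sending from any address otherwise hides. The log lines below are constructed to show the format; the log path, the flagging thresholds and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix syslog lines as they appear in /var/log/zimbra.log
# (not taken from the thread). jdoe's account relays bulk mail with forged
# envelope senders; asmith sends one normal message; the last message is
# inbound from a remote MX with no SASL login at all.
SAMPLE_LOG = """\
Jan 26 03:12:01 mail postfix/smtpd[4021]: 9A1C2B3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=jdoe@example.com
Jan 26 03:12:01 mail postfix/qmgr[1834]: 9A1C2B3D4E: from=<promo@lottery-win.example>, size=4213, nrcpt=48 (queue active)
Jan 26 03:12:03 mail postfix/smtpd[4021]: 9A1C2B3D4F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=jdoe@example.com
Jan 26 03:12:03 mail postfix/qmgr[1834]: 9A1C2B3D4F: from=<offers@pharma-deal.example>, size=3987, nrcpt=50 (queue active)
Jan 26 03:15:44 mail postfix/smtpd[4025]: 9A1C2B3D50: client=desk12.example.com[192.0.2.12], sasl_method=PLAIN, sasl_username=asmith@example.com
Jan 26 03:15:44 mail postfix/qmgr[1834]: 9A1C2B3D50: from=<asmith@example.com>, size=1203, nrcpt=1 (queue active)
Jan 26 03:16:10 mail postfix/smtpd[4027]: 9A1C2B3D51: client=mx.partner.example[198.51.100.7]
Jan 26 03:16:10 mail postfix/qmgr[1834]: 9A1C2B3D51: from=<bob@partner.example>, size=8810, nrcpt=1 (queue active)
"""

# smtpd line: queue ID, connecting client, and (only for authenticated relays) the SASL user.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), .*sasl_username=(?P<user>\S+)"
)
# qmgr line: queue ID, envelope sender and recipient count for the same message.
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def summarize_sasl_senders(log_text):
    """Join smtpd SASL logins to qmgr envelope lines by queue ID.

    Returns {sasl_user: {"messages", "recipients", "from_addresses", "clients"}}.
    Messages with no SASL login (inbound mail, trusted-network relays) are ignored.
    """
    auth = {}  # queue id -> (sasl user, client host[ip])
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "from_addresses": set(), "clients": set()})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            auth[m["qid"]] = (m["user"], m["client"])
            continue
        m = FROM_RE.search(line)
        if m and m["qid"] in auth:
            user, client = auth[m["qid"]]
            s = stats[user]
            s["messages"] += 1
            s["recipients"] += int(m["nrcpt"])
            s["from_addresses"].add(m["sender"])
            s["clients"].add(client)
    return dict(stats)


def suspicious_accounts(stats, max_recipients=100):
    """Flag accounts whose envelope sender is not their own address, or that fan out widely.

    The recipient threshold is an assumed value; tune it to the site's normal volume.
    """
    flagged = []
    for user, s in stats.items():
        foreign = {a for a in s["from_addresses"] if a.lower() != user.lower()}
        if foreign or s["recipients"] >= max_recipients:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize_sasl_senders(SAMPLE_LOG)
    for user in suspicious_accounts(stats):
        s = stats[user]
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, "
              f"from={sorted(s['from_addresses'])}, clients={sorted(s['clients'])}")
```

Run it against the live log and its rotated copies (`cat /var/log/zimbra.log*`), then also check the `clients` set: an office mailbox suddenly authenticating from an unfamiliar network is as telling as the forged sender addresses. Once the account is identified, change its password and lock it before clearing the queue, or the spammer simply reconnects.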
#2  01-26-2011, 08:48 AM  Zimbra Consultant & Moderator (Posts: 20,315)

What exactly did your ISP tell you about the problem (any details)? Are you on any RBLs? Are you on a dynamic IP address? Does your daily mail report show any exceptionally large numbers of email sent by your users?
Regards, Bill
#3  01-26-2011, 08:57 AM  Active Member (Posts: 39)

I'm trying to get better details from them (unfortunately I just have to wait for a ticket reply); they just said my server was reported for large volumes of spam. I've used several tests (i.e., mxtoolbox.com) to check that it is not an open relay, and it is not on any RBLs that I can find. It's a static IP.

The daily mail report doesn't show numbers that I would consider exceptional, and certainly not from any particular user account. That's why I'm scratching my head a bit.
#4  01-26-2011, 09:04 AM  Zimbra Consultant & Moderator (Posts: 20,315)

Quote (Originally Posted by amnesia):
I'm trying to get better details from them (unfortunately I just have to wait for a ticket reply); they just said my server was reported for large volumes of spam. I've used several tests (i.e., mxtoolbox.com) to check that it is not an open relay, and it is not on any RBLs that I can find. It's a static IP.

The daily mail report doesn't show numbers that I would consider exceptional, and certainly not from any particular user account. That's why I'm scratching my head a bit.
Me too. Without any specific details it's hard to give you any useful advice. As a temporary measure you could relay your mail through another server (your ISP for example) until you get a reply from them about your current problem. Do you actually use any RBLs on your server?
Regards, Bill
#5  01-26-2011, 09:10 AM  Active Member (Posts: 39)

Yes:

dsn.rfc-ignorant.org
zen.spamhaus.org
dul.dnsbl.sorbs.net
bl.spamcop.net

I don't know what else to check, I'm just going to wait for their response. I was just trying to be pro-active. Thanks for the replies.
#6  01-27-2011, 06:38 AM  Moderator (Posts: 1,209)

You are right that until you know the reason for the server being reported as a spam source it is hard to do anything about it!

We subscribe to a paid service called DNSStuff that checks a gazillion blacklists at one time, and provides links to those blacklists' IP checkers. The subscription for their Professional tool set is good value and is especially helpful for sorting out the difficult "User A didn't get User B's email, why?" questions, which are sometimes DNS-related instead of blacklist-related.

But at the moment, I'd start with the major spam blockers and run your server's IP address through their checkers. Their checkers will tell you if you are being blacklisted and if so, why.

Here are a few:
http://www.spamhaus.org/lookup.lasso
AT&T
AOL Postmaster | Postmaster

Abuse.net also runs an open relay test here:
Mail relay testing

Hope that helps,
Mark
L. Mark Stone, CIO
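The blacklist checks in posts #2, #5 and #6 can be scripted directly instead of visited one web form at a time. This is an added example, not code from the thread or from any of the listed services: a DNSBL is queried by reversing the IP's octets and looking up an A record under the zone, and a listed address answers with a 127.0.0.x code whose meaning is zone-specific. The code meanings below are Spamhaus's published ZEN return codes; the resolver is injectable so the logic can be exercised offline, and the IPs and the fake answers used for that are constructed.

```python
import ipaddress
import socket

# The zones the original poster reported using.
THREAD_ZONES = [
    "dsn.rfc-ignorant.org",
    "zen.spamhaus.org",
    "dul.dnsbl.sorbs.net",
    "bl.spamcop.net",
]

# Spamhaus ZEN return codes (per Spamhaus documentation). A compromised mailbox
# relaying spam typically shows up in the XBL range (127.0.0.4 to 127.0.0.7) or SBL CSS.
ZEN_CODES = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised host",
    "127.0.0.4": "XBL: infected or hijacked host (CBL data)",
    "127.0.0.5": "XBL: infected or hijacked host",
    "127.0.0.6": "XBL: infected or hijacked host",
    "127.0.0.7": "XBL: infected or hijacked host",
    "127.0.0.10": "PBL: ISP-maintained policy block (dynamic space)",
    "127.0.0.11": "PBL: Spamhaus-maintained policy block",
}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects: 203.0.113.5 -> 5.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Real resolver: A records for name, or [] when NXDOMAIN (i.e. not listed)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_dnsbls(ip, zones=THREAD_ZONES, resolver=resolve_a):
    """Return {zone: [return codes]} for every zone that lists ip."""
    listed = {}
    for zone in zones:
        codes = resolver(dnsbl_query_name(ip, zone))
        if codes:
            listed[zone] = codes
    return listed


def describe(zone, code):
    """Human-readable meaning of a return code; only ZEN codes are decoded here."""
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(code, f"unknown ZEN code {code}")
    return f"listed (return code {code})"


if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"  # 127.0.0.2 is the standard "always listed" test address
    hits = check_dnsbls(ip)
    if not hits:
        print(f"{ip}: not listed in {len(THREAD_ZONES)} zones")
    for zone, codes in hits.items():
        for code in codes:
            print(f"{ip}: {zone} -> {describe(zone, code)}")
```

Querying 127.0.0.2 first is a useful sanity check, since every conventional DNSBL lists that address; a resolver that returns nothing for it is not reaching the zones at all (some DNSBLs refuse queries from large public resolvers). Run the check for the server's public IP from a host whose resolver is not itself rate-limited, and repeat it after cleanup, because delisting in ZEN's XBL range happens only once the source stops.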