
Thread: Help with compromised server

  1. #1
    amnesia (Senior Member)

    Help with compromised server

    I was notified by my ISP that my server was reported for spam and I need to correct the problem or face shutdown. Although I've worked with other MTAs in the past, I'm a bit of a Zimbra newb, so I honestly am not sure how to begin tracking down the source of this problem.

    I tested to make sure it's not an open relay. I only allow SSL/TLS connections. I checked my trusted networks. From what I gather, I suspect this is coming from a compromised account, but being new to Zimbra I'm confused about how to read the logs.

    I checked my daily mail report, but the top senders seem to include ALL senders, not just user accounts. For example, I took a few that were obvious spam senders and tried to egrep them in the logs, but it didn't give me any indication of which account had sent them. I had the COS set to allow sending from any address (which I've now disabled), so I assume the exploiter has taken advantage of this.

    I've tried looking into the audit log, but nothing stands out, probably because I'm not entirely sure what to look for. I see the POP3 authentications, but I'm not entirely clear what to look for in relay authentications.

    Can somebody please help me get going?
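    The question in this post is which authenticated account the spam was submitted through, which the envelope sender alone will not tell you when a COS permits sending from any address. Postfix (which Zimbra uses as its MTA) records the authenticated login on the smtpd "client=" line as sasl_username, and the envelope sender and recipient count on the qmgr line for the same queue id; joining the two on the queue id gives a per-account picture. The script below is an added example, not part of this thread; it assumes the standard Postfix log format as written to /var/log/zimbra.log and runs over a few constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix format Zimbra writes to /var/log/zimbra.log.
# bob's login submits from a foreign envelope sender, from two client IPs, to 250 recipients each.
SAMPLE_LOG = """\
Jun  5 10:12:01 mail postfix/smtpd[4021]: 7A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  5 10:12:01 mail postfix/qmgr[3990]: 7A1B2C3D4E: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jun  5 10:12:07 mail postfix/smtpd[4021]: 8B2C3D4E5F: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob@example.com
Jun  5 10:12:07 mail postfix/qmgr[3990]: 8B2C3D4E5F: from=<promo@lottery.invalid>, size=5120, nrcpt=250 (queue active)
Jun  5 10:12:09 mail postfix/smtpd[4022]: 9C3D4E5F60: client=unknown[198.51.100.78], sasl_method=LOGIN, sasl_username=bob@example.com
Jun  5 10:12:09 mail postfix/qmgr[3990]: 9C3D4E5F60: from=<promo@lottery.invalid>, size=5120, nrcpt=250 (queue active)
"""

# smtpd line: queue id, connecting client, and the SASL login used to authenticate
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), .*sasl_username=(?P<user>\S+)")
# qmgr line: queue id, envelope sender, and number of recipients
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize_sasl_senders(log_text):
    """Join smtpd auth lines to qmgr lines by queue id; return per-login volume and sender facts."""
    auth_by_qid = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            auth_by_qid[m["qid"]] = (m["user"], m["client"])
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set(), "envelope_senders": set()})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m or m["qid"] not in auth_by_qid:
            continue  # not an authenticated submission we saw a login for
        user, client = auth_by_qid[m["qid"]]
        s = stats[user]
        s["messages"] += 1
        s["recipients"] += int(m["nrcpt"])
        s["client_ips"].add(client)
        s["envelope_senders"].add(m["sender"])
    return dict(stats)

def suspicious_accounts(stats, max_recipients=100):
    """Flag logins that sent as an envelope address other than their own, or fanned out past max_recipients."""
    flagged = []
    for user, s in stats.items():
        mismatch = any(sender.lower() != user.lower() for sender in s["envelope_senders"])
        if mismatch or s["recipients"] > max_recipients:
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    for user, s in summarize_sasl_senders(SAMPLE_LOG).items():
        print(user, s["messages"], "msgs", s["recipients"], "rcpts", sorted(s["client_ips"]), sorted(s["envelope_senders"]))
    print("flag:", suspicious_accounts(summarize_sasl_senders(SAMPLE_LOG)))
```

    A flagged account is the one to lock and re-credential; the distinct client IPs per login also show whether the submissions came from the user's usual location or from elsewhere.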

  2. #2
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    What exactly did your ISP tell you about the problem (any details)? Are you on any RBLs? Are you on a dynamic IP address? Does your daily mail report show any exceptionally large numbers of email sent by your users?
    Regards
    Bill

  3. #3
    amnesia (Senior Member)

    I'm trying to get better details from them (unfortunately I just have to wait for a ticket reply); they just said my server was reported for large volumes of spam. I've used several tests (i.e., mxtoolbox.com) to check that it is not an open relay, and it is not on any RBLs that I can find. It's a static IP.

    The daily mail report doesn't show numbers that I would consider exceptional, and certainly not from any particular user account. That's why I'm scratching my head a bit.

  4. #4
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by amnesia:
        I'm trying to get better details from them (unfortunately I just have to wait for a ticket reply); they just said my server was reported for large volumes of spam. I've used several tests (i.e., mxtoolbox.com) to check that it is not an open relay, and it is not on any RBLs that I can find. It's a static IP.

        The daily mail report doesn't show numbers that I would consider exceptional, and certainly not from any particular user account. That's why I'm scratching my head a bit.

    Me too. Without any specific details it's hard to give you any useful advice. As a temporary measure you could relay your mail through another server (your ISP for example) until you get a reply from them about your current problem. Do you actually use any RBLs on your server?
    Regards
    Bill

  5. #5
    amnesia (Senior Member)

    Yes:

    dsn.rfc-ignorant.org
    zen.spamhaus.org
    dul.dnsbl.sorbs.net
    bl.spamcop.net

    I don't know what else to check; I'm just going to wait for their response. I was just trying to be proactive. Thanks for the replies.

  6. #6
    LMStone (Moderator, Portland, ME)

    You are right that until you know the reason for the server being reported as a spam source it is hard to do anything about it!

    We subscribe to a paid service called DNSStuff that checks a gazillion blacklists at one time, and provides links to those blacklists' IP checkers. The subscription for their Professional tool set is good value and is especially helpful sorting out the difficult "User A didn't get User B's email, why?" questions, which are sometimes DNS related instead of blacklist related.

    But at the moment, I'd start with the major spam blockers and run your server's IP address through their checkers. Their checkers will tell you if you are being blacklisted and if so, why.

    Here are a few:
    http://www.spamhaus.org/lookup.lasso
    AT&T
    AOL Postmaster | Postmaster

    Abuse.net also runs an open relay test here:
    Mail relay testing

    Hope that helps,
    Mark
