Email Server Sending Spam

[profediego]

Hi,
My zimbra mail server is spamming. I know because of the reports, from daily reports.

The thing is, its an outside account of my domain, a gmail account, i already modify zmmta.cf so it only accept sending emails from my domain, but the spam continue to go out.

I try following the logs, zimbra.log, audit.log and mail.log, but i cant see which is the user account that has been compromised.

Could somebody point me in the rigth direction to determine which user account is being used to spam, any help would be apreciate it.

regards.

[Krishopper]

In your spam reports, are you being provided with a message-id header that you can search /var/log/zimbra.log for?

[raj]

generally a compromised account's SMTP AUTH is used to relay email (unless your internal network in infected which is in trusted network)

run the following which will spit out all the SMTP AUTH logins

Quote:

tail -n 100000 /var/log/maillog | grep "sasl_username=" > /tmp/smtpauthlogins.txt

A smapmmer's patters will be a lots of logins you can easily see it repeating many times..that account or accounts is your problem.

Raj

[profediego]

Hi,
Thanks raj and Krishopper, i was able to determined the user account compromised.

I already implemented new rules about passwords and how often should the user have to change it.

thanks a lot

regards.

[browland]

I do not have any entries for "sasl_username=" in mail.log

I have the same issue with spamming. I can stop it from the queue, but our server contiues to send 1,000's of emails every night around 10pm and 6am local time.

[phoenix]

Quote:

Originally Posted by browland

I do not have any entries for "sasl_username=" in mail.log

I have the same issue with spamming. I can stop it from the queue, but our server contiues to send 1,000's of emails every night around 10pm and 6am local time.

You can also look at the daily mail report and determine which account is sending the most mail. You should also consider implementing a more secure password policy.