Outgoing spam

[mrdebian]

Hello all,

I've got a few abuse reports recently and while checking those reports it seems that someone is using my Zimbra (7 open source) installation to spam the world.

I can't figure out how to prevent this as from the report all I can see is a few addresses (not mine). Example (I've replace my up with myip and my domain with mydomain.com):

Return-Path: <gfrankpm@sns.nl>
X-Original-To: prisma.gegenwart@kraftschlag.biz
Received: from webmail.mydomain.com (webmail.mydomain.com [myip])
by mx.dlcp.de (Spamtrap) with ESMTP
for prisma.gegenwart@kraftschlag.biz; Mon, 04 Apr 2011 08:25:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by webmail.mydomain.com (Postfix) with ESMTP id AA8162103B73
for <prisma.gegenwart@kraftschlag.biz>; Sun, 3 Apr 2011 20:35:13 +0300 (EEST)
X-Virus-Scanned: amavisd-new at mydomain.com
Received: from webmail.mydomain.com ([127.0.0.1])
by localhost (webmail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 9I4ky1axFAvx for <prisma.gegenwart@kraftschlag.biz>;
Sun, 3 Apr 2011 20:35:13 +0300 (EEST)
Received: from Milkyway (accountancywales.plus.com [212.159.29.33])
by webmail.mydomain.com (Postfix) with ESMTPA id 9AD2F20F6B82
for <prisma.gegenwart@kraftschlag.biz>; Sun, 3 Apr 2011 19:05:58 +0300 (EEST)
From: "Frank P M" <gfrankpm@sns.nl>
Subject: Sehr dringend
To: prisma.gegenwart@kraftschlag.biz
MIME-Version: 1.0
Reply-To: frankmp@gmx.com

Any help is much appreciated.

[phoenix]

Have you checked to see if you have a compromised account on the server?

[mrdebian]

The output doesn't show any account with large number

Thanks

Have you checked to see if you have a compromised account on the server?

[mrdebian]

But if I run the same command and use a domain that has nothing to do with me (the spammed domain) then I'm getting:

cat /var/log/zimbra.log | sed -n "s/.*from=<\(.*\)@sns.nl>.*/\1/p" | uniq -c

125138 gfrankpm

but there is no such a user (gfrankpm) into my db.

How can I prevent this from sending spams?

Thanks in advance

[mickier]

Have you found it yet?
I have had a similar problem, and it turned out to be a compromised account - a user responded to a phishing email and gave out their password...
have you looked at your daily mail report (auto-sent to admin@yourdomain every night)? It will show who's account is sending out the emails...

If it simply shows the emails come from "localhost", it probably means that the emails are originating from your web-client. Many times the perpetrator will alter the "from" field, to make it harder for you to figure out which user's account it is...

In my case, they had dorked with the signature, so it was easy to confirm that I had found the account...

[Saaidi]

but then, what will you do to the account, is it simply close the account?

Actually i have similar case "western union" spam currently infecting one of email account, so i would like to block any western union subject from that account to be sent out..how to do that ??