My Mailserver is spamming.

[amolchawathe]

Hello Friends,

Can someone help me figure out a way to stop emails going from php scripts.

All emails which are triggered from local machine need to be stopped urgently since there seems to be some kind of a script which is being triggered either through php or pl which starts sending about 10000 emails an hour.

I need to first block emails from

localhost.localdomain so that we can keep our mail server working and just allow users created from zimbra to send emails.

Please help.

[amolchawathe]

Hello Friends,

Can someone help me figure out a way to stop emails going from php scripts.

All emails which are triggered from local machine need to be stopped urgently since there seems to be some kind of a script which is being triggered either through php or pl which starts sending about 10000 emails an hour.

I need to first block emails from

localhost.localdomain so that we can keep our mail server working and just allow users created from zimbra to send emails.

Please help.

Please can someone help

[first]

I'm not sure what you want to achieve and why you can't stop your local server (localhost) to send emails.

Some solutions:
1. Login in Admin console and in MTA config, there should be one config for Local network IP addresses. Remove the local IPs (but not only 127.0.0.1 because you don't know if the script is using 127.0.0.1 or other local IP on the machine). Doing that means that the script should not be able to send emails without authentication. Bear in mind that it might affect other ZCS functionality.
2. Use local firewall to block SMTP port 25 (which I believe is used by the script). You should block it for all connections coming from 127.0.0.1 and other local IPs (because you don't know which IP is used by the script).

Hope it helps.

Cheers,
first

[Labsy]

I'd first require all users to authenticate SMTP for sending, so you will have control over who sends how much (daily report sent to admin@yourzimbraserver)

[Yves Pires]

probably a virus/bot sending massive emails

use:

watch --interval=1 'tail -n1000 /var/log/auth.log | grep 'auth_zimbra:''

to see which account is compromised

[wndege]

Can someone help me to stop local.domail from sending spams.

[phoenix]

Can someone help me to stop local.domail from sending spams.

Not really, you haven't given any information or examples of your problem. A default installation of Zimbra does not send spam and is not an open relay - you need to describe exactly what your problem is.

[wndege]

My mail server is sending out over 10000 mails using ip address 127.0.0.1. Is there away that any mail coming from 127.0.0.1 can be dropped automatically.

Regards,
Walter

[phoenix]

My mail server is sending out over 10000 mails using ip address 127.0.0.1. Is there away that any mail coming from 127.0.0.1 can be dropped automatically.

That's not really much of a description nor any evidence. If, however, there really is spam being sent from your server then you either have a compromised mail account or a user on your LAN has an infected machine. Search the forums for further details of those two problems or start here: site:zimbra.com +"compromised account" - Yahoo! Search Results

[soba@ukw.edu.pl]

ZCS is the default MTA postfix OpenRelay server.

Telnet from outside the network:

Half OpenRelay sample:
TELNET myzimbrahost.foo.bar 25
EHLO helo.com
MAIL FROM:<user@mydomain.foo.bar>
RCPT TO:<user2@mydomain.foo.bar>
DATA.

FullOpenRelay sample - default zimbra config.
TELNET myzimbrahost.foo.bar 25
EHLO helo.com
MAIL FROM:<user@notmydomain.foo.bar>
RCPT TO:<user2@notmydomain2foo.bar>
DATA.

FullOpenRelay sample - default zimbra config.
TELNET myzimbrahost.foo.bar 25
EHLO helo.com
MAIL FROM:<user@notmydomain.foo.bar>
RCPT TO:<user@mydomain.foo.bar>
DATA.

Solution:

Modify (zimbra user) postconf -e restriction (eg. sender, reciptioen, helo and data) and zmprov mc default postfix restrition paremeters. See also /opt/zimbra/postfix/conf/master.cf.in

Default postfix restrictions (sample):
smtpd_client_restrictions = permit_sasl_authenticated, permit
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access dbm:/opt/csw/etc/postfix/sender_checks_my, reject_non_fqdn_sender, reject_unknown_recipient_domain, permit
smtpd_restriction_classes =
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unverified_sender, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address, reject_sender_login_mismatch, reject_unauth_pipelining, reject_rbl_client sbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org=127.0.0.2, reject_rbl_client xbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org=127.0.0.4, reject_rbl_client xbl.spamhaus.org=127.0.0.5, reject_rbl_client xbl.spamhaus.org=127.0.0.6, reject_rbl_client pbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org=127.0.0.10, reject_rbl_client pbl.spamhaus.org=127.0.0.11, reject_rbl_client zen.spamhaus.org, reject_rbl_client zen.spamhaus.org=127.0.0.2, reject_rbl_client zen.spamhaus.org=127.0.0.4, reject_rbl_client zen.spamhaus.org=127.0.0.5, reject_rbl_client zen.spamhaus.org=127.0.0.6, reject_rbl_client zen.spamhaus.org=127.0.0.7, reject_rbl_client zen.spamhaus.org=127.0.0.8, reject_rbl_client zen.spamhaus.org=127.0.0.10, reject_rbl_client zen.spamhaus.org=127.0.0.11, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dnsbl.sorbs.net=127.0.0.2, permit

RBL is too restrictive.