Post #1 - 09-21-2011, 05:30 AM
Zimbra server sends out spam messages

Hi Zimbra lovers,

I have an odd problem which started a while ago. My domain has around 1300 e-mail users, but few of them are online concurrently.

I often check /var/log/maillog for abnormal e-mail activity. Yesterday I noticed that the maillog file had 2 million lines, which is too many for a rather small number of active e-mail users. Also there was too much SMTP activity on the server, which is not normal. I found more than 1500 e-mails in the deferred queue, meaning spam messages were being sent from the e-mail server. Spam messages were being sent from a valid user to a dictionary list of e-mails, as shown in the log below. The log shows that the SMTP connection originates from localhost.

--- Does it mean that the server is compromised? The user had a weak password, but still, I know that the user has no local shell access.

--- Why doesn't Zimbra bypass local mail spam check? I tested sending e-mail to my Yahoo account and saw that the mail bypasses the spam check.

--- Does "relay=127.0.0.1[127.0.0.1]:10024" mean that the e-mail is sent locally?

Also the log shows the mail flow from [127.0.0.1]:10025 to [127.0.0.1]:10024, which I think is forwarded to amavisd but not spam checked???

How do you think I can stop further spam mania problems?


Thanks for your help.


#su - zimbra -c "zmcontrol -v"
Release 6.0.7_GA_2473.F11_64_20100616200802 F11_64 FOSS edition.




/var/log/maillog
==================================================

Sep 19 07:11:47 host postfix/smtpd[21828]: CF2AD2C2006: client=localhost[127.0.0.1]
Sep 19 07:11:48 host postfix/smtpd[21832]: connect from localhost[127.0.0.1]
Sep 19 07:11:48 host postfix/cleanup[21831]: CF2AD2C2006: message-id=<2008561551.2.1316405500902.JavaMail.root@host.mydomain.org>
Sep 19 07:11:48 host postfix/qmgr[11782]: CF2AD2C2006: from=<validuser@mydomain.org>, size=1339, nrcpt=50 (queue active)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_cowboy63@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_de_la_muerte@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_heaven@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_klaha_@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_lidia@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_loose_e@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_lou_albert@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_love18@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifer_lover_fj@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<lucifergodoy@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_heaven@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.2, delays=0.74/1.1/0.9/0.43, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_lover_fj@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.3, delays=0.74/1.1/0.9/0.55, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_lutxi@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.3, delays=0.74/1.1/0.9/0.59, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<lucifer_orhun@hotmail.com>, relay=mx2.hotmail.com[65.55.92.168]:25, delay=3.4, delays=0.74/1.1/0.9/0.62, dsn=5.0.0, status=bounced (host mx2.hotmail.com[65.55.92.168] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:51 host postfix/smtp[21850]: 86ADD2C2004: to=<lucierodoz@hotmail.com>, relay=mx4.hotmail.com[65.55.92.184]:25, delay=3.7, delays=2.1/0.62/0.63/0.37, dsn=5.0.0, status=bounced (host mx4.hotmail.com[65.55.92.184] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))


/opt/zimbra/conf/salocal.cf
==================================================

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 1.5

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.5

trusted_networks 127.0.0.0/8 10.0.0.0/24 192.168.1.0/24
lock_method flock

rewrite_header Subject *SPAM* _STARS(*)_
bayes_auto_learn 1
bayes_min_spam_num 60
bayes_min_ham_num 60
clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
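A detection pass over the maillog pattern shown above, added here as an example and not taken from the thread or from Zimbra: it parses the Postfix qmgr and smtp lines, ignores the local 127.0.0.1:10024 amavisd hop (which always reports "sent"), and flags a sender whose queued messages carry many recipients and whose remote deliveries mostly bounce with 550 "mailbox unavailable". The sample log is constructed in the thread's format; recipient and relay names are placeholders.

```python
import re
from collections import defaultdict

# Postfix log shapes from the thread: a qmgr line names the sender and recipient
# count of a queued message; each smtp line is one delivery attempt and its status.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>, relay=([^,]+),.*status=(\w+)")
# relay=127.0.0.1:10024 is the local amavisd hop; it always reports 'sent', so only
# deliveries to other relays say anything about whether remote mailboxes exist.
AMAVIS_HOP = "127.0.0.1[127.0.0.1]:10024"

def summarize_senders(lines):
    """Per sender: queued messages, queued recipients, remote deliveries, bounces."""
    sender_of, remote = {}, []
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "remote": 0, "bounced": 0})
    for line in lines:
        if m := QMGR_RE.search(line):
            qid, sender, nrcpt = m.groups()
            sender_of[qid] = sender
            stats[sender]["messages"] += 1
            stats[sender]["recipients"] += int(nrcpt)
        elif (m := SMTP_RE.search(line)) and m.group(2) != AMAVIS_HOP:
            remote.append((m.group(1), m.group(3)))
    for qid, status in remote:  # second pass: smtp lines may precede their qmgr line
        if qid in sender_of:  # pre-filter queue IDs with no qmgr line here are skipped
            stats[sender_of[qid]]["remote"] += 1
            stats[sender_of[qid]]["bounced"] += int(status == "bounced")
    return dict(stats)

def flag_dictionary_spam(lines, min_rcpt_per_msg=20, min_bounce_ratio=0.5, min_remote=3):
    """Senders with many recipients per message whose remote deliveries mostly bounce."""
    flagged = {}
    for sender, s in summarize_senders(lines).items():
        if s["remote"] < min_remote:
            continue
        ratio = s["bounced"] / s["remote"]
        if s["recipients"] / s["messages"] >= min_rcpt_per_msg and ratio >= min_bounce_ratio:
            flagged[sender] = dict(s, bounce_ratio=round(ratio, 2))
    return flagged

# Constructed sample in the thread's maillog format (recipients/relays are placeholders).
SAMPLE_LOG = """\
Sep 19 07:11:48 host postfix/qmgr[11782]: CF2AD2C2006: from=<validuser@mydomain.org>, size=1339, nrcpt=50 (queue active)
Sep 19 07:11:48 host postfix/smtp[21818]: 1330C2C2002: to=<r1@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.6, delays=2.5/0.16/0.02/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10575-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CF2AD2C2006)
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<r1@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=3.2, delays=0.74/1.1/0.9/0.43, dsn=5.0.0, status=bounced (host mx.example.com[192.0.2.10] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:51 host postfix/smtp[21846]: CF2AD2C2006: to=<r2@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=3.3, delays=0.74/1.1/0.9/0.55, dsn=5.0.0, status=bounced (host mx.example.com[192.0.2.10] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Sep 19 07:11:52 host postfix/smtp[21846]: CF2AD2C2006: to=<r3@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=3.5, delays=0.74/1.1/0.9/0.70, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep 19 07:12:03 host postfix/qmgr[11782]: A1B2C3D4E5F: from=<alice@mydomain.org>, size=812, nrcpt=1 (queue active)
Sep 19 07:12:04 host postfix/smtp[21850]: A1B2C3D4E5F: to=<bob@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.1, delays=0.3/0.2/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
""".splitlines()
```

Run against a real maillog with `flag_dictionary_spam(open("/var/log/maillog"))`; the thresholds are starting points and should be tuned to the site's normal recipient counts and bounce rate.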
Post #2 - 09-23-2011, 04:45 AM

Hi all,

It turned out a weak password was the reason for the spam messages. Although /var/log/maillog does not give any info about the client IP, Zimbra audit.log gives detailed info about the SMTP connection. And rootkit checks returned clean.

But still I can't find a way to spam check 'trusted' networks.