#1  10-17-2011, 04:22 AM
Intermediate Member (Posts: 22)

[Please Help] Mail Log is very large and found below log message

Hi all,

It looks like our server has become an open relay server? There are more than 10 messages per second to our mail server. Please help, it's urgent, and the maillog file is almost too large to open now.

And 1 more question, how do you clear the log message within the maillog file?

Thanks very much for your help in advance.

Maillog size:
-rw------- 1 root root 6386851607 Oct 17 19:22 maillog


Message from Maillog
Oct 17 19:20:44 ms1 postfix/error[29220]: 0E1819991B13: to=<crazyodb@yahoo.com>, relay=none, delay=2948, delays=2938/10/0/0.01, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.139.175.224] refused to talk to me: 421 4.7.0 [TS01] Messages from 203.185.55.211 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct 17 19:20:44 ms1 postfix/error[29220]: 0E1819991B13: to=<crazzkc24@yahoo.com>, relay=none, delay=2948, delays=2938/10/0/0.02, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.139.175.224] refused to talk to me: 421 4.7.0 [TS01] Messages from 203.185.55.211 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct 17 19:20:44 ms1 postfix/smtp[27218]: connect to homail.com[64.4.6.100]:25: Connection timed out
Oct 17 19:20:44 ms1 postfix/qmgr[27145]: 3B2569991C68: from=<postmaster@domain.com>, size=2750, nrcpt=49 (queue active)
Oct 17 19:20:44 ms1 postfix/error[28139]: A1C0A998139B: to=<bselewis2@bellsouth.net>, relay=none, delay=152586, delays=152575/10/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
Oct 17 19:20:44 ms1 postfix/error[28139]: A1C0A998139B: to=<bsgoodman04@bellsouth.net>, relay=none, delay=152586, delays=152575/10/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
Oct 17 19:20:44 ms1 postfix/smtp[27212]: connect to cluster8.us.messagelabs.com[216.82.241.99]:25: Connection refused
Oct 17 19:20:44 ms1 postfix/qmgr[27145]: 55DAC99918CD: from=<info@mcycd.gov.ae>, size=2497, nrcpt=50 (queue active)
Oct 17 19:20:44 ms1 postfix/error[28829]: 7DECC9981840: to=<david03lewis@bellsouth.net>, relay=none, delay=146369, delays=146358/10/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
Oct 17 19:20:44 ms1 postfix/error[28829]: 7DECC9981840: to=<david_roylston@bellsouth.net>, relay=none, delay=146369, delays=146358/10/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
Oct 17 19:20:44 ms1 postfix/error[28829]: 7DECC9981840: to=<david_sachs@bellsouth.net>, relay=none, delay=146369, delays=146358/10/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-203.185.55.211 blocked by ldapu=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See AT&T)
Oct 17 19:20:44 ms1 postfix/smtp[27475]: 90CE99990F5F: to=<3dkstarkey@tampabay.rr.com>, relay=hrndva-smtpin02.mail.
#2  10-17-2011, 04:41 AM
Zimbra Consultant & Moderator (Posts: 20,315)

Quote (Originally Posted by Solt):
It looks like our server had become an open relay server?
It isn't, unless you've made it one. You can search the internet for a site (actually, lots of them) that will test whether your server is an open relay.

The likelihood is that it's possibly a compromised account. Search the forums for the words 'compromised account' and you'll find details on how to track down the account. You should also implement strong passwords on your server to prevent this in future.
__________________
Regards
Bill
#3  10-17-2011, 07:09 PM
Intermediate Member (Posts: 22)

Thanks for your reply.

When I do tail -n 100000 /var/log/maillog | grep "sasl_username="

Most of them are root


Oct 18 10:07:05 ms1 postfix/smtpd[5050]: 1F69B999383F: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:05 ms1 postfix/smtpd[23590]: 2899D999384C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:05 ms1 postfix/smtpd[9992]: 6E6879993867: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:06 ms1 postfix/smtpd[10520]: 090389993873: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:06 ms1 postfix/smtpd[12651]: 52AF49993B02: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:07 ms1 postfix/smtpd[4990]: 2D6E39993B11: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:07 ms1 postfix/smtpd[6993]: 9A4F69993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:08 ms1 postfix/smtpd[12679]: B451D9993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:08 ms1 postfix/smtpd[13426]: CB8F39993B56: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:08 ms1 postfix/smtpd[2795]: CC7BA9993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:09 ms1 postfix/smtpd[12929]: 307329993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:10 ms1 postfix/smtpd[11491]: E32599993B44: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:11 ms1 postfix/smtpd[4104]: 43EC19993B66: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:11 ms1 postfix/smtpd[4061]: 483979993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:11 ms1 postfix/smtpd[13168]: 5358D9993B6A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:11 ms1 postfix/smtpd[1489]: 6928C9993B6B: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:12 ms1 postfix/smtpd[13424]: A36F79993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:13 ms1 postfix/smtpd[11492]: 963919993B73: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:15 ms1 postfix/smtpd[10448]: 2E7589993B78: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:16 ms1 postfix/smtpd[11144]: B20C899934F5: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:16 ms1 postfix/smtpd[3944]: C18DF999375F: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:18 ms1 postfix/smtpd[12930]: 8A72D9993867: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:18 ms1 postfix/smtpd[13427]: C01379993873: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:18 ms1 postfix/smtpd[9993]: D36D39993B02: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:19 ms1 postfix/smtpd[9992]: 19A6D9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:19 ms1 postfix/smtpd[10520]: B2C5C999383F: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:19 ms1 postfix/smtpd[23590]: CBF229993B89: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:20 ms1 postfix/smtpd[12310]: 02E2B9993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:20 ms1 postfix/smtpd[12651]: F310B9993B57: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:21 ms1 postfix/smtpd[5050]: 553989993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:22 ms1 postfix/smtpd[4990]: 8294D9993B62: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:22 ms1 postfix/smtpd[12929]: 85AB39993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:22 ms1 postfix/smtpd[6993]: 8E5579993B8C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:22 ms1 postfix/smtpd[12679]: D22A19993B6B: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:25 ms1 postfix/smtpd[2795]: 054339993B66: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:25 ms1 postfix/smtpd[13426]: 120089993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:25 ms1 postfix/smtpd[4104]: 1B3229993B8E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:25 ms1 postfix/smtpd[13168]: 271869993B91: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:25 ms1 postfix/smtpd[1489]: 6282E9993B95: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:26 ms1 postfix/smtpd[13424]: 5F3539993B44: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:28 ms1 postfix/smtpd[4061]: 0EEFA9993B73: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:28 ms1 postfix/smtpd[10448]: B735F9993B78: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:30 ms1 postfix/smtpd[11491]: 5B39E9993867: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:32 ms1 postfix/smtpd[11492]: 2E500999383F: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:32 ms1 postfix/smtpd[12930]: 5C8459993873: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:32 ms1 postfix/smtpd[9993]: 72ECA9993B02: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:32 ms1 postfix/smtpd[13427]: 9663F9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:33 ms1 postfix/smtpd[12310]: 6A2809993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:33 ms1 postfix/smtpd[10520]: 910619993B57: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:34 ms1 postfix/smtpd[9992]: AC4B09993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:34 ms1 postfix/smtpd[12651]: EBD7D9993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:36 ms1 postfix/smtpd[5050]: 082599993B66: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:36 ms1 postfix/smtpd[12929]: 218ED9993B8C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:36 ms1 postfix/smtpd[6993]: 71CED9993CB9: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:38 ms1 postfix/smtpd[2795]: 842AD99935A1: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:38 ms1 postfix/smtpd[4104]: 9930D9993B44: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:38 ms1 postfix/smtpd[1489]: B6E519993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:38 ms1 postfix/smtpd[13168]: B7A2E9993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:38 ms1 postfix/smtpd[3944]: F32FE9993B8E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:39 ms1 postfix/smtpd[13424]: 687D39993B91: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:39 ms1 postfix/smtpd[4990]: F20E49993B95: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:41 ms1 postfix/smtpd[13426]: 31B6F9993CBE: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:41 ms1 postfix/smtpd[11144]: 4E7A99993CC1: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:42 ms1 postfix/smtpd[10448]: 3C4899993CC3: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:44 ms1 postfix/smtpd[16161]: 03A28999375F: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:44 ms1 postfix/smtpd[11492]: 46FDB999383F: client=ipe-26.ipehk.local[10.0.85.216], sasl_method=LOGIN, sasl_username=chloechan
Oct 18 10:07:44 ms1 postfix/smtpd[23590]: 6B2459993867: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:45 ms1 postfix/smtpd[13427]: C466A9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:45 ms1 postfix/smtpd[12930]: E6E969993B57: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:45 ms1 postfix/smtpd[9993]: E70339993CC5: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:46 ms1 postfix/smtpd[11491]: 3F1149993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:46 ms1 postfix/smtpd[12310]: A2BFF9993B69: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:47 ms1 postfix/smtpd[10520]: 390D09993B5A: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:47 ms1 postfix/smtpd[9992]: 3F8C89993CC6: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:48 ms1 postfix/smtpd[12679]: 71C679993B89: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:48 ms1 postfix/smtpd[5050]: 86CE39993CB9: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:49 ms1 postfix/smtpd[12929]: B6D159993CC8: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:49 ms1 postfix/smtpd[6993]: BF8069993CCA: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:50 ms1 postfix/smtpd[11492]: 416EA9993CCB: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:52 ms1 postfix/smtpd[2795]: 14C0999935A1: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:52 ms1 postfix/smtpd[4104]: 704D79993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:52 ms1 postfix/smtpd[4990]: 725B79993B8E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:52 ms1 postfix/smtpd[1489]: 772FA9993B6E: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:52 ms1 postfix/smtpd[13168]: 7CA889993B95: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:53 ms1 postfix/smtpd[3944]: 9225D9993B91: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:55 ms1 postfix/smtpd[13424]: C01C09993CC3: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:58 ms1 postfix/smtpd[10448]: 5BED099B000E: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:59 ms1 postfix/smtpd[9993]: 47F60999383F: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:59 ms1 postfix/smtpd[11491]: 68ADD9993B15: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:59 ms1 postfix/smtpd[10520]: 799169993B3D: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:00 ms1 postfix/smtpd[12930]: 199159993B57: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:00 ms1 postfix/smtpd[16161]: 5896E99B0012: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:00 ms1 postfix/smtpd[13427]: B78AA99B0014: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:02 ms1 postfix/smtpd[4061]: 11CFB99B001B: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:02 ms1 postfix/smtpd[5050]: 292D699B0022: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:02 ms1 postfix/smtpd[12651]: 66D0A9993887: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:03 ms1 postfix/smtpd[12679]: 648C99993B89: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:03 ms1 postfix/smtpd[12310]: C96C39993B69: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:05 ms1 postfix/smtpd[11144]: 0603099935A1: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:05 ms1 postfix/smtpd[11492]: 9D5829993B62: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:05 ms1 postfix/smtpd[9992]: D00F39993B6E: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:06 ms1 postfix/smtpd[13426]: 046F69993B91: client=200.146.84.85.static.gvt.net.br[200.146.84.85], sasl_method=LOGIN, sasl_username=root
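Added example, not code from the thread or from Zimbra: the check Bill describes, applied to the sasl_username lines above. It takes four lines from the post plus two constructed ones, counts SASL logins per username and client IP, and flags logins under alias-style names such as root (which, as post #9 explains, Zimbra accepts as a login name) and repeated logins from outside the internal ranges; the trusted networks, the watched names and the threshold are assumptions chosen for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Sample input: four smtpd lines taken from the post above, plus two constructed
# lines (the "alice" login from 198.51.100.7 and a qmgr line with no SASL data)
# so that the threshold case and the skipped-line case are both exercised.
SAMPLE_LOG = """\
Oct 18 10:07:05 ms1 postfix/smtpd[5050]: 1F69B999383F: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:05 ms1 postfix/smtpd[23590]: 2899D999384C: client=168-215-210-172.static.twtelecom.net[168.215.210.172], sasl_method=LOGIN, sasl_username=root
Oct 18 10:07:44 ms1 postfix/smtpd[11492]: 46FDB999383F: client=ipe-26.ipehk.local[10.0.85.216], sasl_method=LOGIN, sasl_username=chloechan
Oct 18 10:07:46 ms1 postfix/smtpd[12310]: A2BFF9993B69: client=h224.64.31.71.dynamic.ip.windstream.net[71.31.64.224], sasl_method=LOGIN, sasl_username=root
Oct 18 10:08:00 ms1 postfix/smtpd[12930]: 199159993B57: client=example.invalid[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Oct 18 10:08:01 ms1 postfix/qmgr[27145]: 199159993B57: from=<alice@mydomain.com>, size=1200, nrcpt=1 (queue active)
"""

# Matches the client= ... sasl_username= part of a Postfix smtpd line.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)

# Assumptions for this example: RFC 1918 space counts as internal, and these are
# names that on a Zimbra box are usually aliases onto a real mailbox.
TRUSTED_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
WATCHED_USERS = ("root", "postmaster", "admin")


def parse_sasl_logins(text):
    """Return one dict (qid, host, ip, method, user) per SASL-authenticated smtpd line."""
    logins = []
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            logins.append(m.groupdict())
    return logins


def is_internal(ip, trusted_nets=TRUSTED_NETS):
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in trusted_nets)


def audit_sasl_logins(text, trusted_nets=TRUSTED_NETS, watched=WATCHED_USERS, threshold=2):
    """Count logins per (user, client IP) and flag suspicious combinations.

    A combination is flagged when the login name is one of the watched alias-style
    names, or when an external client authenticated at least `threshold` times.
    """
    logins = parse_sasl_logins(text)
    per_pair = Counter((l["user"], l["ip"]) for l in logins)
    alerts = []
    for (user, ip), n in per_pair.most_common():
        reasons = []
        if user in watched:
            reasons.append("login as watched alias-style name %r" % user)
        if not is_internal(ip, trusted_nets) and n >= threshold:
            reasons.append("%d logins from external client %s" % (n, ip))
        if reasons:
            alerts.append({"user": user, "ip": ip, "count": n, "reasons": reasons})
    return {
        "total": len(logins),
        "per_user": Counter(l["user"] for l in logins),
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = audit_sasl_logins(SAMPLE_LOG)
    print("SASL logins parsed:", report["total"])
    for user, n in report["per_user"].most_common():
        print("  %-12s %d" % (user, n))
    for a in report["alerts"]:
        print("ALERT user=%s ip=%s count=%d: %s"
              % (a["user"], a["ip"], a["count"], "; ".join(a["reasons"])))
```

On a real box, feed it `grep sasl_username= /var/log/maillog` and compare the flagged (user, ip) pairs against the accounts in the daily mail report.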
#4  10-17-2011, 11:36 PM
Zimbra Consultant & Moderator (Posts: 20,315)

Quote (Originally Posted by Solt):
Most of them are root
Do you actually have an account named "root" on your mail server? If you have, then deactivate it. Have you checked to see which users are sending large numbers of mail (see the daily mail report)? Deactivate them, change the passwords, and implement strong password security measures (in the Admin UI) for all users. Check your Zimbra server (including other machines that log in to your mail server) for any installed rootkit.
__________________
Regards
Bill
#5  10-17-2011, 11:48 PM
Intermediate Member (Posts: 22)

Thanks again, there is no root@mydomain but there is an alias setting to forward root@mydomain to my email address.

And from the top senders in the mail report, these email accounts do not belong to my domain. Is there any setting I can use to stop them (block/blacklist?) from using my mail server to send emails? Thanks again.

top 50 Senders by message count
-------------------------------
27060 gov.lamidosanusi@cbn.org
10000 info@mcycd.gov.ae
6864 postmaster@domain.com
4691 admin@portal.co.uk
1815 fax@sunbeltwestriverside.com
1675 mail@isass.net
#6  10-18-2011, 12:00 AM
Zimbra Consultant & Moderator (Posts: 20,315)

Quote (Originally Posted by Solt):
And from the top senders in the mail report, these email accounts do not belong to my domain. Is there any setting I can use to stop them (block/blacklist?) from using my mail server to send emails?
They are not sending email from your server, they are sending mail to your server. You still haven't mentioned what the results of your open relay test are, did you actually try one?
__________________
Regards
Bill
#7  10-18-2011, 12:16 AM
Intermediate Member (Posts: 22)

Yup, tested with Check an Open Relay and here is the result.

220 mydomain.com ESMTP Postfix
HELO ortest.checkor.com
250 mydomain.com
RSET
250 2.0.0 Ok
MAIL FROM: test@checkor.com
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM:
501 5.5.4 Syntax: MAIL FROM:

RCPT TO: test1@checkor.com
503 5.5.1 Error: need MAIL command

RSET
250 2.0.0 Ok
MAIL FROM: spam@mydomain.com
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@mydomain.com
250 2.1.0 Ok
RCPT TO: test1@checkor.com
554 5.7.1 : Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@mydomain.com
250 2.1.0 Ok
RCPT TO: test1@mydomain.com
554 5.7.1 : Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@mydomain.com
250 2.1.0 Ok
RCPT TO: "test1@test.com"@mydomain.com
554 5.7.1 : Relay access denied

RSET
250 2.0.0 Ok
MAIL FROM: spam@mydomain.com
250 2.1.0 Ok
RCPT TO: @mydomain.com:spamtest@checkor.com
554 5.7.1 : Relay access denied
#8  10-18-2011, 12:21 AM
Intermediate Member (Posts: 22)

Also tested with Open Relay Test, the result is positive.

"All tested completed! No relays accepted by remote host!"
#9  10-18-2011, 09:07 AM
Elite Member (Posts: 469)

Quote (Originally Posted by Solt):
Thanks again, there is no root@mydomain but there is an alias setting to forward root@mydomain to my email address.
If you mean you created an alias pointing root@ to your email address, then these could be hackers logging into your account.

Zimbra will allow you to use any alias of your account as the login to your account.

Change your password - or remove the Alias.
#10  10-19-2011, 08:38 PM
Intermediate Member (Posts: 22)

Thanks a lot, I have changed my password and it seems the issue was fixed.

Btw, I am a Man United fan.