Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

Flood of bounce-backs - possible relay/virus problem - need help!

#1  11-07-2006, 06:58 PM
Active Member

Hi all. Thanks in advance for any advice...

I set up an account on my server to act as a catch-all account. Over the last 3 days, this account has been bombarded with over 2000 bounce-backs each day. They are all coming from random domains at a rate of about 1 every 8 minutes. When I checked my zimbra daily mail report, it says the most active sender on my server is postmaster, with 2113 sends yesterday!

Do I have some sort of virus? Or have I left my server open as a relay allowing this activity?

I'm not sure which log files or config settings to share to help diagnose this. Any help would be greatly appreciated.

Thanks as always!
#2  11-07-2006, 11:52 PM
Zimbra Consultant & Moderator

No, Zimbra is not an open relay. You can test it with some of the open-relay test sites - search Google for some.

Bounced email is just a method of getting spam into your machine. If you have a catch-all account for catching the spam (not a wise choice), then why don't you just set up a filter to delete it? Catch-all accounts are a spammer's dream for this very reason.

Regards
Bill
#3  11-08-2006, 05:12 AM
Active Member

What about the fact that my daily Zimbra mail report (delivered to admin) shows that the "postmaster" -- who doesn't even have an "account" -- has sent over 2000 messages? It doesn't appear to be random spam delivered to a catch-all account.

BTW -- all the incoming bounce-backs are directly to a single email address (which is being caught by the catch-all).
#4  11-08-2006, 05:17 AM
OpenSource Builder & Moderator

Two possibilities here:

1) Your postmaster account is open for relaying somehow, possibly by a web form or an incorrect Postfix setup. Check your /var/log/zimbra.log for masses of outbound mail. Zimbra used to allow relaying from the class C; I'm not sure if this was tightened up. If not, then it is open as a relay to anyone else on your subnet.

2) Someone has chosen your postmaster email as a 'From:' address in a spam run. This could be sent out from anywhere, most likely a distributed botnet. Backscatter is then delivering the bounces to your postmaster account. The send counter for the postmaster account might be high if the Zimbra scripts that crunch the mail logs count this as 'sent' by postmaster, even if it's not physically from your server.
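The post above says to check /var/log/zimbra.log for masses of outbound mail. The script below is an added example for doing that triage, not code from the thread or from Zimbra. It groups Postfix log lines by queue ID and separates mail this server actually originated (pickup or loopback submission, delivered via the smtp transport) or relayed (a client inside mynetworks, or worse, an outside client) from bounces that merely arrived (null, MAILER-DAEMON or postmaster sender at a remote domain, delivered locally via lmtp). It also tallies the orig_to address of the inbound bounces, which is the address the spammer forged. The log lines, the domain example.com and the mynetworks ranges are constructed for the example. A log summary that counts every from=<postmaster@...> as "sent by postmaster" would count those inbound bounces too, which is the confusion the post describes.

```python
"""Triage Postfix logs: is this box sending mail, or only receiving bounces?"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for the example: the hosted domain and Postfix's mynetworks.
LOCAL_DOMAIN = "example.com"
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]

# Standard Postfix log line shapes (smtpd client, pickup, qmgr sender, delivery).
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\[]+\[([\d.]+)\]")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=\d+ from=<([^>]*)>")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
TO_RE = re.compile(
    r"postfix/(\w+)\[\d+\]: (\w+): to=<([^>]*)>(?:, orig_to=<([^>]*)>)?, relay=([^,]+),"
)

# Constructed sample log (not real Zimbra output): two backscatter bounces, one
# ordinary inbound message, one relay from the subnet, one locally submitted
# message, and one message relayed for an outside client.
SAMPLE_LOG = """\
Nov  8 04:12:01 mail postfix/smtpd[2210]: 1A2B3C4D5E: client=unknown[203.0.113.45]
Nov  8 04:12:01 mail postfix/qmgr[1100]: 1A2B3C4D5E: from=<>, size=3210, nrcpt=1 (queue active)
Nov  8 04:12:02 mail postfix/lmtp[2215]: 1A2B3C4D5E: to=<catchall@example.com>, orig_to=<postmaster@example.com>, relay=mail.example.com[127.0.0.1]:7025, delay=1, status=sent (250 2.1.5 OK)
Nov  8 04:20:11 mail postfix/smtpd[2230]: 6F7A8B9C0D: client=mx.spam-target.example[198.51.100.7]
Nov  8 04:20:11 mail postfix/qmgr[1100]: 6F7A8B9C0D: from=<MAILER-DAEMON@spam-target.example>, size=4100, nrcpt=1 (queue active)
Nov  8 04:20:12 mail postfix/lmtp[2215]: 6F7A8B9C0D: to=<catchall@example.com>, orig_to=<postmaster@example.com>, relay=mail.example.com[127.0.0.1]:7025, delay=1, status=sent (250 2.1.5 OK)
Nov  8 04:25:30 mail postfix/smtpd[2235]: 3C4D5E6F7A: client=mail.partner.example[198.51.100.20]
Nov  8 04:25:30 mail postfix/qmgr[1100]: 3C4D5E6F7A: from=<alice@partner.example>, size=2200, nrcpt=1 (queue active)
Nov  8 04:25:31 mail postfix/lmtp[2215]: 3C4D5E6F7A: to=<bob@example.com>, relay=mail.example.com[127.0.0.1]:7025, delay=1, status=sent (250 2.1.5 OK)
Nov  8 04:31:40 mail postfix/smtpd[2240]: 0E1F2A3B4C: client=desktop7.example.com[192.0.2.77]
Nov  8 04:31:40 mail postfix/qmgr[1100]: 0E1F2A3B4C: from=<postmaster@example.com>, size=900, nrcpt=1 (queue active)
Nov  8 04:31:41 mail postfix/smtp[2245]: 0E1F2A3B4C: to=<victim@remote.example>, relay=mx.remote.example[203.0.113.9]:25, delay=1, status=sent (250 OK)
Nov  8 04:40:02 mail postfix/pickup[1050]: 5D6E7F8A9B: uid=1001 from=<postmaster@example.com>
Nov  8 04:40:02 mail postfix/qmgr[1100]: 5D6E7F8A9B: from=<postmaster@example.com>, size=700, nrcpt=1 (queue active)
Nov  8 04:40:03 mail postfix/smtp[2250]: 5D6E7F8A9B: to=<another@remote.example>, relay=mx.remote.example[203.0.113.9]:25, delay=1, status=sent (250 OK)
Nov  8 04:55:17 mail postfix/smtpd[2260]: 8A9B0C1D2E: client=unknown[203.0.113.200]
Nov  8 04:55:17 mail postfix/qmgr[1100]: 8A9B0C1D2E: from=<buy@pills.example>, size=1500, nrcpt=1 (queue active)
Nov  8 04:55:18 mail postfix/smtp[2265]: 8A9B0C1D2E: to=<someone@remote.example>, relay=mx.remote.example[203.0.113.9]:25, delay=1, status=sent (250 OK)
"""


def in_mynetworks(ip):
    addr = ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def parse(log_text):
    """Group the per-line facts Postfix logs by queue ID."""
    msgs = defaultdict(lambda: {"client_ip": None, "pickup": False, "from": "", "rcpts": []})
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs[m.group(1)]["client_ip"] = m.group(2)
        elif m := PICKUP_RE.search(line):
            msgs[m.group(1)]["pickup"] = True          # submitted locally via sendmail(1)
            msgs[m.group(1)]["from"] = m.group(2)
        elif m := FROM_RE.search(line):
            msgs[m.group(1)]["from"] = m.group(2)
        elif m := TO_RE.search(line):
            transport, qid, to, orig_to, relay = m.groups()
            msgs[qid]["rcpts"].append({"transport": transport, "to": to, "orig_to": orig_to, "relay": relay})
    return msgs


def classify(msg):
    sender = msg["from"].lower()
    outbound = any(r["transport"] == "smtp" for r in msg["rcpts"])  # left this server for a remote MX
    if outbound:
        if msg["pickup"] or (msg["client_ip"] and ip_address(msg["client_ip"]).is_loopback):
            return "originated-here"            # a local process, web form or account really sent it
        if msg["client_ip"] and in_mynetworks(msg["client_ip"]):
            return "relayed-from-mynetworks"    # another host on the trusted subnet used us as relay
        return "open-relay"                     # outside client, outside recipient: we relayed it
    bounce_sender = sender == "" or sender.split("@")[0] in ("mailer-daemon", "postmaster")
    if bounce_sender and not sender.endswith("@" + LOCAL_DOMAIN):
        return "inbound-bounce"                 # backscatter: someone else bounced forged mail to us
    return "inbound-mail"


def triage(log_text):
    """Return (count per class, count of forged addresses seen in inbound bounces)."""
    counts, forged = Counter(), Counter()
    for msg in parse(log_text).values():
        kind = classify(msg)
        counts[kind] += 1
        if kind == "inbound-bounce":
            for r in msg["rcpts"]:
                forged[r["orig_to"] or r["to"]] += 1
    return counts, forged


if __name__ == "__main__":
    counts, forged = triage(SAMPLE_LOG)
    for kind, n in counts.most_common():
        print(f"{n:5d}  {kind}")
    print("forged sender addresses in the bounces:", forged.most_common(3))
```

Run it against a real log with `triage(open("/var/log/zimbra.log").read())`: if everything lands in "inbound-bounce" with one dominant forged address, it is backscatter as described above; any "open-relay" or unexpected "originated-here" or "relayed-from-mynetworks" entries are the cases that need action.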
#5  11-08-2006, 05:20 AM
Zimbra Consultant & Moderator

Take my word for it, it's spam. The fact that postmaster doesn't have an account means nothing. Who are the bounce messages sent to? Is postmaster in those headers? It doesn't really matter who they're addressed to; they're still spam. This isn't an open relay and you don't have a virus. It's SPAM. If you want a complete explanation then do a Google search.

The fact you have that many messages in the catch-all account is the very reason you shouldn't have one; spammers love them. What you should be doing with messages that arrive for a non-existent address is bouncing them or losing them (losing them being the better of the two). If you just bounce them you are contributing to the mail problem.

Regards
Bill
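The cleanest way to "lose" mail for non-existent addresses is to never accept it: refuse it at RCPT TO with a 5xx, so the connecting MTA gets the refusal, nothing is queued, and no bounce ever leaves your server. Accept-then-bounce is what produces backscatter, and accept-then-discard still spends your bandwidth and disk on it. The Postfix main.cf fragment below is an added example, not taken from the thread or from Zimbra; it also shows the relay-trust setting the earlier post mentioned. Zimbra generates its own Postfix configuration, so on a Zimbra server the equivalent settings have to be applied through Zimbra's configuration tools rather than by hand-editing main.cf, or they will be overwritten.

```conf
# Postfix main.cf (added example; the /24 is a placeholder for your own subnet)

# Weak: the whole subnet may relay through this server, so any compromised
# desktop on it can send as you.
# mynetworks = 127.0.0.0/8, 192.0.2.0/24
# Tighter: only this host.
mynetworks = 127.0.0.0/8

# Relay only for mynetworks or authenticated users; everything else must be
# addressed to a domain we host (reject_unauth_destination), and the mailbox
# must actually exist (reject_unlisted_recipient), otherwise 5xx at RCPT TO.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient
```

reject_unlisted_recipient only works when Postfix knows the valid recipients (local_recipient_maps or the virtual mailbox maps, depending on the setup). A catch-all defeats it by making every address in the domain valid, which is why removing the catch-all and rejecting unknown recipients go together.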
#6  11-08-2006, 05:49 AM
Active Member

Thanks for the explanations. I appreciate the help and really want to correct this problem the right way.

It was almost a year ago that I set up the catch-all using a Zimbra command-line function. As far as I can tell, I can't correct this via the admin interface. How do I:

a) remove the catch-all?
b) "lose" the messages not addressed to a known account?
#7  11-08-2006, 05:50 AM
Active Member

Also -- I accidentally deleted my /var/log/zimbra.log file. Don't ask how -- it was late last night. I expected the file to be recreated when I restarted the zimbra server. No luck there. How do I recreate that file?