| Welcome to the Zimbra :: Forums! | |
Welcome, if you would like to post a comment please register.
We also encourage you to explore all things Zimbra with our team and members of the community.
|
 | 
11-14-2011, 07:01 AM
| | Intermediate Member | |
Posts: 23
| |  User Receiving Lots of 554 Emails
Hey Guys,
I need some help getting a mail issue figured out. I have a user that receives a lot of bounced emails throughout the day. From what I can tell, this is a virus either on their network or out in the world somewhere sending spoof emails. How can I tell where this is coming from and/or how do I block it? Code: Nov 11 03:13:32 mail2 amavis[14434]: (14434-05) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20111111T030702-14434: <rd@-removed-.com> -> <george7802@yahoo.com> SIZE=970 BODY=8BITMIME Received: from mail2.-removed-.com ([127.0.0.1]) by localhost (mail2.-removed-.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <george7802@yahoo.com>; Fri, 11 Nov 2011 03:13:32 -0500 (EST)
Nov 11 03:13:32 mail2 amavis[14434]: (14434-05) Checking: Q-cz+4CdAqHe [88.134.115.181] <rd@-removed-.com> -> <george7802@yahoo.com>
Nov 11 03:13:32 mail2 amavis[14434]: (14434-05) Open relay? Nonlocal recips but not originating: george7802@yahoo.com
Nov 11 03:13:33 mail2 amavis[14434]: (14434-05) FWD via SMTP: <rd@-removed-.com> -> <george7802@yahoo.com>,BODY=8BITMIME 250 2.0.0 Ok, id=14434-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7561B264CD7D
Nov 11 03:13:33 mail2 amavis[14434]: (14434-05) Passed CLEAN, [88.134.115.181] [88.134.115.181] <rd@-removed-.com> -> <george7802@yahoo.com>, Message-ID: <20111111081331.E6E01264CD74@mail2.-removed-.com>, mail_id: Q-cz+4CdAqHe, Hits: -2.9, size: 970, queued_as: 7561B264CD7D, 1046 ms
Nov 11 03:13:33 mail2 postfix/smtp[16996]: E6E01264CD74: to=<george7802@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.75/0/0/1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=14434-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7561B264CD7D)
Nov 11 03:13:35 mail2 postfix/smtp[18866]: 7561B264CD7D: to=<george7802@yahoo.com>, relay=mta7.am0.yahoodns.net[67.195.103.232]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=5.0.0, status=bounced (host mta7.am0.yahoodns.net[67.195.103.232] said: 554 delivery error: dd This user doesn't have a yahoo.com account (george7802@yahoo.com) [-5] - mta1094.mail.gq1.yahoo.com (in reply to end of DATA command))  |
11-14-2011, 07:11 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,315
| |
Quote:
Originally Posted by dank  How can I tell where this is coming from and/or how do I block it? | Have a look at the headers - right-click 'Show Original' or get the user to mark itr as Spam.
__________________
Regards
Bill
|
11-14-2011, 07:15 AM
| | Intermediate Member | |
Posts: 23
| |
Is there a way I can tell in the logs? This user does not use the web interface and almost exclusively uses their iPhone for email. |
11-14-2011, 07:57 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,315
| |
Please update your forum profile with the output of the following command (do not post the output in this thread): Quote:
Originally Posted by dank Is there a way I can tell in the logs? This user does not use the web interface and almost exclusively uses their iPhone for email. | If you are the Administrator of this server then you can only trace the message once it's received at your server (and the server that sent it to you), you can use 'zmmsgtrace' (if it's in your version of ZCS) for that, as the Admin you can also view the mailbox of any user by opening that mailbox via the Admin UI.
__________________
Regards
Bill
|
11-14-2011, 08:06 AM
| | Intermediate Member | |
Posts: 23
| |
I updated my profile, I am not familiar with zmmsgtrace. I tried to jump into his inbox, but all of his messages are deleted upon download, so it was empty.
Release 6.0.14_GA_2928.MACOSXx86, Zimbra, Inc. MACOSXx86 FOSS edition.
Last edited by dank; 11-14-2011 at 08:07 AM..
Reason: I'm stupid and can't spell
|
11-14-2011, 08:12 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,315
| |
Quote:
Originally Posted by dank I updated my profile, I am not familiar with zmmsgtrace. | Go to the wiki (link at the top of this page) and search for the word 'zmmsgtrace'. Quote:
Originally Posted by dank I tried to jump into his inbox, but all of his messages are deleted upon download, so it was empty. | That's rather a strange thing to do with an Inbox, what happens if he ever needs a copy of that email? In any case, next time he gets one of these email you should ask him to forward a copy to you - you can then view the headers.
Your ZCS version needs to go in your forum profile as I asked earlier and not in this thread otherwise we have to keep asking '....which version of ZCS.....'.
__________________
Regards
Bill
|
11-15-2011, 11:30 AM
| | Intermediate Member | |
Posts: 23
| |
phoenix, thanks for your help. I was able to locate the offending account and shut down the problem.
__________________
6.0.14_GA_2928.MACOSXx86, Zimbra, Inc. MACOSXx86 FOSS edition.
| | Thread Tools | Search this Thread | | | | | Display Modes |  Linear Mode | | Why Join? Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.   |
Bugzilla
Wiki
Source
