User Receiving Lots of 554 Emails

[dank]

Hey Guys,
I need some help getting a mail issue figured out. I have a user that receives a lot of bounced emails throughout the day. From what I can tell, this is a virus either on their network or out in the world somewhere sending spoof emails. How can I tell where this is coming from and/or how do I block it?

Code:

Nov 11 03:13:32 mail2 amavis[14434]: (14434-05) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20111111T030702-14434: <rd@-removed-.com> -> <george7802@yahoo.com> SIZE=970 BODY=8BITMIME Received: from mail2.-removed-.com ([127.0.0.1]) by localhost (mail2.-removed-.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <george7802@yahoo.com>; Fri, 11 Nov 2011 03:13:32 -0500 (EST)
Nov 11 03:13:32 mail2 amavis[14434]: (14434-05) Checking: Q-cz+4CdAqHe [88.134.115.181] <rd@-removed-.com> -> <george7802@yahoo.com>
Nov 11 03:13:32 mail2 amavis[14434]: (14434-05) Open relay? Nonlocal recips but not originating: george7802@yahoo.com
Nov 11 03:13:33 mail2 amavis[14434]: (14434-05) FWD via SMTP: <rd@-removed-.com> -> <george7802@yahoo.com>,BODY=8BITMIME 250 2.0.0 Ok, id=14434-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7561B264CD7D
Nov 11 03:13:33 mail2 amavis[14434]: (14434-05) Passed CLEAN, [88.134.115.181] [88.134.115.181] <rd@-removed-.com> -> <george7802@yahoo.com>, Message-ID: <20111111081331.E6E01264CD74@mail2.-removed-.com>, mail_id: Q-cz+4CdAqHe, Hits: -2.9, size: 970, queued_as: 7561B264CD7D, 1046 ms
Nov 11 03:13:33 mail2 postfix/smtp[16996]: E6E01264CD74: to=<george7802@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.75/0/0/1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=14434-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7561B264CD7D)
Nov 11 03:13:35 mail2 postfix/smtp[18866]: 7561B264CD7D: to=<george7802@yahoo.com>, relay=mta7.am0.yahoodns.net[67.195.103.232]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=5.0.0, status=bounced (host mta7.am0.yahoodns.net[67.195.103.232] said: 554 delivery error: dd This user doesn't have a yahoo.com account (george7802@yahoo.com) [-5] - mta1094.mail.gq1.yahoo.com (in reply to end of DATA command))

[phoenix]

How can I tell where this is coming from and/or how do I block it?

Have a look at the headers - right-click 'Show Original' or get the user to mark itr as Spam.

[dank]

Is there a way I can tell in the logs? This user does not use the web interface and almost exclusively uses their iPhone for email.

[phoenix]

Please update your forum profile with the output of the following command (do not post the output in this thread):

Code:

zmcontrol -v

Is there a way I can tell in the logs? This user does not use the web interface and almost exclusively uses their iPhone for email.

If you are the Administrator of this server then you can only trace the message once it's received at your server (and the server that sent it to you), you can use 'zmmsgtrace' (if it's in your version of ZCS) for that, as the Admin you can also view the mailbox of any user by opening that mailbox via the Admin UI.

[dank]

I updated my profile, I am not familiar with zmmsgtrace. I tried to jump into his inbox, but all of his messages are deleted upon download, so it was empty.

Release 6.0.14_GA_2928.MACOSXx86, Zimbra, Inc. MACOSXx86 FOSS edition.

[phoenix]

I updated my profile, I am not familiar with zmmsgtrace.

Go to the wiki (link at the top of this page) and search for the word 'zmmsgtrace'.

I tried to jump into his inbox, but all of his messages are deleted upon download, so it was empty.

That's rather a strange thing to do with an Inbox, what happens if he ever needs a copy of that email? In any case, next time he gets one of these email you should ask him to forward a copy to you - you can then view the headers.

Your ZCS version needs to go in your forum profile as I asked earlier and not in this thread otherwise we have to keep asking '....which version of ZCS.....'.

[dank]

phoenix, thanks for your help. I was able to locate the offending account and shut down the problem.