Zimbra

phoenix · #11 (**permalink**) 01-03-2012, 11:32 PM

Quote:

Originally Posted by Rk_Raj

They are telling that lots of spam mails are comming from our server.

Who is telling you that spam is coming from your server? How do they know? What evidence do you have that spam is coming from your server? You need to provide some more details than just 'our server sends spam', do some investigation in the log files to see what's happening. Check the headers of some of these 'spam'' emails to see what they are. Ask for some evidence from the person telling you that you're sending spam

Rk_Raj · #12 (**permalink**) 01-04-2012, 07:56 PM

If those mails are not sent from our mail server then what is that from<> and why it is comming in the daily mail admin report.

Here is the example of log,

Dec 18 11:27:56 mail postfix/smtpd[13350]: disconnect from ims-m12.mx.aol.com[64.12.207.145]
Dec 18 11:27:58 mail postfix/cleanup[23374]: 196B2224585: message-id=<8CE8B60E2EA1278-C28-DF80@webmail-d085.sysops.aol.com>
Dec 18 11:37:54 mail postfix/smtpd[26177]: connect from imr-da04.mx.aol.com[205.188.105.146]
Dec 18 11:37:55 mail postfix/smtpd[26177]: 5FEC2224585: client=imr-da04.mx.aol.com[205.188.105.146]
Dec 18 11:37:56 mail postfix/qmgr[4127]: 5FEC2224585: from=<geaneym@aol.com>, size=8945, nrcpt=1 (queue active)
Dec 18 11:37:57 mail postfix/qmgr[4127]: 0372B224586: from=<geaneym@aol.com>, size=9535, nrcpt=1 (queue active)
Dec 18 11:38:01 mail postfix/smtpd[26177]: disconnect from imr-da04.mx.aol.com[205.188.105.146]
Dec 18 11:38:01 mail postfix/qmgr[4127]: EDFCF224587: from=<geaneym@aol.com>, size=10349, nrcpt=1 (queue active)
Dec 18 12:13:22 mail postfix/smtp[27432]: 2C50C22458E: to=<GeaneyM@aol.com>, relay=127.0.0.1[127.0.0.1]:9026, delay=1.1, delays=1.1/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok (2.0.0 Ok: queued as D4DED22458F ))
Dec 18 12:13:27 mail postfix/smtp[27456]: D4DED22458F: to=<GeaneyM@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.9, delays=0.04/0/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=16624-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B90D822458E)
Dec 18 12:13:29 mail postfix/smtp[14070]: > smtp.netcare.com[208.165.242.182]:25: RCPT TO:<GeaneyM@aol.com> ORCPT=rfc822;GeaneyM@aol.com
Dec 18 12:13:30 mail postfix/smtp[14070]: B90D822458E: to=<GeaneyM@aol.com>, relay=smtp.netcare.com[208.165.242.182]:25, delay=2.6, delays=0.01/0.02/1.5/1.1, dsn=2.0.0, status=sent (250 2.0.0 smtp.netcare.com Ok: queued as ACC1329EEE)
Dec 18 13:52:52 mail postfix/smtp[10766]: 9B307224595: to=<a2877cake@aol.com>, relay=127.0.0.1[127.0.0.1]:9026, delay=4.8, delays=4.7/0/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok (2.0.0 Ok: queued as 3728B224596 ))
Dec 18 13:52:52 mail postfix/smtp[10766]: 9B307224595: to=<a28nyc@aol.com>, relay=127.0.0.1[127.0.0.1]:9026, delay=4.8, delays=4.7/0/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok (2.0.0 Ok: queued as 3728B224596 ))
Dec 18 13:52:52 mail postfix/smtp[10766]: 9B307224595: to=<a2chuck@aol.com>, relay=127.0.0.1[127.0.0.1]:9026, delay=4.8, delays=4.7/0/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok (2.0.0 Ok: queued as 3728B224596 ))
Dec 18 13:52:52 mail postfix/smtp[10766]: 9B307224595: to=<a2consultants@aol.com>, relay=127.0.0.1[127.0.0.1]:9026, delay=4.8, delays=4.7/0/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok (2.0.0 Ok: queued as 3728B224596 ))
Dec 18 13:52:52 mail postfix/smtp[10766]: 9B307224595: to=<a2e2@aol.com>, relay=127.0.0.1[127.0.0.1]:9026, delay=4.8, delays=4.7/0/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok (2.0.0 Ok: queued as 3728B224596 ))

Please explain me what these logs says. Not only aol.com like these there are yahoo.com, gmail.com etc., smtp.netcare.com is our. mail relay service provider

phoenix · #13 (**permalink**) 01-05-2012, 12:01 AM

I told you earlier that Zimbra is not an open relay unless you've made any modification to make it one, have you made any changes that would cause this? Have you actually checked some of the on-line test sites that will test your server to see if it's an open relay? Have you checked to see if there's any compromised accounts on your server? Have you actually checked to see if there's any infected machines on your LAN?