
Thread: People spamming via my zimbra server

  1. #11
    gaithoben, New Member (joined Dec 2012, Nairobi)

    After a quick look through the top 50 senders, I find nothing irregular. But I find the following in /var/log/mail.log. What is uni-hannover.de? This is the only IP I see.

    Jan 24 23:27:48 mail postfix/smtpd[10101]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:27:48 mail postfix/smtpd[10101]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:27:48 mail postfix/smtpd[10101]: SSL_accept error from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: -1
    Jan 24 23:27:48 mail postfix/smtpd[10101]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:27:48 mail postfix/smtpd[10101]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:28:03 mail zmmailboxdmgr[10334]: status requested
    Jan 24 23:28:03 mail zmmailboxdmgr[10334]: status OK
    Jan 24 23:28:28 mail zmmailboxdmgr[10546]: status requested
    Jan 24 23:28:28 mail zmmailboxdmgr[10546]: status OK
    Jan 24 23:28:28 mail zmmailboxdmgr[10554]: status requested
    Jan 24 23:28:28 mail zmmailboxdmgr[10554]: status OK
    Jan 24 23:29:24 mail postfix/smtpd[10101]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:24 mail postfix/smtpd[10101]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:24 mail postfix/smtpd[10101]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:24 mail postfix/smtpd[10702]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:24 mail postfix/smtpd[10702]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:24 mail postfix/smtpd[10101]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:24 mail postfix/smtpd[10101]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10702]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:25 mail postfix/smtpd[10101]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10101]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10101]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:25 mail postfix/smtpd[10703]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10703]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10702]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10702]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10702]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10702]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10101]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10101]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10101]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10101]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:25 mail postfix/smtpd[10702]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:25 mail postfix/smtpd[10703]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$


    Jan 24 23:29:26 mail postfix/smtpd[10704]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:26 mail postfix/smtpd[10702]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10702]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10703]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10703]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10702]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10702]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10703]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:26 mail postfix/smtpd[10101]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10101]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10704]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10704]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10702]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:26 mail postfix/smtpd[10101]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:26 mail postfix/smtpd[10101]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10704]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10704]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10702]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10702]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10101]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:27 mail postfix/smtpd[10704]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:27 mail postfix/smtpd[10702]: connect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10702]: setting up TLS connection from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10703]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10703]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10702]: Anonymous TLS connection established from tls-research6.dcsec.uni-hannover.de[130.75.16.49]: TLSv1 with cipher DHE-RSA-AES25$
    Jan 24 23:29:27 mail postfix/smtpd[10702]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10702]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10101]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:27 mail postfix/smtpd[10101]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:28 mail postfix/smtpd[10704]: lost connection after CONNECT from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
    Jan 24 23:29:28 mail postfix/smtpd[10704]: disconnect from tls-research6.dcsec.uni-hannover.de[130.75.16.49]
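    The lines quoted above are all at the connection level: "connect from", a TLS handshake (sometimes failing with SSL_accept error), then "lost connection after CONNECT" and "disconnect". None of them carries a queue ID with "client=" and a sasl_username, which is the line Postfix writes when it actually accepts a message. A short tally per client host makes that distinction visible. This is an added example, not code from the thread or from Zimbra; it assumes the standard Postfix smtpd log line shapes shown above, and the log sample inside it is constructed with example.net/example.org hosts and documentation IP ranges, not the poster's real log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the smtpd lines quoted in the thread (not the poster's log):
# one host that only opens TLS handshakes and drops, one host that authenticates and submits a message.
SAMPLE_LOG = """
Jan 24 23:29:24 mail postfix/smtpd[10101]: connect from scanner.example.net[192.0.2.10]
Jan 24 23:29:24 mail postfix/smtpd[10101]: setting up TLS connection from scanner.example.net[192.0.2.10]
Jan 24 23:29:24 mail postfix/smtpd[10101]: SSL_accept error from scanner.example.net[192.0.2.10]: -1
Jan 24 23:29:24 mail postfix/smtpd[10101]: lost connection after CONNECT from scanner.example.net[192.0.2.10]
Jan 24 23:29:24 mail postfix/smtpd[10101]: disconnect from scanner.example.net[192.0.2.10]
Jan 24 23:29:25 mail postfix/smtpd[10702]: connect from scanner.example.net[192.0.2.10]
Jan 24 23:29:25 mail postfix/smtpd[10702]: setting up TLS connection from scanner.example.net[192.0.2.10]
Jan 24 23:29:25 mail postfix/smtpd[10702]: Anonymous TLS connection established from scanner.example.net[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 24 23:29:25 mail postfix/smtpd[10702]: lost connection after CONNECT from scanner.example.net[192.0.2.10]
Jan 24 23:29:25 mail postfix/smtpd[10702]: disconnect from scanner.example.net[192.0.2.10]
Jan 24 23:30:01 mail postfix/smtpd[10800]: connect from mua.example.org[203.0.113.9]
Jan 24 23:30:01 mail postfix/smtpd[10800]: Anonymous TLS connection established from mua.example.org[203.0.113.9]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 24 23:30:02 mail postfix/smtpd[10800]: 7A8B9C0D1E: client=mua.example.org[203.0.113.9], sasl_method=PLAIN, sasl_username=carol@example.org
Jan 24 23:30:03 mail postfix/smtpd[10800]: disconnect from mua.example.org[203.0.113.9]
""".strip().splitlines()

# Syslog prefix + "postfix/smtpd[pid]: " followed by the event text.
SMTPD_RE = re.compile(r'^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: (?P<event>.*)$')
# Client token is always "hostname[ip]"; match up to the closing bracket so IPv6 colons are safe.
CLIENT_RE = re.compile(r'from (?P<client>\S+?\])')
# A queue ID followed by "client=" means a queue file was created, i.e. a message was accepted.
ACCEPTED_RE = re.compile(r'^[0-9A-Za-z]+: client=(?P<client>\S+?\]),')

COUNTERS = ("connects", "tls_established", "handshake_errors", "lost_after_connect", "messages_accepted")


def summarize_connections(lines):
    """Tally connection-level events and accepted messages per client host."""
    stats = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for line in lines:
        m = SMTPD_RE.match(line)
        if not m:
            continue
        event = m.group("event")
        accepted = ACCEPTED_RE.match(event)
        if accepted:
            stats[accepted.group("client")]["messages_accepted"] += 1
            continue
        c = CLIENT_RE.search(event)
        if not c:
            continue
        client = c.group("client")
        if event.startswith("connect from "):
            stats[client]["connects"] += 1
        elif "TLS connection established from" in event:
            stats[client]["tls_established"] += 1
        elif event.startswith("SSL_accept error from"):
            stats[client]["handshake_errors"] += 1
        elif event.startswith("lost connection after CONNECT from"):
            stats[client]["lost_after_connect"] += 1
    return dict(stats)


def classify(stats):
    """Label each client: did it submit mail, or only open and drop sessions?"""
    verdicts = {}
    for client, s in stats.items():
        if s["messages_accepted"] > 0:
            verdicts[client] = "submitted mail"
        elif s["connects"] and s["lost_after_connect"] == s["connects"]:
            verdicts[client] = "handshake-only sessions, no mail accepted"
        else:
            verdicts[client] = "connected without submitting"
    return verdicts


if __name__ == "__main__":
    stats = summarize_connections(SAMPLE_LOG)
    for client, verdict in classify(stats).items():
        print(client, stats[client], verdict)
```

Run against the real /var/log/mail.log, a host that shows many "connect"/"lost connection after CONNECT" pairs and zero accepted messages is not relaying through the server; the relaying question is answered by the "client=" lines with sasl_username, which the poster's excerpt does not contain.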

  2. #12
    hhemof, Junior Member (joined Oct 2011)

    Thank you for help

    Thanks a lot, dear Raj. You made my day too. It was my problem too.
    Thank you for help.

    Quote Originally Posted by raj View Post
    Glad to help

    Raj

  3. #13
    mscag, Intermediate Member (joined Aug 2011)

    Is "sasl_username=" enough for counting?

    Hi,

    We have been counting the "sasl_username=" occurrences in "/var/log/mail.log" in order to detect compromised accounts for a while. Is "sasl_username=" enough for counting the number of messages sent? Our script using this method reported around 200 messages today, but unfortunately we found ourselves in some blacklists.

    "pflogsumm" reported 240,000 messages.

    What is it that we are missing?

    Regards.

  4. #14
    chauvetp, Elite Member (joined Apr 2008, New Paltz, NY)

    Quote Originally Posted by mscag View Post
    Hi,

    We have been counting the "sasl_username=" occurrences in "/var/log/mail.log" in order to detect compromised accounts for a while. Is "sasl_username=" enough for counting the number of messages sent? Our script using this method reported around 200 messages today, but unfortunately we found ourselves in some blacklists.

    "pflogsumm" reported 240,000 messages.

    What is it that we are missing?

    Regards.
    You only see that sasl_username line when the SMTP connection is started. During that session there could be one recipient, dozens, hundreds, or even thousands. The sasl_username can be used to determine what username was used, but not (directly) the number of recipients or messages.
    ---
    Paul Chauvet
    State University of New York at New Paltz

  5. #15
    mscag, Intermediate Member (joined Aug 2011)

    I see,

    Our script is counting these lines every hour and reporting through mail and SMS when the counter reaches a threshold value. The pflogsumm tool seems to be analyzing the data only for "yesterday" and "today", whereas we need to be informed no later than the next hour.

    Is there a (simple) way of obtaining the total number of messages sent by each account from mail.log? Or is there a method to make pflogsumm report per hour?

    Regards.
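    The point made in #14 and the question in #15 can be answered from the same two Postfix log lines. The smtpd line that carries sasl_username also carries the queue ID of the message being accepted; the qmgr line for that same queue ID carries nrcpt, the number of recipients. Joining the two by queue ID gives recipients per account, and the syslog timestamp gives the hourly bucket the script in #15 needs. This is an added example, not code from the thread, from Zimbra or from pflogsumm; it assumes the stock Postfix smtpd "client=" and qmgr "from=" line formats, and the log sample in it is constructed (example.com accounts, documentation IP ranges). A message with one sasl_username line but nrcpt=900 is exactly the case that a line count misses.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): two accounts, three hours are not needed,
# two hourly buckets suffice. bob submits twice, each time to hundreds of recipients.
SAMPLE_LOG = """
Jan 24 10:00:01 mail postfix/smtpd[10101]: 3F2A1B2C3D: client=host1.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 24 10:00:01 mail postfix/cleanup[10200]: 3F2A1B2C3D: message-id=<a1@example.com>
Jan 24 10:00:01 mail postfix/qmgr[2000]: 3F2A1B2C3D: from=<alice@example.com>, size=2048, nrcpt=2 (queue active)
Jan 24 10:05:30 mail postfix/smtpd[10102]: 4A5B6C7D8E: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 24 10:05:30 mail postfix/qmgr[2000]: 4A5B6C7D8E: from=<bob@example.com>, size=51200, nrcpt=900 (queue active)
Jan 24 10:40:12 mail postfix/smtpd[10103]: 5B6C7D8E9F: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 24 10:40:12 mail postfix/qmgr[2000]: 5B6C7D8E9F: from=<bob@example.com>, size=51200, nrcpt=850 (queue active)
Jan 24 11:02:00 mail postfix/smtpd[10104]: 6C7D8E9FA0: client=host1.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 24 11:02:00 mail postfix/qmgr[2000]: 6C7D8E9FA0: from=<alice@example.com>, size=1024, nrcpt=1 (queue active)
""".strip().splitlines()

# Submission line: timestamp truncated to the hour ("Jan 24 10"), queue ID, authenticated user.
SUBMIT_RE = re.compile(
    r'^(?P<hour>\w{3}\s+\d{1,2} \d{2}):\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-Za-z]+): client=\S+,.*?sasl_username=(?P<user>\S+)'
)
# Queue manager line for the same queue ID: recipient count lives in nrcpt=.
QMGR_RE = re.compile(
    r'^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix/qmgr\[\d+\]: '
    r'(?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)'
)


def naive_count(lines):
    """What the script in #13 does: one hit per sasl_username line, regardless of recipients."""
    hits = defaultdict(int)
    for line in lines:
        m = SUBMIT_RE.match(line)
        if m:
            hits[m.group("user")] += 1
    return dict(hits)


def count_submissions(lines):
    """Return {(hour, user): {"messages": n, "recipients": m}} by joining smtpd and qmgr lines on queue ID."""
    qid_owner = {}  # queue ID -> (hour, sasl user), filled from the smtpd line
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for line in lines:
        m = SUBMIT_RE.match(line)
        if m:
            key = (m.group("hour"), m.group("user"))
            qid_owner[m.group("qid")] = key
            stats[key]["messages"] += 1
            continue
        m = QMGR_RE.match(line)
        # Queue IDs without a sasl owner (bounces, local submissions) are deliberately ignored.
        if m and m.group("qid") in qid_owner:
            stats[qid_owner[m.group("qid")]]["recipients"] += int(m.group("n"))
    return dict(stats)


def accounts_over_threshold(stats, max_recipients_per_hour):
    """Hourly buckets whose recipient total exceeds the threshold, for the mail/SMS alert."""
    return sorted(
        (hour, user, s["recipients"])
        for (hour, user), s in stats.items()
        if s["recipients"] > max_recipients_per_hour
    )


if __name__ == "__main__":
    print("line count per account:", naive_count(SAMPLE_LOG))
    stats = count_submissions(SAMPLE_LOG)
    for (hour, user), s in sorted(stats.items()):
        print(hour, user, s)
    print("over threshold:", accounts_over_threshold(stats, 200))
```

On the constructed sample the line count says bob sent 2 messages, while the join says 1750 recipients in a single hour; that gap is the 200-versus-240,000 discrepancy from #13 in miniature. Run hourly over the current /var/log/mail.log (or fed from a tail), the recipient total per account is the number to alert on, and the threshold should be set per deployment.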
