Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1  01-08-2012, 03:04 PM  Member (Posts: 11)
People spamming via my zimbra server

I am having so much spam going through my server I cannot keep up with deblacklisting.

I don't understand how this is happening. I have access restricted to sending email via registered account logins and not MTA trusted networks.

Here is the most recent spam sent via my zimbra server today:

Jan 8 04:22:11 newmail postfix/qmgr[29990]: 98E4E1120431: from=<office@massory.lv>, size=2474, nrcpt=3 (queue active)
Jan 8 06:49:01 newmail postfix/qmgr[29990]: 0C96011204D8: from=<office@massory.lv>, size=1818, nrcpt=3 (queue active)

Jan 8 06:49:01 newmail amavis[8211]: (08211-16) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20120108T060644-08211: <office@massory.lv> -> <sgtkmitth@aol.com>,<serviicess@live.com>,<fiasalg ill@yahoo.com> SIZE=1818

Received: from mail.edited.com ([127.0.0.1]) by localhost (mail.edited.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Sun, 8 Jan 2012 06:49:01 -0500 (EST)
Jan 8 06:49:01 newmail amavis[8211]: (08211-16) Checking: weSXnkG5+Lwk [38.99.171.107] <office@massory.lv> -> <edited@aol.com>,<edited@live.com>,<edited@yahoo.c om>

Jan 8 06:49:06 newmail amavis[8211]: (08211-16) FWD via SMTP: <office@massory.lv> -> <edited@aol.com>,<edited@live.com>,<edited@yahoo.c om>,BODY=7BIT 250 2.6.0 Ok, id=08211-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4B3F411204D9

Does anyone know what is happening here? I have to stop it, and I do not have this issue with my non-Zimbra servers.

Thanks
John
#2  01-08-2012, 05:18 PM  raj (Moderator, Posts: 768)

Looks like one or more of your account passwords is compromised and someone is relaying SPAM using SMTP-AUTH, so you need to find out which account(s).
Most of the time SPAMMERS log in as many times as possible, so you will see lots of login attempts.
Run the following and see which account repeats itself a lot..chances are that is the account..all you need to do is change the password to something strong.

Quote:
tail -n 100000 /var/log/maillog | grep "sasl_username=" > /tmp/smtpauthlogins.txt
If you want to search older maillog.gz files you can use zgrep.
* The /tmp/smtpauthlogins.txt file will have your output.


Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
#3  01-08-2012, 06:06 PM  Member (Posts: 11)

Quote:
Originally Posted by raj
Looks like one or more of your account passwords is compromised and someone is relaying SPAM using SMTP-AUTH, so you need to find out which account(s).
Most of the time SPAMMERS log in as many times as possible, so you will see lots of login attempts.
Run the following and see which account repeats itself a lot..chances are that is the account..all you need to do is change the password to something strong.

If you want to search older maillog.gz files you can use zgrep.
* The /tmp/smtpauthlogins.txt file will have your output.

Raj
If the account was authenticated prior to sending, why wouldn't Zimbra log the account that sent the messages? Why would you have to guess based on login attempts? If they have the login userids and passwords there wouldn't be that many attempts.
#4  01-08-2012, 07:08 PM  raj (Moderator, Posts: 768)

Quote:
Originally Posted by jbuwa
If the account was authenticated prior to sending why wouldn't zimbra log the account.
It does..those are the lines my command will extract for you.
PS: once the SPAMMER is authenticated they can use ANY "FROM" address to send email..those are the lines you mentioned in your original post.
You need to FIND the actual SMTP-AUTH user using my command.

Quote:
Why would you have to guess based on login attempts
Not guessing..once you see a HUGE list of logins..you will KNOW.

Quote:
If they have the login userids and passwords there wouldn't be that many attempts.
YES there will be. These are not the "failed" logins..these will be real successful logins which they are using to RELAY email..once they have access they will try to login AS MANY times AS they can till you stop them.
PS: generally they use many logins because they send emails out in bursts of 10-12 mails.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
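As an added example (not Raj's command nor anything posted in this thread), the script below does what Raj describes on a constructed maillog excerpt: it joins each Postfix smtpd line's sasl_username to the envelope sender and recipient count that qmgr logs for the same queue ID, so the authenticated account behind a forged From address stands out. It assumes the standard Postfix smtpd/qmgr log format; the queue IDs, the client address and the massory.lv sender are borrowed from the thread's own log lines, everything else is made up.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt (not from the original post): two relayed
# messages from a compromised account and one legitimate message.
SAMPLE_LOG = """\
Jan  8 06:48:59 newmail postfix/smtpd[1201]: 0C96011204D8: client=unknown[38.99.171.107], sasl_method=LOGIN, sasl_username=bob@edited.com
Jan  8 06:49:01 newmail postfix/qmgr[29990]: 0C96011204D8: from=<office@massory.lv>, size=1818, nrcpt=3 (queue active)
Jan  8 06:50:10 newmail postfix/smtpd[1201]: A1B2C3D4E5F6: client=unknown[38.99.171.107], sasl_method=LOGIN, sasl_username=bob@edited.com
Jan  8 06:50:11 newmail postfix/qmgr[29990]: A1B2C3D4E5F6: from=<info@other.example>, size=2100, nrcpt=12 (queue active)
Jan  8 07:02:33 newmail postfix/smtpd[1310]: F0E1D2C3B4A5: client=laptop.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@edited.com
Jan  8 07:02:34 newmail postfix/qmgr[29990]: F0E1D2C3B4A5: from=<alice@edited.com>, size=900, nrcpt=1 (queue active)
"""

# smtpd logs the authenticated user per queue ID; qmgr logs the envelope sender.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), .*sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def summarize_sasl_senders(log_text):
    """Per SASL user: message count, total recipients, envelope senders used, client hosts."""
    auth_by_qid = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            auth_by_qid[m["qid"]] = (m["user"], m["client"])
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set(), "clients": set()})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m or m["qid"] not in auth_by_qid:
            continue  # no SASL login for this queue ID (or no matching smtpd line)
        user, client = auth_by_qid[m["qid"]]
        s = stats[user]
        s["messages"] += 1
        s["recipients"] += int(m["nrcpt"])
        s["senders"].add(m["sender"])
        s["clients"].add(client)
    return dict(stats)


def suspicious_accounts(stats, min_recipients=10):
    """Accounts that sent with an envelope sender other than their own login, or to many recipients."""
    flagged = []
    for user, s in stats.items():
        foreign_senders = s["senders"] - {user}
        if foreign_senders or s["recipients"] >= min_recipients:
            flagged.append(user)
    return sorted(flagged)
```

Feed it `zcat /var/log/maillog*.gz` output the same way to cover older logs; the flagged account is the one whose password needs changing.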