Hi Raj,
thank you for your interest.
Well, my topology is quite simple, still maybe non-standard:
- I have 3 ranges of public IP addresses (2 subnets of 16 IPs, and one class C of public IP addresses)
- these public IP ranges and servers are NOT opened directly to the public, but are behind a firewall...
- ...with STATIC mapping and 1-to-1 port forwarding and ports opened
So it is kind of a protected DMZ, without NAT.
Since I also host my own DNS inside this plant, all my servers are configured to use my "internal" DNS, which is also my "public" DNS.
So there is no need for split DNS (local IP = public IP).
REGARDING THE PROBLEM
I have many WEB servers behind the FIREWALL, whose IP is 123.456.789.1
Well, I only know that at least one of those web servers hosts at least one web form which is sending out SPAM, or is somehow compromised with spamming code.
So there I face the problem: how to find traces of spamming activity among hundreds of log files, each located inside the web space of one of hundreds of web sites, on dozens of web servers... some Windows, some Linux, some 10 yrs old, some new, hehe
I blocked them by closing the "trusted network" mask in the Zimbra server from /24 down to /32, and I am running scanners on all web servers right now, to find the malicious code.
But I am afraid that those are not viruses, but rather open web forms or PHP scripts, which AV and anti-* scanners won't detect.
It's off topic for this discussion now, but hey, it's interesting, dynamic... and I am stuck.
*** EDIT ***
Hey, wait...maybe I have an idea!
Since I also host my own anti-spam mail filtering cluster, I might redirect PHP sendmail on a global level to use my own mail servers?
I'll dig into this and report back. Maybe someone would find this useful.
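An added example, not part of the post above and not code from Zimbra or PHP, of how the "redirect PHP mail through my own servers" idea can also answer the original question (which script is spamming?). PHP's own knobs are real: on Linux, `sendmail_path` in php.ini is the command `mail()` pipes every message into; `mail.add_x_header = On` makes PHP add an `X-PHP-Originating-Script: uid:script.php` header; `mail.log = /path` makes it log the calling script and line; on Windows, `mail()` instead talks SMTP to the host in the `SMTP`/`smtp_port` settings, so pointing those at the filtering cluster is the equivalent redirect. The script below does two things: as a `sendmail_path` wrapper it stamps each outgoing message with the directory PHP ran from (PHP runs scripts from their own directory, so `PWD` is the site's web space) and writes a one-line log record before handing the message to the real sendmail; as an analysis tool on the filtering side it ranks messages by whichever origin header is present, so the noisiest site or script floats to the top. The `X-Web-Origin-*` header names, the paths `/usr/sbin/sendmail` and `/var/log/php-mail-origin.log`, the host names and the sample messages are all assumptions constructed for the example.

```python
"""Attribute outbound PHP mail to the web script or site that sent it.

Wrapper mode (on a Linux web server): stamp origin headers, log, relay.
Analysis mode (on the mail filter): rank messages by origin header.
Header names, paths and sample data are assumptions for this example.
"""
import email
import email.utils
import json
import os
import socket
import subprocess
import sys
import time
from collections import Counter

# Most specific pointer first: PHP's own header (mail.add_x_header=On) gives
# "uid:script.php"; X-Web-Origin-Dir is the hypothetical header this wrapper adds.
ORIGIN_HEADERS = ("X-PHP-Originating-Script", "X-Web-Origin-Dir")
REAL_SENDMAIL = "/usr/sbin/sendmail"          # assumed path to the real MTA client
ORIGIN_LOG = "/var/log/php-mail-origin.log"   # assumed log file, one JSON record per mail


def tag_message(raw, env, host, when=None):
    """Prepend origin headers to a raw message; return (tagged bytes, log record).

    mod_php and PHP-FPM chdir() into the script's directory before running it,
    so PWD in the spawned sendmail's environment is the site's web space.
    Prepending keeps the message well-formed whatever its body or line endings.
    """
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(when)),
        "host": host,
        "dir": env.get("PWD", "?"),
        "user": env.get("USER", "?"),
        "to": " ".join(email.message_from_bytes(raw).get("To", "?").split()),
    }
    stamp = (f"X-Web-Origin-Host: {record['host']}\n"
             f"X-Web-Origin-Dir: {record['dir']}\n").encode()
    return stamp + raw, record


def origin_of(raw):
    """Best available pointer to the sender (unfolded), or '<untagged>'."""
    msg = email.message_from_bytes(raw)
    for name in ORIGIN_HEADERS:
        value = msg.get(name)
        if value:
            return " ".join(value.split())
    return "<untagged>"


def recipient_count(raw):
    """Addresses across To/Cc/Bcc; an abused form tends to fan out widely."""
    msg = email.message_from_bytes(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sum(1 for _, addr in email.utils.getaddresses(headers) if addr)


def rank_origins(raw_messages):
    """Return [(origin, messages, recipients)], worst offender first."""
    msgs, rcpts = Counter(), Counter()
    for raw in raw_messages:
        origin = origin_of(raw)
        msgs[origin] += 1
        rcpts[origin] += recipient_count(raw)
    return sorted(((o, msgs[o], rcpts[o]) for o in msgs),
                  key=lambda t: (-t[2], -t[1], t[0]))


# Constructed sample messages (not real captures): two stamped by the wrapper,
# one carrying PHP's own header, one with no origin information at all.
SAMPLE_MESSAGES = [
    b"X-Web-Origin-Host: web07\nX-Web-Origin-Dir: /var/www/site-a/htdocs\n"
    b"To: a1@example.net, a2@example.net, a3@example.net\nSubject: Cheap meds\n\nbuy now\n",
    b"X-Web-Origin-Host: web07\nX-Web-Origin-Dir: /var/www/site-a/htdocs\n"
    b"To: b1@example.net\nBcc: b2@example.net, b3@example.net\nSubject: Cheap meds\n\nbuy now\n",
    b"X-PHP-Originating-Script: 33:order.php\nTo: shop@example.org\nSubject: Order #1\n\nthanks\n",
    b"To: root@localhost\nSubject: cron\n\nok\n",
]


def main(argv):
    """Wrapper entry point, invoked by PHP as sendmail_path with its usual -t -i."""
    raw = sys.stdin.buffer.read()
    tagged, record = tag_message(raw, dict(os.environ), socket.gethostname())
    with open(ORIGIN_LOG, "ab") as log:
        log.write((json.dumps(record) + "\n").encode())
    return subprocess.run([REAL_SENDMAIL, *argv], input=tagged).returncode


if __name__ == "__main__":
    if sys.stdin.isatty():   # run by hand: rank the constructed samples
        for origin, n, r in rank_origins(SAMPLE_MESSAGES):
            print(f"{r:4d} rcpts {n:3d} msgs  {origin}")
    else:                    # run by PHP: act as the sendmail wrapper
        sys.exit(main(sys.argv[1:]))
```

To deploy the wrapper side, the php.ini entries would be `sendmail_path = "/usr/local/bin/php-mail-origin.py -t -i"`, plus `mail.add_x_header = On` and `mail.log = /var/log/php-mail.log` so that PHP itself records the script and line even on servers where the wrapper is not installed (the installed path is again an assumption). The ranking only needs the headers, so it can run on the filtering cluster over quarantined mail, which is where the spam already ends up once Zimbra is no longer trusting the whole /24.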