My Zimbra Sending Spam to The world

[Mido3mad]

Hi all,

the problem is 1 of our mail account has been hacked and we see this account sending spam and some domains block us from sending mails to it

we change the password and locked the account

but there is anther account called aa@bb.mydomain.com still sending spam --

I dont have username called aa or domain called bb

and I test my mail system and its not open relay


can Anybody help me please what is the reason of that?

[Yves Pires]

check /opt/zimbra/log/audit.log

you need to check which account have too many logins entries even at 0:00 to 6:00 am

[Mido3mad]

I Check this audit and found hacked account was sending messages and I Locked this account

the problem is that zimbra sending spam from accounts not listed in my list of accounts ,strange accounts like aa@bb.mydomain.com ( i dont have bb domain )

us@mydomain.com ( i dont have this account in my list )

So they dont login to the mail and i dont know how they sending messages without be from my users

[shanxt]

If the logs are showing that the spam is originating from your server, then it's definitely being sent by the server. It's possible that they are spoofing the header messages of the emails. To check this, search for the 'sasl_username' keyword, or try reading an email from the queue and analyse its header files. Also find the IP from your Zimbra or firewall logs, and ban the IP.

To read the mail from queue, take a look at the 'postcat' command.

[Mido3mad]

Thanks for you answer
The Problem has been solved by

Going to /opt/zimbra/conf/zmmta.cf

and change smtpd_reject_recipents value to yes ( after any upgrade you should do the same )
then restart postfix and the spam stop now