
Thread: i'm in a big spam trouble ! pls help me !

  1. #1
    lananhbin

    My domain is abc.cd.ef
    The FQDN of my mail server is z.abc.cd.ef

    In my system, there is a user fedexexpressdelivery@z.abc.cd.ef that is sending spam, but I can't find that user to disable it. Please tell me how!

    Thanks in advance!

  2. #2
    phoenix

    Did you look at any of the forum threads on this topic? How do you know that's the 'user' that's sending spam? The information you've posted doesn't actually give any details about the problem, you're going to have to look at the log files to determine what the problem actually is.
    Regards


    Bill



  3. #3
    lananhbin

    I logged in to the Zimbra web mail and that user is randomly sending thousands of emails. Those emails make my system crash!
    Ex: my domain is abc.cd.ef, so my user email is: lananh@abc.cd.ef
    but the email sending spam is fedexexpressdeliverry@z.abc.cd.ef, and z.abc.cd.ef is the FQDN of my mail server.
    I can't find that user!
    P.S.: I searched but I can't find any solution.

    Quote Originally Posted by phoenix View Post
    Did you look at any of the forum threads on this topic? How do you know that's the 'user' that's sending spam? The information you've posted doesn't actually give any details about the problem, you're going to have to look at the log files to determine what the problem actually is.
    Last edited by lananhbin; 03-29-2013 at 04:15 AM.

  4. #4
    phoenix

    Quote Originally Posted by lananhbin View Post
    I logged in to the Zimbra web mail and that user is randomly sending thousands of emails. Those emails make my system crash!
    Ex: my domain is abc.cd.ef, so my user email is: lananh@abc.cd.ef
    I understand that.

    Quote Originally Posted by lananhbin View Post
    but the email sending spam is fedexexpressdeliverry@z.abc.cd.ef, and z.abc.cd.ef is the FQDN of my mail server.
    I can't find that user!
    You still haven't said how you know this 'user' is sending spam. Where did you get that email address from? If you got this from the log files then you should see the IP address of the client that's submitting the email. If you have no user with that name on your server then you've either got a compromised account or a spam bot on your network that's submitting mail through your server.

    Quote Originally Posted by lananhbin View Post
    P.S.: I searched but I can't find any solution.
    There are plenty of solutions in the forums. I'd suggest you look at some of those threads that discuss 'compromised accounts' and try some of the suggestions you'll find. You will additionally need to look at your log files to find the source of this problem; merely repeating the suspected user name does not give enough information for anyone to advise you. You're going to have to do some digging in the log files.
    Regards


    Bill



  5. #5
    lananhbin

    I disconnected the network, then I logged in to my admin page. I can see the user that sends the most emails. I can't find that user on my system. i didnt

    I have some information.

    There are a few emails from the IP 101.221.201.127 sent to my system, with:
    sender: fedexexpressdeliverry@z.abc.cd.ef. It's the same name as the account sending spam on my system.
    from host: unknown
    origin domain: smtp-amavis:[127.0.0.1]:10024

    That's all I have now. I can't find the local IP or user on my system sending mail!

    If I'm under a "spam bot" attack, what should I do? I searched with the keywords you gave but I still can't find any solution! Please help me! Thanks

  6. #6
    vavai

    Hi,

    The simple temporary solution (or call it first aid): just tell Zimbra to ban all mail sent from your FQDN instead of from your domain.

    Code:
    su - zimbra
    vi /opt/zimbra/conf/salocal.cf.in

    Add the following line:

    blacklist_from *@z.abc.cd.ef

    and then save it (with :wq!, because this file is read-only), followed by:

    Code:
    zmmtactl restart && zmamavisdctl restart

    The permanent solution: investigate your logs (start from /var/log/zimbra.log) and find out the origin (IP, sender, SASL login) of the spam messages.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  7. #7
    lananhbin

    Thanks vavai! Although I did it the other way: I blocked 101.221.201.127, added more rules to my MTA... and now (maybe) I have solved my trouble. But I still can't find the compromised accounts.

    P.S.: thanks phoenix so much

  8. #8
    pyperdown

    You need to look at your zimbra.log files, possibly going back a couple of days. If it's not in the current log you may need to look at zimbra.log.0, or zimbra.log.[1-4].gz

    This fragment checks the log file and counts the number of connections in each recorded timestamp minute, i.e.


    5 12:48 ignorant_user
    32 12:53 ignorant_user


    And so on.

    zgrep -i "auth ok" /var/log/zimbra.log | awk -F"[ :]" '{print $3":"$4,$11;}' | uniq -c | sort -nr
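
The correlation suggested in the replies above (origin IP, sender, SASL login), as an added example that is not part of any post in this thread: it joins Postfix `smtpd` and `qmgr` lines on the queue ID to show which client IP and SASL login submitted mail with a given envelope sender. It assumes the standard Postfix syslog line layout in zimbra.log; the sample lines, the login `jdoe` and the function names are constructed for illustration.

```shell
# Added example: sample lines are constructed, in standard Postfix syslog layout.
sample_log() {
cat <<'EOF'
Mar 29 04:01:12 z postfix/smtpd[2211]: 3F2A81C0042: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=jdoe
Mar 29 04:01:12 z postfix/qmgr[1980]: 3F2A81C0042: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2310, nrcpt=50 (queue active)
Mar 29 04:01:13 z postfix/smtpd[2290]: 7B11C1C0043: client=localhost[127.0.0.1]
Mar 29 04:01:13 z postfix/qmgr[1980]: 7B11C1C0043: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2890, nrcpt=50 (queue active)
Mar 29 04:01:20 z postfix/smtpd[2211]: 9C0D21C0044: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=jdoe
Mar 29 04:01:20 z postfix/qmgr[1980]: 9C0D21C0044: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2311, nrcpt=50 (queue active)
Mar 29 04:01:31 z postfix/smtpd[2305]: B4E5F1C0046: client=unknown[192.0.2.55]
Mar 29 04:01:31 z postfix/qmgr[1980]: B4E5F1C0046: from=<fedexexpressdeliverry@z.abc.cd.ef>, size=2300, nrcpt=10 (queue active)
Mar 29 04:02:01 z postfix/smtpd[2300]: A1B2C31C0045: client=mail.example.net[198.51.100.7]
Mar 29 04:02:01 z postfix/qmgr[1980]: A1B2C31C0045: from=<lananh@abc.cd.ef>, size=900, nrcpt=1 (queue active)
EOF
}

read_logs() {   # plain and .gz logs; stdin when no file is named
    [ $# -eq 0 ] && { cat; return; }
    for f in "$@"; do
        case $f in *.gz) gzip -dc -- "$f" ;; *) cat -- "$f" ;; esac
    done
}

# trace_sender SENDER [LOG...] -> "count client_ip sasl_login" per origin
trace_sender() {
    sender=$1; shift
    read_logs "$@" | awk -v sender="$sender" '
        $5 ~ /^postfix\/smtpd\[/ && / client=/ {   # submission: who handed over this queue ID
            qid = $6; sub(/:$/, "", qid)
            ip = $0; sub(/.* client=[^[]*\[/, "", ip); sub(/\].*/, "", ip)
            user = match($0, /sasl_username=[^, ]+/) ? substr($0, RSTART + 14, RLENGTH - 14) : "-"
            origin[qid] = ip " " user
        }
        $5 ~ /^postfix\/qmgr\[/ && index($0, "from=<" sender ">") {
            qid = $6; sub(/:$/, "", qid)
            o = (qid in origin) ? origin[qid] : "unknown -"
            if (o !~ /^127\.0\.0\.1 /) count[o]++   # skip copies re-injected by amavis
        }
        END { for (o in count) print count[o], o }
    ' | sort -k1,1nr -k2
}

sample_log | trace_sender 'fedexexpressdeliverry@z.abc.cd.ef'
```

On a live server, pass the current and rotated logs as arguments after the sender address. A `-` in the last column means the message was submitted without SASL authentication, so the client IP is the lead rather than an account.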
