
Thread: Massive amount of emails sending from my email server

  1. #11
    Solt is offline Active Member

    Really thanks.

    This is the message I saw in audit.log. It seems to be the suspected account, which I have closed; however, email is still being sent out from our server, and there is still a massive amount of active email queue.

    2013-04-03 18:00:55,404 WARN [btpool0-257://ms1.ipeee.com:7071/service/admin/soap/] [name=test@ipeee.com;ip=10.0.85.21;] security - cmd=Auth; account=test@ipeee.com.hk; protocol=soap; error=authentication failed for test, account(or domain) status is closed;

    Sorry, I am really not good at programming and Linux. Do you mean to save that code to a script named pfdel.pl? And where should I put this script?

  2. #12
    vavai is offline Special Member

    Quote Originally Posted by Solt View Post
    Really thanks.
    Sorry, I am really not good at programming and Linux. Do you mean to save that code to a script named pfdel.pl? And where should I put this script?
    Save the above code under the name pfdel (without .pl is okay). Any folder is okay; let's say it is /opt:

    Code:
    cd /opt
    vi pfdel
    Copy and paste the above code, save it (with ESC, :wq) and then:
    Code:
    chmod +x /opt/pfdel
    /opt/pfdel test@ipeee.com.hk
    /opt/pfdel MAILER-DAEMON
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  3. #13
    swrightsls is offline Senior Member

    Hi,

    You may want to look back at your mailbox.log for connections to this account from IPs in the ranges:

    74.115.0.0 - 74.115.7.255 (proxy/anon site that attacks start from - anchorfree.com)
    41.71.128.0 - 41.71.255.255 (Nigerian IPs that spam is sent from)
    41.138.184.0 - 41.138.191.255 " "

    If this is anything like our experience in the last few days, they are using direct SOAP calls to place the spam message in account signatures, then sending massive amounts of spam as a blank message using a script.

    Our solution was to identify all accounts affected & reset passwords, but also block all of the IP ranges at our firewall. I have not had any reply to my abuse reports to owners of the address blocks...
    Release 7.1.4_GA_2555.UBUNTU8_64 UBUNTU8_64 NETWORK edition, Patch 7.1.4_P1

  4. #14
    vavai is offline Special Member

    Hi swrightsls,
    Quote Originally Posted by swrightsls View Post
    Hi,

    You may want to look back at your mailbox.log for connections to this account from IPs in the ranges:

    74.115.0.0 - 74.115.7.255 (proxy/anon site that attacks start from - anchorfree.com)
    41.71.128.0 - 41.71.255.255 (Nigerian IPs that spam is sent from)
    41.138.184.0 - 41.138.191.255 " "

    If this is anything like our experience in the last few days, they are using direct SOAP calls to place the spam message in account signatures, then sending massive amounts of spam as a blank message using a script.

    Our solution was to identify all accounts affected & reset passwords, but also block all of the IP ranges at our firewall. I have not had any reply to my abuse reports to owners of the address blocks...
    Thank you for your tips. Noted, in case I deal with a similar issue.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  5. #15
    liverpoolfcfan is online now Outstanding Member

    Quote Originally Posted by Solt View Post
    Really thanks.

    This is the message I saw in audit.log. It seems to be the suspected account, which I have closed; however, email is still being sent out from our server, and there is still a massive amount of active email queue.

    2013-04-03 18:00:55,404 WARN [btpool0-257://ms1.ipeee.com:7071/service/admin/soap/] [name=test@ipeee.com;ip=10.0.85.21;] security - cmd=Auth; account=test@ipeee.com.hk; protocol=soap; error=authentication failed for test, account(or domain) status is closed;

    Sorry, I am really not good at programming and Linux. Do you mean to save that code to a script named pfdel.pl? And where should I put this script?
    I am not sure about the possibilities for spoofing the address of the client, but certainly in a normal instance the [name=test@ipeee.com;ip=10.0.85.21;] part tells you the IP address of the client. In this case the IP address is an internal IP address, i.e. not one that can be routed publicly, so you should be looking for an infected system on your own network.

  6. #16
    Solt is offline Active Member

    Thanks, the suspected account has been closed, and the internal IP address is my email server.

    Still no clue how to solve this yet.

  7. #17
    Solt is offline Active Member

    I have blocked 2 IPs at the firewall and it seems it is now temporarily solved, thanks so much.

    Now time to request an unblock.

    Another question, did you guys setup any RBLs in the admin console?

  8. #18
    vavai is offline Special Member

    Quote Originally Posted by Solt View Post
    I have blocked 2 IPs at the firewall and it seems it is now temporarily solved, thanks so much.

    Now time to request an unblock.

    Another question, did you guys setup any RBLs in the admin console?
    Yes, I did. My default setup uses b.barracudacentral.org and zen.spamhaus.org as the default RBL set.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  9. #19
    liverpoolfcfan is online now Outstanding Member

    Quote Originally Posted by Solt View Post
    Thanks, the suspected account has been closed, and the internal IP address is my email server.

    Still no clue how to solve this yet.
    Does this server have Apache or another web server running in front of Zimbra?

    If NOT, check your /opt/zimbra/log/access_log_2013-0403 file and look to see if you are getting external requests for pages on your server that are not Zimbra pages. Perhaps there is a rogue page that has been planted on the server?

    If YES, then check the web server logs for a similar issue.

    Or, if you cannot find any rogue pages, check the IP addresses that are making all the requests to try to identify external ones.

    Finally, if someone had gotten the password for the test account, and you have the mail submission port 587 publicly available, then they could simply have been authenticating directly to smtpd and sending mail from there. They would not show up in the access logs, but you would see the AuthRequests from smtpd in the mailbox.log file.
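    An added example, not code from any poster in this thread, that applies the checks suggested in posts #15 and #19 to audit.log: it parses the security records in the format Solt quoted, separates client IPs that belong to your own network from public ones (and from the ranges swrightsls listed in #13), and counts successful authentications per account and source IP. The sample log lines, the 203.0.113.45 address and the alice account are constructed; the other values come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of audit.log lines in the thread's format: line 1 is the one Solt posted, the rest are made up.
SAMPLE_AUDIT_LOG = """\
2013-04-03 18:00:55,404 WARN [btpool0-257://ms1.ipeee.com:7071/service/admin/soap/] [name=test@ipeee.com;ip=10.0.85.21;] security - cmd=Auth; account=test@ipeee.com.hk; protocol=soap; error=authentication failed for test, account(or domain) status is closed;
2013-04-03 18:01:02,110 INFO [btpool0-12://ms1.ipeee.com:80/service/soap/] [name=test@ipeee.com.hk;ip=203.0.113.45;] security - cmd=Auth; account=test@ipeee.com.hk; protocol=soap;
2013-04-03 18:01:03,222 INFO [btpool0-13://ms1.ipeee.com:80/service/soap/] [name=test@ipeee.com.hk;ip=203.0.113.45;] security - cmd=Auth; account=test@ipeee.com.hk; protocol=soap;
2013-04-03 18:02:14,001 INFO [ImapServer-3] [name=alice@ipeee.com.hk;ip=10.0.85.40;] security - cmd=Auth; account=alice@ipeee.com.hk; protocol=imap;
"""

# One "security" record: [name=..;ip=..;] cmd=..; account=..; protocol=..; and an optional error=..;
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[[^\]]*\] \[name=(?P<name>[^;]*);ip=(?P<ip>[^;]+);\] "
    r"security - cmd=(?P<cmd>\w+); account=(?P<account>[^;]*); protocol=(?P<protocol>[^;]*);"
    r"(?: error=(?P<error>.*?);)?\s*$")

# Non-routable ranges: a client IP in one of these is a host on your own network (post #15).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Source ranges swrightsls listed in post #13, expanded to CIDR blocks.
REPORTED_NETS = [net for lo, hi in (("74.115.0.0", "74.115.7.255"), ("41.71.128.0", "41.71.255.255"),
                                    ("41.138.184.0", "41.138.191.255"))
                 for net in ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))]

def parse_auth_events(text):
    """Return the parsed cmd=Auth records from audit.log text, in file order."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m and m.group("cmd") == "Auth":
            events.append(m.groupdict())
    return events

def classify_ip(ip):
    """'internal', 'reported' (inside a post #13 range) or 'external'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in REPORTED_NETS):
        return "reported"
    return "external"

def successful_auth_sources(text):
    """Count successful Auth events (no error field) per (account, client ip, ip class)."""
    counts = Counter()
    for e in parse_auth_events(text):
        if e["error"] is None:
            counts[(e["account"], e["ip"], classify_ip(e["ip"]))] += 1
    return counts
```

    Run it over your real audit.log with `successful_auth_sources(open("/opt/zimbra/log/audit.log").read()).most_common()`; a closed account that still shows recent successful logins from one external address is the source to block and reset.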

  10. #20
    Solt is offline Active Member

    We have Zenosis, which is running on the same server as the email server; I don't know if it is related. I will check the log, thanks.

    Quote Originally Posted by liverpoolfcfan View Post
    Does this server have Apache or another web server running in front of Zimbra?

    If NOT, check your /opt/zimbra/log/access_log_2013-0403 file and look to see if you are getting external requests for pages on your server that are not Zimbra pages. Perhaps there is a rogue page that has been planted on the server?

    If YES, then check the web server logs for a similar issue.

    Or, if you cannot find any rogue pages, check the IP addresses that are making all the requests to try to identify external ones.

    Finally, if someone had gotten the password for the test account, and you have the mail submission port 587 publicly available, then they could simply have been authenticating directly to smtpd and sending mail from there. They would not show up in the access logs, but you would see the AuthRequests from smtpd in the mailbox.log file.
