
Thread: Zimbra Server is sending Spam with non-existent accounts in one of the domains

  1. #1
    miguel.a.velasco (Junior Member, joined Sep 2009, 7 posts)

    Zimbra Server is sending Spam with non-existent accounts in one of the domains

    Hello all,

    Today I've seen in /var/log/zimbra.log that our Zimbra server is sending a lot of emails out using many accounts that don't exist on the server. Here you have an example of the log for the account lana_cantu@mydomain.com, which doesn't exist on my server:

    May 2 19:18:13 server amavis[27993]: (27993-10) FWD via SMTP: <lana_cantu@mydomain.com> -> <travish3006@yahoo.com>,BODY=7BIT 250 2.0.0 Ok, id=27993-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6D8A1688324
    May 2 19:18:13 server postfix/error[29088]: B6D8A1688324: to=<travish3006@yahoo.com>, relay=none, delay=0.01, delays=0/0/0/0, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.136.217.203] refused to talk to me: 421 4.7.1 [TS03] All messages from 82.98.151.39 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
    May 2 19:18:13 server amavis[27993]: (27993-10) Passed CLEAN, [127.0.0.1] [127.0.0.1] <lana_cantu@mydomain.com> -> <travish3006@yahoo.com>, Message-ID: <201305021718.r42HIDR1001752@server.mydomain.com>, mail_id: SQ3PXC9+id3m, Hits: -, size: 977, queued_as: B6D8A1688324, 70 ms
    May 2 19:18:13 server postfix/smtp[1750]: 9CFB71688315: to=<travish3006@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.12, delays=0.05/0/0/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=27993-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6D8A1688324)
    May 2 19:18:13 server postfix/qmgr[23022]: 9CFB71688315: removed
    May 2 19:18:14 server postfix/smtp[24274]: AA24D1688322: to=<travisgulley@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.67.27]:25, delay=3.3, delays=0.01/0/0.28/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.67.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/a...py?answer=6596 r5si847676wij.23 - gsmtp (in reply to RCPT TO command))
    May 2 19:18:14 server postfix/cleanup[589]: 0D3411688325: message-id=<20130502171814.0D3411688325@server.mydomain.com>
    May 2 19:18:14 server postfix/qmgr[23022]: 0D3411688325: from=<>, size=3979, nrcpt=1 (queue active)
    May 2 19:18:14 server postfix/bounce[32259]: AA24D1688322: sender non-delivery notification: 0D3411688325
    May 2 19:18:14 server postfix/qmgr[23022]: AA24D1688322: removed
    May 2 19:18:14 server postfix/error[24068]: 0D3411688325: to=<lana_cantu@mydomain.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (mydomain.com)
    May 2 19:18:14 server postfix/qmgr[23022]: 0D3411688325: removed
    May 2 19:18:14 server postfix/smtp[23894]: 358FB1688320: to=<travish2008@hotmail.com>, relay=mx3.hotmail.com[65.55.92.152]:25, delay=1.3, delays=0/0/0.57/0.68, dsn=2.0.0, status=sent (250 <201305021718.r42HICUx001749@server.mydomain.com> Queued mail for delivery)
    May 2 19:18:14 server postfix/qmgr[23022]: 358FB1688320: removed
    May 2 19:18:17 server clamd[1697]: SelfCheck: Database status OK.
    May 2 19:18:19 server sendmail[32258]: r42HH4M1032258: from=maggie_padilla@mydomain.com, size=404, class=0, nrcpts=1, msgid=<201305021717.r42HH4M1032258@server.mydomain.com>, relay=www-data@localhost
    May 2 19:18:19 server sendmail[32258]: r42HH4M1032258: to=tamilanda13@gmaill.com, delay=00:01:15, mailer=esmtp, pri=30404, dsn=4.4.3, stat=queued
    May 2 19:18:28 server sendmail[1759]: r42HIS63001759: Authentication-Warning: server.mydomain.com: www-data set sender to lana_cantu@mydomain.com using -f
    May 2 19:18:28 server sendmail[1759]: r42HIS63001759: from=lana_cantu@mydomain.com, size=401, class=0, nrcpts=1, msgid=<201305021718.r42HIS63001759@server.mydomain.com>, relay=www-data@localhost
    May 2 19:18:28 server postfix/smtpd[23798]: connect from localhost.localdomain[127.0.0.1]
    May 2 19:18:28 server postfix/smtpd[23798]: setting up TLS connection from localhost.localdomain[127.0.0.1]
    May 2 19:18:28 server postfix/smtpd[23798]: Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    May 2 19:18:28 server sendmail[1759]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
    May 2 19:18:28 server postfix/smtpd[23798]: E400F1688315: client=localhost.localdomain[127.0.0.1]
    May 2 19:18:28 server postfix/cleanup[589]: E400F1688315: message-id=<201305021718.r42HIS63001759@server.mydomain.com>
    May 2 19:18:28 server postfix/qmgr[23022]: E400F1688315: from=<lana_cantu@mydomain.com>, size=963, nrcpt=1 (queue active)
    May 2 19:18:28 server sendmail[1759]: r42HIS63001759: to=1doodoo26tx@hotmail.com, ctladdr=lana_cantu@mydomain.com (502/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30401, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as E400F1688315)
    May 2 19:18:28 server amavis[22015]: (22015-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20130502T190859-22015: <lana_cantu@mydomain.com> -> <1doodoo26tx@hotmail.com> SIZE=963 BODY=8BITMIME Received: from server.mydomain.com ([127.0.0.1]) by localhost (server.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <1doodoo26tx@hotmail.com>; Thu, 2 May 2013 19:18:28 +0200 (CEST)
    May 2 19:18:28 server postfix/smtpd[23798]: disconnect from localhost.localdomain[127.0.0.1]
    May 2 19:18:29 server amavis[22015]: (22015-12) Checking: BHSai9fpAH0e [127.0.0.1] <lana_cantu@mydomain.com> -> <1doodoo26tx@hotmail.com>
    May 2 19:18:29 server amavis[22015]: (22015-12) Open relay? Nonlocal recips but not originating: 1doodoo26tx@hotmail.com


    **Where the address lana_cantu@mydomain.com is not really on my server. Now the server is on the Yahoo and Hotmail blacklists and all the emails are marked as SPAM.

    All the things I've done today trying to solve the problem are:

    1.- Check if the server is an open relay with some internet testers, and it's not.
    2.- Verify that it is configured with the right networks, following the ZimbraMtaMyNetworks page on the Zimbra wiki. And it's OK:
    [zimbra@server ~]$ zmprov getServer server.mydomain.com | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.0/8 82.98.15X.XX/32
    --> but the problem is that the email server is sending mails out from 127.0.0.1 ....
    3.- Check the right auth system:
    $ zmprov getServer server.mydomain.com | grep -i auth
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: server.mydomain.com
    zimbraMtaAuthTarget: TRUE
    zimbraMtaAuthURL: http://server.mydomain.com:80/service/soap/
    zimbraMtaSaslAuthEnable: yes
    zimbraMtaTlsAuthOnly: TRUE

    What more could I do? It's a huge problem for my company because the mail server is banned by Yahoo and Hotmail.

    Please, any help would be really appreciated.

    Regards,
    Miguel A.Velasco

  2. #2
    phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005, 23,568 posts)

    One of two (or three) things could be happening. There's either a compromised account (search the forum for details on how to find it) or you've modified Zimbra to be an open relay (use any internet open-relay checking site to verify); you might also have a compromised machine on your network. You really should give details of the ZCS release & version installed, for how long this has been happening, whether you've made any changes to your server (such as the anti-spam system) that may have affected it, and also whether you have strong passwords set on your server.

    BTW, why are you not using HTTPS for the web UI login? You're open to a security breach not doing that.
    Regards


    Bill



  3. #3
    miguel.a.velasco (Junior Member, joined Sep 2009, 7 posts)

    Thanks Phoenix for your quick reply.

    Firstly, here you have my Zimbra release: 7.1.1_GA_3196.FOSS 27 May 2011

    I forgot to tell you that the first thing I did today was change the password of all email accounts, but the Zimbra server is still spamming out. I've looked for information in the Zimbra Forum about "compromised account" and I've done the following:

    1.- Run the following as root: tail -n 100000 /var/log/maillog | grep "sasl_username=" > smtpauthlogins.txt . And there is no sasl_username repeating a lot.
    2.- tail -n1000 /var/log/secure | grep 'auth_zimbra:'. And there is nothing.

    About the open relay, I've checked my Zimbra server from different internet testers and the result is that it's not an open relay.

    About how long it's been happening, I think about 10 days more or less.

    About changes to the anti-spam system on my server, I don't remember any particular one.

    About HTTPS in the web GUI, you're right and I'll change it.

    Do you need anything else to check what's going on? If yes, please let me know.

    Could you please help me?

    Thanks very much for your time
    Miguel A.Velasco

    Regards,
    Miguel
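An added example, not code from this thread or from Zimbra: a small Python script that runs the checks from posts #1 and #3 over log lines of the kind quoted above. It counts SMTP-AUTH submissions per user (the `sasl_username=` search from post #3), picks out the sendmail `Authentication-Warning: ... set sender to ... using -f` lines, which record a local Unix user (in the excerpt, `www-data`, the web server account) handing mail to the local sendmail binary with an envelope sender of its choosing, and flags local-domain senders that are not real accounts. In the post #1 excerpt, `relay=www-data@localhost` together with that warning points at a process on the server itself rather than at an SMTP login, which is consistent with the `sasl_username` search finding nothing. The sample log lines, the account list (`KNOWN_ACCOUNTS`; on a real server build it from `zmprov -l gaa`), the `classify` thresholds and the `203.0.113.5` client are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the zimbra.log excerpt in post #1 of the
# thread (the www-data/sendmail and amavis lines) plus two made-up SASL logins.
SAMPLE_LOG = """\
May 2 19:18:13 server amavis[27993]: (27993-10) FWD via SMTP: <lana_cantu@mydomain.com> -> <travish3006@yahoo.com>,BODY=7BIT 250 2.0.0 Ok, id=27993-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6D8A1688324
May 2 19:18:19 server sendmail[32258]: r42HH4M1032258: from=maggie_padilla@mydomain.com, size=404, class=0, nrcpts=1, msgid=<201305021717.r42HH4M1032258@server.mydomain.com>, relay=www-data@localhost
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: Authentication-Warning: server.mydomain.com: www-data set sender to lana_cantu@mydomain.com using -f
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: from=lana_cantu@mydomain.com, size=401, class=0, nrcpts=1, msgid=<201305021718.r42HIS63001759@server.mydomain.com>, relay=www-data@localhost
May 2 19:18:30 server postfix/smtpd[23798]: 1A2B31688330: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@mydomain.com
May 2 19:18:31 server postfix/smtpd[23798]: 1A2B31688331: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@mydomain.com
"""

# Constructed account list; on a real server build it from `zmprov -l gaa`.
KNOWN_ACCOUNTS = {"alice@mydomain.com", "bob@mydomain.com"}
LOCAL_DOMAIN = "mydomain.com"

# sendmail's warning when an untrusted Unix user picks the envelope sender with -f
SET_SENDER_RE = re.compile(
    r"Authentication-Warning: \S+: (?P<user>\S+) set sender to (?P<sender>\S+) using -f")
# sendmail's per-message "from=" record; relay=<user>@localhost names the local submitter
LOCAL_FROM_RE = re.compile(
    r"sendmail\[\d+\]: \S+: from=(?P<sender>[^,]+),.*relay=(?P<relay>\S+@localhost)")
# postfix/smtpd record of an SMTP-AUTH submission (what `grep sasl_username=` finds)
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")


def analyse(log_text, known_accounts, local_domain):
    """Scan log lines and return counters for the injection paths worth checking."""
    findings = {
        "forged_senders": Counter(),    # (unix user, sender) pairs set with -f
        "local_submitters": Counter(),  # relay=<user>@localhost counts
        "sasl_logins": Counter(),       # SMTP-AUTH username counts
        "unknown_senders": set(),       # local-domain senders that are not real accounts
    }
    for line in log_text.splitlines():
        m = SET_SENDER_RE.search(line)
        if m:
            findings["forged_senders"][(m["user"], m["sender"])] += 1
        m = LOCAL_FROM_RE.search(line)
        if m:
            findings["local_submitters"][m["relay"]] += 1
            sender = m["sender"].strip("<>")
            if sender.endswith("@" + local_domain) and sender not in known_accounts:
                findings["unknown_senders"].add(sender)
        m = SASL_RE.search(line)
        if m:
            findings["sasl_logins"][m["user"].rstrip(",")] += 1
    return findings


def classify(findings, sasl_threshold=100):
    """Name the likely injection path(s) from the counters, most specific first."""
    paths = []
    if findings["forged_senders"]:
        users = sorted({u for u, _ in findings["forged_senders"]})
        paths.append("local process forging senders via sendmail -f as " + ", ".join(users))
    elif findings["local_submitters"]:
        paths.append("local process submitting via sendmail: "
                     + ", ".join(sorted(findings["local_submitters"])))
    heavy = sorted(u for u, n in findings["sasl_logins"].items() if n >= sasl_threshold)
    if heavy:
        paths.append("high-volume SMTP-AUTH logins (check for compromised credentials): "
                     + ", ".join(heavy))
    return paths


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, KNOWN_ACCOUNTS, LOCAL_DOMAIN)
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else sorted(value))
    print(classify(result))
```

On a live server, replace `SAMPLE_LOG` with the contents of /var/log/zimbra.log (or /var/log/maillog) and `KNOWN_ACCOUNTS` with the `zmprov -l gaa` output; a non-empty `forged_senders` or `unknown_senders` result means the mail is being generated by a local process under that Unix user, so the thing to audit is whatever runs as that user (typically a web application), not the Zimbra account passwords.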

  4. #4
    Bill Brock (Outstanding Member, Oklahoma, joined May 2007, 703 posts)

    Is it possible you have an infected computer on your trusted network?
    Last edited by phoenix; 09-20-2013 at 11:26 AM.

  5. #5
    miguel.a.velasco (Junior Member, joined Sep 2009, 7 posts)

    Thanks Bill for your reply.
    What do you mean by a computer? This server is hosted at a provider and I don't know anything about the servers that are in the same LAN ...

    Now my zimbra trusted network is just 127.0.0.1 and the ip of the server ...
    [zimbra@server ~]$ zmprov getServer server.mydomain.com | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.0/8 82.98.15X.XX/32

    **Where 82.98.15X.XX is the server ip address


    Thanks for your time.

  6. #6
    Neofrek (Starter Member, joined Sep 2013, 1 post)

    I have the exact same issue

    Quote Originally Posted by miguel.a.velasco:
    Thanks Bill for your reply.
    What do you mean by a computer? This server is hosted at a provider and I don't know anything about the servers that are in the same LAN ...

    Now my zimbra trusted network is just 127.0.0.1 and the ip of the server ...
    [zimbra@server ~]$ zmprov getServer server.mydomain.com | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.0/8 82.98.15X.XX/32

    **Where 82.98.15X.XX is the server ip address


    Thanks for your time.

    Did anyone find a solution for this?

    I'm having the exact same problem.

    Regards

  7. #7
    vheroes (Junior Member, joined Apr 2013, 8 posts)

    My problem

    Quote Originally Posted by Neofrek:
    Did anyone found a solution for this?

    I'm having the exact same problem.

    Regards

    I have the same problem. Even I can't delete the spammer user.
    I am really confused with this problem, really need help, asap.

  8. #8
    babyporch (Active Member, Palermo, joined Jan 2009, 43 posts)

    Some time ago, I had a similar problem. I resolved it by blacklisting the email address and the spam stopped going out. Afterwards I discovered the compromised account with a full log analysis. Finally I removed the server from the RBLs.

  9. #9
    vheroes (Junior Member, joined Apr 2013, 8 posts)

    I was having a problem like this before. But I managed to reset the spammer account password, and the account never spammed again. But this time, I can't delete the account. I am so confused, our IP is blacklisted. Please, someone help me out.
