Thread: Zimbra server sending out lots of spam

  1. #1 nitsew (Intermediate Member, joined Jan 2013, 24 posts)

    Zimbra server sending out lots of spam

    Hey Folks,

    I awoke this morning to a phone call from one of our techs telling me that people weren't receiving mail. I logged into Zimbra, and between the 'deferred', 'active', and 'incoming' queues, there were over 100,000 messages tied up in our server. All of the sender addresses were non-existent accounts such as du@mydomain.com, rc@mydomain.com, bosib@mydomain.com, etc. I double-checked mxtoolbox.com, and the mail server is not set for open relay, which I verified by trying to send mail on 25 from my machine at home. Here is a sampling of zimbra.log [I have changed references to our domain to 'mydomain.com']:

    Code:
    Aug 29 06:46:57 mail postfix/smtps/smtpd[16241]: 7CE51AC4DC4: filter: RCPT from catv-176-63-242-182.catv.broadband.hu[176.63.242.182]: <doxyn@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<doxyn@mydomain.com> to=<wayne_bernard13@yahoo.com> proto=ESMTP helo=<igfurxsxvp>
    Aug 29 06:46:57 mail opendkim[17668]: 32333AC4DD9: no signing table match for 'dyqyp@mydomain.com'
    Aug 29 06:46:57 mail postfix/error[11878]: DCE74AA2FD3: to=<bella_flaky@yahoo.com>, relay=none, delay=1331, delays=1331/0.05/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail amavis[16220]: (16220-02-5) Checking: xSLg0CnThemb ORIGINATING [142.217.3.4] <sijed@mydomain.com> -> <jaimebarbosa82@gmail.com>,<qehwkj2@jnwrwerj.com>,<lovely_boy271@yahoo.com>,<ricewilliams75@yahoo.com>
    Aug 29 06:46:57 mail postfix/smtps/smtpd[19139]: AF5FDAC4DC9: filter: RCPT from 142-217-3-4.telebecinternet.net[142.217.3.4]: <raco@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<raco@mydomain.com> to=<gatornick22@yahoo.com> proto=ESMTP helo=<wukujrnj>
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-12) FWD from <dyqyp@mydomain.com> -> <ajitchaudhari07@gmail.com>,<dochennis@gmail.com>,<umer987@hotmail.com>,<www.kriangkrai_s@hotmail.com>,<asa_collier_04@yahoo.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9
    Aug 29 06:46:57 mail postfix/cleanup[15873]: F204BAC3ABF: message-id=<20130829114649.F204BAC3ABF@mail.mydomain.com>
    Aug 29 06:46:57 mail amavis[16334]: (16334-02-6) ESMTP::10026 /opt/zimbra/data/amavisd/tmp/amavis-20130829T064652-16334-eCxJSNDy: <micyte@mydomain.com> -> <mitchmonster@comcast.ne>,<bopulichev@gmail.com>,<dirtyrolex@gmail.com>,<reissp@gmail.com>,<luisperes1998@hotmail.com>,<hoodi-40@outlook.com>,<mbaker727783@yahoo.com> Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Thu, 29 Aug 2013 06:46:57 -0500 (CDT)
    Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: NOQUEUE: filter: RCPT from unknown[176.15.166.111]: <didu@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<didu@mydomain.com> to=<juanmoreno_49@yahoo.com> proto=ESMTP helo=<yhtojprbhm>
    Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: 42FB9AC4DDA: client=unknown[176.15.166.111], sasl_method=LOGIN, sasl_username=asampson
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-12) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [88.245.52.143]:51672 [88.245.52.143] <dyqyp@mydomain.com> -> <ajitchaudhari07@gmail.com>,<dochennis@gmail.com>,<umer987@hotmail.com>,<www.kriangkrai_s@hotmail.com>,<asa_collier_04@yahoo.com>, Queue-ID: 17F9BA67F04, Message-ID: <20130829100149.17F9BA67F04@mail.mydomain.com>, mail_id: 6vuHgIIWjLhs, Hits: -, size: 594, queued_as: 32333AC4DD9, 171 ms
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<ajitchaudhari07@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<dochennis@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<umer987@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<www.kriangkrai_s@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/smtp[16223]: 17F9BA67F04: to=<asa_collier_04@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=12, delay=6309, delays=5936/372/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 32333AC4DD9)
    Aug 29 06:46:57 mail postfix/qmgr[17648]: 53864AA3E70: from=<du@mydomain.com>, size=1012, nrcpt=3 (queue active)
    Aug 29 06:46:57 mail postfix/qmgr[17648]: 17F9BA67F04: removed
    Aug 29 06:46:57 mail amavis[16333]: (16333-01-13) ESMTP::10026 /opt/zimbra/data/amavisd/tmp/amavis-20130829T064652-16333-f2erIBw_: <piwyba@mydomain.com> -> <joey1974@comcast.net>,<pradip.sarkar1979@gmail.com>,<ulli.meissner@gmx.de>,<johncarlson123@hotmail.com>,<johnboy926@msn.com>,<ayyup_x@yahoo.com>,<chibab4lyf@yahoo.com>,<ionakiddo@yahoo.com> Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Thu, 29 Aug 2013 06:46:57 -0500 (CDT)
    Aug 29 06:46:57 mail postfix/error[11863]: 058A3AA3A86: to=<dambreaks@yahoo.com>, relay=none, delay=351, delays=351/0.03/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail amavis[16334]: (16334-02-6) Checking: SExjRDsJzodb ORIGINATING [146.255.140.127] <micyte@mydomain.com> -> <mitchmonster@comcast.ne>,<bopulichev@gmail.com>,<dirtyrolex@gmail.com>,<reissp@gmail.com>,<luisperes1998@hotmail.com>,<hoodi-40@outlook.com>,<mbaker727783@yahoo.com>
    Aug 29 06:46:57 mail postfix/qmgr[17648]: 92CCCA89B22: from=<fuhax@mydomain.com>, size=1428, nrcpt=6 (queue active)
    Aug 29 06:46:57 mail opendkim[17668]: 635B1AC4DE1: no signing table match for 'su@mydomain.com'
    Aug 29 06:46:57 mail amavis[15790]: (15790-02-16) Checking: 6gWevoKA4XXu ORIGINATING_POST/MYNETS [127.0.0.1] <se@mydomain.com> -> <fmgregobrwn@aol.com>,<garysentez@aol.com>,<darlox@free.fr>,<aposyl@hotmail.com>,<cnc00@hotmail.com>,<dodo2010@yahoo.com>
    Aug 29 06:46:57 mail postfix/smtp[15160]: C6EA4AC256E: to=<andrew04walker@sympatico.ca>, relay=mxmta.sympatico.ca[67.69.240.23]:25, delay=845, delays=727/115/2/0.14, dsn=2.0.0, status=sent (250 ok:  Message 325277331 accepted)
    Aug 29 06:46:57 mail postfix/error[11847]: 92CCCA89B22: to=<michaeladinero@yahoo.com>, relay=none, delay=4386, delays=4386/0.04/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail postfix/qmgr[17648]: DE793A62381: from=<zoc@mydomain.com>, size=1361, nrcpt=5 (queue active)
    Aug 29 06:46:57 mail amavis[16220]: (16220-02-6) Checking: RzKIqo_YKQfY ORIGINATING [84.198.12.130] <noh@mydomain.com> -> <sdffggdfg@aol.com>,<dhagi66@gmail.com>,<evansarthur@hotmail.com>,<brothers.kevin44@yahoo.com>,<infineon_01@yahoo.com>,<wadewolf22@yahoo.com>
    Aug 29 06:46:57 mail amavis[16406]: (16406-01-4) ESMTP::10032 /opt/zimbra/data/amavisd/tmp/amavis-20130829T064655-16406-snZPTJCx: <hys@mydomain.com> -> <harikrishnanedm@gmail.com>,<phillipsr88@gmail.com>,<astro_insomniac@hotmail.com>,<ccsjsimonian@yahoo.com>,<vicmack777@yahoo.com> SIZE=1049 Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP; Thu, 29 Aug 2013 06:46:57 -0500 (CDT)
    Aug 29 06:46:57 mail postfix/error[11969]: D16ECA84A49: to=<iusman4178@yahoo.com>, relay=none, delay=20258, delays=20258/0.04/0/0.04, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mta7.am0.yahoodns.net[98.138.112.37]:25: Connection timed out)
    Aug 29 06:46:57 mail postfix/smtps/smtpd[21953]: BF2B1AC4DB7: filter: RCPT from d54c60c82.access.telenet.be[84.198.12.130]: <hygi@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hygi@mydomain.com> to=<warrington79@tahoo.com> proto=ESMTP helo=<wpipjvp>
    Aug 29 06:46:57 mail amavis[15867]: (15867-02-9) Checking: hgNkA205u4EL ORIGINATING_POST/MYNETS [127.0.0.1] <wipi@mydomain.com> -> <aaronvanmann@aim.com>,<apoindex1337@comcast.net>,<c.ohara388@gmail.com>,<arguellesrandy@hotmail.com>,<sergioa1176@yahoo.com>
    Aug 29 06:46:57 mail postfix/qmgr[17648]: D08ECA8984C: from=<fiq@mydomain.com>, size=1351, nrcpt=5 (queue active)
    Aug 29 06:46:57 mail postfix/smtp[15699]: 15CC4A86D25: to=<deepanshugoel.goel4@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.74.27]:25, delay=15946, delays=1660/14261/24/0.85, dsn=4.7.0, status=deferred (host alt2.gmail-smtp-in.l.google.com[173.194.74.27] said: 421-4.7.0 [198.209.243.122      10] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. b4si1371892qar.65 - gsmtp (in reply to end of DATA command))
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-13) FWD from <su@mydomain.com> -> <brawnarama85@gmail.com>,<da132y4n@gmail.com>,<kyen3026@gmail.com>,<prokslove@gmail.com>,<patatecool@msn.com>,<gazerbo@tiscali.co.uk>,<antwonlawrence@yahoo.com>,<j.cabales@yahoo.com>,<kelvin.kesley@yahoo.com>,<t_espino@yahoo.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 635B1AC4DE1
    Aug 29 06:46:57 mail postfix/smtps/smtpd[19139]: AF5FDAC4DC9: filter: RCPT from 142-217-3-4.telebecinternet.net[142.217.3.4]: <raco@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<raco@mydomain.com> to=<waldron2014@hotmail.com> proto=ESMTP helo=<wukujrnj>
    Aug 29 06:46:57 mail postfix/smtp[8177]: 2760EA87AC2: to=<jaisahani1212@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.77.27]:25, delay=15384, delays=1107/14266/4.6/7.2, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.77.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 g7si1879492oez.116 - gsmtp (in reply to RCPT TO command))
    Aug 29 06:46:57 mail postfix/smtp[15699]: 15CC4A86D25: to=<jegvva@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.74.27]:25, delay=15946, delays=1660/14261/24/0.85, dsn=4.7.0, status=deferred (host alt2.gmail-smtp-in.l.google.com[173.194.74.27] said: 421-4.7.0 [198.209.243.122      10] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. b4si1371892qar.65 - gsmtp (in reply to end of DATA command))
    Aug 29 06:46:57 mail amavis[16330]: (16330-01-13) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [212.91.169.114]:4113 [212.91.169.114] <su@mydomain.com> -> <brawnarama85@gmail.com>,<da132y4n@gmail.com>,<kyen3026@gmail.com>,<prokslove@gmail.com>,<patatecool@msn.com>,<gazerbo@tiscali.co.uk>,<antwonlawrence@yahoo.com>,<j.cabales@yahoo.com>,<kelvin.kesley@yahoo.com>,<t_espino@yahoo.com>, Queue-ID: 705F9AC36EF, Message-ID: <20130829113641.705F9AC36EF@mail.mydomain.com>, mail_id: NhH2fo2kRWhp, Hits: -, size: 690, queued_as: 635B1AC4DE1, 205 ms
    Aug 29 06:46:57 mail postfix/smtp[16223]: 705F9AC36EF: to=<brawnarama85@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=13, delay=617, delays=245/372/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 635B1AC4DE1)
    The logs almost make it look like it is relaying mail, even though it says that it isn't. I have disabled 25 outbound on our firewall for the moment, until I can get this cleared up... So far, I am not a member of any blacklists, just temporarily suspended from many of the major mail providers.

    Any help would be greatly appreciated! If you need any additional info/logs from me, please let me know.

    Thanks,

    Weston




    edit: adding more logs

    Code:
    Aug 29 14:06:40 mail postfix/qmgr[28128]: 567199A3E02: from=<go@mydomain.com>, size=1075, nrcpt=4 (queue active)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<kircks@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<cozine5b@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<dprice131313@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/smtp[7256]: D06108E683E: to=<hong.kong63@ymail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=141, delays=3.1/138/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 567199A3E02)
    Aug 29 14:06:40 mail postfix/qmgr[28128]: D06108E683E: removed
    Aug 29 14:06:40 mail postfix/smtps/smtpd[14695]: 06DE79A3BB4: filter: RCPT from unknown[93.84.18.254]: <sogo@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sogo@mydomain.com> to=<mossivan@yahoo.com> proto=ESMTP helo=<yrvonjdoq>
    Last edited by nitsew; 08-29-2013 at 12:09 PM.

  2. #2 nitsew

    Is there a way I can tell the server to not even queue a message where the sender is not a valid address on our system?

  3. #3 nitsew

    Sorry to keep replying to my own thread... but it looks as if one of our accounts was compromised, and is being used to auth with SMTP to send spam. *Maybe*

    Is there an easy way to see if there is an account being used for authentication over and over? I am looking through the logs, but a little guidance would be most appreciated.

    Thanks!

  4. #4 JakeMS (Active Member, joined Jul 2013, location /dev/urandom, 33 posts)

    Hi, I would suggest looking into /opt/zimbra/log/audit.log to see if you see anything odd.

  5. #5 nitsew

    Hi JakeMS,

    Thanks for the reply! I have looked/grepped/etc. through the file, and don't see anything too out of the ordinary. Most of it just looks like normal auth. I can't really find a user that has an extremely high number of connections... I just bit the bullet and forced a password change for all users... so with any luck, once they all change them tomorrow, it will help. Hard to say... I found another thread where someone was having something similar happening: "Problem: server being used for sending spam". I will try to keep the thread updated with my results. Any other suggestions are also greatly appreciated.

    Thanks again for the reply,

    Weston

  6. #6 nitsew

    Ok... I found yet another thread, and found this gem of a command:

    tail -n 100000 /var/log/mail.log | grep "sasl_username=" > smtpauthlogins.txt

    This showed many, many connection attempts from several IPs for one user. I changed the password for that user, and now we wait.
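An added example, not from the thread: it automates what the tail | grep command above leaves to the eye, counting sasl_username submissions per account and distinct client IP, and joining them on the client IP with the "filter: RCPT from" lines so an account whose sessions use random envelope senders like du@mydomain.com stands out. The log lines are constructed to mirror the ones posted above; the account names and the IP threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the postfix/smtps/smtpd entries quoted in the thread;
# the IPs, queue ids and the account names asampson/jdoe are made up for this example.
SAMPLE_LOG = """\
Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: NOQUEUE: filter: RCPT from unknown[176.15.166.111]: <didu@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<didu@mydomain.com> to=<a@example.net> proto=ESMTP helo=<yhtojprbhm>
Aug 29 06:46:57 mail postfix/smtps/smtpd[647]: 42FB9AC4DDA: client=unknown[176.15.166.111], sasl_method=LOGIN, sasl_username=asampson
Aug 29 06:47:03 mail postfix/smtps/smtpd[812]: 5A1C0AC4E10: client=unknown[93.84.18.254], sasl_method=LOGIN, sasl_username=asampson
Aug 29 06:47:03 mail postfix/smtps/smtpd[812]: 5A1C0AC4E10: filter: RCPT from unknown[93.84.18.254]: <sogo@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sogo@mydomain.com> to=<b@example.net> proto=ESMTP helo=<yrvonjdoq>
Aug 29 06:48:10 mail postfix/smtps/smtpd[903]: 7D2E1AC4E22: client=catv-176-63-242-182.catv.broadband.hu[176.63.242.182], sasl_method=LOGIN, sasl_username=asampson
Aug 29 07:02:44 mail postfix/smtps/smtpd[950]: 9C3F2AC4E31: client=unknown[10.0.0.15], sasl_method=PLAIN, sasl_username=jdoe
Aug 29 07:02:45 mail postfix/smtps/smtpd[950]: 9C3F2AC4E31: filter: RCPT from unknown[10.0.0.15]: <jdoe@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<jdoe@mydomain.com> to=<c@example.net> proto=ESMTP helo=<laptop>
"""

# "queueid: client=host[ip], ..., sasl_username=user" is logged once per authenticated
# submission; "filter: RCPT from host[ip]: <sender>:" carries the envelope sender used.
AUTH_RE = re.compile(r"smtpd\[\d+\]: \w+: client=\S+?\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)")
SENDER_RE = re.compile(r"smtpd\[\d+\]: \S+: filter: RCPT from \S+?\[([\d.]+)\]: <([^>]+)>:")


def summarize_sasl(log_text):
    """Per sasl_username: submission count, distinct client IPs, and the envelope senders
    seen from those IPs (the two line types are joined on the client IP)."""
    auths = defaultdict(int)
    ips_by_user = defaultdict(set)
    senders_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            ip, user = m.groups()
            auths[user] += 1
            ips_by_user[user].add(ip)
        elif m := SENDER_RE.search(line):
            ip, sender = m.groups()
            senders_by_ip[ip].add(sender.lower())
    return {
        user: {"auths": auths[user], "ips": sorted(ips),
               "senders": sorted(set().union(*(senders_by_ip[ip] for ip in ips)))}
        for user, ips in ips_by_user.items()
    }


def suspicious_users(report, max_ips=2):
    """Flag accounts that submit from more than max_ips distinct addresses, or whose
    submissions carry an envelope sender that is not the account's own address."""
    flagged = {}
    for user, info in report.items():
        local = user.lower().split("@")[0]  # Zimbra may log user or user@domain
        foreign = [s for s in info["senders"] if s.split("@")[0] != local]
        if len(info["ips"]) > max_ips or foreign:
            flagged[user] = {"ip_count": len(info["ips"]), "foreign_senders": foreign}
    return flagged


if __name__ == "__main__":
    for user, why in suspicious_users(summarize_sasl(SAMPLE_LOG)).items():
        print(f"{user}: {why['ip_count']} source IPs, foreign envelope senders: {why['foreign_senders']}")
```

On a live server, feed it the output of the tail command (or the whole mail log) instead of SAMPLE_LOG; the flagged account is the one to lock and re-password first.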

  7. #7 krolen (Special Member, joined Sep 2007, location Stockport, 106 posts)

    That proved very helpful for me too -) I also blocked the IPs on our firewall.
