Thread: spams causing huge deferred email and slow performance

  1. #1 bhwong (Elite Member)

    Our Zimbra server has been flooded with tens of thousands of spam messages, causing email delivery to be delayed by up to 30 min and very slow Zimbra performance.

    Deleting deferred email does not work and generates an error instead. Is there any way I can delete email from the command line? I found these but I'm not sure whether they work or are safe:

    # /opt/zimbra/postfix/sbin/postqueue -p | awk 'BEGIN { RS = "" } /user@example.com/ { print $1 }' | tr -d '*!' > /tmp/user.txt
    # /opt/zimbra/postfix/sbin/postsuper -d - < /tmp/user.txt

    mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }
    # one record per queue entry: $1=queue ID, $7=sender, $8=recipient1, $9=recipient2
    { if ($8 == "user@example.com" && $9 == "")   # single-recipient messages to this user only
    print $1 }
    ' | tr -d '*!' | postsuper -d -

    Is there any way to reject or delete email from a particular domain or email address in the configuration?

  2. #2 phoenix (Zimbra Consultant & Moderator)

    As usual there's a total lack of information about the problem or the ZCS version that's in use or even what you've done to try and resolve the problem. I suggest you go to the wiki and read the article on Improving the Anti-Spam system in ZCS or try some of the many forum threads on the topic.
    Regards,
    Bill

  3. #3 bhwong (Elite Member)

    I think this is quite a straightforward issue that is not restricted to a particular version of ZCS: a Zimbra account has been compromised and is being used by a spammer for spamming. What other info is required?

    Are there any new commands in version 7.26 that will help to remove or block this spam, so that the ZCS version would be relevant here?

    Also, will anti-spam be useful in stopping an internal sender from sending out spam? Or is there a log where the origin IP is shown? https://bugzilla.zimbra.com/show_bug.cgi?id=50112

  4. #4 bhwong (Elite Member)

    We managed to resolve this ourselves before Zimbra Support responded to us. We noticed multiple attempts to log in to a particular email account in zimbra.log, and the spamming began when these ended. I believe this is when the spammer successfully cracked the password. We have reset its password and also disabled POP3 in that domain's CoS, so that compromised accounts cannot send out email without keeping a copy on Zimbra.

    Zimbra Support has also given me the command to remove deferred emails based on domain. You can run the following command (as root):

    # tail drops the header line, grep drops "(deferral reason)" lines; with RS="" awk sees
    # one queue entry per record ($1 queue ID, $7 sender, $8 first recipient); tr strips the
    # '*'/'!' status flags so postsuper gets bare IDs. Dot escaped and match anchored.
    /opt/zimbra/postfix/sbin/mailq | tail -n +2 | \
    grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($8 ~ /@domain\.com$/) print $1 }' | tr -d '*!' | \
    /opt/zimbra/postfix/sbin/postsuper -d -

    where domain.com is the domain you want to remove.

    I have also taken this opportunity to request some enhancements that are particularly useful in dealing with this issue. Please help to vote for them if you think they would also be useful for you:

    1. add an alert on multiple login failures on any account to the daily email report, or email such alerts immediately:
      https://bugzilla.zimbra.com/show_bug.cgi?id=88527
    2. block the IP address from which the multiple login failures originate:
      https://bugzilla.zimbra.com/show_bug.cgi?id=53635
    3. have the origin IP shown in the Zimbra Admin Console, i.e. the source IP of the sender, instead of the completely useless 127.0.0.1 shown as origin IP for all email transactions:
      https://bugzilla.zimbra.com/show_bug.cgi?id=77949
    4. option to block IPs, domains and email addresses in the MTA settings:
      https://bugzilla.zimbra.com/show_bug.cgi?id=75039
    5. option to prevent faking of the sender domain, or to only allow outgoing email where the sender domain matches a domain hosted on the server; also block all incoming emails with invalid domains, including valid domains that do not match their origin IP addresses:
      https://bugzilla.zimbra.com/show_bug.cgi?id=53852


    btw, zimbra.log was over 1GB and most notepads could not open it, including my favourite notepad-plus-plus.org. Fortunately Programmer's Notepad 2 can handle such giant file sizes.
    Last edited by bhwong; 04-02-2014 at 07:13 PM.
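    Added example for the queue cleanup discussed in #1 and #4 above. This is my own illustration, not the original poster's or Zimbra Support's command: it wraps the same mailq/awk/postsuper pipeline in a function that matches the domain exactly against the sender and every recipient (so `example.com` does not also catch `example.com.attacker.test`), strips the `*`/`!` status flags that postsuper rejects, and does a dry run unless you explicitly ask it to delete. The function names, the MAILQ/POSTSUPER environment overrides and the sample queue listing are assumptions made for the example; the listing is constructed, not real queue data.

```shell
#!/bin/sh
# Added example (not from the thread, not Zimbra's code): purge deferred mail
# for one domain with a dry run first. Assumes the standard Postfix
# `mailq` / `postqueue -p` listing format and Zimbra's binary paths; both
# paths can be overridden through the environment.

MAILQ="${MAILQ:-/opt/zimbra/postfix/sbin/mailq}"
POSTSUPER="${POSTSUPER:-/opt/zimbra/postfix/sbin/postsuper}"

# Read a mailq listing on stdin and print the bare queue IDs of every entry
# whose sender OR any recipient is at DOMAIN (exact, case-insensitive match).
select_queue_ids() {
    domain="$1"
    # tail: drop the column header; grep: drop "(deferral reason)" lines;
    # awk with RS="" reads one queue entry per record, so $1 is the queue ID,
    # $2 the size, $3-$6 the arrival time, $7 the sender and $8.. recipients;
    # tr: strip the '*' (active) / '!' (hold) flags that postsuper rejects.
    tail -n +2 |
    grep -v '^ *(' |
    awk -v dom="$domain" '
        BEGIN { RS = "" }
        $1 == "--" { next }                 # "-- N Kbytes in M Requests." trailer
        {
            for (i = 7; i <= NF; i++) {
                # compare only the part after "@", so "example.com" does not
                # also match "example.com.attacker.test" or "notexample.com"
                if (split($i, parts, "@") == 2 && tolower(parts[2]) == tolower(dom)) {
                    print $1
                    break
                }
            }
        }' |
    tr -d '*!'
}

# purge_domain DOMAIN [delete]: dry run unless "delete" is given explicitly.
purge_domain() {
    domain="$1"
    mode="${2:-dry-run}"
    ids=$("$MAILQ" | select_queue_ids "$domain")
    if [ -z "$ids" ]; then
        echo "no queued mail for $domain"
        return 0
    fi
    if [ "$mode" = "delete" ]; then
        printf '%s\n' "$ids" | "$POSTSUPER" -d -
    else
        echo "dry run; would delete these queue IDs for $domain:"
        printf '%s\n' "$ids"
    fi
}

# Constructed sample listing (not real queue data) for trying the filter offline,
# e.g.  printf '%s\n' "$SAMPLE_MAILQ" | select_queue_ids hosted.example
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
9E2C0200108*    1234 Mon Apr 14 13:13:23  spammer@hosted.example
                                         victim1@other.example
                                         victim2@other.example

A1B2C3D4E5F!    4321 Mon Apr 14 13:20:01  legit@hosted.example
(connect to mx.other.example[192.0.2.10]:25: Connection timed out)
                                         friend@other.example

B1B2C3D4E5F     2222 Mon Apr 14 13:21:01  someone@elsewhere.example
                                         user@hosted.example

-- 7 Kbytes in 3 Requests.'

if [ $# -gt 0 ]; then
    purge_domain "$@"
fi
```

    Run it as root: `sh purge_domain.sh hosted.example` prints what would go, `sh purge_domain.sh hosted.example delete` actually purges. `postsuper -d -` reads queue IDs from stdin one per line, which is why the status flags have to be stripped first; a listing with a `!` or `*` still attached makes postsuper reject the ID.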

  5. #5 simonb (Trained Alumni)

    We sometimes get compromised accounts which are difficult to trace just from looking at the logs.

    I just discovered a neat way to tag each sent mail with a header showing the authenticated user that sent it.

    As the zimbra user (Zimbra 8.x)...
    Code:
    postconf -e 'smtpd_sasl_authenticated_header = yes'
    zmmtactl restart
    Now emails will contain a header such as...
    Code:
    Received: from simon.example.com (unknown [88.211.82.2])
    	(Authenticated sender: simon)
    	by mail.example.com (Postfix) with ESMTPSA id 9E2C0200108
    	for <simon@example.com>; Mon, 14 Apr 2014 13:13:23 +0100 (BST)
    Hope that helps.
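    Added example for the log-side triage that #4 (counting the login failures that preceded the spam run) and #5 (finding which authenticated account sent the mail) both describe. It is my own illustration, not code from the thread or from Zimbra. The identity Simon's header puts on the message is the SASL username, and Postfix also writes that username to the log on the `client=` line of every accepted submission, so the same attribution can be done from zimbra.log without touching message headers. The functions below read log lines on stdin and assume the stock Postfix smtpd formats shown in the comments; the function names, the threshold default and the sample log are assumptions for the example, and the sample lines are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the thread, not Zimbra's code). Triage helpers that
# read zimbra.log (Postfix smtpd lines) on stdin:
#   sasl_failures_by_ip  - failed SASL logins per client IP (the password
#                          guessing that preceded the spam run in post #4)
#   flag_bruteforce N    - client IPs with at least N failures (default 10)
#   submissions_by_user  - accepted submissions per sasl_username (the same
#                          identity Simon's header exposes on the message)
#   sasl_sessions        - distinct "user ip" pairs, to spot an account
#                          suddenly used from an unfamiliar address
# Assumed line formats are the stock Postfix ones:
#   ... postfix/smtpd[PID]: warning: HOST[IP]: SASL LOGIN authentication failed: ...
#   ... postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=LOGIN, sasl_username=USER

sasl_failures_by_ip() {
    grep 'SASL [A-Za-z-]* authentication failed' |
    sed -n 's/.*warning: [^[]*\[\([^]]*\)\]: SASL.*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'              # "count ip", highest first
}

flag_bruteforce() {
    threshold="${1:-10}"
    sasl_failures_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

submissions_by_user() {
    sed -n 's/.*client=.*sasl_username=\([^, ]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'              # "count user", highest first
}

sasl_sessions() {
    sed -n 's/.*client=[^[]*\[\([^]]*\)\],.*sasl_username=\([^, ]*\).*/\2 \1/p' |
    sort -u
}

# Constructed sample (documentation IPs, not real traffic): four failures from
# one address, then three submissions from that same address as bob, and one
# normal submission by simon from his usual host.
SAMPLE_LOG='Apr 14 12:58:01 mail postfix/smtpd[2110]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 14 12:58:09 mail postfix/smtpd[2110]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 14 12:58:17 mail postfix/smtpd[2112]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Apr 14 12:58:25 mail postfix/smtpd[2112]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 14 12:59:30 mail postfix/smtpd[2111]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed: authentication failure
Apr 14 13:00:10 mail postfix/smtpd[2110]: 1A2B3C4D5E6: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 14 13:00:41 mail postfix/smtpd[2110]: 2A2B3C4D5E6: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 14 13:01:02 mail postfix/smtpd[2113]: 3A2B3C4D5E6: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 14 13:13:23 mail postfix/smtpd[2114]: 9E2C0200108: client=simon-pc.example.com[198.51.100.30], sasl_method=PLAIN, sasl_username=simon@example.com'

# Usage:  sh triage.sh failures|flag [N]|users|sessions < /var/log/zimbra.log
case "${1:-}" in
    failures) sasl_failures_by_ip ;;
    flag)     flag_bruteforce "${2:-10}" ;;
    users)    submissions_by_user ;;
    sessions) sasl_sessions ;;
    "")       ;;                        # no arguments: only define the functions
    *)        echo "usage: $0 failures|flag [N]|users|sessions" >&2; exit 2 ;;
esac
```

    On the sample, `flag 3` names 203.0.113.7, `users` shows bob with three submissions, and `sessions` shows bob's mail coming from the very address that was guessing passwords minutes earlier; that pairing is the signal to reset the account. The IP's own failures disappear once the right password is found, which is why the brute-force count and the successful-session list have to be read together.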

  6. #6 bhwong (Elite Member)

    Simon, this looks really helpful! Does it work with version 7? What would be the cons of enabling this, since such a useful feature is disabled by default?
