#1
04-11-2008, 02:01 PM
New Member
 
Posts: 3
What is going on here? Hacker, spammer, misconfiguration?

I was looking at my mail queue and noticed some peculiar entries in my deferred queue.

The recipient is from some weird domain that I do not host and the sender is service@paypal.com. The Origin IP is 127.0.0.1 and origin host localhost.localdomain.

It appears that MY server is trying to send email as service@paypal.com. If this is correct, how can I determine who/how this is being sent and put a stop to it?

I looked at my mail stats summary emails and it says that paypal.com is the top sender.

Thanks for your help.
#2
04-11-2008, 10:53 PM
Zimbra Consultant & Moderator
 
Posts: 20,316

Welcome to the forums.

That would be spam that's being sent to you. There's an article in the wiki that gives some tips for improving the anti-spam system, read that and make any modification you see fit. There are also several threads in the forums on making improvements, search for them.
__________________
Regards


Bill
#3
04-11-2008, 11:02 PM
New Member
 
Posts: 3

I am confused by the information the queue shows. It appears that it is being sent to a different domain. These emails are being deferred by the other server because of various reasons... it doesn't exist... grey listing... etc. The TO email address is not for a domain that I host.

It appears to me that someone is using my server to send mail to other people because it says the email originated from localhost.localdomain.

How do you know this mail is being delivered TO me instead of FROM me?

Thanks for the spam tip though. I will definitely check that out.
#4
04-11-2008, 11:27 PM
Zimbra Consultant & Moderator
 
Posts: 20,316

Quote:
Originally Posted by jclawson
How do you know this mail is being delivered TO me instead of FROM me?
Unless you have made changes to your Zimbra install, by default it is not an Open Relay and is not being used by a spammer. It is likely that the mail is being sent to you. If you wish to check whether you're a relay, there are plenty of test sites that will test your server. Try these for starters:

Mail Relay Test - Email Relaying, Testing and Tracking
Anonymous Relay Test
Mail relay testing
__________________
Regards


Bill
#5
04-12-2008, 07:51 AM
Moderator
 
Posts: 1,209

Quote:
Originally Posted by jclawson
I am confused by the information the queue shows. It appears that it is being sent to a different domain. These emails are being deferred by the other server because of various reasons... it doesn't exist... grey listing... etc. The TO email address is not for a domain that I host.

It appears to me that someone is using my server to send mail to other people because it says the email originated from localhost.localdomain.

How do you know this mail is being delivered TO me instead of FROM me?

Thanks for the spam tip though. I will definitely check that out.
A lot of that header info can be forged; it's clearly a spammer.

Sometimes a spammer's email server will HELO with 127.0.0.1 or even your server's own IP. The section in that wiki article that I wrote referring to adding HELO checks (to screen for private IPs) to Postfix will get rid of these kinds of emails.

Even if you don't make those changes to your system, since Postfix can't deliver these messages, they will just hang around in the deferred queue and eventually get purged.

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
#6
04-12-2008, 08:26 AM
Outstanding Member
 
Posts: 708

If zimbra is reporting 127.0.0.1 as source of spam, that's a bug.

You haven't provided enough information to allow more than guessing.

There are several other possibilities, such as vacation autoreplies to spam, spam hitting an account that forwards, a non-zimbra server on your subnet as a source of spam (zimbra allows relaying from your localnets by default), a bug in a formail script (is zimbra running on a shared host?), and the increasingly prevalent abuse of usernames & passwords compromised by phishing or dictionary attacks to actually log on and send spam.

In my ISAC role I'd be particularly interested in the last possibility. I have not yet heard of that affecting zimbra sites, just a lot of exchange, squirrelmail, and horde/imp sites. Please post or PM to me the full headers of a message in queue. I don't remember if the admin web lets you get that, but su - zimbra ; postcat postfix/spool/deferred/2/25ADB34DF or somesuch will work.
#7
04-12-2008, 11:23 AM
Outstanding Member
 
Posts: 708

Redacted version:

~zimbra/postfix/sbin/postcat FILENAME will display full headers without the binary junk.

127.0.0.1 is just an artifact of the way that zimbra's amavisd talks to itself.

Looks like the mail originated at ********* which is a compromised Exchange server. Google for that IP address turns up a phishing complaint more than a month ago.

Do you have a user that forwards to the intended final recipient ************?

ldapsearch -h mail.*****.com -x zimbraprefmailforwardingaddress=**********

Could also be a filter rule or distribution list. To search for any reference to that domain anywhere,

openldap/sbin/slapcat -f conf/slapd.conf|less -p**********

If it's not a forward, then it's a bug, misconfiguration, or stolen password.

The time on insertion was ***********. Look through /var/log/zimbra.log around that time to make sure they haven't stolen one of your users' passwords and used it to relay.
#8
04-12-2008, 02:08 PM
New Member
 
Posts: 3

Just so future visitors can figure this one out. I believe the culprit was a dictionary password. I was getting a lot of connections like:

Apr 11 06:46:13 mail postfix/smtpd[7404]: 721FE74024A: client=unknown[***********], sasl_method=PLAIN, sasl_username=****

The above IP is the compromised Exchange server's IP.

I am probably going to write a shell script that creates a report of login user to ip address so it will be easy to pick out when an account may have been compromised.

Thanks again for all of your help.

Last edited by jclawson; 04-12-2008 at 02:15 PM..
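The login-to-IP report the poster says he plans to write, as an added Python example that is not from the thread or from Zimbra: it parses postfix/smtpd lines in the format quoted above (queue id, client host and IP, sasl_username), tallies authenticated sessions per account and client address, and flags accounts seen from more distinct IPs than a threshold. The sample log lines and addresses are constructed (RFC 5737 documentation ranges); the threshold of two IPs per account is an assumption to tune per site.

```python
import re
import sys
from collections import defaultdict

# Matches the postfix/smtpd "client=... sasl_username=..." line format quoted in the thread.
SASL_LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], '
    r'sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)'
)

# Constructed sample of /var/log/zimbra.log lines; not real traffic.
SAMPLE_LOG = """\
Apr 11 06:46:13 mail postfix/smtpd[7404]: 721FE74024A: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice
Apr 11 06:46:20 mail postfix/smtpd[7404]: 8A1FE74024B: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice
Apr 11 07:02:01 mail postfix/smtpd[7410]: 91AFE74024C: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Apr 11 07:15:44 mail postfix/smtpd[7412]: A02FE74024D: client=desk1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Apr 11 07:16:02 mail postfix/smtpd[7412]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 Relay access denied
Apr 11 08:30:10 mail postfix/smtpd[7420]: B13FE74024E: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=alice
"""

def sasl_logins_by_user(lines):
    """Map sasl_username -> {client_ip: number of authenticated SMTP sessions}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SASL_LOGIN_RE.match(line)
        if m:  # lines without a SASL login (rejects, connects, ...) are skipped
            report[m['user']][m['ip']] += 1
    return {user: dict(ips) for user, ips in report.items()}

def suspicious_accounts(report, max_ips=2):
    """Accounts authenticating from more distinct client IPs than expected (assumed threshold)."""
    return sorted(user for user, ips in report.items() if len(ips) > max_ips)

def format_report(report):
    """One 'user ip sessions' row per account/IP pair, busiest IP first."""
    rows = []
    for user in sorted(report):
        for ip, n in sorted(report[user].items(), key=lambda kv: -kv[1]):
            rows.append(f"{user:<12} {ip:<16} {n}")
    return "\n".join(rows)

if __name__ == "__main__":
    # Usage: python sasl_report.py /var/log/zimbra.log  (falls back to the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    rep = sasl_logins_by_user(source)
    print(format_report(rep))
    print("review these accounts:", suspicious_accounts(rep))
```

Zimbra's amavisd re-injects mail through 127.0.0.1 (as noted in post #7), so a local address showing up in the report is expected; the rows worth reviewing are accounts authenticating from unfamiliar external hosts.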