my zimbra smtp used by someone

[snake_eyes]

Hello,

I'm receiving a lot of messages (return failure), someone is using my mail.domain.com to send spam mails, so how I can take the necessary action with matter?

Cheers,

[phoenix]

Quote:

Originally Posted by snake_eyes

I'm receiving a lot of messages (return failure), someone is using my mail.domain.com to send spam mails, so how I can take the necessary action with matter?

You've given no examples of what the messages are, no headers or other information. If they really are NDR then search the forums or wiki (or google/yahoo) for backscatter spam, this is not someone using your server but rather someone using NDR as a means of getting mail to you. You should also look in the wiki for details on improving the anti-spam system - you are using 'smtpd_reject_unlisted_recipients yes' aren't you? This is not a Zimbra problem but rather a side effect of running a mail server.

Further details and reading: Spam Links - backscatter
ndr spam - Yahoo! Search Results

[snake_eyes]

sorry for delay to reply to the topic..

I have the always_bcc in the main.cf, there is an out@domain.com and as you know it will catch all the outbound traffic, I checked the out@domain.com and I founded that there are too many messages from myaccount@domain.com to someaccount@hotmail.com or from admin@domain.com to user@yahoo.com or support@domain.com to another@gmail.com, so is there anything must I do to trace and stop this kind of messages?

[snake_eyes]

I got some message header:

Quote:

From: "Medusa Maritime s.a / PLS ADD OUR ADRESS '' chartering@medusamaritime.com '' NOT smtp"
To: "Medusa Maritime s.a / PLS ADD OUR ADRESS '' chartering@medusamaritime.com '' NOT smtp"
Sent: Thursday, January 21, 2010 2:31:17 PM GMT +03:00 Iraq
Subject: NEED VSL OPEN WEST/ CENTRAL MED BALE- 170/190K CBFT

Please note that I added the always_bcc=out@domain.com in the main.cf of postfix, so when I login into out@domain.com I founded a lot of messages such as the above header...

So how I can stop them?

[uxbod]

If you are never going to email yourself from outside then you could make a change to the Postfix configuration and add the following

Code:

check_sender_access hash:/etc/postfix/spoofprotection,

under smtpd_recipient_restrictions; with the following in the file

Code:

yourdomain		REJECT we never email ourself from outside so go away!

and then

Code:

postmap spoofprotection

[snake_eyes]

what do you mean by if we are never email ourself from outside? so I couldn't receive any email from the same domain? or what? your explanation plz....

[snake_eyes]

still the same problem, I activated the DSPAM in the server still when I login in into the archive@mydomain.com "Which is alwasy_bcc in the postfix" I see some messages that sent from xx@somedomain.com to xxx@anotherdomain.com

it shouldn't be in the mailbox...

Any help plz?

[uxbod]

Quote:

Originally Posted by snake_eyes

what do you mean by if we are never email ourself from outside? so I couldn't receive any email from the same domain? or what? your explanation plz....

If you are never going to send a email from your domain too your domain directly from the Internet then your domain should never be listed as the from domain.

[uxbod]

Quote:

Originally Posted by snake_eyes

still the same problem, I activated the DSPAM in the server still when I login in into the archive@mydomain.com "Which is alwasy_bcc in the postfix" I see some messages that sent from xx@somedomain.com to xxx@anotherdomain.com

it shouldn't be in the mailbox...

Any help plz?

So they are in your archive account and but not in the mailbox ? If that is the case then this is the expected behaviour. I believe in 6.0.5 you can now direct any emails that have been marked as SPAM into a different HSM mail store.

[snake_eyes]

but I don't know if the messages are spam or someone attack the SMTP of the server... how can I check this scenario via log or something else...