#1
03-31-2010, 07:55 AM
Intermediate Member
Posts: 23
Create a rule so that all mail contains my domain in sender or receiver

Hello

My server is being used by some Yahoo mails to send massive email; I have been deleting all those emails.

But I want to make a rule to limit mail so that all my emails contain my domain in sender or receiver, because I see that the massive mails do not contain my domain in sender or receiver.

Thanks a lot
#2
03-31-2010, 09:03 AM
Zimbra Consultant & Moderator
Posts: 20,317

Quote:
Originally Posted by afunez2009
My server is being used by some Yahoo mails to send massive email; I have been deleting all those emails.

Are you saying that your server is being used to send spam?
__________________
Regards


Bill
#3
03-31-2010, 10:49 AM
Intermediate Member
Posts: 23

Quote:
Originally Posted by phoenix
Are you saying that your server is being used to send spam?

Yes, I think this is true; my server is being used to send spam.

I need something to solve this situation; the idea of the rule is for this.

Thanks
#4
03-31-2010, 11:02 AM
Zimbra Consultant & Moderator
Posts: 20,317

Have you checked to see if your server is an open relay (it isn't by default)? I'd suggest you try the test on this page: Open Relay Test. There are dozens more if you want another test service. See what that shows and post back here if it's open or not. If it's not an open relay then it's possible that your server (or more specifically, an account) has been compromised; if that's the case you should make sure that you are using best practice for your user login passwords. There are also a couple of threads in the forums that cover how to check if you have a compromised account; have a search for those and check your server.
__________________
Regards


Bill
#5
03-31-2010, 11:08 AM
Intermediate Member
Posts: 23

Quote:
Originally Posted by phoenix
Have you checked to see if your server is an open relay (it isn't by default)? I'd suggest you try the test on this page: Open Relay Test. There are dozens more if you want another test service. See what that shows and post back here if it's open or not. If it's not an open relay then it's possible that your server (or more specifically, an account) has been compromised; if that's the case you should make sure that you are using best practice for your user login passwords. There are also a couple of threads in the forums that cover how to check if you have a compromised account; have a search for those and check your server.

Hello

I did a relay test, with the following result:
All tested completed! No relays accepted by remote host!

Tell me, what is the next step?

Thanks for your help
#6
04-01-2010, 11:26 PM
Moderator
Posts: 7,929

How do you know that it is your server which is sending the email? You mention you have deleted a lot of email; is that due to NDRs (Non Delivery Reports) ending up in your Inbox? We need a little more detail about the emails to be able to help you.
#7
04-05-2010, 07:53 AM
Intermediate Member
Posts: 23

Quote:
Originally Posted by uxbod
How do you know that it is your server which is sending the email? You mention you have deleted a lot of email; is that due to NDRs (Non Delivery Reports) ending up in your Inbox? We need a little more detail about the emails to be able to help you.

I checked the Zimbra Administrator GUI tool and saw many emails that are being sent to domains, from domains, that are not my domains, for example:
From: xxx@yahoo.com to xxx@comcast.com. This is my point: my domain is not included in From or To, and that is why I want to create a rule.

Thanks for your help
#8
04-05-2010, 08:30 PM
Elite Member
Posts: 334

I've also had experience with this problem on one of my client's Zimbra servers. Zimbra is not an open relay by default, and that's true, but it is not enough to protect Zimbra from sending massive fake email from a client on the trusted network. I think the problem is on a workstation that has been infected by a trojan or virus that is sending massive mails to the outside by relaying through Zimbra. Most of the email recipients are fake and Zimbra will defer the mails, but the process takes too many resources.

I suggest the following:

1. Track the deferred mail source and find the IP that sent the fake mail.

Ex:
Code:
# switch to the zimbra user and list the mail queue
su - zimbra
mailq

Check the queue ID and open the message source with postcat:
Code:
# groupID and queueID are placeholders for the queue subdirectory and the queue ID
/opt/zimbra/postfix/sbin/postcat /opt/zimbra/postfix/spool/deferred/groupID/queueID

Ex:
Code:
/opt/zimbra/postfix/sbin/postcat /opt/zimbra/postfix/spool/deferred/D/D125A828AF0

If you find the original IP that sent the massive email, scan it with your updated antivirus/anti-trojan.

Another solution is creating the SpamAssassin rule as you mentioned in the thread title, but that is outside my knowledge :-(
__________________
Best Regards
---
Masim "Vavai" Sugianto
Vavai Personal Blog
Personal Blog [ID]

Release 7.1.3_GA_3346.SLES11_64_20110930001521 SLES11_64 FOSS edition.
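
The tracking step described in the post above, applied to a whole deferred queue at once, as an added example that is not part of the original posts: it tallies the submitting client IP of every queued message whose envelope has neither sender nor recipient in the local domain. The domain example.com, the sample records, and the postcat record names (`named_attribute: client_address=`, `sender:`, `recipient:`) are assumptions; check them against your own postcat output.

```shell
#!/bin/sh
# Reads concatenated postcat output on stdin and prints "count ip" for
# messages with no envelope address in the local domain ($1).
# Assumed record names: "*** ENVELOPE RECORDS" starts each queue file;
# "named_attribute: client_address=", "sender:", "recipient:" follow.
foreign_relay_sources() {
    awk -v dom="$1" '
    function emit() {                 # close the current queue file
        if (seen && !is_local && ip != "") count[ip]++
        seen = 0; is_local = 0; ip = ""
    }
    function check(addr) {            # compare the domain part only
        sub(/^.*@/, "", addr)
        if (tolower(addr) == tolower(dom)) is_local = 1
    }
    /^\*\*\* ENVELOPE RECORDS/ { emit(); seen = 1; next }
    /^named_attribute: client_address=/ { sub(/^[^=]*=/, ""); ip = $0; next }
    /^sender: /    { check($2); next }
    /^recipient: / { check($2); next }
    END { emit(); for (i in count) print count[i], i }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample: three queue files in the assumed postcat format.
sample_postcat() {
    cat <<'EOF'
*** ENVELOPE RECORDS deferred/A/A000000001 ***
named_attribute: client_address=192.0.2.15
sender: xxx@yahoo.com
recipient: xxx@comcast.com
*** MESSAGE CONTENTS deferred/A/A000000001 ***
*** ENVELOPE RECORDS deferred/B/B000000002 ***
named_attribute: client_address=192.0.2.15
sender: yyy@yahoo.com
recipient: zzz@comcast.com
*** ENVELOPE RECORDS deferred/C/C000000003 ***
named_attribute: client_address=192.0.2.40
sender: user@example.com
recipient: friend@yahoo.com
EOF
}

# On a live server, feed it real queue files instead of the sample:
# for f in /opt/zimbra/postfix/spool/deferred/*/*; do
#   /opt/zimbra/postfix/sbin/postcat "$f"; done | foreign_relay_sources example.com
sample_postcat | foreign_relay_sources example.com
```

The IP at the top of the list is the workstation to scan first; an empty result means every queued message involves the local domain.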
#9
04-06-2010, 09:01 AM
Intermediate Member
Posts: 23

Quote:
Originally Posted by vavai
I've also had experience with this problem on one of my client's Zimbra servers. Zimbra is not an open relay by default, and that's true, but it is not enough to protect Zimbra from sending massive fake email from a client on the trusted network. I think the problem is on a workstation that has been infected by a trojan or virus that is sending massive mails to the outside by relaying through Zimbra. Most of the email recipients are fake and Zimbra will defer the mails, but the process takes too many resources.

I suggest the following:

1. Track the deferred mail source and find the IP that sent the fake mail.

Ex:
Code:
# switch to the zimbra user and list the mail queue
su - zimbra
mailq

Check the queue ID and open the message source with postcat:
Code:
# groupID and queueID are placeholders for the queue subdirectory and the queue ID
/opt/zimbra/postfix/sbin/postcat /opt/zimbra/postfix/spool/deferred/groupID/queueID

Ex:
Code:
/opt/zimbra/postfix/sbin/postcat /opt/zimbra/postfix/spool/deferred/D/D125A828AF0

If you find the original IP that sent the massive email, scan it with your updated antivirus/anti-trojan.

Another solution is creating the SpamAssassin rule as you mentioned in the thread title, but that is outside my knowledge :-(

I checked the commands that you mentioned, and checked the PCs with antivirus / antispam / antispyware.
The problem is that Yahoo set all my emails to permanently deferred; I attach the error.

Can somebody help me create the SpamAssassin rule, to prevent future problems?


This is the info after the mailq command:
2424D1C0416 1455038 Tue Apr 6 09:33:57 cenitf@caribe.hn
(delivery temporarily suspended: connect to g.mx.mail.yahoo.com[98.137.54.238]: server refused to talk to me: 421 4.7.1 [TS03] All messages from 63.245.12.194 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
gmolinap04@yahoo.com


Thanks
Attached Images
File Type: jpg ZimbraError.jpg (18.1 KB, 47 views)

Last edited by afunez2009; 04-06-2010 at 10:55 AM.. Reason: Include mailq results