Outgoing Spam Flood

FredKarno
Posts: 49
Joined: Sat Oct 10, 2015 5:40 am

Outgoing Spam Flood

Post by FredKarno »

Help!
I'm running ZCS 8.6.0 and suddenly today I've started receiving hundreds of failed delivery and out of office emails. On checking the server queues I can see loads of outbound emails allegedly from me but with "Origin IPs" from unknown servers and loads of random destinations. I locked my account and the spam stopped. I changed my password, re-enabled my account and the spam started again (confirmed by the bandwidth reports on my firewall).
Where do I start?
I have opened a case with Zimbra but they have put it at Sev4, so I don't think they'll be in touch very soon...
Help!!!
(and thanks)
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806

Re: Outgoing Spam Flood

Post by stefaniu.criste »

Some necessary steps:
- lock your account
- limit the outgoing emails using cbpolicyd and set a very low limit for your account
- unlock your account and watch behaviour
- check server for rootkits
- change all server passwords
- scan your computer for viruses/trojans
- change your email account password from a known safe computer
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
iomarmochtar
Posts: 41
Joined: Sat Sep 13, 2014 3:54 am
Location: Indonesia

Re: Outgoing Spam Flood

Post by iomarmochtar »

Adding to the previous suggestion list:
- Use two-factor auth (if using Zimbra NE)
Stealthmig
Posts: 1
Joined: Mon Aug 14, 2017 11:03 pm

Re: Outgoing Spam Flood

Post by Stealthmig »

Sorry to jump on this thread, but I'm in a similar situation and I'm a Zimbra/Linux noob. I have recently been placed partially in charge of a ZCS 8.7.0 GS 1659.FOSS. I'm in the process of reading the documentation to begin to understand this program. I have noticed spam spikes of over 114,000 emails in the period of an hour, and averages between 50,000 and 70,000 on other spikes. I saw the replies on installing cbpolicyd. I will request that it be installed, but is there a way to determine whose/which email account they are coming from, or where? We have several locations throughout North/South America with those users having email accounts on our server. Which antivirus would you recommend, and is it free? Any help is greatly appreciated.
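One way to answer the question above (which account the flood is being submitted through), as an added example that is not from this thread or from Zimbra itself: a Python script that tallies authenticated SMTP submissions per `sasl_username` in postfix smtpd log lines, the format Zimbra writes to /var/log/zimbra.log. The From address in the queue is forged, so it is the authenticated username and the set of client IPs behind it that point at the compromised account; the log lines, hostnames, addresses and thresholds below are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the postfix/smtpd format Zimbra writes to
# /var/log/zimbra.log (hosts, IPs and users are made up for this example).
SAMPLE_LOG = """\
Aug 15 09:01:02 mail postfix/smtpd[1201]: 3F2A1B: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=fred@example.com
Aug 15 09:01:03 mail postfix/smtpd[1201]: 3F2A2C: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=fred@example.com
Aug 15 09:01:04 mail postfix/smtpd[1202]: 3F2A3D: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=fred@example.com
Aug 15 09:01:05 mail postfix/smtpd[1203]: 3F2A4E: client=office.example.com[192.0.2.5], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 15 09:01:06 mail postfix/qmgr[900]: 3F2A4E: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Aug 15 09:01:07 mail postfix/smtpd[1204]: 3F2A5F: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=fred@example.com
"""

# Only authenticated smtpd connections carry sasl_username; qmgr/cleanup lines are skipped.
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def summarize_auth_senders(log_text):
    """Count authenticated submissions per account and the distinct client IPs each used."""
    per_user = Counter()
    ips_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authenticated smtpd line
        per_user[m["user"]] += 1
        ips_per_user[m["user"]].add(m["ip"])
    return per_user, {u: sorted(ips) for u, ips in ips_per_user.items()}

def suspicious_accounts(log_text, max_messages=2, max_ips=1):
    """Accounts that exceed either threshold (thresholds are constructed; tune to your volume)."""
    counts, ips = summarize_auth_senders(log_text)
    return sorted(u for u in counts if counts[u] > max_messages or len(ips[u]) > max_ips)

if __name__ == "__main__":
    import sys
    # Reads the log from stdin when piped in, otherwise runs on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    counts, ips = summarize_auth_senders(text)
    for user, n in counts.most_common():
        print(f"{n:6d}  {user}  from {len(ips[user])} IP(s): {', '.join(ips[user])}")
    print("suspicious:", suspicious_accounts(text))
```

Run it as `grep sasl_username /var/log/zimbra.log | python3 auth_senders.py` to rank accounts by submission count; the account with hundreds of submissions from many unfamiliar IPs is the one to lock and rate-limit first.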