Help!
I'm running ZCS 8.6.0 and suddenly today I've started receiving hundreds of failed delivery and out of office emails. On checking the server queues I can see loads of outbound emails allegedly from me but with "Origin IPs" from unknown servers and loads of random destinations. I locked my account and the spam stopped. I changed my password, re-enabled my account and the spam started again (confirmed by the bandwidth reports on my firewall).
Where do I start?
I have opened a case with Zimbra but they have put it at Sev4 so I don't think they'll be in touch very soon....
Help!!!
(and thanks)
Outgoing Spam Flood
- stefaniu.criste
- Posts: 41
- Joined: Wed Feb 12, 2014 5:40 am
- Location: Romania
- ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806
- Contact:
Re: Outgoing Spam Flood
Some necessary steps
- lock your account
- limit the outgoing emails using cbpolicyd and set a very low limit for your account
- unlock your account and watch behaviour
- check server for rootkits
- change all server passwords
- scan your computer for viruses/trojans
- change your email account password from a known safe computer
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
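The "unlock your account and watch behaviour" step above, and the later question in this thread of how to tell which account a flood is going out through, both come down to reading the MTA log. Here is an added example (not from this thread and not Zimbra's own tooling) that counts SASL-authenticated submissions per account and per client IP from the Postfix smtpd lines in /var/log/zimbra.log. The log lines, account names and IP addresses below are constructed for the example, and the thresholds in flag_suspicious are assumptions to tune to the log window you feed in.

```python
"""
find_spammer.py: which account, and from which client IPs, is pushing mail
through the Zimbra MTA? Counts Postfix smtpd "client=" lines from zimbra.log.

Added example. SAMPLE_LOG is constructed to match the standard Postfix smtpd
format that Zimbra's MTA writes; addresses are from documentation ranges.
"""
import re
import sys
from collections import Counter, defaultdict

# One Postfix smtpd "client=" line per accepted connection. When the client
# authenticated (a mail client, or an abused account), the line also carries
# sasl_method= and sasl_username=; inbound MX traffic from other MTAs has neither.
SMTPD_CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,\s]+, sasl_username=(?P<user>[^,\s]+))?"
)

# Constructed sample: one account submitting from two unfamiliar IPs, one
# normal user from a workstation, one unauthenticated inbound MTA, one qmgr line.
SAMPLE_LOG = """\
Jan 10 08:01:12 mail postfix/smtpd[2811]: 4A1B2C3D4E: client=unknown[203.0.113.17], sasl_method=LOGIN, sasl_username=victim@example.com
Jan 10 08:01:13 mail postfix/smtpd[2811]: 4A1B2C3D4F: client=unknown[203.0.113.17], sasl_method=LOGIN, sasl_username=victim@example.com
Jan 10 08:01:15 mail postfix/smtpd[2815]: 4A1B2C3D50: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=victim@example.com
Jan 10 08:02:01 mail postfix/smtpd[2820]: 4A1B2C3D51: client=workstation.example.com[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 08:02:07 mail postfix/smtpd[2822]: 4A1B2C3D52: client=mx.partner.example[192.0.2.200]
Jan 10 08:02:09 mail postfix/qmgr[2500]: 4A1B2C3D51: from=<alice@example.com>, size=2310, nrcpt=1 (queue active)
"""


def parse_smtpd_clients(log_text):
    """Yield (sasl_username or None, client_ip) for every smtpd client= line."""
    for line in log_text.splitlines():
        m = SMTPD_CLIENT_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def authenticated_senders(log_text):
    """Map each SASL-authenticated account to a Counter of client IPs it sent from.

    Unauthenticated connections (inbound mail from other MTAs) are skipped:
    an outbound flood through an abused account always authenticates.
    """
    per_user = defaultdict(Counter)
    for user, ip in parse_smtpd_clients(log_text):
        if user is not None:
            per_user[user][ip] += 1
    return dict(per_user)


def flag_suspicious(per_user, max_msgs=200, max_ips=3):
    """Return accounts whose submission count or number of distinct client IPs
    exceeds the thresholds, busiest first. The default thresholds are assumptions;
    pick them for the size of the log window you are analysing."""
    flagged = []
    for user, ips in per_user.items():
        messages = sum(ips.values())
        if messages > max_msgs or len(ips) > max_ips:
            flagged.append({
                "user": user,
                "messages": messages,
                "ips": [ip for ip, _ in ips.most_common()],  # busiest IP first
            })
    flagged.sort(key=lambda f: f["messages"], reverse=True)
    return flagged


if __name__ == "__main__":
    # Usage: python3 find_spammer.py /var/log/zimbra.log   (no argument: the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
        max_msgs, max_ips = 200, 3
    else:
        text, max_msgs, max_ips = SAMPLE_LOG, 2, 1
    for f in flag_suspicious(authenticated_senders(text), max_msgs, max_ips):
        print(f"{f['user']}: {f['messages']} messages from {', '.join(f['ips'])}")
```

On the sample this reports victim@example.com submitting from 203.0.113.17 and 198.51.100.9 and says nothing about alice@example.com or the unauthenticated partner MX. On a real server, run it as the zimbra user against the current zimbra.log (and the rotated ones for the hour of the spike); the flagged sasl_username is the account to lock with `zmprov ma user@example.com zimbraAccountStatus locked`, and the client IPs tell you whether the credentials are being used from somewhere you do not recognise, which is the case this thread describes, or from a single infected workstation.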
-
- Posts: 41
- Joined: Sat Sep 13, 2014 3:54 am
- Location: Indonesia
- Contact:
Re: Outgoing Spam Flood
Adding the previous suggestion list
- Use two-factor auth (if using Zimbra NE)
- Regularly scan any weak password using this script https://github.com/iomarmochtar/zmbr_weakpwd_scanner
-
- Posts: 1
- Joined: Mon Aug 14, 2017 11:03 pm
Re: Outgoing Spam Flood
Sorry to jump on this thread, but I'm in a similar situation and I'm a Zimbra/Linux noob. I have recently been placed partially in charge of a ZCS 8.7.0 GA 1659.FOSS. I'm in the process of reading the documentation to begin to understand this program. I have noticed spam spikes of over 114,000 emails in the period of an hour, and averages between 50,000 - 70,000 on other spikes. I saw the replies on installing cbpolicyd. I will request that it be installed, but is there a way to determine which email account or where they are coming from? We have several locations throughout North/South America, with those users having email accounts on our server. Which antivirus would you recommend, and is it free? Any help is greatly appreciated.