Spam troubleshooting

synet2k
Posts: 6
Joined: Sat Sep 13, 2014 3:24 am

Spam troubleshooting

Post by synet2k »

Hi,

A few hours ago, my server was being used to send out spam. I'm trying to find out how they got in. I've attached the log below; any help would be appreciated, thank you.


Jun 7 21:21:27 mail postfix/submission/smtpd[13631]: warning: hostname 191-53-104-103.vga-wr.mastercabo.com.br does not resolve to address 191.53.104.103: Name or service not known
Jun 7 21:21:27 mail postfix/submission/smtpd[13631]: connect from unknown[191.53.104.103]
Jun 7 21:21:27 mail postfix/submission/smtpd[13629]: warning: hostname 5G-static.90.47.KONFER.net does not resolve to address 178.23.90.47
Jun 7 21:21:27 mail postfix/submission/smtpd[13629]: connect from unknown[178.23.90.47]
Jun 7 21:21:28 mail postfix/submission/smtpd[13629]: Anonymous TLS connection established from unknown[178.23.90.47]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun 7 21:21:29 mail saslauthd[12160]: zmauth: authenticating against elected url 'https://mail.mydomain.com:7073/service/admin/soap/' ...
Jun 7 21:21:29 mail slapd[9203]: slap_queue_csn: queueing 0x8ab2640 20180607132129.187495Z#000000#000#000000
Jun 7 21:21:29 mail slapd[9203]: slap_graduate_commit_csn: removing 0x8ab2640 20180607132129.187495Z#000000#000#000000
Jun 7 21:21:29 mail saslauthd[12160]: zmpost: url='https://mail.mydomain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"><change token="10299"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_10a063a1bee94cf55dc94430e3da9174f16cce30_69643d33363a64666236336663642d373162382d343737342d383232622d6161393562653137626563313b6578703d31333a313532383535303438393138363b747970653d363a7a696d6272613b753d313a613b7469643d31303a313330383635393631353b76657273696f6e3d31333a382e382e385f47415f323030393b</authToken><lifetime>172799998</lifetime><skin>harmony</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jun 7 21:21:29 mail saslauthd[12160]: auth_zimbra: thaxxxx@mydomain.com auth OK
Jun 7 21:21:30 mail postfix/submission/smtpd[13629]: NOQUEUE: filter: RCPT from unknown[178.23.90.47]: <thaxxxx@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<thaxxxx@mydomain.com> to=<mail38@rexstartnow.com> proto=ESMTP helo=<[127.0.0.1]>
Jun 7 21:21:30 mail postfix/submission/smtpd[13629]: 0C62C3C8429: client=unknown[178.23.90.47], sasl_method=PLAIN, sasl_username=thaxxxx@mydomain.com
Jun 7 21:21:30 mail postfix/submission/smtpd[13631]: Anonymous TLS connection established from unknown[191.53.104.103]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun 7 21:21:30 mail postfix/cleanup[13694]: 0C62C3C8429: message-id=<8CD7FB4C-2698-6E9A-8E56-CBB5C584536C@mydomain.com>
Jun 7 21:21:30 mail postfix/qmgr[12265]: 0C62C3C8429: from=<thaxxxx@mydomain.com>, size=635, nrcpt=1 (queue active)
Jun 7 21:21:30 mail amavis[1203]: (01203-08) ESMTP [127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20180607T210526-01203-aHgtmrjg: <thaxxxx@mydomain.com> -> <mail38@rexstartnow.com> Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <mail38@rexstartnow.com>; Thu, 7 Jun 2018 21:21:30 +0800 (+08)
Jun 7 21:21:30 mail amavis[1203]: (01203-08) Checking: UQ9pce45jlSl ORIGINATING [178.23.90.47] <thaxxxx@mydomain.com> -> <mail38@rexstartnow.com>
Jun 7 21:21:30 mail postfix/dkimmilter/smtpd[13698]: connect from localhost.localdomain[127.0.0.1]
Jun 7 21:21:30 mail postfix/dkimmilter/smtpd[13698]: E673D3CA983: client=localhost.localdomain[127.0.0.1]
Jun 7 21:21:30 mail postfix/cleanup[13694]: E673D3CA983: message-id=<8CD7FB4C-2698-6E9A-8E56-CBB5C584536C@mydomain.com>
Jun 7 21:21:31 mail postfix/qmgr[12265]: E673D3CA983: from=<thaxxxx@mydomain.com>, size=1157, nrcpt=1 (queue active)
Jun 7 21:21:31 mail postfix/dkimmilter/smtpd[13698]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 7 21:21:31 mail amavis[1203]: (01203-08) UQ9pce45jlSl FWD from <thaxxxx@mydomain.com> -> <mail38@rexstartnow.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as E673D3CA983
Jun 7 21:21:31 mail amavis[1203]: (01203-08) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [178.23.90.47]:4828 [178.23.90.47] <thaxxxx@mydomain.com> -> <mail38@rexstartnow.com>, Queue-ID: 0C62C3C8429, Message-ID: <8CD7FB4C-2698-6E9A-8E56-CBB5C584536C@mydomain.com>, mail_id: UQ9pce45jlSl, Hits: -, size: 635, queued_as: E673D3CA983, 167 ms
Jun 7 21:21:31 mail postfix/smtp[13696]: 0C62C3C8429: to=<mail38@rexstartnow.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.3, delays=1.1/0.01/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as E673D3CA983)
Jun 7 21:21:31 mail postfix/qmgr[12265]: 0C62C3C8429: removed
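The log above shows the tell-tale pattern of a stolen mailbox password rather than an open relay: the submission service accepts a SASL PLAIN login for one account (sasl_username=thaxxxx@mydomain.com) from a client whose reverse DNS does not resolve (connect from unknown[...]), and the message then passes amavis as RelayedOutbound. The script below is an added example, not code from the poster or from Zimbra: it parses Postfix submission and qmgr lines in exactly this format, groups authenticated submissions by SASL username, and flags accounts that authenticate from many distinct client addresses or push an unusual number of recipients. The sample log lines are constructed in the same format as the post; the thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict

# Constructed sample lines mirroring the poster's Postfix log format.
# Queue IDs, the 203.0.113.9 / 192.0.2.10 clients and alice@ are made up.
SAMPLE_LOG = """\
Jun 7 21:21:30 mail postfix/submission/smtpd[13629]: 0C62C3C8429: client=unknown[178.23.90.47], sasl_method=PLAIN, sasl_username=thaxxxx@mydomain.com
Jun 7 21:21:30 mail postfix/qmgr[12265]: 0C62C3C8429: from=<thaxxxx@mydomain.com>, size=635, nrcpt=1 (queue active)
Jun 7 21:21:33 mail postfix/submission/smtpd[13631]: 1D73E4A9F10: client=unknown[191.53.104.103], sasl_method=PLAIN, sasl_username=thaxxxx@mydomain.com
Jun 7 21:21:33 mail postfix/qmgr[12265]: 1D73E4A9F10: from=<thaxxxx@mydomain.com>, size=640, nrcpt=25 (queue active)
Jun 7 21:21:40 mail postfix/submission/smtpd[13640]: 2A84F5B0A21: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=thaxxxx@mydomain.com
Jun 7 21:21:40 mail postfix/qmgr[12265]: 2A84F5B0A21: from=<thaxxxx@mydomain.com>, size=630, nrcpt=40 (queue active)
Jun 7 21:25:01 mail postfix/submission/smtpd[13650]: 3B95A6C1B32: client=laptop.mydomain.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@mydomain.com
Jun 7 21:25:01 mail postfix/qmgr[12265]: 3B95A6C1B32: from=<alice@mydomain.com>, size=2048, nrcpt=1 (queue active)
"""

# Submission line that ties a queue ID to a client address and SASL user.
SASL_RE = re.compile(
    r"postfix/submission/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>\S+)\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)"
)
# Queue-manager line that carries the recipient count for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, "
    r"nrcpt=(?P<nrcpt>\d+)"
)


def summarize(log_text):
    """Group authenticated submissions by SASL username.

    Returns {user: {"ips": set, "unknown_hosts": int,
                    "messages": int, "recipients": int}}.
    """
    qid_to_user = {}
    summary = defaultdict(
        lambda: {"ips": set(), "unknown_hosts": 0, "messages": 0, "recipients": 0}
    )
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            user = m.group("user")
            qid_to_user[m.group("qid")] = user
            entry = summary[user]
            entry["ips"].add(m.group("ip"))
            entry["messages"] += 1
            # "unknown" is what Postfix logs when reverse DNS fails,
            # as in the poster's "connect from unknown[...]" lines.
            if m.group("host") == "unknown":
                entry["unknown_hosts"] += 1
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in qid_to_user:
            summary[qid_to_user[m.group("qid")]]["recipients"] += int(m.group("nrcpt"))
    return dict(summary)


def flag_suspicious(summary, max_ips=2, max_recipients=50):
    """Return usernames whose submissions look like credential abuse.

    The thresholds are assumptions: one user logging in from more than
    max_ips distinct addresses, or addressing more than max_recipients
    recipients in the window, is worth a password reset and a look at
    the account's recent sessions.
    """
    flagged = []
    for user, entry in sorted(summary.items()):
        if len(entry["ips"]) > max_ips or entry["recipients"] > max_recipients:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for user, entry in stats.items():
        print(user, sorted(entry["ips"]), entry["messages"], "msgs",
              entry["recipients"], "rcpts", entry["unknown_hosts"], "unresolved")
    print("suspicious:", flag_suspicious(stats))
```

Run it over a real file with `summarize(open("/var/log/zimbra.log").read())` (the path is an assumption; use wherever your Postfix logs land). Because the grouping key is the SASL username rather than the sender address, it still catches abuse when the spammer varies the From header, and the unresolved-host count gives a quick feel for how many logins came from clients with no reverse DNS, which is rare for a user's own workstation.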