BulkEmail Going from Zimbra account

charles07

Post by charles07 »

For the past few days Zimbra is digging my head out. Company CEO mail is receiving 70,000 to 1 lakh mails in a few minutes. Upon checking we found:
1. Bulk email was sent from this ID. We could see them in the sent mail. The user was receiving failed and denied replies from those sent IDs.
2. Contacted support and they said someone used this mail ID and sent the mails. They asked us to perform the steps in the two wiki pages below:
https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
3. They said it was something with sasl_username.
4. We deleted the mail queue, cleaned the inbox, applied the above settings, and changed the user password.
5. Next day, the same thing happens.
6. This time support says, "user password was compromised". I don't trust that anyways.
7. PFA a screenshot wherein a local IP "10.x.x.x" is seen in the mail queue.
8. Our network is 192.168.x.x, so how is that "10.x.x.x" connecting to the Zimbra server in the DMZ, that too after VLAN and firewall?
9. We don't have a 10.x.x.x network.

Does anyone have any idea why this is happening and how I can stop it?


..
Attachments
MailQue_crop.jpg
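An added example, not part of the original post: one way to check which client IPs authenticated as which `sasl_username`, so that an address outside the expected LAN stands out. It assumes standard Postfix smtpd log lines; the sample log, the example.com accounts, the `10.0.0.5` address and the `192.168.0.0/16` allow-list are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches the Postfix smtpd line logged for an authenticated submission, e.g.
# "postfix/smtpd[2101]: QUEUEID: client=host[ip], sasl_method=LOGIN, sasl_username=user"
AUTH_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[\s]*\[(?P<ip>[0-9A-Fa-f:.]+)\].*?sasl_username=(?P<user>[^\s,]+)"
)

# Assumption: only the 192.168.x.x LAN should be submitting authenticated mail.
EXPECTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]

def summarize(lines):
    """Return {sasl_username: Counter({client_ip: message_count})}."""
    per_user = defaultdict(Counter)
    for line in lines:
        m = AUTH_RE.search(line)
        if m:  # lines without sasl_username (unauthenticated) are skipped
            per_user[m["user"]][m["ip"]] += 1
    return per_user

def suspicious(per_user, max_msgs=2):
    """List (user, ip, count, reason) for unexpected sources or high volume."""
    findings = []
    for user, ips in sorted(per_user.items()):
        for ip, count in sorted(ips.items()):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in EXPECTED_NETS):
                findings.append((user, ip, count, "unexpected source network"))
            elif count > max_msgs:
                findings.append((user, ip, count, "volume above threshold"))
    return findings

# Constructed sample log lines (not taken from the post or its screenshot).
SAMPLE_LOG = """\
Aug 12 03:14:07 mail postfix/smtpd[2101]: 3A1F02C0001: client=unknown[10.0.0.5], sasl_method=LOGIN, sasl_username=ceo@example.com
Aug 12 03:14:08 mail postfix/smtpd[2101]: 3A1F02C0002: client=unknown[10.0.0.5], sasl_method=LOGIN, sasl_username=ceo@example.com
Aug 12 03:14:09 mail postfix/submission/smtpd[2102]: 3A1F02C0003: client=unknown[10.0.0.5], sasl_method=PLAIN, sasl_username=ceo@example.com
Aug 12 09:01:30 mail postfix/smtpd[2290]: 3A1F02C0004: client=pc20.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=ceo@example.com
Aug 12 09:05:12 mail postfix/smtpd[2291]: 3A1F02C0005: client=pc30.lan[192.168.1.30], sasl_method=PLAIN, sasl_username=sales@example.com
Aug 12 09:05:13 mail postfix/smtpd[2292]: 3A1F02C0006: client=localhost[127.0.0.1]
""".splitlines()

if __name__ == "__main__":
    for finding in suspicious(summarize(SAMPLE_LOG)):
        print(finding)
```

The per-IP breakdown shows whether the bulk submissions authenticated from a known workstation or from an address that reaches the server through some other path.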