i'm in a big spam trouble ! pls help me !

Posted: Fri Mar 29, 2013 5:33 am
by lananhbin
my domain is abc.cd.ef

my FQDN of mail server is z.abc.cd.ef
in my system, there is a user fedexexpressdelivery@z.abc.cd.ef who is sending spam. but i can't find that user to disable it. pls tell me how !
thanks in advance !

i'm in a big spam trouble ! pls help me !

Posted: Fri Mar 29, 2013 5:51 am
by phoenix
Did you look at any of the forum threads on this topic? How do you know that's the 'user' that's sending spam? The information you've posted doesn't actually give any details about the problem, you're going to have to look at the log files to determine what the problem actually is.

i'm in a big spam trouble ! pls help me !

Posted: Fri Mar 29, 2013 6:07 am
by lananhbin
i logged in to the web mail of zimbra and that user is randomly sending thousands of emails. those emails make my system crash !

ex : my domain is abc.cd.ef so my user email is : lananh@abc.cd.ef

but the email sending spam is fedexexpressdeliverry@z.abc.cd.ef . and z.abc.cd.ef is the FQDN of my mail server.

i can't find that user !

p.s: i searched but i can't find any solution
[quote user="10330phoenix"]Did you look at any of the forum threads on this topic? How do you know that's the 'user' that's sending spam? The information you've posted doesn't actually give any details about the problem, you're going to have to look at the log files to determine what the problem actually is.[/QUOTE]

i'm in a big spam trouble ! pls help me !

Posted: Fri Mar 29, 2013 6:49 am
by phoenix
[quote user="lananhbin"]i logged in to the web mail of zimbra and that user is randomly sending thousands of emails. those emails make my system crash !

ex : my domain is abc.cd.ef so my user email is : lananh@abc.cd.ef[/QUOTE]I understand that.
[quote user="lananhbin"]but the email sending spam is fedexexpressdeliverry@z.abc.cd.ef . and z.abc.cd.ef is the FQDN of my mail server.

i can't find that user ![/QUOTE]You still haven't said how you know this 'user' is sending spam, where did you get that email address from? If you got this from the log files then you should see the IP address of the client that's submitting the email. If you have no user with that name on your server then you've either got a compromised account or a spam bot on your network that's submitting mail through your server.
[quote user="lananhbin"]p.s: i searched but i can't find any solution[/QUOTE]There are plenty of solutions in the forums, I'd suggest you look at some of those threads that discuss 'compromised accounts' and try some of the suggestions you'll find. You will additionally need to look at your log files to find the source of this problem, merely repeating the suspected user name does not give enough information for anyone to advise you - you're going to have to do some digging in the log files.

i'm in a big spam trouble ! pls help me !

Posted: Fri Mar 29, 2013 9:32 am
by lananhbin
i disconnected the network then i logged in to my admin page. i can see the user that sends the most emails. i can't find that user on my system. i didn't
i have some information.
there are a few emails from the ip : 101.221.201.127 sent to my system. with:

sender : fedexexpressdeliverry@z.abc.cd.ef . it's the same name as the account sending spam on my system.

from host : unknown

origin domain : smtp-amavis:[127.0.0.1]:10024
that's all i have now. i can't find the local ip or user on my system sending mail !
if i'm under a "spam bot" attack, what should i do ? i searched with the keyword you gave but i still can't find any solution ! pls help me ! thanks

i'm in a big spam trouble ! pls help me !

Posted: Fri Mar 29, 2013 2:49 pm
by 1215vavai
Hi,
The simple temporary solution (or call it a first aid :) ), just tell Zimbra to ban all mail sent from your FQDN instead of from your domain.
su - zimbra

vi /opt/zimbra/conf/salocal.cf.in

add the following line :
blacklist_from *@z.abc.cd.ef
and then save it (with :wq!, because this file is read-only) followed by :
zmmtactl restart && zmamavisdctl restart
The permanent solution : investigate your logs (start from /var/log/zimbra.log) and find out the origin (IP, sender, SASL login) of spam messages

i'm in a big spam trouble ! pls help me !

Posted: Sat Mar 30, 2013 11:30 pm
by lananhbin
thanks vavai ! although i did it the other way. I blocked 101.221.201.127 , added more rules to my MTA ...and now (maybe) i solved my trouble . but i still can't find the compromised accounts :(
p.s: thanks phoenix so much :D

i'm in a big spam trouble ! pls help me !

Posted: Thu Jun 27, 2013 6:05 pm
by 7310pyperdown
You need to look at your zimbra.log files, possibly going back a couple of days. If it's not in the current log you may need to look at zimbra.log.0, or zimbra.log.[1-4].gz
This fragment checks the log file, and counts the number of connections in each recorded timestamp minute, ie

5 12:48 ignorant_user
32 12:53 ignorant_user

And so on.
# tr -s keeps the awk field numbers stable on single-digit days ("Mar  9"); sort before uniq -c so identical minute/user pairs are counted together
zgrep -i "auth ok" /var/log/zimbra.log | tr -s ' ' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -nr
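The two log-reading steps recommended above (phoenix's "find the IP of the client submitting the mail" and pyperdown's per-minute login count) as one added example that is not part of the thread. It runs against a constructed sample of zimbra.log-style lines embedded in the script: saslauthd "auth OK" lines for the login burst, and Postfix smtpd "client=...sasl_username=..." lines for the submitting IP. Host name "z", PIDs, queue IDs and the user "bob" are made up; the IP 101.221.201.127 is the one reported in the thread. The default awk whitespace splitting is used instead of a fixed separator so single-digit days do not shift the fields.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Counts successful SASL
# logins per (minute, user) and lists which client IPs authenticated as
# which user, from zimbra.log-style lines. Sample data is constructed.

# Constructed sample of /var/log/zimbra.log lines (hostname, PIDs, queue
# IDs and "bob" are illustrative).
sample_log() {
cat <<'EOF'
Mar 29 12:48:01 z saslauthd[2201]: auth_zimbra: lananh@abc.cd.ef auth OK
Mar 29 12:48:09 z saslauthd[2201]: auth_zimbra: lananh@abc.cd.ef auth OK
Mar 29 12:48:10 z postfix/smtpd[3110]: A1B2C3: client=unknown[101.221.201.127], sasl_method=LOGIN, sasl_username=lananh@abc.cd.ef
Mar 29 12:53:02 z saslauthd[2201]: auth_zimbra: lananh@abc.cd.ef auth OK
Mar 29 12:53:02 z saslauthd[2201]: auth_zimbra: lananh@abc.cd.ef auth OK
Mar 29 12:53:03 z saslauthd[2201]: auth_zimbra: lananh@abc.cd.ef auth OK
Mar 29 12:53:03 z saslauthd[2201]: auth_zimbra: bob@abc.cd.ef auth OK
Mar 29 12:53:05 z saslauthd[2201]: auth_zimbra: lananh@abc.cd.ef auth failed
Mar 29 12:53:06 z postfix/smtpd[3110]: D4E5F6: client=unknown[101.221.201.127], sasl_method=LOGIN, sasl_username=lananh@abc.cd.ef
Mar 29 12:53:07 z postfix/smtpd[3111]: D4E5F7: client=unknown[101.221.201.127], sasl_method=LOGIN, sasl_username=lananh@abc.cd.ef
EOF
}

# Successful logins per (minute, user), busiest first. Reads log text on
# stdin. $3 is "HH:MM:SS", the user sits two fields before the final "OK".
# Output lines look like: "3 12:53 lananh@abc.cd.ef"
auth_ok_per_minute() {
    grep -i 'auth ok' \
    | awk '{ print substr($3, 1, 5), $(NF-2) }' \
    | sort | uniq -c | sort -nr \
    | awk '{ print $1, $2, $3 }'
}

# Client IP and the account it authenticated as (Postfix smtpd lines),
# most submissions first. Output: "3 101.221.201.127 lananh@abc.cd.ef"
client_ips_per_user() {
    grep 'sasl_username=' \
    | sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\([^ ,]*\).*/\1 \2/p' \
    | sort | uniq -c | sort -nr \
    | awk '{ print $1, $2, $3 }'
}

# Wrappers so the script runs offline against the sample.
top_login_burst() { sample_log | auth_ok_per_minute | head -n 1; }
top_client() { sample_log | client_ips_per_user | head -n 1; }

# On a real server replace sample_log with the rotated logs, e.g.
#   zcat -f /var/log/zimbra.log /var/log/zimbra.log.*.gz | auth_ok_per_minute
top_login_burst
top_client
```

A legitimate user rarely shows more than a handful of logins per minute; an account at the top of the first list, paired with a single unfamiliar IP at the top of the second, is the compromised-account case phoenix describes, and the account password (not just the spoofed sender address) is what needs changing.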