Hi, I have a problem: my server is listed in Spamhaus. I need to solve this, but my problem is that I don't know how. I need to know which log files to look at to discover who, or from which IP, the attack is coming.
For now I have blocked all access to the SMTP port (25) from any IP, including the LAN; access is only permitted from the Zimbra webmail.
Which log files do I need to look at, and is there any example, please?
Can you help me?
Sorry, but my English is not good.
My mail server is listed in a blacklist, I need to know how to solve it.
-
- Advanced member
- Posts: 74
- Joined: Fri Sep 12, 2014 10:44 pm
You will want to look at:
/var/log/maillog
/opt/zimbra/log/audit.log
-
- Posts: 4
- Joined: Sat Sep 13, 2014 2:58 am
Hi mvalenzuela.cl,
I suggest you check the mail queue from the CLI by executing "/opt/zimbra/postfix/sbin/postqueue -p" (without quotes). If you see a large number of mails in the queue, you have to catch the account that is sending spam and search for this account in /var/log/maillog or /var/log/zimbra.log, then find the source IP from which the spammer is sending mail.
If your server is clean and it is on the same network as the PCs, that means one of your PCs is infected with a spamming virus.
Regards.
-
- Posts: 29
- Joined: Sat Sep 13, 2014 3:02 am
Go to your admin control panel and, under server settings, check whether the Enable authentication option is checked or not. If not, check that one first (because otherwise it will act as anonymous SMTP). Check your mail activity by observing the Daily mail report (which is generated daily in the admin@ account mailbox).
If everything looks good you may apply for unblocking.
URL: Blocklist Removal Center - The Spamhaus Project
-
- Advanced member
- Posts: 56
- Joined: Sat Sep 13, 2014 2:05 am
First you need to block the spammer, then remove your IP from the blacklists.
cat /var/log/mail.log | grep "sasl_method=PLAIN" | cut -d: -f5 | sort | uniq -c | sort -n
40 client=unknown[200.103.xxx.xx], sasl_method=PLAIN, sasl_username=spammer
12262 client=200-103-.ctame706.dsl.brasiltelecom.net.br[200.103.xxx.xxx], sasl_method=PLAIN, sasl_username=spammer
12669 client=200-103-ctame706.dsl.brasiltelecom.net.br[200.103.xxx.xxx], sasl_method=PLAIN, sasl_username=spammer
20384 client=200-103-ctame706.dsl.brasiltelecom.net.br[200.103.xxx.xxx], sasl_method=PLAIN, sasl_username=spammer
28182 client=200-103-ctame706.dsl.brasiltelecom.net.br[200.103.xxx.xxx], sasl_method=PLAIN, sasl_username=spammer
52460 client=200-103-ctame706.dsl.brasiltelecom.net.br[200.103.xxx.xxx], sasl_method=PLAIN, sasl_username=spammer
To block the account: zmprov ma user@domain.com zimbraAccountStatus closed
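Added example, not part of any post in this thread: the counting pipeline from the last post extended to report, per SASL username, both the number of authenticated sessions and the number of distinct source IPs, so a compromised account stands out even when it is used from many addresses. The log lines are constructed, and the function names (sasl_summary, sasl_suspects, sample_log) and thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Per-account summary of SASL-authenticated SMTP sessions in a Postfix log.
# Prints "<sessions> <distinct_ips> <username>", busiest account last.
sasl_summary() {
    awk '
    /sasl_username=/ {
        user = ""; ip = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sasl_username=/) { user = substr($i, 15); sub(/,$/, "", user) }
            else if ($i ~ /^client=/ && match($i, /\[[^]]*\]/))
                ip = substr($i, RSTART + 1, RLENGTH - 2)   # text between [ and ]
        }
        if (user == "") next
        n[user]++
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in n) printf "%d %d %s\n", n[u], ips[u], u }
    ' "$1" | sort -k1,1n -k3,3
}

# Usernames at or above either threshold: $2 = sessions, $3 = distinct IPs.
sasl_suspects() {
    sasl_summary "$1" | awk -v s="$2" -v p="$3" '$1 >= s || $2 >= p { print $3 }'
}

# Constructed Postfix smtpd lines (documentation IP ranges), not real data.
sample_log() {
    while read -r ip user; do
        echo "Sep 13 02:10:01 mail postfix/smtpd[1234]: 4F1A22C0D3: client=unknown[$ip], sasl_method=PLAIN, sasl_username=$user"
    done <<'EOF'
192.0.2.10 alice@example.com
192.0.2.20 bob@example.com
192.0.2.20 bob@example.com
203.0.113.5 spammer@example.com
203.0.113.5 spammer@example.com
203.0.113.5 spammer@example.com
198.51.100.7 spammer@example.com
198.51.100.8 spammer@example.com
EOF
    # Unauthenticated delivery: has client= but no sasl_username, so it is ignored.
    echo "Sep 13 02:10:02 mail postfix/smtpd[1234]: 5A1B22C0D4: client=mx.example.net[192.0.2.99]"
}

# Demo on the constructed sample; on a server pass the real log path instead.
tmp=$(mktemp)
sample_log > "$tmp"
sasl_summary "$tmp"
sasl_suspects "$tmp" 4 3
rm -f "$tmp"
```

On a real server, point the functions at /var/log/mail.log or /var/log/maillog and pick thresholds that fit your normal per-user volume.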