Hello Everyone!
First of all, I already read the topics about "open relay" and "compromised account".
So our server is not open for relay, and I don't see anything strange here:
tail -n 100000 /var/log/mail.log | grep "sasl_username=" > smtpauthlogins.txt
zmcontrol -v
Release 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition.
This is from dailyreport:
zmdailyreport from 2014-07-08 00:00:00 to 2014-07-09 00:00:00
492 messages found for 628 total recipients (628 unique)
........
Most active senders
7 kelly_campos@ourdomain.com
5 rosalinda_ramsey@ourdomain.com
5 mayra_fox@ourdomain.com
5 delia_ferguson@ourdomain.com
4 imelda_dunlap@ourdomain.com
4 debora_hubbard@ourdomain.com
4 glenna_stafford@ourdomain.com
4 britney_randall@ourdomain.com
4 irene_coleman@ourdomain.com
4 kasey_dillard@ourdomain.com
4 bernice_calhoun@ourdomain.com
4 georgette_howard@ourdomain.com
4 tanisha_gamble@ourdomain.com
3 gracie_floyd@ourdomain.com
3 betty_schwartz@ourdomain.com
3 ernestine_pittman@ourdomain.com
3 freida_avila@ourdomain.com
3 glenna_guy@ourdomain.com
3 connie_underwood@ourdomain.com
3 robert_hess@ourdomain.com
3 jolene_alvarado@ourdomain.com
.......
The problem is that none of these accounts exist. And what does this report give? Because sometimes it says:
zmdailyreport from 2014-07-03 00:00:00 to 2014-07-04 00:00:00
No messages found
Is there any other way to find out what's going on? I'd appreciate any help.
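The grep in the post above only collects the authenticated-submission lines; the question it is really asking is whether any one account is sending more than it should, or from more places than it should. The following script, which is an added example and not something posted in this thread, parses Postfix `smtpd` lines of that shape and summarises per `sasl_username` the number of submissions and the set of client IPs. The log lines, the account names and the alert thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd format (not taken from the thread).
# The last line is a relay reject with no sasl_username, to show it is skipped.
SAMPLE_LOG = """\
Jul  8 00:12:01 mail postfix/smtpd[2231]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@ourdomain.com
Jul  8 00:12:09 mail postfix/smtpd[2231]: 1A2B3C4D5F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@ourdomain.com
Jul  8 00:12:15 mail postfix/smtpd[2240]: 1A2B3C4D60: client=unknown[192.0.2.33], sasl_method=LOGIN, sasl_username=alice@ourdomain.com
Jul  8 00:12:20 mail postfix/smtpd[2240]: 1A2B3C4D61: client=unknown[192.0.2.34], sasl_method=PLAIN, sasl_username=alice@ourdomain.com
Jul  8 08:30:00 mail postfix/smtpd[2300]: 1A2B3C4D70: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@ourdomain.com
Jul  8 09:00:00 mail postfix/smtpd[2301]: 1A2B3C4D71: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@ourdomain.com
Jul  8 09:05:00 mail postfix/smtpd[2302]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Relay access denied
"""

# One authenticated submission as logged by postfix/smtpd: timestamp, host,
# queue id, connecting client and the SASL login name used.
SASL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def summarize_sasl_logins(log_text):
    """Return {username: {"messages": count, "ips": set of client IPs}}
    for every authenticated submission found in log_text."""
    per_user = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        m = SASL_RE.match(line)
        if not m:
            continue  # rejects, bounces and other non-SASL lines are ignored
        rec = per_user[m.group("user")]
        rec["messages"] += 1
        rec["ips"].add(m.group("ip"))
    return dict(per_user)


def flag_suspicious(summary, max_ips=2, max_messages=200):
    """Accounts that authenticate from more distinct client IPs than a single
    user plausibly would, or that submit far more messages than normal, are
    the first candidates for a stolen password. Thresholds are assumptions;
    tune them to the site's real baseline."""
    return sorted(
        user for user, rec in summary.items()
        if len(rec["ips"]) > max_ips or rec["messages"] > max_messages
    )


if __name__ == "__main__":
    # In practice: feed in the smtpauthlogins.txt produced by the grep above.
    summary = summarize_sasl_logins(SAMPLE_LOG)
    for user, rec in sorted(summary.items()):
        print(f"{user}: {rec['messages']} messages from {len(rec['ips'])} IP(s)")
    print("review:", flag_suspicious(summary))
```

Run it against the `smtpauthlogins.txt` the grep produced instead of the embedded sample; an account that shows up from a handful of unrelated networks within minutes is worth a password reset regardless of how many messages it sent.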
Zimbra is sending a Spam
- Posts: 11
- Joined: Sat Sep 13, 2014 3:07 am
Zimbra is sending a Spam
What I have done so far:
1) Zimbra updated to 8.0.7
2) Passwords for user accounts were changed
3) Port 7071 was blocked from the internet
[QUOTE]
zmcontrol -v
Release 8.0.7.GA.6021.UBUNTU12.64 UBUNTU12_64 FOSS edition.
[/QUOTE]
Still can't identify the compromised account. I used the solutions from this topic, but without success.
From which logs does this "Most active senders" list that I mentioned in my original post come?
Zimbra is sending a Spam
[quote user="essential_mix"]The problem is that none of these accounts exist. And what does this report give?[/quote]That list is a list of addresses that are sending to you, not being sent by you - this has been mentioned in the forums before, although I seem to remember it was a long time ago.
Zimbra is sending a Spam
[quote user="10330phoenix"]That list is a list of addresses that are sending to you, not being sent by you - this has been mentioned in the forums before, although I seem to remember it was a long time ago.[/QUOTE]
Thank you for your reply. In this case, why is this address used in the logs with a FROM statement?
These errors are from the same daily report:
2014-07-14 00:07:01 bounced (Host or domain name not found. Name service error for name=nokiamail.cow type=A: Host not found)
from=tracie_rollins@ourdomain.com to=felix.lebethe@nokiamail.cow
2014-07-14 00:07:28 bounced (Host or domain name not found. Name service error for name=ve.nettuno type=A: Host not found)
from=elnora_reyes@ourdomain.com to=fortuny@ve.nettuno
2014-07-14 00:07:37 bounced (Host or domain name not found. Name service error for name=gmail.com.fr type=A: Host not found)
from=janelle_hopkins@ourdomain.com to=honore7923@gmail.com.fr
2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)
from=<> to=johnville@gmail.ie
2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)
from=arline_barrett@ourdomain.com to=johnville@gmail.ie
2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.54]: Connection timed out)
from=<> to=johnville@gmail.ie
2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.54]: Connection timed out)
from=arline_barrett@ourdomain.com to=johnville@gmail.ie
2014-07-14 00:09:28 bounced (Name service error for name=myspace.com type=MX: Malformed or unexpected name server reply)
from=shelby_whitfield@ourdomain.com to=johnvmiller1@myspace.com
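The bounce and deferral lines quoted above come in pairs (a status line, then a `from=... to=...` line), and the useful signal is in the envelope sender: `from=<>` is a non-delivery report this server itself is trying to send out, and a sender in the local domain that is not a real account means the message was accepted with a forged local sender, which is exactly what a reject-unlisted-sender check stops at SMTP time. The script below is an added example, not something posted in the thread; it parses report extracts in that two-line format and labels each entry. The report extract, the list of valid accounts and the domain name are constructed for the example (on a real server the account list would come from `zmprov -l gaa`).

```python
import re

# Constructed report extract in the same two-line layout as zmdailyreport's
# bounce section (sample values, not copied from a real server).
REPORT = """\
2014-07-14 00:07:01 bounced (Host or domain name not found. Name service error for name=nokiamail.cow type=A: Host not found)
from=tracie_rollins@ourdomain.com to=felix.lebethe@nokiamail.cow
2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)
from=<> to=johnville@gmail.ie
2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)
from=arline_barrett@ourdomain.com to=johnville@gmail.ie
2014-07-14 00:15:00 bounced (Host or domain name not found. Name service error for name=example.invalid type=A: Host not found)
from=bob@ourdomain.com to=someone@example.invalid
"""

# Assumed account list and domain; in practice build the set from `zmprov -l gaa`.
VALID_ACCOUNTS = {"bob@ourdomain.com", "alice@ourdomain.com"}
LOCAL_DOMAIN = "ourdomain.com"

STATUS_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<status>\w+) \((?P<reason>.*)\)$")
ADDR_RE = re.compile(r"^from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def parse_report(text):
    """Turn the status/address line pairs into a list of dicts.
    Assumes the two-line layout shown in the thread; malformed pairs are skipped."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = []
    for status_line, addr_line in zip(lines[0::2], lines[1::2]):
        s = STATUS_RE.match(status_line)
        a = ADDR_RE.match(addr_line)
        if not (s and a):
            continue
        entries.append({
            "ts": s.group("ts"), "status": s.group("status"), "reason": s.group("reason"),
            "sender": a.group("sender"), "rcpt": a.group("rcpt"),
        })
    return entries


def classify(entry, valid_accounts, local_domain):
    """Label one entry by what its envelope sender says about how it got here."""
    sender = entry["sender"]
    if sender == "<>":
        # Null sender: this server is emitting an NDR. If the original message
        # had a forged sender, the NDR is backscatter leaving our server.
        return "ndr-from-this-server"
    if sender.endswith("@" + local_domain) and sender not in valid_accounts:
        # Local domain but no such mailbox: accepted with a forged local sender.
        return "forged-local-sender"
    if sender in valid_accounts:
        # A real mailbox: cross-check its SASL logins before assuming it is clean.
        return "real-account"
    return "external-sender"


def summarize(text, valid_accounts, local_domain):
    """Count entries per label; the forged-local-sender count is what the
    'Rejecting false mail from addresses' change should drive to zero."""
    counts = {}
    for entry in parse_report(text):
        label = classify(entry, valid_accounts, local_domain)
        counts[label] = counts.get(label, 0) + 1
    return counts


def forged_senders(text, valid_accounts, local_domain):
    """The set of non-existent local addresses spammers used as envelope senders."""
    return {
        e["sender"] for e in parse_report(text)
        if classify(e, valid_accounts, local_domain) == "forged-local-sender"
    }


if __name__ == "__main__":
    print(summarize(REPORT, VALID_ACCOUNTS, LOCAL_DOMAIN))
    print(sorted(forged_senders(REPORT, VALID_ACCOUNTS, LOCAL_DOMAIN)))
```

A report dominated by `forged-local-sender` and `ndr-from-this-server` entries, with no `real-account` entries, points at forged senders and bounces rather than a stolen password; any `real-account` entries are the ones to line up against the authenticated-login summary.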
Zimbra is sending a Spam
[quote user="essential_mix"]Thank you for your reply. In this case, why is this address used in the logs with a FROM statement?[/QUOTE]Again, this has been answered previously and is all over the internet. It's because you are the target, not the sender, of that spam. It's called NDR spam or backscatter spam - if you search the forums or the internet for those phrases you'll get more information on the subject than you really want.
Zimbra is sending a Spam
Hello again!
I have made 2 changes:
1) Rejecting false "mail from" addresses
2) Discarding Emails Sent to Invalid Addresses
But we are still ending up on blacklists.
What else can I check?
Zimbra is sending a Spam
If the only issue is that your server was passing along mail from backscatters, how long since you made those changes? Have you been re-added to a blacklist since then or have you just not been removed yet?
Also, make sure you do not have users that are compromised. It doesn't matter what changes you make with postfix, if a user gives out their password in response to a phishing email, then the spammers are going to go in and use accounts on your system to send spam.
Zimbra is sending a Spam
[quote user="essential_mix"]But we are still ending up on blacklists.[/quote]You won't get off a blacklist immediately, you'll have to wait a while.
[quote user="essential_mix"]What else can I check?[/QUOTE]Do you use any RBLs on your server and, if you do, which ones?
Zimbra is sending a Spam
I strongly advise reading over SpamAssassin Customizations - Zimbra :: Wiki as well.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/