Zimbra is sending a Spam

essential_mix · Post by **essential_mix** » Wed Jul 09, 2014 4:32 pm

Hello Everyone!

First of all i already read topic with "open relay" and "compromised account"

So our server not opened for relay and i dont see anything strange here:

tail -n 100000 /var/log/mail.log | grep "sasl_username=" > smtpauthlogins.txt

zmcontrol -v

Release 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition.

This is from dailyreport:

zmdailyreport from 2014-07-08 00:00:00 to 2014-07-09 00:00:00
492 messages found for 628 total recipients (628 unique)

........

Most active senders

7 kelly_campos@ourdomain.com

5 rosalinda_ramsey@ourdomain.com

5 mayra_fox@ourdomain.com

5 delia_ferguson@ourdomain.com

4 imelda_dunlap@ourdomain.com

4 debora_hubbard@ourdomain.com

4 glenna_stafford@ourdomain.com

4 britney_randall@ourdomain.com

4 irene_coleman@ourdomain.com

4 kasey_dillard@ourdomain.com

4 bernice_calhoun@ourdomain.com

4 georgette_howard@ourdomain.com

4 tanisha_gamble@ourdomain.com

3 gracie_floyd@ourdomain.com

3 betty_schwartz@ourdomain.com

3 ernestine_pittman@ourdomain.com

3 freida_avila@ourdomain.com

3 glenna_guy@ourdomain.com

3 connie_underwood@ourdomain.com

3 robert_hess@ourdomain.com

3 jolene_alvarado@ourdomain.com

.......

Problem that all of this accounts does not exist. And what this report gives? Because sometime it say:

zmdailyreport from 2014-07-03 00:00:00 to 2014-07-04 00:00:00

No messages found

Is any other way to find what's going on? Appreciate for any help.

essential_mix · Post by **essential_mix** » Tue Jul 15, 2014 10:38 am

What i have done so far:

1) Zimbra updated to 8.0.7

2) Passwords for users accounts was changed

3) port 7071 was blocked for internet
[QUOTE]

zmcontrol -v

Release 8.0.7.GA.6021.UBUNTU12.64 UBUNTU12_64 FOSS edition.

[/QUOTE]
Still cant identify compromised account. Used solutions from this topic. But without success.

From which logs coming this "Most active senders" that i mentioned in my original post.

phoenix · Post by **phoenix** » Tue Jul 15, 2014 11:05 am

[quote user="essential_mix"]Problem that all of this accounts does not exist. And what this report gives?[/quote]That list is a list of address that are sending to you not being sent by you - this has been mentioned in the forums before although I seem to remember it was a long time ago.

essential_mix · Post by **essential_mix** » Tue Jul 15, 2014 12:28 pm

[quote user="10330phoenix"]That list is a list of address that are sending to you not being sent by you - this has been mentioned in the forums before although I seem to remember it was a long time ago.[/QUOTE]
Thank you for your reply. In this case why this address in logs used with FROM statement

This errors from the same dailyreport:

2014-07-14 00:07:01 bounced (Host or domain name not found. Name service error for name=nokiamail.cow type=A: Host not found)

from=tracie_rollins@ourdomain.com to=felix.lebethe@nokiamail.cow

2014-07-14 00:07:28 bounced (Host or domain name not found. Name service error for name=ve.nettuno type=A: Host not found)

from=elnora_reyes@ourdomain.com to=fortuny@ve.nettuno

2014-07-14 00:07:37 bounced (Host or domain name not found. Name service error for name=gmail.com.fr type=A: Host not found)

from=janelle_hopkins@ourdomain.com to=honore7923@gmail.com.fr

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)

from=<> to=johnville@gmail.ie

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.53]: Connection timed out)

from=arline_barrett@ourdomain.com to=johnville@gmail.ie

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.54]: Connection timed out)

from=<> to=johnville@gmail.ie

2014-07-14 00:09:07 deferred (connect to gmail.ie[74.125.239.54]: Connection timed out)

from=arline_barrett@ourdomain.com to=johnville@gmail.ie

2014-07-14 00:09:28 bounced (Name service error for name=myspace.com type=MX: Malformed or unexpected name server reply)

from=shelby_whitfield@ourdomain.com to=johnvmiller1@myspace.com

phoenix · Post by **phoenix** » Tue Jul 15, 2014 12:38 pm

[quote user="essential_mix"]Thank you for your reply. In this case why this address in logs used with FROM statement[/QUOTE]Again, this has been answered previously and is all over the internet. It's because you are the target not the sender of that spam. It's called NDR Spam or backscatter spam - if you search the forums or the internet for those phrases you'll get more information on the subject than you really want.

essential_mix · Post by **essential_mix** » Mon Jul 28, 2014 12:05 pm

Hello again!
I have made 2 changes:

1) Rejecting false "mail from" addresses

2) Discarding Emails Sent to Invalid Addresses
But we are still going to blacklists.
What else i can check?

chauvetp · Post by **chauvetp** » Mon Jul 28, 2014 2:13 pm

If the only issue is that your server was passing along mail from backscatters, how long since you made those changes? Have you been re-added to a blacklist since then or have you just not been removed yet?
Also, make sure you do not have users that are compromised. It doesn't matter what changes you make with postfix, if a user gives out their password in response to a phishing email, then the spammers are going to go in and use accounts on your system to send spam.

phoenix · Post by **phoenix** » Tue Jul 29, 2014 2:36 am

[quote user="essential_mix"]But we are still going to blacklists. [/quote]You won't get off a blacklist immediately, you'll have to wait a while.
[quote user="essential_mix"]What else i can check?[/QUOTE]Do you use any RBLs on your server and if you do, which ones?

quanah · Post by **quanah** » Wed Jul 30, 2014 1:41 am

I strongly advise reading over SpamAssassin Customizations - Zimbra :: Wiki as well.