hi, I'm having a very strange problem.
I have a lot of spam being sent from an account. I changed the password, blocked the account and cleared all deferred messages from the admin console, but I keep seeing new outgoing mail from this account being deferred on the console and in mail.log.
these lines keep showing up in mail.log:
zimbra@mail:~$ zmcontrol -v
Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition.
Apr 2 19:44:35 mail postfix/qmgr[30254]: 895193EA0C8: from=<user@mydomain>, size=1363, nrcpt=1 (queue active)
Apr 2 19:44:35 mail postfix/smtp[22262]: 585343B386C: to=<tototo3478@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=29, delay=365247, delays=363473/1774/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 3EF2F5A95FD)
any ideas? don't know where to start looking.
thanks in advance
hacked account keeps sending after password changed and blocked
Re: hacked account keeps sending after password changed and blocked
I've seen that kind of behaviour on an 8.6 - which was unpatched for a while.
Those connections come from external?
Do you have 8.7.11 Patch 1 installed?
Re: hacked account keeps sending after password changed and blocked
hi! thanks for your reply.
I've just patched my installation but it doesn't solve the problem.
from the undelivered mail returned to sender I can see that mails come from external connections:
Received: from [127.0.0.1] (unknown [200.66.125.225])
by mail.mydomain (Postfix) with ESMTPSA id 9EACA48DF5A
for <kpistole@bellsouth.net>; Thu, 29 Mar 2018 22:37:15 -0300 (-03)
From: user@mydomain
- tonster
- Zimbra Employee
Re: hacked account keeps sending after password changed and blocked
You need to make sure you restart postfix if you change a password and have spam being sent. Most spammers use persistent connections and it can take a while for one to drop and stop the flow of spam.
Sent from my SM-G950U using Tapatalk
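Added example, not part of any post in this thread: a small triage script for the two artifacts quoted above. It subtracts Postfix's delay= value from the log timestamp to see when a message was first accepted (old queue backlog versus mail accepted after the account was locked), and reads the bounce's Received: header for the real client IP and whether the session was authenticated. The year 2018 is taken from the bounce header date; the lockout time is a constructed value, since the thread does not give one.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Both samples are copied from the posts above (status text shortened).
LOG_LINE = ("Apr 2 19:44:35 mail postfix/smtp[22262]: 585343B386C: "
            "to=<tototo3478@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, "
            "conn_use=29, delay=365247, delays=363473/1774/0/0.16, "
            "dsn=2.0.0, status=sent (250 2.0.0 Ok)")
BOUNCE_HEADER = ("Received: from [127.0.0.1] (unknown [200.66.125.225])\n"
                 " by mail.mydomain (Postfix) with ESMTPSA id 9EACA48DF5A")

DELIVERY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: "
                      r"(\w+): to=<[^>]*>.*?\bdelay=([\d.]+),")
RECEIVED = re.compile(r"from (\S+) \(\S+ \[([0-9A-Fa-f.:]+)\]\).*?\bwith (\w+)", re.S)

def accepted_at(line, year):
    """(queue id, time Postfix first accepted the message): log time minus delay=."""
    m = DELIVERY.match(line)
    if not m:
        return None
    logged = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return m.group(2), logged - timedelta(seconds=float(m.group(3)))

def triage(line, lockout, year):
    """Label a delivery as old queue backlog or as mail accepted after the lockout."""
    parsed = accepted_at(line, year)
    if parsed is None:
        return None
    qid, accepted = parsed
    return qid, "backlog" if accepted < lockout else "accepted-after-lockout"

def submission_info(header):
    """HELO name, real client IP and SASL-auth flag from a Postfix Received: header."""
    m = RECEIVED.search(header)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group(2))
    return {"helo": m.group(1), "client_ip": str(ip), "external": ip.is_global,
            # ESMTPA / ESMTPSA (RFC 3848) mean the client authenticated.
            "authenticated": m.group(3).upper() in ("ESMTPA", "ESMTPSA")}

if __name__ == "__main__":
    LOCKOUT = datetime(2018, 4, 1, 12, 0, 0)  # constructed value, not from the thread
    print(accepted_at(LOG_LINE, 2018))
    print(triage(LOG_LINE, LOCKOUT, 2018))
    print(submission_info(BOUNCE_HEADER))
```

Deliveries labelled "backlog" are messages that were already in the queue; any labelled "accepted-after-lockout" mean a session or credential is still being honoured.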