Mail server sending spam from zimbra@mydomain.com

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Mail server sending spam from zimbra@mydomain.com

Post by mateusscheper »

I saw a lot of emails being sent from zimbra@mydomain.com to neplaceviata007@outlook.com.
I don't have a mailbox called zimbra@mydomain.com. How is this possible?

Code:

mail postfix/smtpd[5947]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <zimbra@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<zimbra@mydomain.com> to=<neplaceviata007@outlook.com> proto=ESMTP helo=<mydomain.com>

I also saw three processes from the zimbra user whose commands were just "-bash". How do I debug this?

EDIT: I just saw a crontab running on user zimbra:

Code:

* * * * * /tmp/.scr/sn2/./-bash
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: Mail server sending spam from zimbra@mydomain.com

Post by Klug »

Which version of ZCS are you running?

viewtopic.php?f=15&t=65932
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Post by mateusscheper »

Klug wrote: Which version of ZCS are you running?

viewtopic.php?f=15&t=65932
8.7.11_GA_1854.FOSS.
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: Mail server sending spam from zimbra@mydomain.com

Post by Klug »

mateusscheper wrote: 8.7.11_GA_1854.FOSS.
You should be running 8.7.11_GA_3800 (that's Patch P11).

Your server might be compromised, you should check the thread above.
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Post by mateusscheper »

Okay, I updated to 8.7.11_GA_3800.NETWORKING.

One question: I'm seeing a process that just says "[cpuset]" and it's consuming 100% of one of my cores. It's running for 71 min+ and I just restarted zimbra in order to update. Could this be related?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Mail server sending spam from zimbra@mydomain.com

Post by phoenix »

It's already been mentioned that you may have a compromised (i.e. hacked) server, read the thread that's been posted in the link earlier to confirm if it has or not.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Post by mateusscheper »

phoenix wrote: It's already been mentioned that you may have a compromised (i.e. hacked) server, read the thread that's been posted in the link earlier to confirm if it has or not.
Yes. I already cleaned it following this link.

My question now is about the cpuset thing.
ps aux | grep cpuset:

Code:

zimbra    9277  100  0.0 135988  3112 ?        R    11:10 264:59 [cpuset]
Is this part of Zimbra or should I worry?
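An added triage script, not from any poster in this thread, that applies two checks the evidence above supports: a genuine kernel thread runs as root with VSZ and RSS of 0 in `ps aux`, which the zimbra-owned [cpuset] line fails, and a crontab command launched from a hidden directory under /tmp is not something Zimbra installs. The sample `ps` and `crontab` text is constructed except for the two lines posted in this thread.

```python
import re

# Real kernel threads run as root and own no address space, so `ps aux` reports
# VSZ and RSS as 0 for them. A bracketed name with memory or a non-root owner is
# a userland process that merely picked a kernel-looking name.
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+[\d.]+\s+[\d.]+\s+(?P<vsz>\d+)\s+(?P<rss>\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$"
)

def fake_kernel_threads(ps_output):
    """Return (pid, user, command) for bracketed names that cannot be kernel threads."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_RE.match(line.strip())
        if not m or not (m["cmd"].startswith("[") and m["cmd"].endswith("]")):
            continue
        if m["user"] != "root" or int(m["vsz"]) or int(m["rss"]):
            hits.append((int(m["pid"]), m["user"], m["cmd"]))
    return hits

# The persistence in this thread lived in a hidden directory under /tmp; flag any
# crontab command that runs from a world-writable or hidden path.
SUSPECT_PATH = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+/")

def suspicious_cron_entries(crontab_text):
    """Return crontab lines whose command references /tmp-like or hidden paths."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)            # 5 time fields, then the command
        command = parts[5] if len(parts) == 6 else line
        if SUSPECT_PATH.search(command):
            hits.append(line)
    return hits

# Constructed sample: the [cpuset] line and the first cron entry are the ones
# posted in this thread; the other lines are made up for comparison.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    11:00   0:00 [kthreadd]
zimbra    9277  100  0.0 135988  3112 ?        R    11:10 264:59 [cpuset]
root       812  0.0  0.1  72000  5000 ?        Ss   11:00   0:00 /usr/sbin/sshd -D
"""
SAMPLE_CRON = "* * * * * /tmp/.scr/sn2/./-bash\n0 2 * * * /usr/local/bin/rotate-logs.sh\n"

if __name__ == "__main__":
    print(fake_kernel_threads(SAMPLE_PS), suspicious_cron_entries(SAMPLE_CRON))
```

Run it against `ps aux` and `crontab -u zimbra -l` output saved before cleanup so the evidence survives the restart.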
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Mail server sending spam from zimbra@mydomain.com

Post by L. Mark Stone »

If you cleaned it but didn't patch it, you will just get reinfected.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Post by mateusscheper »

I did clean and I did patch.
I just wondered if this 100% CPU would be related to this particular issue.
In any case, I killed it and restarted Zimbra yesterday. Everything seems normal so far.

Thank you for your help.