Account sending spam via webmail

yvespires
Posts: 20
Joined: Tue Jan 03, 2017 1:15 pm

Post by yvespires »

Can't identify the compromised account sending spam through webmail, any ideas?

Code:

root@myserver:~# /opt/zimbra/common/sbin/postcat -q 1E1E23614A2
*** ENVELOPE RECORDS deferred/1/1E1E23614A2 ***
message_size:            3779            3128              25               0            3779               0
message_arrival_time: Mon Oct 28 00:35:03 2019
create_time: Mon Oct 28 00:35:03 2019
named_attribute: log_ident=1E1E23614A2
named_attribute: rewrite_context=remote
sender: resgate-safra01@safra.com
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=37232
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=37232
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;cassius@abcrede.com.br
original_recipient: cassius@abcrede.com.br
done_recipient: cassius@abcrede.com.br
named_attribute: dsn_orig_rcpt=rfc822;lbissoli@acessa.com.br
original_recipient: lbissoli@acessa.com.br
done_recipient: lbissoli@acessa.com.br
named_attribute: dsn_orig_rcpt=rfc822;aurea@bnl.com.br
original_recipient: aurea@bnl.com.br
done_recipient: aurea@bnl.com.br
named_attribute: dsn_orig_rcpt=rfc822;branco@branco.com.br
original_recipient: branco@branco.com.br
done_recipient: branco@branco.com.br
named_attribute: dsn_orig_rcpt=rfc822;cedipi@cedipi.com.br
original_recipient: cedipi@cedipi.com.br
done_recipient: cedipi@cedipi.com.br
named_attribute: dsn_orig_rcpt=rfc822;03209262@facsumare.com.br
original_recipient: 03209262@facsumare.com.br
done_recipient: 03209262@facsumare.com.br
named_attribute: dsn_orig_rcpt=rfc822;aciaccdl@inetsafe.com.br
original_recipient: aciaccdl@inetsafe.com.br
done_recipient: aciaccdl@inetsafe.com.br
named_attribute: dsn_orig_rcpt=rfc822;acarolina2081@itelefonica.com.br
original_recipient: acarolina2081@itelefonica.com.br
done_recipient: acarolina2081@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;acel.celso@itelefonica.com.br
original_recipient: acel.celso@itelefonica.com.br
done_recipient: acel.celso@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;acl.cd@itelefonica.com.br
original_recipient: acl.cd@itelefonica.com.br
done_recipient: acl.cd@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;adelaniaps@itelefonica.com.br
original_recipient: adelaniaps@itelefonica.com.br
done_recipient: adelaniaps@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;albertino1@itelefonica.com.br
original_recipient: albertino1@itelefonica.com.br
done_recipient: albertino1@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;ale.cesar.marques@itelefonica.com.br
original_recipient: ale.cesar.marques@itelefonica.com.br
done_recipient: ale.cesar.marques@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;alfe3@itelefonica.com.br
original_recipient: alfe3@itelefonica.com.br
done_recipient: alfe3@itelefonica.com.br
named_attribute: dsn_orig_rcpt=rfc822;atendimento@jogosantigos.com.br
original_recipient: atendimento@jogosantigos.com.br
recipient: atendimento@jogosantigos.com.br
named_attribute: dsn_orig_rcpt=rfc822;abraga@jornaldasgravadoras.com.br
original_recipient: abraga@jornaldasgravadoras.com.br
done_recipient: abraga@jornaldasgravadoras.com.br
named_attribute: dsn_orig_rcpt=rfc822;andre@malbanet.com.br
original_recipient: andre@malbanet.com.br
done_recipient: andre@malbanet.com.br
named_attribute: dsn_orig_rcpt=rfc822;anisio@metalink.com.br
original_recipient: anisio@metalink.com.br
done_recipient: anisio@metalink.com.br
named_attribute: dsn_orig_rcpt=rfc822;batalhaliga@netcomp.com.br
original_recipient: batalhaliga@netcomp.com.br
recipient: batalhaliga@netcomp.com.br
named_attribute: dsn_orig_rcpt=rfc822;a.dias@resotec.com.br
original_recipient: a.dias@resotec.com.br
done_recipient: a.dias@resotec.com.br
named_attribute: dsn_orig_rcpt=rfc822;andersonaluz@superig.com.br
original_recipient: andersonaluz@superig.com.br
done_recipient: andersonaluz@superig.com.br
named_attribute: dsn_orig_rcpt=rfc822;calilmello@superig.com.br
original_recipient: calilmello@superig.com.br
done_recipient: calilmello@superig.com.br
named_attribute: dsn_orig_rcpt=rfc822;lalberto@transamerica.com.br
original_recipient: lalberto@transamerica.com.br
done_recipient: lalberto@transamerica.com.br
named_attribute: dsn_orig_rcpt=rfc822;camiju@web2go.com.br
original_recipient: camiju@web2go.com.br
done_recipient: camiju@web2go.com.br
named_attribute: dsn_orig_rcpt=rfc822;argumentomonica@yawl.com.br
original_recipient: argumentomonica@yawl.com.br
done_recipient: argumentomonica@yawl.com.br
*** MESSAGE CONTENTS deferred/1/1E1E23614A2 ***
Received: from localhost (localhost [127.0.0.1])
        by myserver.domain.net.br (Postfix) with ESMTP id 1E1E23614A2;
        Mon, 28 Oct 2019 00:35:03 -0300 (-03)
Received: from myserver.domain.net.br ([127.0.0.1])
        by localhost (myserver.domain.net.br [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id OwOf041tOPEN; Mon, 28 Oct 2019 00:35:02 -0300 (-03)
Received: from localhost (localhost [127.0.0.1])
        by myserver.domain.net.br (Postfix) with ESMTP id BC47C3614CC;
        Mon, 28 Oct 2019 00:35:02 -0300 (-03)
X-Virus-Scanned: amavisd-new at domain.net.br
Received: from myserver.domain.net.br ([127.0.0.1])
        by localhost (myserver.domain.net.br [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id nYMhtXUwb9zJ; Mon, 28 Oct 2019 00:35:02 -0300 (-03)
Received: from WIN-325QVDACF6R (unknown [192.99.188.79])
        by myserver.domain.net.br (Postfix) with ESMTPA id A504C360E61;
        Mon, 28 Oct 2019 00:34:57 -0300 (-03)
From: "Banco Safra." <resgate-safra01@safra.com>
Subject: Aviso Importante Banco Safra,Voce Possui 279.607 Mil Pontos Safra a
 Expirar Dia 31/10/2019,Resgate Seus Pontos e Evite Sua
 =?ISO-8859-1?Q?Expira=E7=E3o.?=
To: acarolina2081@itelefonica.com.br
Content-Type: text/html;
Reply-To: resgate-safra01@safra.com
Date: Mon, 28 Oct 2019 01:42:07 -0200
X-Priority: 3
X-Library: Indy 8.0.25
Message-Id: <20191028033457.A504C360E61@myserver.domain.net.br>
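An added example, not part of the original post: the oldest Received header in the postcat output shows the message entering over authenticated SMTP (`ESMTPA`) from 192.99.188.79 under queue ID A504C360E61, while the deferred ID 1E1E23614A2 only records the later reinjection from 127.0.0.1. Postfix writes `sasl_username=` on the smtpd `client=` line of an authenticated session, so the sketch below takes the origin queue ID from the headers and looks it up in the mail log; the log lines and the account name are constructed placeholders.

```python
import re

# Headers copied from the postcat output in the post (newest hop first).
HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
        by myserver.domain.net.br (Postfix) with ESMTP id BC47C3614CC;
        Mon, 28 Oct 2019 00:35:02 -0300 (-03)
X-Virus-Scanned: amavisd-new at domain.net.br
Received: from WIN-325QVDACF6R (unknown [192.99.188.79])
        by myserver.domain.net.br (Postfix) with ESMTPA id A504C360E61;
        Mon, 28 Oct 2019 00:34:57 -0300 (-03)
From: "Banco Safra." <resgate-safra01@safra.com>
"""

# Constructed smtpd log lines; the account name is a placeholder, not from the post.
LOG = """\
Oct 28 00:34:57 myserver postfix/smtpd[1234]: A504C360E61: client=unknown[192.99.188.79], sasl_method=LOGIN, sasl_username=user@example.invalid
Oct 28 00:35:02 myserver postfix/smtpd[1240]: BC47C3614CC: client=localhost[127.0.0.1]
"""

HOP = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\) "
                 r"by \S+ \(Postfix\) with (?P<proto>\w+) id (?P<qid>\w+);")

def received_hops(raw):
    """Unfold continuation lines and return parsed Received hops, newest first."""
    lines = re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()
    found = (HOP.search(l) for l in lines if l.lower().startswith("received:"))
    return [m.groupdict() for m in found if m]

def origin_hop(raw):
    """The oldest Received header is where the message entered this server."""
    hops = received_hops(raw)
    return hops[-1] if hops else None

def sasl_account(log_text, qid):
    """Return the sasl_username logged by smtpd for this queue ID, or None."""
    pat = re.compile(r"postfix/\S*smtpd\[\d+\]: " + re.escape(qid) +
                     r": client=.*sasl_username=(\S+)")
    for line in log_text.splitlines():
        m = pat.search(line)
        if m:
            return m.group(1)
    return None

if __name__ == "__main__":
    hop = origin_hop(HEADERS)
    print(hop["proto"], hop["ip"], hop["qid"], sasl_account(LOG, hop["qid"]))
```

A `None` result for an `ESMTPA` hop means the matching smtpd line is not in the log text supplied, for example because it has been rotated out.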