Newbie, here.
Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
Successfully performed an in-place upgrade from Community (v8.8) to Enterprise ZCS (v9.0) two months ago.
I have had constant DDoS and SPAM attacks on the ZCS server.
Gotten blacklisted by several organizations, several times.
Help! Please.
Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
Two things to start with: have you checked if your server is an open relay; have you checked if your server (or LAN) has been hacked? Have you also checked the log files to see any suspicious activity on your server? What research have you done to find the 'culprit' on your server or internal network?
Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
Via https://mxtoolbox.com, I checked whether the server is an open relay:
Test results state "Not an open relay"
Test: Result
SMTP Banner Check: Reverse DNS does not match SMTP Banner
SMTP Reverse DNS Mismatch: OK - 123.123.123.125 resolves to myemaildomain.net
SMTP Valid Hostname: OK - Reverse DNS is a valid Hostname
SMTP TLS: OK - Supports TLS.
SMTP Connection Time: 0.281 seconds - Good on Connection time
SMTP Open Relay: OK - Not an open relay.
SMTP Transaction Time: 0.826 seconds - Good on Transaction Time
Server does not appear to be hacked.
I will check logs now.
Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
As a newbie....
What are some telltale signs in logs?
Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
Located the culprit in the /var/log/zimbra.log file:
Jun 7 03:41:04 emailserver amavis[23502]: (23502-10) Checking: BzMdnRnP-50a ORIGINATING [92.38.149.172] <support@myemaildomain.net> -> <romania@ksp.com>
Jun 7 03:41:04 emailserver postfix/smtps/smtpd[37439]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<dolgov@pinro.ru> proto=ESMTP helo=<us75.seed4.me>
Jun 7 03:41:04 emailserver postfix/smtps/smtpd[37439]: C64B720D798CB: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net
Jun 7 03:41:04 emailserver amavis[23502]: (23502-10) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [92.38.149.172]:55000 [92.38.149.172] <support@myemaildomain.net> -> <romania@ksp.com>, Queue-ID: 4A36B20DB1DF3, Message-ID: <20210607070838.D201D693D8D5AB78@myemaildomain.net>, mail_id: BzMdnRnP-50a, Hits: -, size: 9111, queued_as: C195720A76C13, 453 ms
Jun 7 03:41:04 emailserver amavis[23502]: (23502-11) Checking: 9kuxxXeLCKYW ORIGINATING [92.38.149.172] <support@myemaildomain.net> -> <saudiarabia@ksp.com>
Jun 7 03:41:05 emailserver amavis[23502]: (23502-11) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [92.38.149.172]:54958 [92.38.149.172] <support@myemaildomain.net> -> <saudiarabia@ksp.com>, Queue-ID: 4CF1820C387E8, Message-ID: <20210607070847.D0536A4932DED9B1@myemaildomain.net>, mail_id: 9kuxxXeLCKYW, Hits: -, size: 9139, queued_as: 0958E20A15580, 244 ms
Jun 7 03:41:05 emailserver amavis[23502]: (23502-11-2) Checking: sZhI6cdYJdrt ORIGINATING [92.38.149.172] <support@myemaildomain.net> -> <southkorea@ksp.com>
Jun 7 03:41:05 emailserver amavis[23502]: (23502-11-2) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [92.38.149.172]:55075 [92.38.149.172] <support@myemaildomain.net> -> <southkorea@ksp.com>, Queue-ID: 4D69A20DB1DF7, Message-ID: <20210607070847.D13C8494EA7ED524@myemaildomain.net>, mail_id: sZhI6cdYJdrt, Hits: -, size: 9141, queued_as: 4786B20C387E8, 250 ms
Jun 7 03:41:05 emailserver postfix/smtps/smtpd[923]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<kalastyle@kalastyle.com> proto=ESMTP helo=<us75.seed4.me>
Jun 7 03:41:05 emailserver postfix/smtps/smtpd[923]: 66E4220DA8427: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net
Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2622]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<jessica@titouhospitality.com> proto=ESMTP helo=<us75.seed4.me>
Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2622]: CB07120DB1DC0: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net
Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2654]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<hbo@niva.no> proto=ESMTP helo=<us75.seed4.me>
Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2654]: EE17E20DB1DC4: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net
Jun 7 03:41:06 emailserver amavis[24204]: (24204-04) Passed CLEAN {RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:38798 [92.38.149.172] <support@myemaildomain.net> -> <pharmameet@memeetings.com>, Queue-ID: F404A20DB1DEF, Message-ID: <20210607053826.6E13D708CC8FD469@myemaildomain.net>, mail_id: I5vWQPHYz7Em, Hits: -97.74, size: 9772, queued_as: 0524120DB1DC5, 3978 ms
Jun 7 03:41:06 emailserver postfix/smtps/smtpd[37439]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<dmagas@deloitte.com> proto=ESMTP helo=<us75.seed4.me>
Jun 7 03:41:06 emailserver postfix/smtps/smtpd[37439]: 7F44A20DB1DCC: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net
There are 100k entries like these.
I'm not yet sure what to do besides changing the password for our user, email-user@myemaildomain.net.
I changed the password. I need to protect against recurrence.
Let me know if you have additional suggestions.
Thanks for your help.
- axslingr
- Outstanding Member
- Posts: 256
- Joined: Sat Sep 13, 2014 2:20 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18
Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
Definitely change the account password, then implement Zimbra's DoSFilter, Fail2ban, and cbpolicyd for rate limiting.
https://www.missioncriticalemail.com/20 ... -together/
https://www.missioncriticalemail.com/20 ... sion-only/
https://wiki.zimbra.com/wiki/Cluebringer_Policy_Daemon
Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails
After reviewing zimbra.log, I provided some log excerpts to tech support.
They provided the following wiki articles:
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
[the next one essentially repeats above article]
http://wiki.zimbra.com/wiki/Rejecting_f ... _addresses
These steps resolved our issue.
Thanks for the suggestions. They were essential to tracking down and resolving the problem.
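The two telltale signs this thread turns on are visible in the zimbra.log excerpt above: the smtpd "client=" lines show a SASL login (sasl_username=email-user@...) that does not match the envelope sender on the matching "NOQUEUE: filter: RCPT" lines (from=<support@...>), and one client IP pushes a very large recipient count. The script below is an added example, not code from the thread or from Zimbra: it parses those two Postfix smtpd line types, groups them per client IP, and reports sender/login mismatches and recipient volume over a threshold. That is the same condition the "Enforcing a match between FROM address and sasl username" approach makes the MTA reject at SMTP time, applied here after the fact to the log for triage. The sample lines, host names and documentation-range IPs (192.0.2.10, 198.51.100.7) are constructed; the regexes, threshold and the `smtps` service name in the pattern are my assumptions about the log format shown above.

```python
import re
from collections import defaultdict

# Postfix smtpd lines as they appear in the zimbra.log excerpt above. The service
# name ("postfix/smtps/smtpd" vs "postfix/smtpd") varies by listener, so the
# middle component is optional. Assumed format, based only on the excerpt.
RCPT_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[(\d+)\]: NOQUEUE: filter: RCPT from \S+\[([0-9a-fA-F.:]+)\]: "
    r".*?from=<([^>]*)> to=<([^>]*)>"
)
AUTH_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[(\d+)\]: [0-9A-F]+: client=\S+\[([0-9a-fA-F.:]+)\], "
    r"sasl_method=\w+, sasl_username=(\S+)"
)


def parse(log_text):
    """Split a zimbra.log excerpt into RCPT events and SASL auth events."""
    rcpt_events, auth_events = [], []  # (pid, ip, sender, rcpt) / (pid, ip, user)
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if m:
            pid, ip, sender, rcpt = m.groups()
            rcpt_events.append((pid, ip, sender.lower(), rcpt.lower()))
            continue
        m = AUTH_RE.search(line)
        if m:
            pid, ip, user = m.groups()
            auth_events.append((pid, ip, user.lower()))
    return rcpt_events, auth_events


def summarize_by_ip(rcpt_events, auth_events):
    """Per client IP: how many RCPT commands, to how many distinct recipients,
    claiming which envelope senders, after logging in as which SASL users."""
    by_ip = defaultdict(lambda: {"rcpt_count": 0, "recipients": set(),
                                 "senders": set(), "sasl_users": set()})
    for _pid, ip, sender, rcpt in rcpt_events:
        s = by_ip[ip]
        s["rcpt_count"] += 1
        s["recipients"].add(rcpt)
        s["senders"].add(sender)
    for _pid, ip, user in auth_events:
        by_ip[ip]["sasl_users"].add(user)
    return by_ip


def accounts_by_client(auth_events):
    """Which SASL account authenticated from which client IPs; one mailbox
    logging in from many unrelated IPs is the other sign worth checking."""
    accounts = defaultdict(set)
    for _pid, ip, user in auth_events:
        accounts[user].add(ip)
    return dict(accounts)


def analyze(log_text, rcpt_threshold=10):
    """Return the findings a defender would act on, one dict per finding."""
    by_ip = summarize_by_ip(*parse(log_text))
    findings = []
    for ip in sorted(by_ip):
        s = by_ip[ip]
        # Authenticated session whose envelope sender is not the login identity:
        # the pattern in the thread (login email-user@, sender support@).
        mismatched = sorted(x for x in s["senders"] if x not in s["sasl_users"])
        if s["sasl_users"] and mismatched:
            findings.append({"ip": ip, "issue": "sender_login_mismatch",
                             "senders": mismatched,
                             "sasl_users": sorted(s["sasl_users"])})
        # One client driving a recipient count no normal mailbox user produces.
        if s["rcpt_count"] >= rcpt_threshold:
            findings.append({"ip": ip, "issue": "recipient_volume",
                             "rcpt_count": s["rcpt_count"],
                             "distinct_recipients": len(s["recipients"])})
    return findings


# ---- constructed sample log, modelled on the excerpt in the thread ----------
def _rcpt_line(pid, host, ip, sender, rcpt):
    return (f"Jun  7 03:41:05 emailserver postfix/smtps/smtpd[{pid}]: NOQUEUE: filter: "
            f"RCPT from {host}[{ip}]: <{sender}>: Sender address triggers FILTER "
            f"smtp-amavis:[127.0.0.1]:10026; from=<{sender}> to=<{rcpt}> "
            f"proto=ESMTP helo=<{host}>")


def _auth_line(pid, host, ip, user):
    return (f"Jun  7 03:41:05 emailserver postfix/smtps/smtpd[{pid}]: 66E4220DA8427: "
            f"client={host}[{ip}], sasl_method=LOGIN, sasl_username={user}")


_SAMPLE_LINES = []
for _i in range(12):  # abusive client: logs in as email-user@, sends as support@
    _SAMPLE_LINES.append(_rcpt_line(923, "vpn-exit.example", "192.0.2.10",
                                    "support@myemaildomain.net", f"target{_i}@example.org"))
    _SAMPLE_LINES.append(_auth_line(923, "vpn-exit.example", "192.0.2.10",
                                    "email-user@myemaildomain.net"))
# legitimate user: login identity and envelope sender agree, one recipient
_SAMPLE_LINES.append(_rcpt_line(2622, "laptop.example", "198.51.100.7",
                                "alice@myemaildomain.net", "bob@example.com"))
_SAMPLE_LINES.append(_auth_line(2622, "laptop.example", "198.51.100.7",
                                "alice@myemaildomain.net"))
SAMPLE_LOG = "\n".join(_SAMPLE_LINES)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On a real server the same functions can be fed the output of `grep 'postfix/' /var/log/zimbra.log`; the per-IP grouping is deliberate, because a compromised account's password can be changed but the client keeps the session pattern, which is what the rate-limiting tools recommended earlier in the thread key on.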