Hi friends,
If I repeat a similar post, please bear with me. I did search a few times and couldn't see a similar problem asked before.
I have a Zimbra server: Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P14.
Recently I found a compromised account on my server and I deleted the mailbox. After that I'm still getting attacked in a different way.
About 20+ emails are sent every 5 min from random email IDs (the domain is my own domain), e.g. 12344@mydomain.com, 224342@mydomain.com, etc.
When I query the sasl_auth name, I can't find it; it is empty. I have already done the remedies below, with no luck whatsoever:
Enforcing a match between FROM address and sasl username
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
my_network only contains the server network IP address
https://wiki.zimbra.com/wiki/Compromise ... _spam_mail
Any help with this is much appreciated.
spam issue every 5min from random email ids+@mydomain.com
Re: spam issue every 5min from random email ids+@mydomain.com
You need to upgrade your ZCS version and never run older versions of software. Your system has probably been exploited; do an internet search for this (and read the details of this exploit):
zimbra compromised server bot
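
One way to triage the symptom described in the first post (senders at the local domain with an empty SASL username), as an added example that is not part of the thread: correlate Postfix queue IDs to see where such messages enter the server. The log lines are constructed samples in standard Postfix syslog format, and the function names are illustrative; on a real system the input would be the Postfix log (assumed here to be /var/log/zimbra.log).

```python
import re
from collections import Counter

# Constructed sample lines in standard Postfix syslog format (not from the poster's server).
SAMPLE_LOG = """\
Mar  1 10:00:01 mail postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@mydomain.com
Mar  1 10:00:01 mail postfix/qmgr[900]: 3A1B2C4D5E: from=<alice@mydomain.com>, size=1200, nrcpt=1 (queue active)
Mar  1 10:05:02 mail postfix/smtpd[2102]: 4B2C3D5E6F: client=localhost[127.0.0.1]
Mar  1 10:05:02 mail postfix/qmgr[900]: 4B2C3D5E6F: from=<12344@mydomain.com>, size=3400, nrcpt=20 (queue active)
Mar  1 10:10:03 mail postfix/pickup[1500]: 5C3D4E6F7A: uid=999 from=<224342@mydomain.com>
Mar  1 10:10:03 mail postfix/qmgr[900]: 5C3D4E6F7A: from=<224342@mydomain.com>, size=3300, nrcpt=20 (queue active)
Mar  1 10:12:00 mail postfix/smtpd[2103]: 6D4E5F7A8B: client=mx.example.net[198.51.100.9]
Mar  1 10:12:00 mail postfix/qmgr[900]: 6D4E5F7A8B: from=<bob@example.net>, size=900, nrcpt=1 (queue active)
"""

# service name (last path component), queue ID, remainder of the log message
LINE = re.compile(r"postfix/(?:[\w-]+/)*(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")

def unauthenticated_local_senders(log_text, domain):
    """Return {queue_id: (sender, origin)} for mail claiming `domain` with no SASL login."""
    origin, authed, sender = {}, set(), {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        service, qid, rest = m.groups()
        if service == "smtpd" and rest.startswith("client="):
            origin[qid] = rest.split(",")[0]            # e.g. client=localhost[127.0.0.1]
            if "sasl_username=" in rest:
                authed.add(qid)                         # submitted with a login
        elif service == "pickup" and rest.startswith("uid="):
            origin[qid] = "local sendmail, " + rest.split()[0]  # injected by a local process
        elif service == "qmgr" and rest.startswith("from=<"):
            sender[qid] = rest[6:rest.index(">")]       # envelope sender
    suffix = "@" + domain.lower()
    return {q: (s, origin.get(q, "unknown"))
            for q, s in sender.items()
            if s.lower().endswith(suffix) and q not in authed}

def summarize(findings):
    """Count suspicious messages per entry point (client address or local uid)."""
    return Counter(o for _, o in findings.values())

if __name__ == "__main__":
    for entry, count in summarize(unauthenticated_local_senders(SAMPLE_LOG, "mydomain.com")).items():
        print(count, entry)
```

Mail re-injected by a content filter gets a new queue ID from 127.0.0.1 and will also show up as unauthenticated, so exclude that listener when reading the result. A `pickup` entry with a local uid means the message was injected by a process on the server itself rather than over SMTP.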