How to track down a spike in emails

mmcspadden
Posts: 5
Joined: Tue Jan 25, 2022 4:09 pm

How to track down a spike in emails

Post by mmcspadden »

We are running Zimbra 8.8.15 on Ubuntu Server. We also have the zpush project running on another server for the activesync capabilities if that is relevant. A while ago I identified that our email server would have 1 or two spikes a day where the average email count went from a few hundred to 5-10K and then back down. We do not send this many emails in our company, no mailing lists or sales campaigns going on. I assumed it was being used as a spam server and I changed the admin password, disabled open relay, made sure it was up to date. The spikes seemed to go away for a day or two, and then came back. The server is behind the firewall and is fairly well locked down. My two guesses are that someone in the company is doing something they shouldn't or else there is some issue with the way zimbra counts or some legit service is making it look like a ton of emails went out.

Has anyone run into this before? Is there an easy way to see all the accounts and how many emails they have sent out in like the last 24 hours? I found a CLI option, but it only listed the emails for the accounts one at a time, and there was no way to count the total.

Any help would be appreciated. The screenshot is from today.
Attachment: Screenshot_54.png
vavai
Advanced member
Posts: 174
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Re: How to track down a spike in emails

Post by vavai »

Hi,

Every day Zimbra sends a daily report with statistics to the admin; it contains how many emails were sent and received, who the top senders are, and also statistics per hour. Check it in the zimbra admin mailbox.

You can also generate it by running pflogsumm. pflogsumm ships with zimbra and is usually in the libexec folder.
mmcspadden
Posts: 5
Joined: Tue Jan 25, 2022 4:09 pm

Re: How to track down a spike in emails

Post by mmcspadden »

Hi Vavai,
Thanks for the tip. I found the report, which has some good information, but unfortunately it does not show the same spike. See the screenshot for the 25th. On the graph there is a spike of like 12,000 emails, but in the report it does not even show a hundred emails for the same time period. While I see over 6000 emails from our domain being sent, none of the top senders has more than 100. Any other suggestions? I'm really worried this thing is being used to send spam, but I can't find any evidence other than the spike in emails in the graph. Maybe that is wrong somehow?

Edit - I forgot to include the screenshots.
Attachments: Screenshot_56.png, Screenshot_57.png
mmcspadden
Posts: 5
Joined: Tue Jan 25, 2022 4:09 pm

Re: How to track down a spike in emails

Post by mmcspadden »

*Bump*

Anybody? I'm still seeing these spikes in emails, usually a couple per day where it blasts out several thousand emails at a time. We are not sending these legitimately.
wentum
Advanced member
Posts: 53
Joined: Fri Apr 04, 2014 10:49 am
Location: Pforzheim (Germany)
ZCS/ZD Version: Release 9.0.0.GA.3924 _P30

Re: How to track down a spike in emails

Post by wentum »

mmcspadden wrote:
> *Bump*
>
> Anybody? I'm still seeing these spikes in emails, usually a couple per day where it blasts out several thousand emails at a time. We are not sending these legitimately.
Hello mmcspadden,

maybe pflogsumm will be your friend... (I don't like these graphics things)

Try this one at the command line and it will probably give you some hints: pflogsumm /var/log/mail.log | less

pflogsumm is available in about any distro I know...

HTH
Joerg
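The count the thread is after (every account and how many messages it submitted in a time window, bucketed per hour so the numbers can be lined up against the admin console graph) can be taken straight from the Postfix log that pflogsumm also reads. The script below is an added example written for this thread; it is not part of the thread, of Zimbra or of pflogsumm. It assumes standard syslog-style Postfix lines (on Zimbra they normally land in /var/log/zimbra.log rather than mail.log, so pass whichever file your host writes), and the sample lines embedded in it are constructed, not taken from anyone's server.

```python
"""Attribute a burst of outbound mail to the account that submitted it by
counting Postfix log entries per SASL user, envelope sender, client and hour.
Added example (not from the thread). SAMPLE_LOG is constructed test data."""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample: a normal user, an account blasting 250 recipients per
# message from an outside IP, a local unauthenticated submission and one
# failed SASL login. Not real traffic.
SAMPLE_LOG = """\
Jan 24 08:00:00 mail postfix/smtpd[2000]: 4E0F1A2B3C: client=ws-03.corp.example[10.0.0.3], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 24 08:00:00 mail postfix/qmgr[1999]: 4E0F1A2B3C: from=<alice@example.com>, size=2000, nrcpt=2 (queue active)
Jan 25 09:12:01 mail postfix/smtpd[2101]: 5F1A2B3C4D: client=ws-12.corp.example[10.0.0.12], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 25 09:12:01 mail postfix/qmgr[1999]: 5F1A2B3C4D: from=<alice@example.com>, size=3411, nrcpt=1 (queue active)
Jan 25 13:39:50 mail postfix/smtpd[2105]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jan 25 13:40:02 mail postfix/smtpd[2105]: 6A0B1C2D3E: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 25 13:40:02 mail postfix/qmgr[1999]: 6A0B1C2D3E: from=<bob@example.com>, size=812, nrcpt=250 (queue active)
Jan 25 13:40:03 mail postfix/smtpd[2105]: 6A0B1C2D3F: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 25 13:40:03 mail postfix/qmgr[1999]: 6A0B1C2D3F: from=<bob@example.com>, size=812, nrcpt=250 (queue active)
Jan 25 13:41:00 mail postfix/qmgr[1999]: 7B1C2D3E4F: from=<noreply@app.example.com>, size=512, nrcpt=1 (queue active)
"""

# Syslog prefix; the program tag may be nested (e.g. postfix/smtps/smtpd).
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/(?P<prog>[\w/-]+)\[\d+\]: (?P<rest>.*)$"
)
QID_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{6,}): (?P<body>.*)$")   # short or long queue id
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
CLIENT_RE = re.compile(r"client=(?P<client>[^,\s]+)")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
FAIL_RE = re.compile(r"^warning: (?P<client>\S+): SASL \w+ authentication failed")


def parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def summarize(lines, year, since=None):
    """Count queued messages per SASL user, sender, client and hour.
    Entries older than `since` (a datetime) are skipped."""
    pending = {}   # queue id -> (sasl user, client) from the smtpd line
    seen = set()   # queue ids already counted (a deferred message is re-logged)
    out = {k: Counter() for k in ("messages_by_user", "recipients_by_user",
                                  "messages_by_sender", "messages_by_client",
                                  "messages_by_hour", "auth_failures")}
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        if since is not None and ts < since:
            continue
        fail = FAIL_RE.match(m["rest"])
        if fail:   # failed logins per client: a brute-force precursor to a burst
            out["auth_failures"][fail["client"]] += 1
            continue
        q = QID_RE.match(m["rest"])
        if not q:
            continue
        qid, body, prog = q["qid"], q["body"], m["prog"]
        if prog.endswith("smtpd"):
            u, c = SASL_RE.search(body), CLIENT_RE.search(body)
            pending[qid] = (u["user"] if u else None, c["client"] if c else None)
        elif prog.endswith("qmgr") and qid not in seen:
            fm = FROM_RE.search(body)
            if not fm:
                continue
            seen.add(qid)
            user, client = pending.pop(qid, (None, None))
            ukey = user or "(unauthenticated)"   # local pickup or relay by IP
            out["messages_by_user"][ukey] += 1
            out["recipients_by_user"][ukey] += int(fm["nrcpt"])
            out["messages_by_sender"][fm["sender"] or "<>"] += 1
            out["messages_by_client"][client or "(local/relay by IP)"] += 1
            out["messages_by_hour"][ts.strftime("%b %d %H:00")] += 1
    return out


def suspicious(summary, max_messages=200, max_recipients=1000):
    """Accounts whose message or recipient total exceeds the window limits."""
    return sorted(u for u, n in summary["messages_by_user"].items()
                  if n > max_messages or summary["recipients_by_user"][u] > max_recipients)


def report(summary, top=10):
    for key in ("messages_by_user", "recipients_by_user", "messages_by_client",
                "messages_by_hour", "auth_failures"):
        print(f"== {key} ==")
        for name, n in summary[key].most_common(top):
            print(f"{n:8d}  {name}")
    print("over limits:", suspicious(summary))


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 count_senders.py /var/log/zimbra.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report(summarize(lines, datetime.now().year))
```

Two buckets matter most when chasing a spike like the one in this thread. The per-SASL-user counts catch a single compromised login that spreads its traffic over many envelope From addresses, which a top-senders list keyed on envelope address (as pflogsumm's is) would not show as one large sender. The "(unauthenticated)" bucket, together with the client column, is where an internal host or web application relaying by IP shows up, which is how a burst can appear on the server without belonging to any user account at all.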