Abnormal sending of mail from zimbra @

vsparacio
Posts: 3
Joined: Mon Jan 24, 2022 3:22 pm

Abnormal sending of mail from zimbra @

Post by vsparacio »

Hello everyone, the service I use as a relay tells me that hundreds of emails have been arriving from my mail server for a few days, so I went to see the logs and found the following:

Jan 26 16:55:52 mail postfix/smtp[2643]: 7B3FD2EE06B8: to=<zimbra@mymailserveronpublicdns.com>, relay=www.relayservices.com[11.22.33.44]:25, delay=0.5, delays=0.03/0/0.33/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E03024C2B4)

I can't figure out how to block this anomaly. The server is working fine, but the relay service provider rightly asks me to fix it ...

Thank you.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Abnormal sending of mail from zimbra @

Post by JDunphy »

Does this help at all?

Code:

grep -i RelayedOutbound /var/log/zimbra.log | grep -v dkim_s | awk '{printf "sender %s recipients: %s\n",$14,$16}'
It should give you a list of recipient names per sender. Look for a lot of recipients from the same account.

Another technique is to look for bounces per sender. Focus on accounts with high number of bounces.

I found another tool that I must have written (can't remember doing that now), but it takes your users and tells you how many emails they sent. I set it to a single log for you, but if you look at the line that says for (glob you can have it look at all your logs over a week or so.

Code:

cat totalEmail.pl
#!/usr/bin/perl
# Count outbound recipients per sender from the amavis RelayedOutbound lines in zimbra.log.
use strict;
use warnings;

my %sender_list = ();  # sender address => total recipients

chdir "/var/log" or die "Can't chdir to /var/log: $!\n";
#for my $file (glob 'zimbra.log*')   # uncomment to walk the rotated logs too (a week or so)
for my $file (glob 'zimbra.log')
{
  #print "***** Opening file $file","\n";

  # zimbra.log is always today's stuff; the rotated copies are gzipped
  my $in;
  if ($file eq 'zimbra.log')
  {
     open ($in, '<', $file)
       or die("Can't open '$file': $!\n");
  }
  else
  {
     open ($in, '-|', 'zcat', $file)
       or die("Can't open pipe from command 'zcat $file': $!\n");
  }

  while (<$in>)
  {
    if (m#RelayedOutbound#)
    {
      next if (m#dkim_s#);    # messages are listed twice (first via clamav, then dkim signed)

      my ($sender, $recipients) = m#[^<]+<([^>]+)>[^<]+(.*)\s+Queue-ID#;
      next unless defined $sender;               # line doesn't have the expected layout
      my $recipcnt = ($recipients =~ tr/,/,/);   # every recipient is followed by a comma
      $sender_list{$sender} += $recipcnt;        # count number of recipients

      #print "sender $sender, recipients $recipients count: $sender_list{$sender}\n";
    }
  }
  close ($in);
}

# print out totals per sender, busiest first
printSenders();

sub printSenders
{
   for my $sender (sort {$sender_list{$b} <=> $sender_list{$a}} keys %sender_list)
   {
      print "$sender sent: $sender_list{$sender}\n";
   }
}
HTH,

Jim
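The two checks Jim describes above (recipients per sender from the RelayedOutbound lines, and bounces per sender) combined into one script, as an added example that is not from the thread or from Zimbra. The log lines are constructed to match the amavis and postfix/smtp layouts shown in the thread; the thresholds and the "dkim_s" marker placement are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not a real capture) in the shape of the amavis
# RelayedOutbound and postfix/smtp entries discussed in the thread. Assumed
# layout: "<sender> -> <rcpt>,<rcpt>, Queue-ID: ID", every recipient followed
# by a comma, and the DKIM re-injection pass marked with "dkim_s".
SAMPLE_LOG = """\
Jan 26 16:55:50 mail amavis[2600]: (02600-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [10.0.0.5]:51000 [10.0.0.5] <alice@example.test> -> <b1@example.org>,<b2@example.org>,<b3@example.org>, Queue-ID: AAA111, Message-ID: <m1@example.test>, mail_id: x1
Jan 26 16:55:50 mail amavis[2600]: (02600-02) Passed CLEAN {RelayedOutbound}, dkim_s ORIGINATING LOCAL [10.0.0.5]:51001 [10.0.0.5] <alice@example.test> -> <b1@example.org>,<b2@example.org>,<b3@example.org>, Queue-ID: AAA112, Message-ID: <m1@example.test>, mail_id: x1
Jan 26 16:55:51 mail postfix/smtp[2643]: AAA111: to=<b1@example.org>, relay=www.relayservices.com[11.22.33.44]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E03024C2B4)
Jan 26 16:55:51 mail postfix/smtp[2643]: AAA111: to=<b2@example.org>, relay=www.relayservices.com[11.22.33.44]:25, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Jan 26 16:55:51 mail postfix/smtp[2643]: AAA111: to=<b3@example.org>, relay=www.relayservices.com[11.22.33.44]:25, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Jan 26 16:56:02 mail amavis[2600]: (02600-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [10.0.0.7]:51002 [10.0.0.7] <carol@example.test> -> <d1@example.net>, Queue-ID: BBB222, Message-ID: <m2@example.test>, mail_id: x2
Jan 26 16:56:03 mail postfix/smtp[2643]: BBB222: to=<d1@example.net>, relay=www.relayservices.com[11.22.33.44]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E03024C2B5)
"""

RELAYED = re.compile(r"\{RelayedOutbound\}.*?<([^>]+)> -> (.*?)\s+Queue-ID: (\w+)")
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]+>.*?status=(\w+)")


def summarize(log_text):
    """Per sender: messages, recipients and bounced deliveries (joined on queue id)."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "bounced": 0})
    sender_of = {}  # postfix queue id -> sender, so delivery lines can be attributed
    for line in log_text.splitlines():
        m = RELAYED.search(line)
        if m:
            if "dkim_s" in line:  # the DKIM-signing pass logs the same message again
                continue
            sender, rcpts, qid = m.groups()
            sender_of[qid] = sender
            stats[sender]["messages"] += 1
            stats[sender]["recipients"] += rcpts.count(",")  # one comma per recipient
            continue
        d = DELIVERY.search(line)
        if d and d.group(2) == "bounced" and d.group(1) in sender_of:
            stats[sender_of[d.group(1)]]["bounced"] += 1
    return dict(stats)


def flag_senders(stats, max_recipients=100, max_bounces=10):
    """Senders over either threshold (the thresholds are assumed; tune them per site)."""
    return sorted(s for s, v in stats.items()
                  if v["recipients"] > max_recipients or v["bounced"] > max_bounces)


if __name__ == "__main__":
    for sender, v in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{sender}: {v['messages']} message(s), {v['recipients']} recipient(s), {v['bounced']} bounced")
```

Run it against `/var/log/zimbra.log` by reading the file into `summarize()` instead of `SAMPLE_LOG`; a sender that tops both the recipient and bounce lists is the account to look at first.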
vsparacio
Posts: 3
Joined: Mon Jan 24, 2022 3:22 pm

Re: Abnormal sending of mail from zimbra @

Post by vsparacio »

Thanks Jim, but is there a way to stop this constant sending of these emails by this sender? I tried to stop the services several times and also to restart the server, but it didn't help ....
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Abnormal sending of mail from zimbra @

Post by JDunphy »

Other than suspending the account? I guess you could lower the max recipient threshold they are using per send if there are multiple recipients which would stop delivery.

Perhaps I don't understand the question. I was thinking you had a compromised account and the outgoing email was unauthorized.
If it is going to the same address, you could use a transport map and discard it for that recipient with something like this:

Code:

user@somedomain.com  discard
If you still want to deliver them but batch them up for single connection delivery vs real-time, send it through another relay (any $3-5/month VPS can do the job). Add relay:port instead of discard above. I do that for some customers who like to forward email and their company email server doesn't like us sending too fast. I deliver them over to a sendmail relay and then have cron clean out the queues every 15 mins. That relay will then push all the queued email with a single connection.

Your Zimbra solution would probably be to configure policyD and rate limit, or similar.
Ref: https://serverfault.com/questions/93457 ... ch-account

Just throwing ideas out in case one of them makes sense for your environment.

Jim
JoeAshley
Posts: 9
Joined: Sat Jan 25, 2020 7:07 pm

Re: Abnormal sending of mail from zimbra @

Post by JoeAshley »

I was searching and came across your thread here..... I am having a similar issue; however, I am a home user with my own Zimbra server and I have noticed 1000s of emails leaving the server from time to time. This should NOT happen. Admittedly I have a few IoT devices, and I was wondering if I can allow on an IP by IP basis what can send through my Zimbra server. This is what I have in my MTA trusted networks: 127.0.0.0/8 10.0.0.112/32
JoeAshley
Posts: 9
Joined: Sat Jan 25, 2020 7:07 pm

Re: Abnormal sending of mail from zimbra @

Post by JoeAshley »

I am still looking for an answer here. My server should ONLY send about 25 emails per week, but I am seeing almost 1000 per day. All of the web tools I can find are telling me I am NOT an open relay, yet Zabbix is telling me otherwise. Any help is appreciated.