Hello everyone, the service I use as a relay tells me that hundreds of emails have been arriving from my mail server for a few days, so I went to see the logs and found the following:
Jan 26 16:55:52 mail postfix/smtp[2643]: 7B3FD2EE06B8: to=<zimbra@mymailserveronpublicdns.com>, relay=www.relayservices.com[11.22.33.44]:25, delay=0.5, delays=0.03/0/0.33/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E03024C2B4)
I can't figure out how to block this anomaly. The server is working fine, but the relay service provider rightly asks me to fix ...
Thank you.
Abnormal sending of mail from zimbra @
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Abnormal sending of mail from zimbra @
Does this help at all?
Code:
grep -i RelayedOutbound /var/log/zimbra.log | grep -v dkim_s | awk '{printf "sender %s recipients: %s\n",$14,$16}'
It should give you a list of recipient names per sender. Look for a lot of recipients from the same account.
Another technique is to look for bounces per sender. Focus on accounts with a high number of bounces.
I found another tool that I must have written (can't remember doing that now), but it takes your users and tells you how many emails they sent. I set it to a single log for you, but if you look at the line that says for (glob you can have it look at all your logs over a week or so.
Code:
cat totalEmail.pl
#!/usr/bin/perl
# Count outbound recipients per sender from the amavis RelayedOutbound lines
# in zimbra.log. Run it on the MTA host as a user that can read /var/log.
use strict;
use warnings;

my %sender_list = ();   # sender address => total recipients

chdir "/var/log" or die "Can't chdir to /var/log: $!\n";

# Only today's log by default; switch to the commented-out glob to include
# the rotated (gzipped) logs from the last week or so.
#for (glob 'zimbra.log*')
for (glob 'zimbra.log')
{
    my $in;
    if (/\.gz$/)
    {
        # rotated logs are compressed; read them through zcat (list form, no shell)
        open ($in, '-|', 'zcat', $_)
            or die("Can't open pipe from command 'zcat $_': $!\n");
    }
    else
    {
        open ($in, '<', $_)
            or die("Can't open $_: $!\n");
    }
    while (<$in>)
    {
        next unless m#RelayedOutbound#;
        # each message is logged twice (first via clamav, then dkim signed);
        # only count the first copy
        next if m#dkim_s#;
        # line looks like: ... <sender> -> <rcpt1>,<rcpt2>, Queue-ID: ...
        my ($sender, $recipients) = m#[^<]+<([^>]+)>[^<]+(.*)\s+Queue-ID#;
        next unless defined $sender;
        # every recipient is followed by a comma (including the last one),
        # so the comma count is the recipient count
        my $recipcnt = ($recipients =~ tr/,/,/);
        $sender_list{$sender} += $recipcnt;
    }
    close ($in);
}

# print out totals per sender, busiest first
printSenders();

sub printSenders
{
    for my $sender (sort {$sender_list{$b} <=> $sender_list{$a}} keys %sender_list)
    {
        print "$sender sent: $sender_list{$sender}\n";
    }
}
HTH,
Jim
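Both of Jim's suggestions (recipients per sender, and bounces per sender) in one script, as an added example that is not part of the original post or of Zimbra. It runs over constructed log lines written in the stock amavis RelayedOutbound and Postfix qmgr/smtp syslog shapes; the placement of the dkim_s marker, the field layout and the thresholds are assumptions, so tune them against your own baseline. The bounce count is attributed to a sender by joining the Postfix queue ID from the qmgr from=<...> line with the later status=bounced line, which a one-line grep over the amavis lines cannot do.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the stock amavis / Postfix
# syslog shape. alice sends one mail to one recipient, logged twice (the second
# copy carries the dkim_s marker, whose exact position is an assumption);
# webmail@ fans out to eight recipients and three of those deliveries bounce.
SAMPLE_LOG = """\
Jan 26 16:55:50 mail amavis[1234]: (01234-01) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1]:45678 [127.0.0.1] <alice@example.com> -> <bob@example.net>, Queue-ID: AAA111, Message-ID: <1@example.com>, mail_id: x1, Hits: -0.1, size: 1234, queued_as: BBB111, 120 ms
Jan 26 16:55:51 mail amavis[1234]: (01234-02) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1]:45679 [127.0.0.1] <alice@example.com> -> <bob@example.net>, Queue-ID: BBB111, Message-ID: <1@example.com>, mail_id: x2, Hits: -0.1, size: 1234, queued_as: CCC111, 80 ms, dkim_s
Jan 26 16:55:51 mail postfix/qmgr[2001]: CCC111: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Jan 26 16:55:52 mail postfix/smtp[2643]: CCC111: to=<bob@example.net>, relay=www.relayservices.com[11.22.33.44]:25, delay=0.5, delays=0.03/0/0.33/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E03024C2B4)
Jan 26 16:56:01 mail amavis[1235]: (01235-01) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1]:45680 [127.0.0.1] <webmail@example.com> -> <u1@x.test>,<u2@x.test>,<u3@x.test>,<u4@x.test>, Queue-ID: AAA222, Message-ID: <2@example.com>, mail_id: x3, Hits: 2.1, size: 4321, queued_as: BBB222, 130 ms
Jan 26 16:56:01 mail postfix/qmgr[2001]: BBB222: from=<webmail@example.com>, size=4321, nrcpt=4 (queue active)
Jan 26 16:56:02 mail postfix/smtp[2643]: BBB222: to=<u1@x.test>, relay=www.relayservices.com[11.22.33.44]:25, delay=0.5, delays=0.03/0/0.33/0.13, dsn=5.1.1, status=bounced (host www.relayservices.com[11.22.33.44] said: 550 5.1.1 User unknown)
Jan 26 16:56:02 mail postfix/smtp[2643]: BBB222: to=<u2@x.test>, relay=www.relayservices.com[11.22.33.44]:25, delay=0.5, delays=0.03/0/0.33/0.13, dsn=5.1.1, status=bounced (host www.relayservices.com[11.22.33.44] said: 550 5.1.1 User unknown)
Jan 26 16:56:03 mail amavis[1235]: (01235-02) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1]:45681 [127.0.0.1] <webmail@example.com> -> <u5@x.test>,<u6@x.test>,<u7@x.test>,<u8@x.test>, Queue-ID: AAA333, Message-ID: <3@example.com>, mail_id: x4, Hits: 2.1, size: 4321, queued_as: BBB333, 130 ms
Jan 26 16:56:03 mail postfix/qmgr[2001]: BBB333: from=<webmail@example.com>, size=4321, nrcpt=4 (queue active)
Jan 26 16:56:04 mail postfix/smtp[2643]: BBB333: to=<u5@x.test>, relay=www.relayservices.com[11.22.33.44]:25, delay=0.5, delays=0.03/0/0.33/0.13, dsn=5.1.1, status=bounced (host www.relayservices.com[11.22.33.44] said: 550 5.1.1 User unknown)
"""

# amavis: "... {RelayedOutbound}, ... <sender> -> <rcpt1>,<rcpt2>, Queue-ID: ..."
RELAYED_RE = re.compile(
    r"RelayedOutbound.*?<(?P<sender>[^>]*)> -> (?P<rcpts>(?:<[^>]*>,?)+)")
# postfix/qmgr: "QUEUEID: from=<sender>, size=..., nrcpt=N (queue active)"
QMGR_FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
# postfix delivery agents: "QUEUEID: to=<rcpt>, relay=..., status=sent|bounced|deferred"
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|lmtp|error|local)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")


def analyse(lines):
    """Return (recipients_per_sender, bounces_per_sender) Counters."""
    recipients = Counter()   # sender -> total recipients across all messages
    bounces = Counter()      # sender -> deliveries that ended in status=bounced
    qid_sender = {}          # postfix queue id -> envelope sender (from qmgr)
    for line in lines:
        if "RelayedOutbound" in line:
            if "dkim_s" in line:          # second log copy of the same message
                continue
            m = RELAYED_RE.search(line)
            if m:
                rcpts = [r for r in m.group("rcpts").split(",") if r]
                recipients[m.group("sender")] += len(rcpts)
            continue
        m = QMGR_FROM_RE.search(line)
        if m:
            qid_sender[m.group("qid")] = m.group("sender")
            continue
        m = DELIVERY_RE.search(line)
        if m and m.group("status") == "bounced":
            # attribute the bounce to whoever queued the message (<> if unknown)
            bounces[qid_sender.get(m.group("qid"), "<unknown>")] += 1
    return recipients, bounces


def suspicious(recipients, bounces, max_recipients=50, max_bounces=5):
    """Accounts over either threshold, as {sender: (recipients, bounces)}."""
    flagged = {}
    for sender in set(recipients) | set(bounces):
        if recipients[sender] > max_recipients or bounces[sender] > max_bounces:
            flagged[sender] = (recipients[sender], bounces[sender])
    return flagged


if __name__ == "__main__":
    import sys
    # pass /var/log/zimbra.log as the first argument to run on a real log
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    rc, bc = analyse(lines)
    for sender, (r, b) in sorted(suspicious(rc, bc, 5, 2).items(),
                                 key=lambda kv: -kv[1][0]):
        print(f"{sender}: {r} recipients, {b} bounces")
```

A compromised account usually shows up on both axes at once (many recipients and many bounces from dead addresses), so a sender that trips only one threshold is worth a second look before suspending it; a legitimate mailing list trips the recipient count, a misconfigured forward trips the bounce count.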
Re: Abnormal sending of mail from zimbra @
Thanks Jim, but is there a way to stop this constant sending of these emails by this sender? I tried stopping the services several times and also restarting the server, but it didn't help ....
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Abnormal sending of mail from zimbra @
Other than suspending the account? I guess you could lower the max recipient threshold they are using per send if there are multiple recipients which would stop delivery.
Perhaps I don't understand the question. I was thinking you had a compromised account and the outgoing email was unauthorized.
If it is going to the same address, you could use a transport map and discard it for the recipient with something like this:
Code:
user@somedomain.com discard
If you still want to deliver them but batch them up for single-connection delivery vs real-time, send it through another relay (any $3-5/month VPS can do the job). Add relay:port instead of discard above. I do that for some customers who like to forward email and their company email server doesn't like us sending too fast. I deliver them over to a sendmail relay and then have cron clean out the queues every 15 mins. That relay will then push all the queued email with a single connection.
Your Zimbra solution would probably be to configure policyd and rate limit or other.
Ref: https://serverfault.com/questions/93457 ... ch-account
Just throwing ideas out in case one of them makes sense for your environment.
Jim
Re: Abnormal sending of mail from zimbra @
I was searching and came across your thread here..... I am having a similar issue; however, I am a home user with my own Zimbra server and I have noticed 1000s of emails leaving the server from time to time. This should NOT happen. Admittedly I have a few IoT devices, and I was wondering if I can allow on an IP-by-IP basis what can send through my Zimbra server. This is what I have in my MTA trusted networks: 127.0.0.0/8 10.0.0.112/32
Re: Abnormal sending of mail from zimbra @
I am still looking for an answer here. My server should ONLY send about 25 emails per week, but I am seeing almost 1000 per day. All of the web tools I can find are telling me I am NOT an open relay, yet Zabbix is telling me otherwise. Any help is appreciated.