Determining the origin of SPAM

eaperezh
Advanced member
Posts: 86
Joined: Fri Sep 12, 2014 10:05 pm


Post by eaperezh »

Good day. Today one of our systems got 90k+ spam emails and the corresponding bounces, etc., etc.
I have implemented fail2ban and it is working very well (I think),
but I am starting to deal with this massive (2 emails per IP, receiving from thousands of IP addresses).
Zimbra is on the local LAN, behind a firewall. A relay server is used to receive/send emails to the outside world.
Not sure what other blocking mechanisms I can implement to avoid this.

Ideas are welcomed.

[root@mail ~]# /opt/zimbra/common/sbin/postcat -q D8156D229FEA5
*** ENVELOPE RECORDS deferred/D/D8156D229FEA5 ***
message_size:            6952             811               2               0            6952               0
message_arrival_time: Mon Jan 30 07:34:52 2023
create_time: Mon Jan 30 07:34:52 2023
named_attribute: log_ident=D8156D229FEA5
named_attribute: rewrite_context=remote
sender: removedforsecurity@iphe.gob.pa
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=38806
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=38806
named_attribute: server_address=127.0.0.1
named_attribute: server_port=10025
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;stivyroussy14@gmail.com
original_recipient: stivyroussy14@gmail.com
recipient: stivyroussy14@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;nonafetherston@outlook.com
original_recipient: nonafetherston@outlook.com
recipient: nonafetherston@outlook.com
*** MESSAGE CONTENTS deferred/D/D8156D229FEA5 ***
Received: from localhost (localhost [127.0.0.1])
        by mail.iphe.gob.pa (Postfix) with ESMTP id D8156D229FEA5;
        Mon, 30 Jan 2023 07:34:52 -0500 (EST)
Received: from mail.iphe.gob.pa ([127.0.0.1])
        by localhost (mail.iphe.gob.pa [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id 5T9mYhnxUIVh; Mon, 30 Jan 2023 07:34:52 -0500 (EST)
Received: from localhost (localhost [127.0.0.1])
        by mail.iphe.gob.pa (Postfix) with ESMTP id 89292D220CE05;
        Mon, 30 Jan 2023 07:34:52 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.iphe.gob.pa 89292D220CE05
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iphe.gob.pa;
        s=ACE18908-54E0-11EA-87B6-F58DDAA3460F; t=1675082092;
        bh=f/Lr+L5j1SCjMAHOJiiuQt8U1MwTZQjJnyG4SS7rk0s=;
        h=From:Mime-Version:Message-Id:Date:To;
        b=ZN7OZ4oYoIDxP6JpO3+pass9sF6xB0b5ezeU8bfOj+FsqWZw3hPE59UFj99lQfrdw
         nqqj4Md+7c3Rb86v68gMj5jo6KKQc/5dTBNSCoaOpy3ieqh8jwNy1yhoeiV541dFUb
         o1JvvcLoOSJd1b1wOJ5Z1DwF+dT3n+LodlOD82KyvYgpsUh1CEGnJmIfvZ2AYxt2iL
         AsPvKpoJY4yEPzuVT0fnfzpzyoedFKJTgwQ8G/1NEEZXkWxs5V612vVCe1vG7INsva
         2ltaBkv1uOBnAa06dEOI6cjAO1Fcpf4yqa+wqi0DCdHowpgLr/+8GrLpMYWtuZPmpd
         qNvC2Yps2yjaw==
X-Virus-Scanned: amavisd-new at iphe.gob.pa
Received: from mail.iphe.gob.pa ([127.0.0.1])
        by localhost (mail.iphe.gob.pa [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id xcRJ5w2O31wK; Mon, 30 Jan 2023 07:34:52 -0500 (EST)
Received: from [127.0.0.1] (unknown [191.102.70.91])
        by mail.iphe.gob.pa (Postfix) with ESMTPSA id 3D422D21D14EA;
        Mon, 30 Jan 2023 07:34:50 -0500 (EST)
From: removedforsecurity@iphe.gob.pa
Content-Type: multipart/alternative;
 boundary="Apple-Mail-BCF1B921-3176-6CEA-ACB5-C8D5C253C9E0"
Mime-Version: 1.0 (1.0)
Subject: 1/30/2023 You've got 1 friend request from DanikaHashtag536
Message-Id: <17EB46D9-F5EA-9178-CBD1-B3C414BEF50A@iphe.gob.pa>
Date: Mon, 30 Jan 2023 04:34:16 -0800
To: nonafetherston@outlook.com, stivyroussy14@gmail.com
X-Mailer: iPhone Mail (12H143)
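
The postcat output above records the path the message took. Received: headers are read from the top (newest hop) down, and the first hop whose client is not one of your own trusted hosts (loopback, the amavisd content filter, a LAN relay) is where the message entered your system. The Postfix keyword after "with" on that hop tells you how it got in: ESMTP or ESMTPS is an unauthenticated connection, while ESMTPA/ESMTPSA means the client passed SASL authentication, so a mailbox credential was used and the account itself needs attention, not only the connecting IP. The following script is an added example, not code from the original post or from Zimbra; it walks a constructed header block of the same shape (example.org hostnames, an RFC 5737 documentation address) back to the entry hop, decodes the protocol keyword, and returns the queue id so the hop can be matched against the Postfix log.

```python
"""Walk a Postfix Received: chain back to the first external client.

Added example; not part of the original forum post. The sample header block
below is constructed (example.org domain, RFC 5737 address 203.0.113.45) and
only mirrors the shape of the chain shown in the post.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample, newest hop first, exactly as headers appear in a message.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
        by mail.example.org (Postfix) with ESMTP id AAAA00000001;
        Mon, 30 Jan 2023 07:34:52 -0500 (EST)
Received: from mail.example.org ([127.0.0.1])
        by localhost (mail.example.org [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id 5T9mYhnxUIVh; Mon, 30 Jan 2023 07:34:52 -0500 (EST)
Received: from [127.0.0.1] (unknown [203.0.113.45])
        by mail.example.org (Postfix) with ESMTPSA id AAAA00000002;
        Mon, 30 Jan 2023 07:34:50 -0500 (EST)
From: someone@example.org
Subject: constructed sample
"""

# Hops from these networks are ours and are skipped. Loopback only by default;
# add the LAN relay's range when a relay sits in front of the MTA.
DEFAULT_TRUSTED = (ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128"))

# "from HELO (rdns [ip]) by HOST ... with PROTO id QUEUEID" as Postfix writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?"
    r"(?:.*?\bid\s+(?P<qid>[A-Za-z0-9]+))?"
)


def parse_received(value):
    """Unfold one Received: value and pull out client, server, protocol, id."""
    flat = " ".join(value.split())
    match = RECEIVED_RE.search(flat)
    return match.groupdict() if match else None


def decode_postfix_protocol(proto):
    """Postfix appends S for TLS and A for SASL auth to the SMTP keyword,
    e.g. ESMTP, ESMTPS, ESMTPA, ESMTPSA (also UTF8SMTPSA)."""
    upper = proto.upper()
    suffix = upper.split("SMTP", 1)[1] if "SMTP" in upper else ""
    return {"tls": "S" in suffix, "authenticated": "A" in suffix}


def is_trusted_hop(hop, trusted_networks, trusted_names):
    """A hop is ours if its client address is in a trusted network, or, when
    no address literal was logged, if it presents a trusted host name."""
    if hop["ip"]:
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return False  # unparseable literal: treat as external
        return any(addr in net for net in trusted_networks)
    return hop["helo"] in trusted_names or hop["rdns"] in trusted_names


def find_origin(raw_headers, trusted_networks=DEFAULT_TRUSTED,
                trusted_names=("localhost",)):
    """Return the first hop (newest to oldest) whose client is not trusted.
    Headers below that hop were added by machines we do not control."""
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or is_trusted_hop(hop, trusted_networks, trusted_names):
            continue
        hop.update(decode_postfix_protocol(hop["proto"] or ""))
        return hop
    return None


def classify(hop):
    """Turn the entry hop into the remediation question it raises."""
    if hop is None:
        return "no external hop: message originated inside the trusted boundary"
    if hop["authenticated"]:
        return ("authenticated submission from %s: a mailbox credential was used, "
                "so review that account, not only the client IP" % hop["ip"])
    return ("unauthenticated inbound from %s: apply client, RBL and rate "
            "controls at the edge" % hop["ip"])


if __name__ == "__main__":
    origin = find_origin(SAMPLE_HEADERS)
    print(origin)
    print(classify(origin))
```

Run it against real headers by reading them from a file or from `postcat -q <queue-id>` output; the queue id the script returns (`qid`) is the same id Postfix writes to its log, so `grep` for it in the mail log to see the SASL user name that was used on an ESMTPSA hop.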
