[SOLVED] My Zimbra server sending out spam emails

abamkacamata
Posts: 8
Joined: Mon Aug 06, 2018 1:29 pm

[SOLVED] My Zimbra server sending out spam emails

Post by abamkacamata »

We're having a problem as of this morning, as some of our email accounts are sending spam to different emails. It has sent out an estimated 9000+ emails. I think it started on the weekend.
Almost all accounts are currently "locked" and others were deleted. I also tried changing the password, but it still sends spam.
Our Zimbra (email server) is installed on CentOS 7.0.
Last edited by abamkacamata on Fri Oct 19, 2018 1:17 am, edited 1 time in total.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: My Zimbra server sending out spam emails

Post by DualBoot »

Hello,

Check first whether your Zimbra is an open relay; it should not be the case by default.
Then grep sasl_username in /var/log/zimbra.log to get the account that is spamming.
Use iptables to drop connections on SMTP to stop it.

Regards,
abamkacamata
Posts: 8
Joined: Mon Aug 06, 2018 1:29 pm

Re: My Zimbra server sending out spam emails

Post by abamkacamata »

DualBoot wrote:Hello,

Check first whether your Zimbra is an open relay; it should not be the case by default.
Then grep sasl_username in /var/log/zimbra.log to get the account that is spamming.
Use iptables to drop connections on SMTP to stop it.

Regards,
I used this as my solution. Apart from it, I also shut down the Zimbra services and ran ClamAV. This combo seems to do the trick.
odiepus
Posts: 1
Joined: Thu Jul 18, 2019 4:53 am

Re: [SOLVED] My Zimbra server sending out spam emails

Post by odiepus »

Hi,

What do I do if I find out which account is relaying to the spammer?
And what do you mean by IP drop?
Thank you
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: [SOLVED] My Zimbra server sending out spam emails

Post by DualBoot »

1 - Change the account status from active to locked.
2 - iptables -I INPUT -s source_ip -j DROP
3 - Optional: stop and start (not restart) the MTA to end SMTP connections and force clients to re-authenticate
4 - Change the account password
5 - kill the user :p
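
Added example, not part of the thread: a shell sketch of the sasl_username check on /var/log/zimbra.log suggested above, counting authenticated SMTP sessions per account and client IP so that the account to lock and the addresses to use as source_ip stand out. The function names are hypothetical, the Postfix line layout (`client=host[IP], sasl_method=..., sasl_username=ACCOUNT`) is assumed, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample log lines are constructed.

# sasl_summary LOGFILE -> "COUNT ACCOUNT CLIENT_IP" per line, busiest first.
# Assumes Postfix smtpd lines of the form
#   ... client=host[IP], sasl_method=..., sasl_username=ACCOUNT
sasl_summary() {
    awk '
    /sasl_username=/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sasl_username=/) {
                user = $i; sub(/^sasl_username=/, "", user); sub(/,$/, "", user)
            }
            if ($i ~ /^client=/) {
                ip = $i; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        if (user != "") n[user " " ip]++
    }
    END { for (k in n) print n[k], k }' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# account_ips LOGFILE ACCOUNT -> client IPs that authenticated as ACCOUNT,
# i.e. the candidates for source_ip in the iptables rule.
account_ips() {
    sasl_summary "$1" | awk -v acct="$2" '$2 == acct { print $3 }'
}

# write_sample_log FILE -> constructed zimbra.log excerpt for an offline run.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 15 03:12:41 mail postfix/smtps/smtpd[2101]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@example.com
Oct 15 03:12:43 mail postfix/smtps/smtpd[2101]: 1A2B3C4D60: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@example.com
Oct 15 03:12:44 mail postfix/smtps/smtpd[2107]: 1A2B3C4D61: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info@example.com
Oct 15 03:12:45 mail postfix/smtps/smtpd[2101]: 1A2B3C4D62: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=info@example.com
Oct 15 08:30:02 mail postfix/submission/smtpd[2250]: 1A2B3C4D70: client=pc12.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Oct 15 08:31:10 mail postfix/smtpd[2251]: connect from unknown[203.0.113.45]
EOF
}

# With no argument, run on the constructed sample; on a server pass /var/log/zimbra.log.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log "$log"
fi
sasl_summary "$log"
```

An account that authenticates from several unrelated addresses in a short window, as info@example.com does in the sample, is the pattern to look for before locking it and changing its password.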