Spamming Issue

By admin at 2020-01-04

Outgoing spamming issue

Problem

1: The server's IP address is blacklisted.
2: Not able to send email because of an accumulated deferred queue.

Solution

Identify the compromised accounts. The following command counts SASL logins per account in the MTA log; an account whose count is unexpectedly high is the probable one whose password has been compromised.

sed -n 's/.*sasl_username=//p' /var/log/zimbra.log | sort | uniq -c | sort -nr

Reset the password of the probable accounts (for example the four accounts with the highest counts, and any other whose count is far above the rest), then restart the MTA service with the following commands. Resetting the password stops new logins but does not remove the spam already queued under that account; that has to be cleared from the Postfix queue separately.

su - zimbra
zmmtactl restart
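The triage above, run over sample log lines, as an added example that is not part of the original page: it counts SASL logins per account the way the one-liner does, and additionally counts the distinct client IPs each account logged in from, since one mailbox authenticating from many addresses is the usual signature of a stolen password. The log lines are constructed to mimic postfix/smtpd entries in /var/log/zimbra.log; the function names and the threshold of 100 logins are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: count SASL logins per account
# in a Postfix/Zimbra log and flag accounts whose login volume or client spread
# is abnormal. The log lines are CONSTRUCTED to mimic postfix/smtpd entries in
# /var/log/zimbra.log; function names and the threshold are assumptions.
set -u

# Build a constructed sample log (production: LOG=/var/log/zimbra.log).
LOG="$(mktemp)"
{
  # one compromised account: 150 logins from seven different client IPs
  for i in $(seq 1 150); do
    printf 'Jan  4 10:%02d:%02d mail postfix/smtpd[1234]: 7F3A2B1C: client=unknown[203.0.113.%d], sasl_method=LOGIN, sasl_username=victim@example.com\n' \
      $((i / 60)) $((i % 60)) $((i % 7 + 1))
  done
  # two ordinary accounts, each logging in from a single office address
  for i in 1 2 3 4 5; do
    printf 'Jan  4 10:%02d:30 mail postfix/smtpd[1234]: 8E4B3C2D: client=office[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com\n' "$i"
  done
  for i in 1 2 3; do
    printf 'Jan  4 10:%02d:45 mail postfix/smtpd[1234]: 9A5C4D3E: client=office[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com\n' "$i"
  done
  # a line with no SASL login at all; sed -n '...p' prints nothing for it
  printf 'Jan  4 10:59:59 mail postfix/smtpd[1234]: connect from unknown[198.51.100.5]\n'
} > "$LOG"

# Logins per account, most active first (the page's pipeline without the cat).
count_sasl_logins() {           # $1 = log file
  sed -n 's/.*sasl_username=//p' "$1" | sort | uniq -c | sort -nr
}

# Number of distinct client IPs an account authenticated from. A normal user
# has one or two; a compromised account is typically driven from many.
client_ips_for() {              # $1 = log file, $2 = account
  grep "sasl_username=$2\$" "$1" \
    | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p' \
    | sort -u | awk 'END { print NR }'
}

# Accounts with more logins than the threshold, one per line.
flag_compromised() {            # $1 = log file, $2 = threshold (assumed: 100)
  count_sasl_logins "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

count_sasl_logins "$LOG"
flag_compromised "$LOG" 100
client_ips_for "$LOG" victim@example.com
client_ips_for "$LOG" alice@example.com
```

On a real server, feed the same functions /var/log/zimbra.log (and the rotated copies, since a spam run often starts before the current log) and treat a high login count combined with a high client-IP count as the signal to reset the password.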

To keep an authenticated account from sending mail with a From address that is not its own (the usual pattern once a password is stolen), enforce a match between the SASL username and the sender address; the following wiki page describes the configuration.

https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5

And restart the mailbox service on the mailbox server.

su - zimbra
zmmailboxdctl restart

Also make sure that zimbraMtaMyNetworks contains only the IPs of your own Zimbra servers, not whole networks you are unsure about. It maps to Postfix mynetworks, and clients in mynetworks are trusted relays: none of the restrictions above (RBLs, sender/login matching, blacklists) apply to them, so an infected host on a listed network can relay freely. The current value for a server is shown by the following command (replace serverName with the hostname of the MTA; a server-level value overrides the global one).

su - zimbra
zmprov gs serverName zimbraMtaMyNetworks


Incoming spamming

Problem

Not able to send or receive email
Deferred email accumulating in the queue

Solution

Check whether the queue is flooded with mail. In the output below, active=20000 is Postfix's default qmgr_message_active_limit, so the active queue is saturated, and the 37593 messages in incoming show mail arriving faster than it can be delivered.

/opt/zimbra/libexec/zmqstat
hold=2054
corrupt=0
deferred=2
active=20000
incoming=37593

The following command counts how often each IP address appears in the log, which approximates how many connections each client made. It matches every IPv4 address on every line (connect and disconnect lines, your own hosts, relay hosts), so your own addresses, such as the 192.168.x.x hosts in the output below, also show up and must be ignored.

grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /var/log/zimbra.log | sort | uniq -c | sort -nr
 439416 xxx.xxx.xxx.xxx
  19884 192.168.1.246
  11587 192.168.5.1
   2723 192.168.5.246

Reject mail from that IP with a client access map. The following configuration shows the restriction and the compiled map contents.

su - zimbra
zmprov gacf zimbraMtaRestriction
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist
zimbraMtaRestriction: check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override
strings /opt/zimbra/conf/postfix_blacklist.lmdb
xxx.xxx.xxx.xxx
REJECT
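The connection count and the blacklist map from the two passages above, as an added example that is not part of the original page: it counts only smtpd "connect from" lines (so connects are not doubled by disconnects and addresses in message headers are ignored), skips your own hosts, and writes the flooding clients into an access-map source in the "client REJECT" form the page's compiled map shows. The log lines are constructed; the threshold, the own-host pattern and the assumption that /opt/zimbra/conf/postfix_blacklist is the text source of the .lmdb map shown on the page are mine.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: count SMTP connections per
# client IP from postfix/smtpd "connect from" lines, ignore our own hosts, and
# write the flooding addresses into a Postfix access map source that rejects
# them. Log lines are CONSTRUCTED; the map path and threshold are assumptions.
set -u

LOG="$(mktemp)"                 # production: LOG=/var/log/zimbra.log
{
  # one remote host hammering the MTA: 120 connects, each with a disconnect
  for i in $(seq 1 120); do
    printf 'Jan  4 11:%02d:%02d mail postfix/smtpd[2222]: connect from unknown[198.51.100.77]\n' $((i / 60)) $((i % 60))
    printf 'Jan  4 11:%02d:%02d mail postfix/smtpd[2222]: disconnect from unknown[198.51.100.77]\n' $((i / 60)) $((i % 60))
  done
  # an internal host in mynetworks: noisy but legitimate
  for i in $(seq 1 80); do
    printf 'Jan  4 11:%02d:%02d mail postfix/smtpd[2223]: connect from mailbox[192.168.1.246]\n' $((i / 60)) $((i % 60))
  done
  # a normal remote sender and the local amavis re-injection
  printf 'Jan  4 11:30:00 mail postfix/smtpd[2224]: connect from mx.partner.example[192.0.2.25]\n'
  printf 'Jan  4 11:30:01 mail postfix/smtpd[2225]: connect from localhost[127.0.0.1]\n'
} > "$LOG"

# Hosts never to blacklist: loopback and our own RFC1918 range (assumption).
OWN_HOSTS='^(127[.]|192[.]168[.])'

# Connections per client IP. The leading colon in ': connect from ' matters:
# the bare substring 'connect from' also matches every 'disconnect from' line.
top_clients() {                 # $1 = log file
  grep ': connect from ' "$1" \
    | sed -n 's/.*connect from [^[]*\[\([^]]*\)\].*/\1/p' \
    | sort | uniq -c | sort -nr
}

# Client IPs above the threshold that are not our own hosts, one per line.
flag_flooders() {               # $1 = log file, $2 = threshold
  top_clients "$1" | awk -v t="$2" -v own="$OWN_HOSTS" '$1 > t && $2 !~ own { print $2 }'
}

# Write the access-map source: one "<client> REJECT" line per flooder.
write_blacklist() {             # $1 = log file, $2 = threshold, $3 = map source path
  flag_flooders "$1" "$2" | awk '{ print $1 " REJECT" }' > "$3"
}

MAP="$(mktemp)"                 # production (assumed): /opt/zimbra/conf/postfix_blacklist
write_blacklist "$LOG" 50 "$MAP"
top_clients "$LOG"
cat "$MAP"
# Compile and activate on the MTA host (not run here; the postmap path follows
# the page's /opt/zimbra/postfix/sbin layout and is an assumption):
#   su - zimbra
#   /opt/zimbra/postfix/sbin/postmap lmdb:/opt/zimbra/conf/postfix_blacklist
#   zmprov mcf +zimbraMtaRestriction "check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist"
```

Excluding your own hosts is not only cosmetic: permit_mynetworks runs before check_client_access, so an entry for a host in zimbraMtaMyNetworks would never be consulted, which is the same reason the previous section asks you to keep that attribute tight.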

Check whether RBL (DNS-based blocklist) lookups are configured; if not, add the following RBLs immediately. Two caveats: b.barracudacentral.org only answers resolvers whose IP you have registered with Barracuda, and zen.spamhaus.org does not answer queries sent through public DNS resolvers and has a free-use volume limit, so query through a local resolver and verify that the lookups actually return answers.

zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"

Check the queue for mail from MAILER-DAEMON, that is bounces generated locally with a null envelope sender. During a flood these are mostly backscatter: bounces for spam addressed to non-existent recipients, going back to forged sender addresses. Put them on the hold queue so they stop consuming delivery slots; review and delete them later.

/opt/zimbra/postfix/sbin/postqueue -p | head
74A443D43D43*   21733 Wed Month 30 12:29:15  MAILER-DAEMON
                                        user1@domain.com
A614D3D43CCF*   21745 Wed Month 30 12:29:43  MAILER-DAEMON
                                        user2@domain.com
781443D4364F*   21751 Wed Month 30 12:25:16  MAILER-DAEMON
                                        user3@domain.com
5C72C3D44438*   21721 Wed Month 30 12:36:53  MAILER-DAEMON
                                        user4@domain.com

The following command puts every queued message whose envelope sender is MAILER-DAEMON on hold; review them afterwards or simply delete them. postqueue -p prints a column-header line directly above the first entry, and awk's paragraph mode (RS = "") glues that header to the first entry and shifts its fields, so the first message would be missed; the header and the trailing summary line (both start with "-") are therefore filtered out first.

/opt/zimbra/postfix/sbin/postqueue -p | grep -v '^-' | awk 'BEGIN { RS = "" } $7 == "MAILER-DAEMON" { print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -

As soon as those messages are on hold the queue looks like the following, and normal mail is delivered again. Held messages still occupy disk space and are never delivered, so review them and delete them when done.

# /opt/zimbra/libexec/zmqstat
hold=43464
corrupt=0
deferred=0
active=0
incoming=0
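A queue filter that serves both uses on this page, as an added example that is not part of the original page: holding MAILER-DAEMON mail during an incoming flood, and pulling a compromised account's queued spam after its password has been reset (the outgoing section above). It selects entries from saved postqueue -p output by envelope sender, matching each entry line on its shape rather than trusting field 7, so the column header glued to the first record and the trailing summary line are handled. The queue listing is constructed; the sender victim@example.com and the postsuper paths in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: select queue IDs from
# `postqueue -p` output by envelope sender so they can be fed to postsuper.
# The queue listing is CONSTRUCTED; the sender victim@example.com is assumed.
set -u

Q="$(mktemp)"                   # production: /opt/zimbra/postfix/sbin/postqueue -p > "$Q"
cat > "$Q" <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
74A443D43D43*   21733 Wed Jan 30 12:29:15  MAILER-DAEMON
                                         user1@domain.com

A614D3D43CCF*   21745 Wed Jan 30 12:29:43  MAILER-DAEMON
                                         user2@domain.com

781443D4364F     4096 Wed Jan 30 12:25:16  victim@example.com
(connect to mx.example.net[192.0.2.7]:25: Connection timed out)
                                         buyer1@example.net
                                         buyer2@example.net

5C72C3D44438!    2048 Wed Jan 30 12:36:53  alice@example.com
                                         partner@example.org

-- 48 Kbytes in 4 Requests.
EOF

# Print the queue IDs (status markers * and ! stripped) of every entry whose
# envelope sender equals $2. Paragraph mode (RS = "") yields one record per
# message, but the column header is glued to the first record and the summary
# is a record of its own, so every line is tested for the entry-line shape:
#   <id>[*|!] <size> <dow> <mon> <dd> <hh:mm:ss> <sender>   (7 fields)
queue_ids_by_sender() {         # $1 = saved postqueue -p output, $2 = sender
  awk -v want="$2" '
    BEGIN { RS = ""; FS = "\n" }
    {
      for (i = 1; i <= NF; i++) {
        n = split($i, f, " ")
        if (n == 7 && f[1] ~ /^[0-9A-Za-z]+[*!]?$/ && f[7] == want) {
          id = f[1]; sub(/[*!]$/, "", id); print id
        }
      }
    }' "$1"
}

queue_ids_by_sender "$Q" MAILER-DAEMON
queue_ids_by_sender "$Q" victim@example.com
# On the MTA host, pipe the IDs into postsuper (not run here; paths follow the
# page's /opt/zimbra/postfix/sbin layout):
#   queue_ids_by_sender "$Q" MAILER-DAEMON      | /opt/zimbra/postfix/sbin/postsuper -h -   # hold for review
#   queue_ids_by_sender "$Q" victim@example.com | /opt/zimbra/postfix/sbin/postsuper -d -   # delete outright
#   /opt/zimbra/postfix/sbin/postsuper -d ALL hold   # empty the hold queue once reviewed
```

Recipient lines and deferral-reason lines never have seven whitespace-separated fields starting with a bare queue ID, which is what makes the shape test safe; the page's one-liner works for every entry except the first because it assumes the header is not part of a record.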

To improve your anti-spam setup beyond these emergency measures, refer to the following wiki page and implement what fits your environment.

https://wiki.zimbra.com/wiki/Improving_Anti-spam_system

