Email server (Zimbra) is reporting a massive increase in amount of emails treated

[bmunger]

I have a server that is essentially used for email purposes, a little for other stuff, but 90% of the activity is email for my small community.

I have seen, recently, a very lage increase in number of message in the stats of ths server and I have difficulty identifying the nature of the messages and the source.

In the past two month, the increase is exponential.


The server has been running for years without any glitch.

the server is not listed in the blacklists ( I checked with mxtoolbox), but I cannot identify the nature of the emails nor the source, I need help.

Ideally, if a Ubuntu guru that knows Zimbra would like to step in and offer his services, I'd be willing to pay for the help... but how tio identify who's an expert and who's pretending?

Any known experts in the crowd that everybody agrees to call an expert?

Thanks!
Bernard

[HermanAB]

Hmm, it sounds like you are running an open relay and is now wondering why it is getting abused?

[Habitual]

Zimbra version?

[SeijiSensei]

Hmm, it sounds like you are running an open relay and is now wondering why it is getting abused?

I had the same thought as Herman. Did you run the test for an open relay at mxtoolbox.com, bmunger? If not, you should do that right away.

What do you see in /var/log/mail.log? Senders? Recipients? Mail only for your legitimate domains or others? If all the recipients are legitimate, then what percentage of the messages are marked as spam?

If Zimbra is using Postfix, what do you have in the "mydestination" field in /etc/postfix/main.cf?

Read this document carefully: http://www.postfix.org/SMTPD_ACCESS_README.html

[Habitual]

and examine /var/tmp closely.
I found 'rogue' zimlets on my zimbra server that were being used against us, and they 'called' files from remote hosts and stuck them in /var/tmp

[bmunger]

Hello,

Thanks for all the replies. I'm not sure what to do next, how to analyze and identify the source of the increase.

I have Zimbra 8.5 on Ubuntu, uname -a reports:
Linux zimbra 3.2.0-57-generic #87-Ubuntu SMP Tue Nov 12 21:35:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
I have upgraded all the packages I could on it.

Here is an image of the version of zimbra:
Zimbra version.jpg

Here is what worries me

Message count stats.jpg
Message volume stats.jpg

The increase is not really easy to explain, other than someone is using my email, or able to send emails using one of the accounts (there are not that many, me and my extended family...). I have attached a picture of the mxtoolbox SMTP test, I'm not an open relay.

I'm not extremely familiar with the stats I can get out of my server, I guess that would be a great start. How can I pin point what is going through, with which account(s) and what is the general content being sent.

Can you help start me off?

If one of you is willing to login and check, contact me at bmunger at ingenieur.org

Thanks!
Bernard

[bmunger]

I forgot, the antivirus / Antispam is running also on increased volume. But that might simply by a collateral damage...

Antivirus-Antispam.jpg

[bashiergui]

I had the same thought as Herman. Did you run the test for an open relay at mxtoolbox.com, bmunger? If not, you should do that right away.

What do you see in /var/log/mail.log? Senders? Recipients? Mail only for your legitimate domains or others? If all the recipients are legitimate, then what percentage of the messages are marked as spam?

If Zimbra is using Postfix, what do you have in the "mydestination" field in /etc/postfix/main.cf?

Read this document carefully: http://www.postfix.org/SMTPD_ACCESS_README.html

Did you do everything seijisensei suggested? Please do that before you allow random strangers from the internet to log in.

[bmunger]

Hello,

I have maybe identified a reason: I get thousands of messages from the same domain:

Apr 26 06:43:39 zimbra postfix/smtpd[31272]: NOQUEUE: filter: RCPT from unknown[115.159.87.233]: <Janna@1g77.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<Janna@1g77.com> to=<removed> proto=ESMTP helo=<Janna.1g77.com>

I guess it's an email attack....

Anyone can suggest how block a domain? I forget how to blacklist with postfix..

Thanks!

[SeijiSensei]

Are all the recipients the same? Are the recipients valid addressees in your domain?

I usually block spammers at the IP level with iptables. Add this line to /etc/rc.local and reboot:

Code:

/sbin/iptables -I INPUT -s 115.159.87.233 -j REJECT

That way your Postfix server never has to deal with the traffic.