Revision as of 06:13, 15 June 2021

Preventing Spamming


KB 24314. Last updated on 2021-06-15.

Problem

  • A huge and unresponsive mail queue caused by incoming spam and the NDRs it generates.
  • Excessive spamming activity observed on the server.
  • The MTA IP gets blacklisted in the global RBLs, which severely impacts outgoing mail.

Solution

The solution is divided into two parts:

  • Cure
  • Prevention
Cure

In this section we check how to identify the spammer, stop the spamming and clear the queue.

  • First of all, hold the queue so that nothing more is delivered while you investigate:
su - zimbra
~/common/sbin/postsuper -h ALL
  • Release the queue once the clean-up is done. postsuper -r ALL requeues every message, held ones included; to release only the held messages back into the deferred queue without requeueing them, use postsuper -H ALL instead.
~/common/sbin/postsuper -r ALL
  • Additionally, we can hold all incoming mail at the MTA level by following the wiki below.

https://wiki.zimbra.com/wiki/Irfan-Notes#Holding_the_Postfix_Queue_at_time_of_server_migration.2Fmaintenance

There are two ways to check the mail queue: A) from the Admin Console, B) from the server CLI.

  • We will first check the queue from the Admin Console.

Open the Admin Console and, in the left pane, go to Monitor > Mail Queues; you will see a window like this:

[Screenshot: Mail-queue.jpg]

The Mail Queue section has five tabs: i) Deferred ii) Incoming iii) Active iv) Held v) Corrupt.

Each tab contains a summary of the accumulated mail, broken down into six columns:

i) Receiver Domain ii) Origin IP iii) Sender Domain iv) Receiver Address v) Sender Address vi) Error.

Because of the load on the server you may have difficulty accessing the Admin Console, so we will also check the CLI method to find the spammer.

The following commands give almost the same information as the Admin Console. As the zimbra user:

$ sudo ~/libexec/zmqstat

[Screenshot: Zmqstat.jpg]


By referring to the queue we can identify which email address has been compromised and from which IP addresses the spam is being received, and then take further action.

$ qshape -s deferred | head

[Screenshot: Qshape-2.jpg]


  • For a more detailed analysis, check which user account has been compromised and is being used to send the spam, by counting SMTP authentications per SASL username in the MTA log:
$ grep sasl_user /var/log/zimbra.log | sed 's/.*sasl_username=//g' | sort | uniq -c | sort -nr | head

The output will look something like this:

  12289 user1@domain.tld
     13 user2@domain.tld
     10 user3@domain.tld
      7 user4@domain.tld
      7 user5@domain.tld
      4 user6@domain.tld
      1 user7@domain.tld
      1 user8@domain.tld

From these counts we can reasonably guess that user1@domain.tld has been compromised, since no other user authenticated anywhere near as often as user1.

To cross-verify, grep for user1@domain.tld in /var/log/zimbra.log; you will likely find thousands of entries like these:

Sep 21 17:34:11 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: filter: RCPT from unknown[177.39.32.97]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<greenxyso333@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[14032]: B6A3860C53: filter: RCPT from unknown[191.242.246.133]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<ssrkettlecasdaorn@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[12700]: 56C3960F69: filter: RCPT from 6-48-130-177.redewsp.com.br[177.130.48.6]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<dtgadsadulf@yahoo.com> proto=ESMTP helo=<[127.0.0.1]>

Looking at a few of these mails we notice that:

1) The mails are going to junk recipients (addresses that probably do not exist).

2) The originating IPs are all different.

This confirms that these are spam mails sent through the compromised account, so change the password of the affected user and/or disable the account to prevent further authentication and spamming.
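The manual tally above, followed by the cross-check on originating IPs, can be scripted so that both signals are combined: a real user authenticates from one or two places, a stolen password is used from many. The bash script below is an added example and is not part of the original article or of Zimbra's own tooling. The log lines in it are constructed for the example, the line format (client=host[ip], sasl_method=..., sasl_username=...) is the standard postfix/smtpd authentication line, and the thresholds (at least 4 authentications from at least 3 distinct IPs) are arbitrary assumptions to tune for your site.

```shell
#!/usr/bin/env bash
# Added example, not from the Zimbra wiki article or Zimbra's own tooling.
# Tally SASL authentications per user and, for each user, the number of distinct
# client IPs behind those authentications. A real user logs in from one or two
# places; a stolen password is used from many.
set -u

# Constructed sample of postfix/smtpd lines in zimbra.log format (not real traffic).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 21 17:34:10 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: client=unknown[177.39.32.97], sasl_method=PLAIN, sasl_username=user1@domain.tld
Sep 21 17:34:11 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: filter: RCPT from unknown[177.39.32.97]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<greenxyso333@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[14032]: B6A3860C53: client=unknown[191.242.246.133], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[12700]: 56C3960F69: client=6-48-130-177.redewsp.com.br[177.130.48.6], sasl_method=PLAIN, sasl_username=user1@domain.tld
Sep 21 17:34:13 zmta1 postfix/smtps/smtpd[12701]: 7A1B260F70: client=unknown[45.12.33.9], sasl_method=PLAIN, sasl_username=user1@domain.tld
Sep 21 17:34:14 zmta1 postfix/smtps/smtpd[12702]: 8C2D360F71: client=unknown[45.12.33.9], sasl_method=PLAIN, sasl_username=user1@domain.tld
Sep 21 17:35:01 zmta1 postfix/submission/smtpd[12800]: 9D3E460F72: client=office.example.net[203.0.113.10], sasl_method=PLAIN, sasl_username=user2@domain.tld
Sep 21 17:36:01 zmta1 postfix/submission/smtpd[12801]: AE4F560F73: client=office.example.net[203.0.113.10], sasl_method=PLAIN, sasl_username=user2@domain.tld
Sep 21 17:37:01 zmta1 postfix/submission/smtpd[12802]: BF5A660F74: client=home.example.org[198.51.100.7], sasl_method=LOGIN, sasl_username=user3@domain.tld
EOF

# Print "count user" per sasl_username, busiest first. Only lines that carry a
# sasl_username= field are counted, so the "filter: RCPT" noise is ignored.
top_sasl_users() {  # $1 = log file
    awk 'match($0, /sasl_username=[^, ]+/) { print substr($0, RSTART + 14, RLENGTH - 14) }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Number of distinct client IPs that authenticated as user $2 in log $1.
distinct_client_ips() {  # $1 = log file, $2 = sasl_username
    awk -v user="$2" '
        match($0, /sasl_username=[^, ]+/) {
            if (substr($0, RSTART + 14, RLENGTH - 14) != user) next
            if (match($0, /client=[^,]+/)) {
                c = substr($0, RSTART, RLENGTH)        # client=host[ip]
                sub(/.*\[/, "", c); sub(/\].*/, "", c)  # keep only the ip
                ips[c] = 1
            }
        }
        END { n = 0; for (c in ips) n++; print n }' "$1"
}

# Users with at least $2 authentications from at least $3 distinct IPs,
# printed as "user auths ips". The thresholds are assumptions; tune them per site.
suspect_users() {  # $1 = log file, $2 = min auths, $3 = min distinct IPs
    top_sasl_users "$1" | while read -r count user; do
        ips="$(distinct_client_ips "$1" "$user")"
        if [ "$count" -ge "$2" ] && [ "$ips" -ge "$3" ]; then
            echo "$user $count $ips"
        fi
    done
}

echo "Authentications per user:"
top_sasl_users "$SAMPLE_LOG"
echo "Suspect accounts (>=4 auths from >=3 IPs):"
suspect_users "$SAMPLE_LOG" 4 3
```

On a real server, point the functions at /var/log/zimbra.log (and its rotated copies) instead of the constructed sample; the "filter: RCPT" lines are ignored because they carry no sasl_username field, which is also why the article's own grep pipeline only counts authentication lines.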

Submitted by: Amol Mistry
Verified Against: ZCS 8.8
Date Created: 2020-04-13
Article ID: https://wiki.zimbra.com/index.php?title=Preventing_Spamming
Date Modified: 2021-06-15
