Preventing Spamming

KB 24314    Last updated on 2023-11-21
Problem

  • Huge and unresponsive mail queue due to incoming spam and NDRs.
  • Excessive spamming activity observed on the server.
  • MTA IP blacklisted in the global RBLs, with a huge impact on outgoing mail.

Solution

The solution is divided into 2 parts:

  • Fix
  • Prevention


Fix

This section covers how to identify the spammer, control the spamming and clear the queue.

  • First of all, hold the queue:
su - zimbra
~/common/sbin/postsuper -h ALL
  • To release the queue once the work is done:
~/common/sbin/postsuper -r ALL

There are 2 ways to check the mail queue: A) from the admin panel, B) from the server CLI.

  • First, check the queue from the Admin Control Panel.

Open the Admin Panel; from the left pane go to Monitor > Mail Queues. The window will look something like this:

Mail-queue.jpg

The Mail Queue section contains the following tabs: i) Deferred ii) Incoming iii) Active iv) Held v) Corrupt.

Each tab contains a summary of the accumulated mails, organized in 6 columns:

i) Receiver Domain ii) Origin IP iii) Sender Domain iv) Receiver Address v) Sender Address vi) Error.

Because of the load on the server, it sometimes becomes difficult to access the Admin panel; in that case use the CLI method to find the spammer.

The following commands give almost the same result as the admin panel.

$ sudo ~/libexec/zmqstat

Zmqstat.jpg


Thus, by referring to the queue, we can easily identify which email address has been compromised and from which IP addresses the spam mails are being received, and take further action.

$ qshape -s deferred | head

Qshape-2.jpg


  • For a detailed analysis, check which user account has been compromised and used for spamming:
$ grep sasl_user /var/log/zimbra.log | sed 's/.*sasl_username=//g' | sort | uniq -c | sort -nr | head

The output will look something like this:

12289	user1@domain.tld
   13	user2@domain.tld
   10	user3@domain.tld
    7	user4@domain.tld
    7	user5@domain.tld
    4	user6@domain.tld
    1	user7@domain.tld
    1	user8@domain.tld

Thus, from the above stats it is a fairly safe guess that user1@domain.tld has been compromised, since no other user authenticated anywhere near as often as user1.

To cross-verify, grep for user1@domain.tld in /var/log/zimbra.log; the result will look like the following.

Sep 21 17:34:11 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: filter: RCPT from unknown[177.39.32.97]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<greenxyso333@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[14032]: B6A3860C53: filter: RCPT from unknown[191.242.246.133]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<ssrkettlecasdaorn@aol.com> proto=ESMTP helo=<[127.0.0.1]>
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[12700]: 56C3960F69: filter: RCPT from 6-48-130-177.redewsp.com.br[177.130.48.6]: <user1@domain.tld>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user1@domain.tld> to=<dtgadsadulf@yahoo.com> proto=ESMTP helo=<[127.0.0.1]>

From a few such log entries, the following can be noticed:

1) Mails are going to junk recipients (which probably do not exist).

2) The originating IPs are all different.

This confirms that all of these are spam mails; hence change the password of the affected user and/or disable the user to prevent further authentication and spamming.

Because of the many unauthorised authentications, it is important to find the originating IPs.

Grep the log to find from which IP addresses the authentications and mails originate. Use the following 2 ways:

i) By "from address"
ii) By authentication

  • Finding originating IP using “From Address”
grep "from=<user1@domain.tld>" /var/log/zimbra.log | awk '{print $10}' |sort -nr -k 1 | sed -rn 's/.*\[//;s/\].*//p' | uniq -c | sort -nr -k 1

The output will show something like this.

From-Ips.JPG

  • Finding the originating IP using authentication:
# grep sasl_user /var/log/zimbra.log | grep user1@domain.tld | awk '{print $7}' |sed -rn 's/.*\[//;s/\].*//p'  | sort -nr -k 1 | uniq -c |sort -nr -k 1

The output will show something like this.

Ips-4b.JPG

If the above command returns a bunch of IPs from which thousands of mails originated, that gives a clear picture that all those are spam mails. Go ahead and block all those IPs in the local firewall so that no further authentication attempts can happen from those IPs.
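As an added example (not code from the wiki page), the following POSIX shell script automates the two log checks above: it counts authentications per sasl_username, lists the client IPs behind each account, and flags accounts that show the "many logins from many different IPs" pattern described in this section. The log lines are constructed samples in the Postfix smtpd format; the function names and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki article. The log lines below are
# CONSTRUCTED samples in the smtpd format found in /var/log/zimbra.log.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Sep 21 17:34:10 zmta1 postfix/smtps/smtpd[12679]: ACDBA60F68: client=unknown[177.39.32.97], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[14032]: B6A3860C53: client=unknown[191.242.246.133], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:12 zmta1 postfix/smtps/smtpd[12700]: 56C3960F69: client=6-48-130-177.redewsp.com.br[177.130.48.6], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:34:15 zmta1 postfix/smtps/smtpd[12700]: 7D1F960F6A: client=unknown[177.39.32.97], sasl_method=LOGIN, sasl_username=user1@domain.tld
Sep 21 17:35:01 zmta1 postfix/smtps/smtpd[12801]: 9A0B160F6B: client=pc1.office.example[203.0.113.5], sasl_method=PLAIN, sasl_username=user2@domain.tld
Sep 21 17:35:40 zmta1 postfix/smtps/smtpd[12802]: C12E960F6C: client=unknown[198.51.100.7]
EOF

# auth_counts LOG: "count user" per sasl_username, busiest account first
# (same idea as the grep|sed|sort|uniq pipeline above, but it ignores lines
# that do not carry a sasl_username= field).
auth_counts() {
    awk -F'sasl_username=' '/sasl_username=/ { n[$2]++ }
        END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# auth_ips LOG USER: client IPs that authenticated as USER, most frequent first.
# The IP is the text between [ and ] in the client=name[ip] field.
auth_ips() {
    awk -F'sasl_username=' -v u="$2" '$2 == u && /client=/ {
        split($0, a, "client="); split(a[2], b, "["); split(b[2], c, "]")
        print c[1]
    }' "$1" | sort | uniq -c | sort -rn
}

# distinct_ip_count LOG USER: number of different source IPs seen for USER.
distinct_ip_count() {
    auth_ips "$1" "$2" | wc -l | tr -d ' '
}

# suspect_users LOG MIN_AUTH MIN_IPS: accounts that authenticated at least
# MIN_AUTH times AND from at least MIN_IPS different IPs, which is exactly the
# "many logins, many origins" pattern of a compromised account.
suspect_users() {
    auth_counts "$1" | while read -r n user; do
        if [ "$n" -ge "$2" ] && [ "$(distinct_ip_count "$1" "$user")" -ge "$3" ]; then
            echo "$user"
        fi
    done
}

# Stand-alone run: flag accounts with >= 3 logins from >= 2 IPs and show the IPs.
for u in $(suspect_users "$LOG" 3 2); do
    echo "suspect: $u"
    auth_ips "$LOG" "$u"
done
```

On a real server replace the constructed file with /var/log/zimbra.log; the per-IP list from auth_ips is the input for the firewall or postfix_blacklist step that follows.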

Another method is to blacklist all these IPs in Zimbra itself, by following the steps below.

i) Create the file /opt/zimbra/conf/postfix_blacklist and add all the IPs in the following format:

177.71.83.241    REJECT
191.37.158.10    REJECT
177.39.32.97     REJECT
177.53.74.33     REJECT
177.71.23.64     REJECT

ii) Now run postmap, which creates the DB file.

postmap /opt/zimbra/conf/postfix_blacklist

iii) Now add this file to the Zimbra MTA restrictions, so that Postfix consults it while accepting a connection and rejects all the listed IPs.

zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'

iv) Now restart the MTA services.

zmmtactl restart

v) The initial phase is done here; with this in place, rest assured that no more new spam will hit and no further authentication will happen from those IPs. Still, to cross-check whether a brute-force attack is still going on, check zimbra.log for authentication failures with the command below.

$ grep "authentication failure" /var/log/zimbra.log

And the output:

Authfailed.JPG

If you find more such entries with new email addresses, follow the same process as described in point no. 4.

5) Since we have stopped further authentication and held the queue, let's move on and delete all deferred and spam mails from the queue.
5-A) From the Admin panel: Monitor >> Mail Queue. Right-click either the originating IP or the sender domain/email address and click Delete.

Delete-q.jpg

5-B) If the Admin panel is not accessible, the same has to be done from the CLI.
Let's first delete all the deferred mails from the queue; these mails are usually throttled by the recipient server due to spamming complaints against the sender's MTA.

/opt/zimbra/common/sbin/postsuper -d ALL deferred

The safest method is to delete the emails from the compromised user and from the email address at which the NDRs were received.

So first execute the command below to check which mails we are going to delete; here we specify the "from email address" that was compromised, and later execute the same command again with the NDR email addresses as well.

/opt/zimbra/common/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "user1@domain.tld") print $1 }' | tr -d '*!'


Replace user1@domain.tld with your actual affected email address. The command above lists the queue IDs of the mails that are going to be deleted; review the whole list to verify that we are on the right path.

Now execute the final command, which adds postsuper -d - at the end to delete all those mails.

/opt/zimbra/common/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "user1@domain.tld") print $1 }' | tr -d '*!' | /opt/zimbra/common/sbin/postsuper -d -

6) Once all the mails are deleted, check the queue again:

$ sudo ~/libexec/zmqstat
hold=125
corrupt=0
deferred=0
active=0
incoming=0


7) If the queue looks clear and the junk and deferred mails have been deleted, go ahead and release the held queue.

~/common/sbin/postsuper -r ALL


Prevention

Prevention is divided into 2 parts:

  • User level
  • Server level
1) User level precautions

(Things end-users should take care of)

  • Keep the workstation infection- and malware-free with updated AS/AV.
  • Do not access Webmail on public PCs, as most of them are infected and a virus may steal login information and pass it to a spammer.
  • Keep a strong password: include at least 1 upper-case and 1 lower-case letter, 1 special character and 1 number.
  • Change the password frequently, so that if any brute-force attack is happening on the account, the script will either take a long time or won't be able to crack the password.
  • Keep the workstation and Outlook updated with all patches and security updates.
  • Keep ZCO updated too.
  • Do not share login credentials with anyone.
  • Using 2FA is an added advantage.
  • Do not open any unknown email or attachment that has not been sent by a trusted source.
  • In particular, do not open executable files (.exe, .bat etc.); they could be viruses/malware that may badly harm your system.
2) Server level precautions
  • Keep ZCS updated to the latest version and patch, since it includes all performance- and security-related updates that will keep the server safe from major attacks.
  • Keep a strong password policy so users can't set weak passwords; this prevents passwords being cracked by brute-force attacks.
  • Set password expiry as well, so users can't keep the same password for long.
  • Keep the OS updated as well, because a vulnerability in an old version may affect the complete server, including ZCS.
  • Secure the network with the help of a network engineer so that nobody can log in to the server and change the password of the admin or of any user for further spamming.
2A) Following are some basic ways by which spamming can be prevented to a considerable level.

i) Implementing the following wiki will prevent hackers relaying mail through the server MTA.

Without the following setting, the MTA will act like an open relay and a spammer can use our MTA to send mail. After the implementation, all users have to authenticate their accounts to send mail; otherwise the connection to the MTA itself won't be initiated.

https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5
ii) Implementing the following from the same wiki will restrict unlisted senders and recipients (users which are not hosted or not present in LDAP will be prevented from sending and receiving mail).
https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5#Update_zimbraMtaSmtpdRejectUnlistedRecipient_.26_zimbraMtaSmtpdRejectUnlistedSender
iii) Implementing the wiki below will notify the administrator (through any pre-defined e-mail address) of a potential brute-force attack against any account hosted by Zimbra, by looking at the authentication failure information.
https://wiki.zimbra.com/wiki/Zmauditswatch

Hence, once you receive the alert mail you can block those IPs in your firewall, or you can implement a 3rd party application like fail2ban (fail2ban is a 3rd party application that is not supported by Zimbra, so take assistance from your system admin or the forums).

Alternately, we can block those IPs on the Zimbra MTA as well; please refer to the wiki below for the implementation.
https://wiki.zimbra.com/wiki/Specific_Whitelist/Blacklist_per_IP
iv) It is also important to have updated AntiSpam rules; updated rules will prevent spam more effectively, so make sure the setting below is enabled if it is not enabled already.
$ zmlocalconfig -e antispam_enable_rule_updates=true
$ zmlocalconfig -e antispam_enable_restarts=true 
v) Restrict executable files.
zmprov mcf +zimbraMtaBlockedExtension exe
zmprov mcf +zimbraMtaBlockedExtension bat 
vi) Tune the SpamTag and SpamKill percentage.
zmprov mcf zimbraSpamKillPercent 75
zmprov mcf zimbraSpamTagPercent 25 {default is 33, it means 33% of 20 = 6.6} 
Example (headers of a message tagged as spam):
Return-Path: <mail.tnvsbeqphrnatrhmpem@email.techtrnd.com>
Received: from edge03e.zimbra.com (LHLO edge03e.zimbra.com) (10.43.0.13) by
 mbs03e.zimbra.com with LMTP; Fri, 20 Sep 2019 10:10:05 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by edge03e.zimbra.com (Postfix) with ESMTP id CC65160327A
    for <amistry@zimbra.com>; Fri, 20 Sep 2019 10:07:22 -0400 (EDT)
X-Virus-Scanned: amavisd-new at zimbra.com
X-Spam-Flag: YES
X-Spam-Score: 5.888
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.888 required=3 tests=[BAYES_00=-0.05,
    DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293, DKIMWL_WL_MED=-0.001,
    DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=2.75,
    RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Authentication-Results: edge03e.zimbra.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=msgfocus.com header.b=Ch2nGc4z;
    dkim=pass (1024-bit key) header.d=email.techtrnd.com header.b=SuHyv5M/
Received: from edge03e.zimbra.com ([127.0.0.1])
    by localhost (edge03e.zimbra.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5-s4ZPnNKenv for <amistry@zimbra.com>;
    Fri, 20 Sep 2019 10:07:21 -0400 (EDT)
Received: from mail116-79.us2.msgfocus.com (mail116-79.us2.msgfocus.com [185.187.116.79])
    by edge03e.zimbra.com (Postfix) with ESMTP id E35BA603278
    for <AMISTRY@ZIMBRA.COM>; Fri, 20 Sep 2019 10:07:20 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=msgf; d=msgfocus.com;
 h=Subject:X-Mailer:Message-ID:Reply-To:To:List-Unsubscribe:From:Date:MIME-Version:Content-Type;
 bh=ikFEdVyAQq1WoIdBffZJ3tLeMEo=;
 b=Ch2nGc4zxw2AThxqqqZiYD5W11Tr94h89D6JfBltYbrsb8yfF17pC0EC4+1cJptO4RypAKYa2MMN
   fZVYTbABSRKrTCIXT0R/el8uF6lpWzJwGy3FEf8HwWcKO3M0y0IvgxKhysCJD+aw/ECT/4kx0UHe
   +yFKtORN0GP3z+jFwfk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.techtrnd.com; s=msgf;
    t=1568988596; bh=/JDQ0rvggKcM0iK+5qAd2BC7aLE18wvm2WnlonkYQK8=;
    h=Subject:X-Mailer:Message-ID:Reply-To:To:List-Unsubscribe:From:
     Date:MIME-Version:Content-Type;
    b=SuHyv5M/gWhikMWkKhiQYxbG41AcDmxQQhJf7FsBTlfDKqrxDavvdObgMUpz4IhEB
     3io2Uf+h1qaO+W/K4SulUaqZ6ZBwuxyxSnOn7HYnX4OLqKM9MBcRvUZ/Cz3eA5IwgB
     2Eu+OsSF5BYyz1RWb06/qHGMUhayA+dEjWDgvbLU=
Subject: Join IEEE, get the rest of 2019 free
X-Mailer: MessageFocus v2 launch
Message-ID: <YTYb3-7BWvIDJ96-atnB-18k7sjoQe25Z99nr@email.techtrnd.com>
Reply-To: mail.tnvsbeqphrnatrhmpem@email.techtrnd.com
To: AMISTRY@ZIMBRA.COM
List-Unsubscribe:
 <mailto:mail.tnvsbeqphrnatrhmpem@email.techtrnd.com?subject=Unsubscribe>
From: IEEE <IEEE@email.techtrnd.com>
Date: Fri, 20 Sep 2019 15:09:56 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--1C593B4808655498F3042C88CC"
vii) Along with updated spam rules, it is even more important to check from which server a mail has been received. A legitimate email server takes all possible precautions to keep itself genuine, so the following parameters are checked while receiving mail, and if any of them is not met, that mail may be considered spam.
zmprov mcf \
zimbraMtaRestriction reject_invalid_hostname \
zimbraMtaRestriction reject_non_fqdn_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_unknown_client_hostname \
zimbraMtaRestriction reject_unknown_helo_hostname \
zimbraMtaRestriction reject_unknown_sender_domain
viii) Implement SPF, DKIM and DMARC for better protection; these have become the universal standard checks applied by remote servers while accepting mail, so the chances of getting a poor spam score at the remote end become lower.
https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC
ix) Also, along with the local AntiSpam rules, it is important to refer to the lists maintained by some reputed and effective RBLs.
An RBL (Real-time Blackhole List) maintains data collected globally, such as IPs that tend to send spam, new spamming trends, already blacklisted domains, email addresses etc. This helps identify spam easily and immediately, before it is scanned by the local AS/AV, so there is no need to maintain local rules for it and spam can be eliminated more effectively.
Thus, including the most effective and reputed RBLs in our configuration will help control spamming more effectively.
Below are some selected RBLs I've used; you can also include your favorite RBLs as per your choice.
zmprov mcf zimbraMtaRestriction "reject_rbl_client dnsbl.njabl.org" \
zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \
zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" \
zimbraMtaRestriction "reject_rbl_client psbl.surriel.com" \
zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org" \
zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org" \
zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com" \
zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org" \
zimbraMtaRestriction "reject_rhsbl_sender rhsbl.sorbs.net"


Submitted by: Amol Mistry
Verified Against: ZCS 8.8
Date Created: 2020-04-13
Article ID: https://wiki.zimbra.com/index.php?title=Preventing_Spamming
Date Modified: 2023-11-21



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search