Spam Fighting Tips & Tricks

Tip: 01
Check the queue status

# /opt/zimbra/libexec/zmqstat
OR
$ mailq | grep '^[A-F0-9]' | cut -c 42-80 | sort | uniq -c | sort -n | tail

Tip: 02
First of all, hold the queue

su - zimbra
/opt/zimbra/common/sbin/postsuper -h ALL

watch --interval=1 "tail -n1000 /var/log/auth.log | grep 'auth_zimbra:'"


Tip: 03
Check which user account has been compromised and used for spamming


grep sasl_user /var/log/zimbra.log | sed 's/.*sasl_username=//g' | sort | uniq -c | sort -nr | head

Tip: 04
Finding originating IP using "From Address"

grep "from=<user1@domain.tld>" /var/log/zimbra.log | awk '{print $10}' | sort -nr -k 1 | sed -rn 's/.*\[//;s/\].*//p' | uniq -c | sort -nr -k 1

Tip: 05
Finding originating IP using Authentication.

grep sasl_user /var/log/zimbra.log | grep user1@domain.tld | awk '{print $7}' | sed -rn 's/.*\[//;s/\].*//p' | sort -nr -k 1 | uniq -c | sort -nr -k 1

Tip: 06
Blacklist all these IPs on Zimbra

Create a file /opt/zimbra/conf/postfix_blacklist and add all the IPs in the following format:

177.71.83.241    REJECT
191.37.158.10    REJECT
177.39.32.97     REJECT
177.53.74.33     REJECT
177.71.23.64     REJECT

postmap /opt/zimbra/conf/postfix_blacklist

zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'

zmmtactl restart
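
Building the postfix_blacklist file from a plain list of addresses, as an added example that is not part of the original post. The input list is constructed and the function name build_access_map is my own. The point of doing it with a script rather than by hand is the validation: a malformed entry in an access map is silently accepted by postmap but never matches a connecting client, so it is reported and dropped instead, and duplicates are collapsed.

```shell
#!/bin/sh
# Added example (not from the original post): generate the check_client_access
# map of Tip 06 from a list of IPs, validating and de-duplicating first.
# The addresses in the input file are constructed.
set -u

IPS="${TMPDIR:-/tmp}/blacklist_input.$$.txt"
cat > "$IPS" <<'EOF'
# one client IP per line; comments and blank lines are ignored
203.0.113.5
198.51.100.9
203.0.113.5
300.1.1.1
198.51.100
EOF

# Emit one "IP  REJECT" line per well-formed, not-yet-seen IPv4 address, in the
# layout Tip 06 shows. Entries that are not four octets of 0-255 are reported on
# stderr and skipped.
build_access_map() {   # usage: build_access_map input.txt > /opt/zimbra/conf/postfix_blacklist
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            ip = $1
            ok = (split(ip, o, ".") == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok) { print "skipping invalid entry: " ip > "/dev/stderr"; next }
            if (ip in seen) next
            seen[ip] = 1
            printf "%-16s REJECT\n", ip
        }' "$1"
}

build_access_map "$IPS"
```

On the server the output goes to /opt/zimbra/conf/postfix_blacklist, followed by the postmap, zmprov and zmmtactl steps above. After postmap, `postmap -q 203.0.113.5 lmdb:/opt/zimbra/conf/postfix_blacklist` prints REJECT when the key is in the compiled map, which is a quick way to confirm the map was rebuilt before restarting the MTA. Note that this map holds exact addresses only; blocking whole networks by CIDR needs a cidr: table rather than lmdb:.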


Tip: 07
Create the script below and run it as root

#vi removemail

#!/usr/bin/perl
# Delete every queued message whose "postqueue -p" entry matches a regexp
# (typically a sender address) by feeding the queue IDs to "postsuper -d -".
use strict;
use warnings;

my $REGEXP = shift || die "no email address given (regexp-style, e.g. bl.*\@yahoo.com)!";
my @data   = qx</opt/zimbra/common/sbin/postqueue -p>;
my %Q;
my $queue_id = "";

for (@data) {
    # Entry header line: queue ID, optional '*' (active) or '!' (held) marker,
    # then size, arrival time and sender. Recipient lines are indented.
    if (/^(\w+)(\*|\!)?\s/) {
        $queue_id = $1;
    }
    # The header and the recipient lines that follow it are tested until the
    # entry matches once; the ID is then cleared so it is recorded only once.
    if ($queue_id && /$REGEXP/i) {
        $Q{$queue_id} = 1;
        $queue_id = "";
    }
}

# Dry run: swap in "|cat" to only print the IDs that would be deleted.
#open(POSTSUPER, "|cat") || die "couldn't open postsuper";
open(POSTSUPER, "|/opt/zimbra/common/sbin/postsuper -d -") || die "couldn't open postsuper";
foreach (keys %Q) {
    print POSTSUPER "$_\n";
}
close(POSTSUPER);


#chmod +x removemail
#/root/removemail user1@spammer.com


OR

/opt/zimbra/common/sbin/postsuper -d ALL deferred

OR
Check and verify:
/opt/zimbra/common/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "user1@domain.tld") print $1 }' | tr -d '*!'
and delete:
/opt/zimbra/common/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "user1@domain.tld") print $1 }' | tr -d '*!' | /opt/zimbra/common/sbin/postsuper -d -
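
The same job as the awk pipeline in Tip 07, selecting queue IDs for one sender out of "postqueue -p" output, as an added example that is not part of the original post. The queue listing below is constructed (the IDs and addresses are made up) and the function names queue_ids_for_sender, senders_in_queue and purge_sender are my own. Rather than filtering the reason lines out first and counting on paragraph mode, it reads the entry header line directly, which also takes care of the '*' (active) and '!' (held) markers, the "-- N Kbytes" trailer, and deferred entries whose reason line sits between the header and the recipients.

```shell
#!/bin/sh
# Added example (not from the original post): select queue IDs by sender from
# "postqueue -p" output and hand them to postsuper, with a dry-run mode.
# The listing below is constructed; every ID and address is invented.
set -u

QUEUE="${TMPDIR:-/tmp}/postqueue_sample.$$.txt"
cat > "$QUEUE" <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*     2345 Tue Jan 10 10:15:01  user1@domain.tld
                                         victim1@example.net
                                         victim2@example.net

4B2C3D4E5F!     1234 Tue Jan 10 10:15:03  user1@domain.tld
                                         victim3@example.net

5C3D4E5F60      4567 Tue Jan 10 10:16:00  bob@domain.tld
(connect to mx.example.org[192.0.2.1]:25: Connection timed out)
                                         alice@example.org

-- 8 Kbytes in 3 Requests.
EOF

# Print the queue ID of every entry whose envelope sender equals SENDER.
# Reads a saved listing from FILE, or "postqueue -p" output on stdin.
queue_ids_for_sender() {   # usage: queue_ids_for_sender SENDER [FILE]
    awk -v want="$1" '
        /^-/ { next }                               # column header and "-- N Kbytes" trailer
        /^[0-9A-Fa-f]+[*!]?[ \t]/ {                 # entry header: ID[*|!] size date sender
            id = $1; sub(/[*!]$/, "", id)           # strip the active/held marker
            if ($NF == want) print id               # sender is the last field of the header
        }' "${2:--}"
}

# Queued messages per sender: a quick way to see which account is being abused.
senders_in_queue() {   # usage: senders_in_queue [FILE]
    awk '/^[0-9A-Fa-f]+[*!]?[ \t]/ { print $NF }' "${1:--}" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Feed the selected IDs to postsuper. DRY_RUN=1 only lists what would go.
purge_sender() {   # usage: [DRY_RUN=1] purge_sender SENDER [FILE]
    if [ "${DRY_RUN:-0}" = 1 ]; then
        queue_ids_for_sender "$@"
    else
        queue_ids_for_sender "$@" | /opt/zimbra/common/sbin/postsuper -d -
    fi
}

echo "== messages per sender =="; senders_in_queue "$QUEUE"
echo "== would delete for user1@domain.tld =="; DRY_RUN=1 purge_sender user1@domain.tld "$QUEUE"
```

Live use is `/opt/zimbra/common/sbin/postqueue -p | DRY_RUN=1 purge_sender user1@domain.tld` first, and the same line without DRY_RUN once the list looks right. Run senders_in_queue before deleting anything: if the held queue is dominated by one account, that confirms the picture from the zimbra.log searches in Tips 03 to 05, and legitimate mail from other senders is left alone for the requeue in Tip 08.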


Tip: 08
Requeue all mail

/opt/zimbra/common/sbin/postsuper -r ALL



