Handling long queue email in Zimbra part 2

Attack more and let your Zimbra server go crazy until the logs scroll like the Matrix

One fine day after the election, I received a call saying that users were unable to send email. I SSHed to the server and found the mail queue growing, caused by one account that had been compromised by a spammer. Below are the steps I used to resolve this.

1. Go through the logs, find the compromised account and where the attempts and the attack come from. See here for how to handle email logs.

  • get the sender source IP address
  • get the sender email address
  • get the email account that has been compromised
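As an added example (not from the original post), here is a small Python script that does the step-1 triage over a handful of constructed zimbra.log lines: it picks out the Postfix smtpd SASL login records, counts submissions per account and per source IP, and reports the account and IP that stand out. The log lines, hostnames, addresses and IPs are made up; on a real server you would point it at /var/log/zimbra.log.

```python
import re
from collections import Counter

# Constructed sample of /var/log/zimbra.log lines (Postfix smtpd SASL logins
# plus one qmgr line). Hostnames, IPs and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 10 09:58:11 mail postfix/smtpd[2311]: 7C1A2B3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 09:58:12 mail postfix/smtpd[2311]: 7C1A2B3D4F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 09:58:14 mail postfix/smtpd[2312]: 7C1A2B3D50: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 09:59:01 mail postfix/smtpd[2313]: 7C1A2B3D51: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 10:01:30 mail postfix/smtpd[2314]: 7C1A2B3D52: client=laptop.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=bob@example.com
Jan 10 10:02:05 mail postfix/smtpd[2314]: 7C1A2B3D53: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 10 10:02:40 mail postfix/qmgr[1999]: 7C1A2B3D53: from=<alice@example.com>, size=2048, nrcpt=50 (queue active)
"""

# Matches the Postfix "client=... sasl_username=..." record written for each
# authenticated SMTP submission.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(log_text):
    """Yield (sasl_username, client_ip, queue_id) for every authenticated submission."""
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("qid")


def summarize(log_text):
    """Count submissions per account and per (account, source IP)."""
    per_user = Counter()
    per_user_ip = Counter()
    for user, ip, _qid in parse_sasl_logins(log_text):
        per_user[user] += 1
        per_user_ip[(user, ip)] += 1
    return per_user, per_user_ip


def suspect_account(log_text, min_messages=3):
    """Return the busiest account with its top source IP, or None if no account
    reaches min_messages (the threshold is a made-up tuning knob)."""
    per_user, per_user_ip = summarize(log_text)
    if not per_user:
        return None
    user, count = per_user.most_common(1)[0]
    if count < min_messages:
        return None
    ips = {ip: n for (u, ip), n in per_user_ip.items() if u == user}
    top_ip = max(ips, key=ips.get)
    return {
        "account": user,
        "messages": count,
        "top_ip": top_ip,
        "distinct_ips": sorted(ips),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    per_user, per_user_ip = summarize(text)
    for (user, ip), n in per_user_ip.most_common():
        print(f"{n:5d}  {user:30s}  {ip}")
    print("suspect:", suspect_account(text))
```

On the sample, alice@example.com shows five submissions, four of them from 203.0.113.5, which gives you all three items in the list above: the source IP to block, the sender address to filter, and the account to lock. Running it against the real log with no argument replaced by the log path gives the same table for the whole day.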

2. With the sender source IP address, you may proceed to block that IP address using iptables. You may get the steps from here, or block it using the firewall at the gateway of your email server.

3. If you happen to have a UTM firewall or an antispam appliance/software, you may proceed to block the sender email address to stop the spammer spreading spam to the Internet; if that email reaches a spam trap, your email server IP address will get blacklisted, and that is a far more serious issue to resolve. At the same time, to make sure your IP address is clean, check it through mxtoolbox or follow here for the steps to check whether your IP address is blacklisted or has a bad reputation.

4. Having found the compromised account, change its password and lock the account temporarily until you manage to clean up the queue.

5. There are two ways of deleting the queue: delete only the mail from that particular sender, or delete all email, which will also delete the genuine email.

  • Check the email queue status and quantity (must be run as the zimbra user: su - zimbra).

$ sudo ~/libexec/zmqstat
hold=0
corrupt=0
deferred=456
active=1
incoming=491065

  • Delete all email using this command (as root). I have mentioned this in a previous article.

# /opt/zimbra/postfix/sbin/postsuper -d ALL

  • Delete only a particular sender using this command (as root; replace sender@example.com with the spammer's sender address). I have mentioned this in a previous article.

# /opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "sender@example.com") print $1 }' | tr -d '*!' | /opt/zimbra/postfix/sbin/postsuper -d -
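The awk pipeline above works because postqueue -p prints one paragraph per queued message; after egrep drops the header line and the parenthesised deferral reasons, the queue ID is field 1 and the envelope sender is field 7 of each paragraph's first line, and tr strips the * (active) and ! (hold) markers so postsuper accepts the IDs. As an added example that is not from the original post, here is the same selection in Python over a constructed postqueue -p listing: it returns the queue IDs for one sender and builds, but does not run, the postsuper -d - invocation, so the list can be reviewed before anything is deleted. The listing, queue IDs, addresses and hosts are made up.

```python
import re

# Constructed postqueue -p output (three messages, two from the compromised
# account). Queue IDs, addresses, hosts and IPs are made up for this example.
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
8A1B2C3D4E*     2048 Tue Jan 10 10:02:40  alice@example.com
                                         one@example.net
                                         two@example.org

9B2C3D4E5F      1024 Tue Jan 10 10:03:01  bob@example.com
(connect to mx.example.net[198.51.100.20]:25: Connection timed out)
                                         three@example.net

AC3D4E5F60!     4096 Tue Jan 10 10:03:15  alice@example.com
                                         four@example.org

-- 7 Kbytes in 3 Requests.
"""

POSTSUPER = "/opt/zimbra/postfix/sbin/postsuper"  # path used on this page

# Queue ID: hex digits, optionally followed by '*' (active) or '!' (on hold).
QID_RE = re.compile(r"^([0-9A-F]+)([*!]?)$")
STATUS = {"*": "active", "!": "hold", "": "queued"}


def parse_mailq(text):
    """Parse postqueue -p output into one dict per queued message.

    Mirrors the pipeline: first drop the header and the deferral-reason lines
    (the egrep -v), then split into paragraphs (awk's RS=""). The trailing
    '-- N Kbytes' summary does not start with a queue ID and is skipped."""
    kept = [l for l in text.splitlines()
            if "-Queue ID-" not in l and not re.match(r"^ *\(", l)]
    records = []
    for block in re.split(r"\n\s*\n", "\n".join(kept).strip()):
        lines = block.splitlines()
        fields = lines[0].split()
        m = QID_RE.match(fields[0]) if fields else None
        if not m:
            continue
        records.append({
            "queue_id": m.group(1),          # marker stripped, like tr -d '*!'
            "status": STATUS[m.group(2)],
            "size": int(fields[1]),
            "sender": fields[6],             # the awk script's $7
            "recipients": [l.strip() for l in lines[1:] if l.strip()],
        })
    return records


def queue_ids_for_sender(text, sender):
    """Queue IDs whose envelope sender equals `sender`."""
    return [r["queue_id"] for r in parse_mailq(text) if r["sender"] == sender]


def build_postsuper_delete(queue_ids):
    """Return (argv, stdin_text) for 'postsuper -d -', which reads one queue ID
    per line on stdin. Nothing is executed here; review the list, then run it
    as root."""
    return [POSTSUPER, "-d", "-"], "".join(q + "\n" for q in queue_ids)


if __name__ == "__main__":
    import sys
    sender = sys.argv[1] if len(sys.argv) > 1 else "alice@example.com"
    ids = queue_ids_for_sender(SAMPLE_MAILQ, sender)
    argv, stdin_text = build_postsuper_delete(ids)
    print(f"{len(ids)} message(s) from {sender}: {ids}")
    print("would run:", " ".join(argv), "<<EOF\n" + stdin_text + "EOF")
```

Feeding it real output (for example by replacing SAMPLE_MAILQ with the text of `postqueue -p`) gives you the exact list of queue IDs that the one-liner would delete, which is worth a look when a genuine user happens to share the sender address with the spam run.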

6. Once all the above steps are done, keep monitoring the email logs for any further attempts to spread spam.

# tail -f /var/log/zimbra.log

I hope the above scenario helps you handle your Zimbra server when it is hit by a large amount of spammer activity, which can get your email server / domain blacklisted.
