In this article I will show how to find how To find user who send a bulk Emails in Zimbra.
If Zimbra server sends spam emails first you need find user or users who authenticated on the SMTP port and sending spam.
The following command will return list of authenticated users on the SMTP port to send an email:
# tail -n 200000 /var/log/maillog | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
or
# cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
Example output:
As we see on the pic. last user sending 1490 emails
How To Find User Who Send a Bulk Emails Zimbra
To get users list who authenticated on the SMTP port and sending spam execute next command from CLI:
$ tail -n 200000 /var/log/maillog | sed -n ‘s/.*sasl_username=//p’ | sort | uniq -c | sort -n