Thread: need help regarding spam protection and authentication

  1. #1
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Hi,

    I found a strange thing in my zimbra.log and mailboxd.log.

    One of our users is abc@example.com.

    For this user I got the authentication logs below:

    ###########################################

    2009-08-19 12:08:47,589 INFO [Pop3Server-6533] [name=abc@example.com;ip=177.17.218.29;] pop - user abc@example.com authenticated, mechanism=login
    2009-08-19 12:08:48,057 INFO [Pop3Server-6533] [name=abc@example.com;ip=177.17.218.29;] pop - quit from client
    2009-08-19 13:28:29,847 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - user abc@example.com authenticated, mechanism=login
    2009-08-19 13:28:29,948 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - quit from client

    ##############################################


    Here it's showing two IP addresses, 177.17.218.29 and 122.132.111.218, and it keeps toggling between these IPs. In these logs it's showing "pop - quit from client". What does it mean?? Why does it continuously change the IP address?

    ################################################


    And in zimbra.log I am getting the logs below for the same user, which is trying to send mail to itself and to another user of the same domain. This is SPAM and got discarded... but it's showing a different IP in these logs, which I didn't get in audit.log or mailboxd.log...


    Aug 18 14:28:08 mail amavis[26966]: (26966-20) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090818T132825-26966: <abc@example.com> -> <cde@example.com>,<abc@example.com> SIZE=2704 Received: from example.com ([127.0.0.1]) by localhost (example.com[127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Tue, 18 Aug 2009 14:28:08 +0530 (IST)
    Aug 18 14:28:08 mail amavis[26966]: (26966-20) Checking: ZNHpduUMTnrn [89.78.49.127] <abc@example.com> -> <cde@example.com>,<abc@example.com>
    Aug 18 14:28:13 mail amavis[26966]: (26966-20) SPAM, <abc@example.com> -> <cde@example.com>,<abc@example.com>, Yes, score=23.19 tag=-10 tag2=6.6 kill=13.2 tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_24=1.552, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, ONLINE_PHARMACY=0.001, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, SUBJECT_NEEDS_ENCODING=0.001, SUBJ_ILLEGAL_CHARS=1.586, TVD_VISIT_PHARMA=0.001, URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501, URIBL_OB_SURBL=1.5, URIBL_WS_SURBL=1.5], autolearn=spam
    Aug 18 14:28:13 mail amavis[26966]: (26966-20) Blocked SPAM, [89.78.49.127] [98.78.49.111] <abc@example.com> -> <cde@example.com>,<abc@example.com>, Message-ID: <3108XGQ.7401BCC60A.996339454636KATSVFCQQVCAKIQ340 @chello089078049127.chello.pl>, mail_id: ZNHpduUMTnrn, Hits: 23.19, size: 2698, 5487 ms
    Aug 18 14:28:13 mail postfix/smtp[18495]: 7BFEBD4048: to=<cde@example.com>, orig_to=<abc@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.4, delays=0.87/0/0/5.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26966-20 - SPAM)


    ########################################


    Here its IP address is 98.78.49.111...!!!! And every day I am getting similar logs with different IP addresses...

    Is anyone trying to send spam using this email id WITHOUT AUTHENTICATION?? Is it possible??

    We are not using TLS authentication... do we need to switch over to TLS from clear text authentication?

    Please help me to understand why this is happening and suggest.


    Thanks.
    Last edited by chandu; 08-25-2009 at 09:29 AM.

  2. #2
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Quote Originally Posted by chandu:
    We are not using TLS authentication...do we need to switch over to TLS from clear text authentication ?
    I believe I advised you not to use clear text login some while back; under no circumstances should you be using clear text login for access to your server from outside your LAN (IMO, you shouldn't even use it on your LAN) - it's a big (very big) security hole.
    Regards


    Bill


  3. #3
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Thanks for the reply... yes Bill, I know you suggested that I set up a TLS connection. I will plan it ASAP; clients also need to change their Outlook settings.

    I am confused about one thing here... can anyone successfully send mail using a similar userid WITHOUT providing authentication? And if yes, then how is it possible?
    In my case those mails got discarded which were being delivered through an IP which did not get registered in audit.log...

    And another question about POP3... here the pop3 client is quitting and the user is logging in again with a different IP... and it keeps toggling between two IPs... what does it mean??

    Maybe I am asking stupid questions but I really want to understand...

    Thanks

  4. #4
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    Possibly the account is compromised, possibly the user has pop clients set up on different machines. You could use nslookup and Whois to investigate.

    About the first question, email address spoofing is trivial and no authentication is required to send mail from a given address, although you could conceivably write/customize an MTA that would do that, or conceivably do the checking via SA. I don't know if such solutions are out there currently.

    Another approach would be to use SPF.
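As an added illustration of the point made in this answer and of the logs in the first post (this is example code written for this thread, not part of Zimbra or of any poster's setup): the mailboxd.log lines tell you which client IPs actually authenticated as the account, while the amavis "Checking:" line records the IP the message came from. Correlating the two flags messages that claim a local envelope sender from an IP that never authenticated, i.e. the unauthenticated spoofing described above. The log text below is constructed from the thread's excerpts (Message-ID shortened), and the local domain and the localhost check are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's mailboxd.log / zimbra.log excerpts.
MAILBOXD_LOG = """\
2009-08-19 12:08:47,589 INFO [Pop3Server-6533] [name=abc@example.com;ip=177.17.218.29;] pop - user abc@example.com authenticated, mechanism=login
2009-08-19 13:28:29,847 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - user abc@example.com authenticated, mechanism=login
"""

ZIMBRA_LOG = """\
Aug 18 14:28:08 mail amavis[26966]: (26966-20) Checking: ZNHpduUMTnrn [89.78.49.127] <abc@example.com> -> <cde@example.com>,<abc@example.com>
Aug 18 14:28:13 mail amavis[26966]: (26966-20) Blocked SPAM, [89.78.49.127] [98.78.49.111] <abc@example.com> -> <cde@example.com>,<abc@example.com>, Message-ID: <shortened@example.invalid>, mail_id: ZNHpduUMTnrn, Hits: 23.19, size: 2698, 5487 ms
"""

# POP login success line from mailboxd.log: account name and the client's IP.
AUTH_RE = re.compile(r"\[name=(?P<user>[^;]+);ip=(?P<ip>[^;]+);\] pop - user \S+ authenticated")
# amavis "Checking:" line: mail_id, originating IP, envelope sender.
CHECK_RE = re.compile(r"Checking: (?P<mail_id>\S+) \[(?P<ip>[^\]]+)\] <(?P<sender>[^>]*)> ->")


def authenticated_ips(mailboxd_text):
    """Map each account to the set of client IPs that successfully authenticated."""
    seen = defaultdict(set)
    for line in mailboxd_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            seen[m.group("user").lower()].add(m.group("ip"))
    return seen


def unauthenticated_local_senders(zimbra_text, auth_ips, local_domain):
    """Return (mail_id, sender, ip) for messages whose envelope sender is a local
    address but whose originating IP never authenticated as that account.
    Loopback is skipped because amavis is fed by the local Postfix instance."""
    findings = []
    for line in zimbra_text.splitlines():
        m = CHECK_RE.search(line)
        if not m:
            continue
        sender, ip = m.group("sender").lower(), m.group("ip")
        if not sender.endswith("@" + local_domain):
            continue  # external sender: not a spoof of a local identity
        if ip.startswith("127.") or ip in auth_ips.get(sender, set()):
            continue  # local relay hop or an IP this account really logged in from
        findings.append((m.group("mail_id"), sender, ip))
    return findings
```

In a real deployment you would also check Postfix's `sasl_username=` on the submission connection rather than POP logins alone, since a legitimate sender may authenticate only for SMTP; the IP comparison is a triage signal, not proof of compromise.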
