I found a few threads that contained similar zimbra.log messages, but no answers. How are they connecting, and what method are they using to send thousands of SPAM messages outbound? Is there a way to block this?
May 26 15:23:48 myhost saslauthd: zmpost: url='https://myserver.com:7071/service/admin/soap/' returned buffer->data=
'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="
7437"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_6970dfdcaeb aed5ca0a775fa8c96e1
f11d83d438_69643d33363a62613365326136312d376238352 d346462342d396662312d3038326334333462346439643b657 8703d31333a31323735303835
May 26 15:23:48 myhost saslauthd: auth_zimbra: email@example.com auth OK
May 26 15:23:48 myhost saslauthd: zmauth: authenticating against elected url 'https://myserver.com:7071/service/admin/soap/' ...
May 26 15:23:48 myhost postfix/smtpd: 885EF22827A: client=unknown[18.104.22.168], sasl_method=LOGIN, firstname.lastname@example.org
May 26 15:23:48 myhost postfix/smtpd: connect from unknown [22.214.171.124]
May 26 15:23:48 myhost postfix/smtpd: disconnect from unknown[126.96.36.199]
The result was thousands of emails being sent outbound, and ultimately getting blocked by major sites.
The IP address is from Nigeria (no surprise, since the SPAM content is similar to a variety of schemes asking for credit card info...)
The account had been compromised, and since disabled. But how can this be prevented? (And please don't say use better passwords, or block Nigeria.)
The connection could come from anywhere.
The admin GUI interface requires a user with admin privileges. This user did not. But it is my understanding that using the admin soap url will authorize on their behalf, and execute commands. This seems scripted, as if from a CLI interface. Are they using telnet, puTTY, or some other web based form to inject their command stream?
Please, I need help in understanding how this works.