Thread: Spammers break SMTP Auth of user Admin via soap?

  1. #1
    Join Date
    Apr 2007
    Location
    Italy, Verona
    Posts
    11
    Rep Power
    8

    Exclamation Spammers break SMTP Auth of user Admin via soap?

    Hi all,
    In these days spammers broke SMTP authentication and they're sending a lot of spam from my mail server.
    At first I noticed a lot of authentications of user admin:
    zimbra.log
    Code:
    Apr 27 18:11:22 lnxgateda saslauthd[31646]: zmauth: authenticating against elected url 'https://mail.ciebspa.it:7071/service/admin/soap/' ...
    Apr 27 18:11:22 lnxgateda saslauthd[31646]: zmpost: url='https://mail.xxxxxxxxxx.it:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="3403"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_f314449532eabd3a7b5c3266e7f1d9b618e0e30a_69643d33363a66613861303534392d306338652d343163302d626463632d3765303536623034613932633b6578703d31333a313330343039333438323531333b76763d313a303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Apr 27 18:11:22 lnxgateda saslauthd[31646]: auth_zimbra: admin auth OK
    Apr 27 18:11:23 lnxgateda postfix/smtpd[30107]: 080E429CC0E7: client=unknown[216.24.204.190], sasl_method=LOGIN, sasl_username=admin
    Apr 27 18:11:32 lnxgateda postfix/cleanup[30185]: 080E429CC0E7: message-id=<20110427161123.080E429CC0E7@mail.xxxxxxxxx.it>
    Apr 27 18:11:32 lnxgateda postfix/qmgr[7941]: 080E429CC0E7: from=<ememebercenter@ups.com>, size=6681, nrcpt=50 (queue active)
    Apr 27 18:11:32 lnxgateda postfix/smtpd[30107]: disconnect from unknown[216.24.204.190]
    Apr 27 18:11:32 lnxgateda amavis[32032]: (32032-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20110427T181132-32032: <ememebercenter@ups.com> -> <ljhill@aol.com>,<ljjjmarc@aol.com>,<ljlazard@aol.com>,<ljludy@aol.com>,<ljm0127@aol.com>,<ljmbsmlegal@aol.com>,<ljohnkj@aol.com>,<ljones1945@aol.com>,<ljonesdenise@aol.com>,<ljperez75@aol.com>,<ljrcwells@aol.com>,<ljs385@aol.com>,<ljones@boyshaven.org>,<ljhollenbeck@charter.net>,<ljr225@charter.net>,<ljhaley764@comcast.net>,<ljohn10557@comcast.net>,<ljmasil@cox.net>,<ljley@cs.com>,<ljschultz@dslextreme.com>,<ljoe19421@earthlink.com>,<ljkanofsky@gmail.com>,<ljnelson1989@gmail.com>,<ljpatron@gmail.com>,<ljkelly@granbury.com>,<ljgardner7@hotmail.com>,<ljl7joy@hotmail.com>,<ljlove21@hotmail.com>,<ljs510769@hotmail.com>,<ljs_designs@hotmail.com>,<ljredder@juno.com>,<l-j-scott@live.com>,<ljoesten@live.com>,<ljn0913@msn.com>,<ljohnson3@myway.com>,<ljmj@sumnet.tv>,<ljfuson71@yahoo.com>,<ljinjax@yahoo.com>,<ljlaa5@yahoo.com>,<ljmoore82@yahoo.com>,<ljnic22@yahoo....
    So I changed the password, but they still get "auth_zimbra: admin auth OK", so I deleted all the sessions of user admin (Account --> right click on admin --> Delete session), but they still send mail.
    So I created another user, I gave it admin privileges and I blocked the old user admin.

    How can I block this situation from the source?
    Zimbra vers:
    Release 7.0.1_GA_3105.RHEL5_64_20110304210645 CentOS5_64 FOSS edition.


    Thanks to all!

  2. #2
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    You should not, under any circumstances, have your Admin account accessible from any account external to your LAN (use a VPN). You should also enforce strong passwords: go to the COS in the Admin UI and look at the settings. There are also several threads in the forums if you'd like to search for them.
    Regards


    Bill


  3. #3
    Join Date
    Apr 2007
    Location
    Italy, Verona
    Posts
    11
    Rep Power
    8

    Default

    You're right, but now how can I block this attack? Is there a vulnerability in Zimbra?

  4. #4
    Join Date
    Apr 2007
    Location
    Italy, Verona
    Posts
    11
    Rep Power
    8

    Default

    I googled on the web and I didn't find any vulnerability. Any idea?

  5. #5
    Join Date
    Apr 2007
    Location
    Italy, Verona
    Posts
    11
    Rep Power
    8

    Default

    Can nobody help me?

  6. #6
    Join Date
    Apr 2011
    Posts
    28
    Rep Power
    4

    Default

    Have you restarted Zimbra after deleting the old account/password?

  7. #7
    Join Date
    Jun 2012
    Posts
    4
    Rep Power
    3

    Default

    Just ran into this same problem. I don't have 7071 in a VPN, but it is blocked by the firewall and the rules must be reloaded to gain access, so SSH to the firewall is needed to get access to port 7071.

    Anyone have any ideas on how to fix this?

  8. #8
    Join Date
    Oct 2009
    Location
    Dublin, IRELAND
    Posts
    712
    Rep Power
    7

    Default

    I don't think it is someone hitting your 7071 port directly. I think it is someone using the submission port on the server (587) to send emails. smtpd is authenticating through port 7071 using the credentials supplied.

    Do you use external auth to Active Directory or LDAP? And perhaps originally accepted a default password for the admin user created by Zimbra?

    It seems that for Global Admins the fallback to local authentication is ALWAYS ON to prevent lockout of the admin. Are you seeing a failed login just before the message you quoted, followed by the one you quoted? If you are, then the user is trying the admin account against the external auth source, failing the auth, and then falling back to the local auth on the Zimbra box and passing on that. Once they authenticate they can send emails.

    Check out this thread: http://www.zimbra.com/forums/adminis...rity-hole.html
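A defender-side check for the two patterns discussed in this thread: the admin account authenticating over SMTP AUTH from an address outside the LAN and then submitting a bulk message (post #1's log), and a failed authentication immediately followed by a successful one for the same user, which post #8 suggests is the external-auth-then-local-fallback sequence. This is an added example, not code from the thread or from Zimbra. The sample lines are constructed after the excerpt in post #1; the `auth failed` line format, the trusted network ranges and the recipient threshold are assumptions, and the finding names are mine.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample, modelled on the zimbra.log excerpt in post #1. The
# "auth failed" line uses a hypothetical format (not from the thread) to
# illustrate post #8's failed-external-auth-then-local-OK sequence; the
# last two lines are a constructed benign LAN submission for contrast.
SAMPLE_LOG = """\
Apr 27 18:11:21 lnxgateda saslauthd[31646]: auth_zimbra: admin auth failed
Apr 27 18:11:22 lnxgateda saslauthd[31646]: auth_zimbra: admin auth OK
Apr 27 18:11:23 lnxgateda postfix/smtpd[30107]: 080E429CC0E7: client=unknown[216.24.204.190], sasl_method=LOGIN, sasl_username=admin
Apr 27 18:11:32 lnxgateda postfix/qmgr[7941]: 080E429CC0E7: from=<ememebercenter@ups.com>, size=6681, nrcpt=50 (queue active)
Apr 27 18:20:01 lnxgateda postfix/smtpd[30110]: 1A2B3C4D5E6F: client=pc12.lan[192.168.1.12], sasl_method=LOGIN, sasl_username=mario
Apr 27 18:20:02 lnxgateda postfix/qmgr[7941]: 1A2B3C4D5E6F: from=<mario@example.org>, size=1200, nrcpt=1 (queue active)
"""

# Assumption: these are the office LAN ranges; anything else is "external".
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8")]

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SASL_RE = re.compile(TS + r"saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth (?P<result>OK|failed)")
SMTPD_RE = re.compile(TS + r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[]+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(TS + r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_ts(text):
    # syslog timestamps carry no year; that does not matter for short deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(lines, trusted_nets, admin_users=frozenset({"admin"}),
            max_rcpt=20, window_s=5):
    """Return a list of findings (dicts with a 'kind' key) describing
    suspicious authenticated submissions found in the given log lines."""
    findings = []
    last_fail = {}       # user -> time of the most recent failed auth
    session_by_qid = {}  # postfix queue id -> (user, client ip, external?)
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            user = m["user"]
            if m["result"] == "failed":
                last_fail[user] = ts
            elif user in last_fail and (ts - last_fail[user]).total_seconds() <= window_s:
                # failure immediately followed by success: post #8's fallback hypothesis
                findings.append({"kind": "fallback_after_failure", "user": user, "at": m["ts"]})
            continue
        m = SMTPD_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            external = not any(ip in net for net in trusted_nets)
            session_by_qid[m["qid"]] = (m["user"], str(ip), external)
            if m["user"] in admin_users and external:
                # admin credentials used for SMTP AUTH from outside the LAN
                findings.append({"kind": "admin_login_external", "user": m["user"],
                                 "ip": str(ip), "at": m["ts"]})
            continue
        m = QMGR_RE.match(line)
        if m and m["qid"] in session_by_qid:
            user, ip, external = session_by_qid[m["qid"]]
            nrcpt = int(m["nrcpt"])
            if external and nrcpt > max_rcpt:
                # the authenticated external session went on to submit a bulk message
                findings.append({"kind": "bulk_send", "user": user, "ip": ip,
                                 "nrcpt": nrcpt, "qid": m["qid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines(), TRUSTED_NETS):
        print(finding)
```

Run against a real zimbra.log, the `admin_login_external` finding is the one that confirms phoenix's point: firewalling 7071 does not help when the credentials arrive over port 587 and smtpd relays them to the admin SOAP endpoint itself. A `fallback_after_failure` hit for a global admin is the signal to check, per post #8, whether the account is being verified against the external directory and then accepted by the local Zimbra password, in which case the local password needs to be changed and made strong as well.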
