Thread: Hacked account sending spam

  1. #1
    Join Date
    Jun 2011
    Hacked account sending spam


    We had a user account sending spam through our Zimbra Server 7 server. The server is configured to block an account after 10 unsuccessful login attempts, but the cracker still got the password.

    The messages sent by the spammer had a sender with a domain different from the ones configured in Zimbra. Is there any way to block the sending of messages whose sender's domain is not configured in Zimbra?

    The following is the log generated at the spammer's login:

    Jun 1 00:17:20 mailserver postfix/smtpd[1075]: connect from unknown[]
    Jun 1 00:17:21 mailserver saslauthd[28352]: zmauth: authenticating against elected url '' ...
    Jun 1 00:17:21 mailserver saslauthd[28352]: zmpost: url='' returned buffer->data='<soap:Envelope xmlns:soap=""><soap:Header><context xmlns="urn:zimbra"><change token="2393"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_4a602a3a97f 18a0a88915d014f8da93c32b48002_69643d33363a32313366 393536622d653039622d346437342d626531642d3233363037 366661386665383b6578703d31333a31333037303731303431 3336393b76763d313a313b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Jun 1 00:17:21 mailserver saslauthd[28352]: auth_zimbra: spamuser auth OK
    Jun 1 00:17:21 mailserver postfix/smtpd[1075]: E737B778001: client=unknown[], sasl_method=PLAIN, sasl_username=spamuser

    2011-06-01 00:17:21,327 INFO [btpool0-255://] [ip=;] soap - AuthRequest

    2011-06-01 00:17:21,369 INFO [btpool0-255://] [;ip=;] security - cmd=Auth;; protocol=soap;


  2. #2
    Join Date
    Oct 2005
    USA, Canada and India

    You should research the following:

    Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

    man page: Postfix Configuration Parameters
    Enabling it may affect ALIASES sending email through SMTP AUTH, so please test and research before you apply it.
    It will fix the spammer problem for sure, but it may affect other things.

    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
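
An added example, not part of the thread: a Python sketch that pairs Postfix `sasl_username=` lines like the one in post #1 with the queue manager's `from=` lines for the same queue ID, to list authenticated logins that sent mail with an envelope sender domain the server does not host. The sample log lines, the IP addresses, the `corp.example` domain and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jun  1 00:17:21 mailserver postfix/smtpd[1075]: E737B778001: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=spamuser
Jun  1 00:17:21 mailserver postfix/qmgr[2200]: E737B778001: from=<promo@other.example>, size=2048, nrcpt=50 (queue active)
Jun  1 00:18:02 mailserver postfix/smtpd[1080]: A1B2C3D4E5F: client=unknown[192.0.2.20], sasl_method=PLAIN, sasl_username=alice
Jun  1 00:18:02 mailserver postfix/qmgr[2200]: A1B2C3D4E5F: from=<alice@corp.example>, size=900, nrcpt=1 (queue active)
Jun  1 00:19:10 mailserver postfix/qmgr[2200]: 0F0F0F0F0F0: from=<bounce@remote.example>, size=500, nrcpt=1 (queue active)
"""

LOCAL_DOMAINS = {"corp.example"}  # assumption: the domains hosted on this server

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+, sasl_method=\S+, sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def find_foreign_senders(log_text, local_domains):
    """Return {login: {sender_domain: message_count}} for SASL-authenticated
    messages whose envelope sender domain is not in local_domains."""
    login_by_queue = {}
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            login_by_queue[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        # pop() counts each queue ID once, even if qmgr logs it again on a retry.
        login = login_by_queue.pop(m.group(1), None)
        if login is None:
            continue  # no SASL login seen for this queue ID (e.g. inbound mail)
        domain = m.group(2).rpartition("@")[2].lower()
        if domain not in local_domains:
            hits[login][domain] += 1
    return {login: dict(domains) for login, domains in hits.items()}


if __name__ == "__main__":
    for login, domains in find_foreign_senders(SAMPLE_LOG, LOCAL_DOMAINS).items():
        print(login, domains)
```

Running it over existing mail logs before enabling a sender/login restriction also shows which legitimate accounts (aliases, for example) currently send with addresses that the restriction would reject.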
