
Thread: People spamming via my zimbra server

  1. #1

    People spamming via my zimbra server

    I am having so much spam going through my server that I cannot keep up with de-blacklisting.

    I don't understand how this is happening. I have restricted access to sending email via registered account logins and not MTA trusted networks.

    Here is the most recent spam sent via my zimbra server today:

    Jan 8 04:22:11 newmail postfix/qmgr[29990]: 98E4E1120431: from=<office@massory.lv>, size=2474, nrcpt=3 (queue active)
    Jan 8 06:49:01 newmail postfix/qmgr[29990]: 0C96011204D8: from=<office@massory.lv>, size=1818, nrcpt=3 (queue active)

    Jan 8 06:49:01 newmail amavis[8211]: (08211-16) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20120108T060644-08211: <office@massory.lv> -> <sgtkmitth@aol.com>,<serviicess@live.com>,<fiasalgill@yahoo.com> SIZE=1818

    Received: from mail.edited.com ([127.0.0.1]) by localhost (mail.edited.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Sun, 8 Jan 2012 06:49:01 -0500 (EST)
    Jan 8 06:49:01 newmail amavis[8211]: (08211-16) Checking: weSXnkG5+Lwk [38.99.171.107] <office@massory.lv> -> <edited@aol.com>,<edited@live.com>,<edited@yahoo.com>

    Jan 8 06:49:06 newmail amavis[8211]: (08211-16) FWD via SMTP: <office@massory.lv> -> <edited@aol.com>,<edited@live.com>,<edited@yahoo.com>,BODY=7BIT 250 2.6.0 Ok, id=08211-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4B3F411204D9

    Does anyone know what is happening here? I have to stop it, and I do not have this issue with my non-Zimbra servers.

    Thanks
    John

  2. #2

    It looks like one or more of your account passwords is compromised and someone is relaying spam using SMTP-AUTH, so you need to find out which account(s).
    Most of the time the spammer logs in as many times as possible, so you will see lots of login attempts.
    Run the following and see which account repeats itself a lot; chances are that is the account. All you need to do is change the password to something strong.

    tail -n 100000 /var/log/maillog | grep "sasl_username=" > /tmp/smtpauthlogins.txt

    If you want to search the older maillog.gz files, you can use zgrep.
    * The /tmp/smtpauthlogins.txt file will have your output.


    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
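
The grep above, extended as an added example (not Raj's command, not Zimbra tooling) into a few POSIX shell helpers that tally successful SMTP-AUTH logins per account and per account/client-IP pair, so the one account a spammer is reusing stands out. It runs over a handful of constructed maillog lines in the Postfix smtpd format quoted later in this thread; the usernames, queue IDs and addresses in the sample are made up (TEST-NET and RFC 1918 ranges).

```shell
#!/bin/sh
# Added example: tally Postfix SMTP-AUTH logins from a maillog so a single
# compromised account stands out. Not Zimbra's own tooling; the sample log
# lines below are constructed.

# "count user": how many authenticated sessions each account opened.
count_sasl_logins() {
    grep -h 'sasl_username=' -- "$@" \
      | sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# "count user ip": the same, split by client address, so one account that
# suddenly logs in from many unrelated networks is visible even at low volume.
count_sasl_by_ip() {
    grep -h 'sasl_username=' -- "$@" \
      | sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\([^ ,]*\).*/\2 \1/p' \
      | sort | uniq -c | sort -rn
}

# "nips user": number of distinct client addresses each account used.
sasl_distinct_ips() {
    count_sasl_by_ip "$@" | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Just the account with the most logins, for scripting.
top_sasl_user() {
    count_sasl_logins "$@" | head -n 1 | awk '{ print $2 }'
}

# Constructed sample in the format Zimbra's Postfix writes to /var/log/maillog.
# rosait appears 7 times from 4 different client addresses; alice and bob once.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 21 08:54:05 mail postfix/smtpd[13628]: 31A201A58001: client=unknown[192.168.0.191], sasl_method=LOGIN, sasl_username=rosait
Jan 21 08:55:10 mail postfix/smtpd[13628]: 4C2D11A58002: client=unknown[192.168.0.191], sasl_method=LOGIN, sasl_username=rosait
Jan 21 09:01:44 mail postfix/smtpd[13702]: 77A0F1A58003: client=mail.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=alice
Jan 21 09:02:00 mail postfix/smtpd[13702]: 7AB3C1A58004: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=rosait
Jan 21 09:02:03 mail postfix/smtpd[13702]: 7B1A21A58005: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=rosait
Jan 21 09:02:05 mail postfix/smtpd[13703]: 7C9031A58006: client=unknown[203.0.113.8], sasl_method=LOGIN, sasl_username=rosait
Jan 21 09:15:12 mail postfix/smtpd[13790]: 8E4011A58007: client=unknown[192.168.0.40], sasl_method=LOGIN, sasl_username=bob
Jan 21 09:20:00 mail postfix/smtpd[13790]: 8F0021A58008: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
Jan 21 09:30:00 mail postfix/smtpd[13800]: 9A1031A58009: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
Jan 21 09:31:00 mail postfix/smtpd[13801]: connect from unknown[203.0.113.9]
EOF

echo "== logins per account =="
count_sasl_logins "$SAMPLE_LOG"
echo "== logins per account and client IP =="
count_sasl_by_ip "$SAMPLE_LOG"
echo "== distinct client IPs per account =="
sasl_distinct_ips "$SAMPLE_LOG"
echo "most active SMTP-AUTH user: $(top_sasl_user "$SAMPLE_LOG")"
```

On a live box the same functions take the real file (`count_sasl_logins /var/log/maillog`) or a stream from rotated logs (`zcat /var/log/maillog-*.gz | count_sasl_logins -`). A high count on its own is not proof; compare the client addresses against where that user normally works before resetting the password, and keep the per-IP view, since a stolen credential used from a handful of foreign addresses is easier to spot there than in the raw total.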

  3. #3

    Quote Originally Posted by raj
    It looks like one or more of your account passwords is compromised and someone is relaying spam using SMTP-AUTH, so you need to find out which account(s).
    Most of the time the spammer logs in as many times as possible, so you will see lots of login attempts.
    Run the following and see which account repeats itself a lot; chances are that is the account. All you need to do is change the password to something strong.

    If you want to search the older maillog.gz files, you can use zgrep.
    * The /tmp/smtpauthlogins.txt file will have your output.


    Raj
    If the account was authenticated prior to sending, why wouldn't Zimbra log the account that sent the messages? Why would you have to guess based on login attempts? If they have the login user IDs and passwords, there wouldn't be that many attempts.

  4. #4

    Quote Originally Posted by jbuwa
    If the account was authenticated prior to sending why wouldn't zimbra log the account.
    It does; those are the lines my command will extract for you.
    PS: once the spammer is authenticated they can use ANY "FROM" address to send email; those are the lines you mentioned in your original post.
    You need to FIND the actual SMTP-AUTH user using my command.

    Why would you have to guess based on login attempts
    Not guessing; once you see a HUGE list of logins, you will KNOW.

    If they have the login userids and passwords there wouldn't be that many attempts.
    YES there will be. These are not the "failed" logins; these will be real successful logins which they are using to RELAY email. Once they have access they will try to log in AS MANY times as they can until you stop them.
    PS: generally they use many logins because they send emails out in bursts of 10-12 mails.

    Raj

  5. #5

    Quote Originally Posted by raj
    Not guessing; once you see a HUGE list of logins, you will KNOW.
    Just wanted to say a BIG thanks to Raj - you made my day, after getting into RBLs three times in the first day of running a new Zimbra install.

    I was pulling my hair out trying to find out how it was possible to relay through my server. Your grep suggestion (found through Google) made things clear, simple yet very effective: some account really was compromised, which I couldn't imagine, as the old server didn't have SASL authentication.

    Thanks again, I owe you a beer

  6. #6

    Glad to help

    Raj

  7. #7

    Email Spams

    After I ran the command:

    tail -n 100000 /var/log/mail.log | grep "sasl_username=" > /tmp/smtpauthlogins.txt

    I got the following. I went ahead and set a new password. Do you think there was a problem? Please explain the meaning of the output. Thank you so much in advance.

    Jan 21 08:54:05 mail postfix/smtpd[13628]: 31A201A58001: client=unknown[192.168.0.191], sasl_method=LOGIN, sasl_username=rosait
    Jan 21 16:46:02 mail postfix/smtpd[12650]: 05737212188: client=unknown[192.168.0.191], sasl_method=LOGIN, sasl_username=rosait
    Jan 21 16:47:30 mail postfix/smtpd[12650]: A8B15212188: client=unknown[192.168.0.191], sasl_method=LOGIN, sasl_username=rosait
    Jan 22 16:36:57 mail postfix/smtpd[18457]: A0B82212189: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 22 16:50:40 mail postfix/smtpd[24136]: A05E421218A: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 22 16:58:14 mail postfix/smtpd[27418]: 3A18721218A: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 22 17:00:02 mail postfix/smtpd[27697]: DABB621218A: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 22 17:00:38 mail postfix/smtpd[27697]: B1CA521218A: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 23 08:28:58 mail postfix/smtpd[20068]: B2D1721218A: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 23 12:13:54 mail postfix/smtpd[14810]: BDE1121218A: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 23 15:45:46 mail postfix/smtpd[4266]: AF85421218D: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 23 15:53:32 mail postfix/smtpd[7369]: 2DFAB21218D: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 23 15:56:16 mail postfix/smtpd[8735]: 0538721218D: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait
    Jan 23 16:32:46 mail postfix/smtpd[23754]: D8DAB212188: client=unknown[192.168.0.196], sasl_method=LOGIN, sasl_username=rosait

  8. #8

    You didn't give details as to what is happening. I assume you (like the original poster) are having spam sent through your Zimbra server? As to whether or not you have a problem, Raj is accurate. You'll see a TON of logins for a single user usually.

    Last time we had an issue there were 10k+ sasl_username entries for a single user account in our maillog. There were 225 entries for sasl_username for all other users combined.
    ---
    Paul Chauvet
    State University of New York at New Paltz

  9. #9

    Thank you chauvetp for your quick reply. My problem was that I noticed my server is getting listed across the globe for sending spam emails. The daily report does not give me any suggestion of irregular activity; after I tried what was suggested above, I pasted the output above. I don't have an interpretation of the above, and also I am not sure whether changing the user's password will do any good.

    Thank you again.

    Bernard

    Kenya is a beautiful Country.

  10. #10

    I would recommend looking at the "Daily Mail Report" messages that are sent by default to the Admin user on Zimbra. They have a "top 50 Senders by message count" section which may shed light on which user(s) may be compromised.

    Once you find a suspected user, look through /var/log/maillog for the addresses they are sending to and the IP addresses their connections are coming from.
    ---
    Paul Chauvet
