Thread: got treated like a spam relay

  1. #1
    Join Date: Jan 2008
    got treated like a spam relay


    Running 6.0.12_GA on one customer site.

    On the 28th of April we seem to have been compromised.
    I would be surprised if anyone guessed our admin@ password;
    it is 10 characters of uppercase/lowercase/numbers.

    In the logs, this: batch requests (I changed the domain name)

    2012-04-28 02:20:52,918 INFO [btpool0-14://localhost/service/soap/AuthRequest] [oip=;ua=zclient/6.0.12_GA_2883;] soap - AuthRequest
    2012-04-28 02:20:53,805 INFO [btpool0-14://localhost/service/soap/AuthRequest] [oip=;ua=zclient/6.0.12_GA_2883;] soap - AuthRequest
    2012-04-28 02:20:53,842 INFO [btpool0-14://localhost:7071/service/admin/soap/GetDomainInfoRequest] [ip=;] soap - GetDomainInfoRequest
    2012-04-28 02:20:53,864 INFO [btpool0-14://localhost:7071/service/admin/soap/GetDomainInfoRequest] [ip=;] soap - GetDomainInfoRequest
    2012-04-28 02:20:53,914 INFO [btpool0-14://localhost:7071/service/admin/soap/GetDomainInfoRequest] [ip=;] soap - GetDomainInfoRequest
    2012-04-28 02:20:54,011 INFO [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.4 1.251;ua=zclient/6.0.12_GA_2883;] soap - BatchRequest
    2012-04-28 02:20:54,011 INFO [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.4 1.251;ua=zclient/6.0.12_GA_2883;] soap - (batch) GetInfoRequest
    2012-04-28 02:20:54,179 WARN [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.4 1.251;ua=zclient/6.0.12_GA_2883;] zimlet - Zimlet not found: /opt/zimbra/zimlets-deployed/com_zimbra_local
    2012-04-28 02:20:54,403 WARN [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.4 1.251;ua=zclient/6.0.12_GA_2883;] zimlet - cannot find zimlet com_zimbra_local
    2012-04-28 02:20:54,548 INFO [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.4 1.251;ua=zclient/6.0.12_GA_2883;] soap - (batch) SearchRequest

    And in the admin@mail.domain sent items: spam, lots of it; see attached image.
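As an added example (not from the post and not Zimbra's own tooling), here is a small Python parser for mailbox.log SOAP lines in the format quoted above; it flags requests made by a watched account (here the admin account) from an originating IP (the `oip=` field) that is not on an allowlist. The sample lines, addresses and the watched account name are constructed, not taken from a real site.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Zimbra mailbox.log SOAP format quoted in the post.
# Hostnames, the admin account and all IP addresses are made up for this example.
SAMPLE_LOG = """\
2012-04-28 02:20:52,918 INFO [btpool0-14://localhost/service/soap/AuthRequest] [oip=;ua=zclient/6.0.12_GA_2883;] soap - AuthRequest
2012-04-28 02:20:54,011 INFO [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.41.251;ua=zclient/6.0.12_GA_2883;] soap - BatchRequest
2012-04-28 02:20:54,548 INFO [btpool0-14://localhost/service/soap/BatchRequest] [name=admin@mail.hidden.domain;mid=85;oip=192.168.41.251;ua=zclient/6.0.12_GA_2883;] soap - (batch) SearchRequest
2012-04-28 09:15:01,100 INFO [btpool0-3://localhost/service/soap/GetInfoRequest] [name=admin@mail.hidden.domain;mid=85;oip=10.0.0.5;ua=zclient/6.0.12_GA_2883;] soap - GetInfoRequest
"""

# timestamp, level, [handler], [key=value;...], component - message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<handler>[^\]]*)\] "
    r"\[(?P<ctx>[^\]]*)\] (?P<component>\S+) - (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one mailbox.log line into a dict; the bracketed context becomes a dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ctx = {}
    for kv in rec.pop("ctx").split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            ctx[key] = value
    rec["ctx"] = ctx
    return rec


def find_unexpected_sources(log_text, watched_accounts, allowed_ips):
    """Return {account: {oip: [timestamps]}} for SOAP requests by a watched account
    whose originating IP is not in allowed_ips (lines without a name are skipped)."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["ctx"].get("name")
        oip = rec["ctx"].get("oip")
        if name in watched_accounts and oip and oip not in allowed_ips:
            hits[name][oip].append(rec["ts"])
    return {name: dict(ips) for name, ips in hits.items()}
```

Point it at a real mailbox.log with the site's admin accounts and the management subnet as the allowlist; each reported oip is a session to investigate and a candidate for blocking at the proxy.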

  2. #2
    Join Date: Feb 2012
    Las Vegas

    Is that one of the valid internal IPs on that network?

    There are a lot of Windows trojans that sniff for logins. Is there any possibility that one of the machines the admin may have logged in from was either compromised and had a keylogger installed, or had the password stored in the browser?
