Thread: SPAM relay help, SASL auth'ing

#1 (Join Date: Feb 2008, Location: Tennessee)

    It's happening right now, to my account, and so far we've not been able to stop it. We've restarted Zimbra, changed passwords, etc...

    /var/log/zimbra.log
    Sep 26 18:53:20 mail postfix/smtpd[20893]: connect from unknown[116.193.158.138]
    Sep 26 18:53:21 mail postfix/smtpd[11197]: 18E3E40BE420: client=60-249-165-131.HINET-IP.hinet.net[60.249.165.131], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 18:53:21 mail postfix/cleanup[11201]: 18E3E40BE420: message-id=<OUTLOOK-IDM-80b74662-f4a0-a9ec-afee-d89553defab1@trml-1>

    Active Directory authentication, Zimbra zcs-NETWORK-7.1.1_GA_3196.RHEL5_64.20110527001604, CentOS 5.8 x86_64.

    Suggestions? What should we look for? They're connecting in and apparently auth'ing as me and then sending out tons of SPAM. I'm getting tons of bounce messages back. We've not been blacklisted anywhere yet but I figure that's next. We've confirmed from some of the headers in the bounced emails that the spam is originating here, not some other open relay with my address as the from:

    Thanks.

    PS. OS was not fully updated, "yum update" is upgrading cyrus-sasl from 2.1.22-5 to 2.1.22-7 now. Not sure if related or not...

#2 (Join Date: Feb 2008, Location: Tennessee)

    CentOS is fully updated now and the server rebooted for good measure. My password has been changed to a complex one I've never used a variant of anywhere. I don't log in from any Windows PCs, so I'm moderately confident I'm not being keylogged or anything of that sort... When I do log in to the Zimbra webmail interface this type of sasl_username message does not appear in the logs. Neither when I send an email. So I'm not sure what is even causing these log entries, or what type of access to the server. Other than something to relay SPAM, that is...

    Overnight last night:

    Sep 26 19:59:36 mail postfix/smtpd[18505]: B64B040BE420: client=host162-160-static.89-94-b.business.telecomitalia.it[94.89.160.162], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:04:26 mail postfix/smtpd[21688]: 05BEC40BE420: client=host162-160-static.89-94-b.business.telecomitalia.it[94.89.160.162], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:23:05 mail postfix/smtpd[755]: 1838940BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:27:57 mail postfix/smtpd[3667]: 1293540BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:41:23 mail postfix/smtpd[12386]: 36CD940BE423: client=net-93-67-62-69.cust.dsl.vodafone.it[93.67.62.69], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 21:05:50 mail postfix/smtpd[27459]: 7D77840BE422: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 21:41:01 mail postfix/smtpd[17331]: 1FBEE40BE422: client=196.Red-79-148-114.staticIP.rima-tde.net[79.148.114.196], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 21:46:55 mail postfix/smtpd[20821]: 947F740BE424: client=196.Red-79-148-114.staticIP.rima-tde.net[79.148.114.196], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 22:31:22 mail postfix/smtpd[16253]: 09B9040BE422: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 22:34:02 mail postfix/smtpd[17857]: CCE4340BE424: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 27 03:30:11 mail postfix/smtpd[10492]: F0F6340BE422: client=203-59-129-176.perm.iinet.net.au[203.59.129.176], sasl_method=LOGIN, sasl_username=myusername@mydomain.com

    Firewall is configured to allow only the following access to the mail server:

    PORT STATE SERVICE
    25/tcp open smtp
    80/tcp open http
    443/tcp open https
    465/tcp open smtps
    993/tcp open imaps

#3 (Join Date: Feb 2008, Location: Tennessee)

    Well after some checking we at least now know that log entries like this result from "auth before smtp". Employees using Apple mail.app and/or Thunderbird are producing the same types of entries. Outlook/ZCO and/or webmail users do not.

    With a fair amount of confidence, these connections are not supplying my current active directory password. So what is happening? It would seem that they've discovered a way to bypass and/or spoof that authentication. Thoughts? Has nobody dealt with anything like this before?
    Last edited by wdingus; 09-27-2012 at 06:11 AM. Reason: misspelling

#4 (Join Date: Aug 2009, Location: Bulgaria)

    Quote Originally Posted by wdingus:
    Well after some checking we at least now know that log entries like this result from "auth before smtp". Employees using Apple mail.app and/or Thunderbird are producing the same types of entries. Outlook/ZCO and/or webmail users do not.

    With a fair amount of confidence, these connections are not supplying my current active directory password. So what is happening? It would seem that they've discovered a way to bypass and/or spoof that authentication. Thoughts? Has nobody dealt with anything like this before?
    I have had 3 cases in 1 week where people got their accounts compromised, all on Zimbra servers (3 different ones), producing a lot of spam. The clients seemed to authenticate as well.

#5 (Join Date: Dec 2007, Location: Guelph, On)

    Resolution to this?

    We're seeing something which MAY be the same symptoms. Was there ever a resolution or a fix/workaround? Thanks!
    Gerrit Bos
    CCS, U. of Guelph
    Ontario, Canada

#6 (Join Date: May 2009, Location: Lima, Peru)

    Hi,
    We had this issue too with our NETWORK-7.1.4_GA_2555.UBUNTU10_64 (cs-patch-7.1.4_GA_2568) installation.
    Before calling support we decided to update to NETWORK-7.2.1_GA_2790.UBUNTU10_64 because of the security updates, updated Java/Tomcat etc...
    Spammers were still able to INJECT email and send it through our system (200,000 messages). This pushed us to make an UPGRADE to NETWORK-8.0.0_GA_5434.UBUNTU10_64 because it was a recommended update due to security updates (BTW, I was not able to find a list of those updates anywhere). We also decided to close (temporarily) any kind of access to our server other than the webmail interface.

    After this, the problem stopped. We had no need to open a ticket with support, and we have been monitoring our system closely to see if the issue appears again.

    About v8, we got a lot of complaints about the new interface and some missing features, but that's something else. I expected that version NETWORK-7.2.1_GA_2790.UBUNTU10_64 would solve these issues, but it seems that it did not.

    I only found two issues that may have caused this: one is an XSS and the other is a Java security issue.

    We are expecting 8.1 or something to fix other issues.

    Hope this helps.

    Eduardo
    Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.
