Thread: [Help] Spam Attack on my ZIMBRA server.

  1. #1
    Dear Guys,

    Recently I have been experiencing an issue with my ZIMBRA. "Someone" from outside, using random "PUBLIC IPs", enters and successfully authenticates into
    my ZIMBRA and has started to send spam mails through this username: "whchoy" (as shown in the quote below). I am not able to determine where this attacker is from. This username "whchoy" is valid in our database. Not sure if this was sent via a "BOT". Is there any way I can block or prevent such an incident from happening? Even as I type now, the attack is still ongoing... Hope to hear from you guys soon. Appreciate your assistance. Thank you.

    Oct 31 13:52:35 mail postfix/smtpd[13404]: connect from unknown[113.19.211.114]
    Oct 31 13:52:37 mail saslauthd[5142]: zmauth: authenticating against elected url 'https://mail.abc.com.my:7071/service/admin/soap/' ...
    Oct 31 13:52:37 mail saslauthd[5142]: zmpost: url='https://mail.abc.com.my:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="68491"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_3b538077459 5f92d005b24c10d8faafd1187ff1a_69643d33363a31313735 653533622d343139342d343235662d626633302d6665366265 323235663731333b6578703d31333a31333531383335353537 3530333b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172799999</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Oct 31 13:52:37 mail saslauthd[5142]: auth_zimbra: whchoy auth OK
    Oct 31 13:52:38 mail postfix/smtpd[13404]: D1E374B8368: client=unknown[113.19.211.114], sasl_method=LOGIN, sasl_username=whchoy
    Oct 31 13:52:39 mail postfix/cleanup[15735]: D1E374B8368: message-id=<20121031055238.D1E374B8368@mail.abc.com.my>
    Oct 31 13:52:39 mail postfix/qmgr[12130]: D1E374B8368: from=<whchoy@abc.com.my>, size=619, nrcpt=1 (queue active)
    Oct 31 13:52:39 mail amavis[15816]: (15816-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121031T135156-15816: <whchoy@abc.com.my> -> <chb3@frontiernet.net> SIZE=619 Received: from mail.abc.com.my ([127.0.0.1]) by localhost (mail.abc.com.my [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <chb3@frontiernet.net>; Wed, 31 Oct 2012 13:52:39 +0800 (MYT)
    Oct 31 13:52:39 mail amavis[15816]: (15816-02) Checking: Yai3feXlb3nM [113.19.211.114] <whchoy@abc.com.my> -> <chb3@frontiernet.net>
    Oct 31 13:52:39 mail amavis[15816]: (15816-02) Open relay? Nonlocal recips but not originating: chb3@frontiernet.net
    Oct 31 13:52:40 mail postfix/smtpd[13404]: disconnect from unknown[113.19.211.114]
    Oct 31 13:52:40 mail postfix/smtpd[14544]: 8FE4F4B8516: client=localhost.localdomain[127.0.0.1]
    Oct 31 13:52:40 mail postfix/cleanup[14243]: 8FE4F4B8516: message-id=<20121031055238.D1E374B8368@mail.abc.com.my>
    Oct 31 13:52:40 mail opendkim[2952]: 8FE4F4B8516: DKIM-Signature header added (s=default, d=abc.com.my)
    Oct 31 13:52:40 mail postfix/smtpd[14544]: disconnect from localhost.localdomain[127.0.0.1]
    Oct 31 13:52:40 mail postfix/qmgr[12130]: 8FE4F4B8516: from=<whchoy@abc.com.my>, size=1098, nrcpt=1 (queue active)
    Oct 31 13:52:40 mail amavis[15816]: (15816-02) FWD via SMTP: <whchoy@abc.com.my> -> <chb3@frontiernet.net>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FE4F4B8516
    Oct 31 13:52:40 mail amavis[15816]: (15816-02) Passed CLEAN, [113.19.211.114] [113.19.211.114] <whchoy@abc.com.my> -> <chb3@frontiernet.net>, Message-ID: <20121031055238.D1E374B8368@mail.abc.com.my>, mail_id: Yai3feXlb3nM, Hits: -4.358, size: 619, queued_as: 8FE4F4B8516, 855 ms
    Oct 31 13:52:40 mail postfix/smtp[15709]: D1E374B8368: to=<chb3@frontiernet.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0/0.85, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FE4F4B8516)
    Oct 31 13:52:40 mail postfix/qmgr[12130]: D1E374B8368: removed
    Oct 31 13:52:42 mail postfix/smtp[15341]: 8FE4F4B8516: to=<chb3@frontiernet.net>, relay=mx.frontiernet.net[66.133.129.79]:25, delay=1.7, delays=0.05/0/0.92/0.78, dsn=5.0.0, status=bounced (host mx.frontiernet.net[66.133.129.79] said: 550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. (in reply to RCPT TO command))
    Oct 31 14:12:41 mail postfix/smtpd[10017]: connect from unknown[183.80.108.114]
    Oct 31 14:12:43 mail saslauthd[5142]: zmauth: authenticating against elected url 'https://mail.abc.com.my:7071/service/admin/soap/' ...
    Oct 31 14:12:43 mail saslauthd[5142]: zmpost: url='https://mail.abc.com.my:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="68588"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_2b3428fecfe d821040d64603beadf57d79915ccd_69643d33363a31313735 653533622d343139342d343235662d626633302d6665366265 323235663731333b6578703d31333a31333531383336373633 3833363b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Oct 31 14:12:43 mail saslauthd[5142]: auth_zimbra: whchoy auth OK
    Oct 31 14:12:45 mail postfix/smtpd[10017]: 68D584B8526: client=unknown[183.80.108.114], sasl_method=LOGIN, sasl_username=whchoy
    Oct 31 14:12:46 mail postfix/cleanup[24289]: 68D584B8526: message-id=<20121031061245.68D584B8526@mail.abc.com.my>
    Oct 31 14:12:46 mail postfix/qmgr[12130]: 68D584B8526: from=<whchoy@abc.com.my>, size=898, nrcpt=1 (queue active)
    Oct 31 14:12:46 mail amavis[26166]: (26166-04) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121031T141007-26166: <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com> SIZE=898 BODY=8BITMIME Received: from mail.abc.com.my ([127.0.0.1]) by localhost (mail.abc.com.my [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <rterrenate_68@yahoo.com>; Wed, 31 Oct 2012 14:12:46 +0800 (MYT)
    Oct 31 14:12:46 mail amavis[26166]: (26166-04) Checking: yVv8xymH8-pE [183.80.108.114] <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com>
    Oct 31 14:12:46 mail amavis[26166]: (26166-04) Open relay? Nonlocal recips but not originating: rterrenate_68@yahoo.com
    Oct 31 14:12:47 mail postfix/smtpd[24639]: connect from localhost.localdomain[127.0.0.1]
    Oct 31 14:12:47 mail postfix/smtpd[24639]: 4771A4B852B: client=localhost.localdomain[127.0.0.1]
    Oct 31 14:12:47 mail postfix/cleanup[24301]: 4771A4B852B: message-id=<20121031061245.68D584B8526@mail.abc.com.my>
    Oct 31 14:12:47 mail opendkim[2952]: 4771A4B852B: DKIM-Signature header added (s=default, d=abc.com.my)
    Oct 31 14:12:47 mail postfix/smtpd[24639]: disconnect from localhost.localdomain[127.0.0.1]
    Oct 31 14:12:47 mail postfix/qmgr[12130]: 4771A4B852B: from=<whchoy@abc.com.my>, size=1383, nrcpt=1 (queue active)
    Oct 31 14:12:47 mail amavis[26166]: (26166-04) FWD via SMTP: <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4771A4B852B
    Oct 31 14:12:47 mail amavis[26166]: (26166-04) Passed CLEAN, [183.80.108.114] [183.80.108.114] <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com>, Message-ID: <20121031061245.68D584B8526@mail.abc.com.my>, mail_id: yVv8xymH8-pE, Hits: -4.175, size: 898, queued_as: 4771A4B852B, 826 ms
    Oct 31 14:12:47 mail postfix/smtp[24993]: 68D584B8526: to=<rterrenate_68@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.4, delays=1.6/0/0/0.83, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4771A4B852B)
    Oct 31 14:12:47 mail postfix/qmgr[12130]: 68D584B8526: removed
    Oct 31 14:12:47 mail postfix/smtpd[10017]: disconnect from unknown[183.80.108.114]

  2. #2

    Did you reset the password of user whchoy? If not, reset it immediately and set a strong password for it. It may be that the user whchoy is using a very simple password. This happened to me too. What I did was disable the account temporarily, create another account with a different id for the same user and then add an alias.

  3. #3

    Quote Originally Posted by yasanthau View Post
    Did you reset the password of user whchoy? If not, reset it immediately and set a strong password for it. It may be that the user whchoy is using a very simple password. This happened to me too. What I did was disable the account temporarily, create another account with a different id for the same user and then add an alias.
    Hi, thanks for your advice.
    Ever since you changed to the strong password, did you still experience the same username attack?
    Is there a permanent solution that you can advise?

  4. #4

    Yes, for some time, but auth failed thereafter. At the same time I put up an iptables firewall and blocked the whole IP ranges where the attack came from. I followed some of the guidelines given in the link Improving Anti-spam system - Zimbra :: Wiki

  5. #5

    Quote Originally Posted by yasanthau View Post
    Yes, for some time, but auth failed thereafter. At the same time I put up an iptables firewall and blocked the whole IP ranges where the attack came from. I followed some of the guidelines given in the link Improving Anti-spam system - Zimbra :: Wiki
    Thanks for your advice.
    After the spamming issue, my MTA currently has a poor reputation. Do you know how to increase my MTA reputation? Kindly advise.

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by wcpon View Post
    After the spamming issue, my MTA currently has a poor reputation,
    What exactly do you mean by 'poor reputation'?

    Quote Originally Posted by wcpon View Post
    .. do you know how to increase my MTA reputation? Kindly advise.
    If you're talking about being on an RBL then you need to contact the maintainer of the RBL and get your server removed (check the RBL for requirements).
    Regards
    Bill

  7. #7

    Quote Originally Posted by phoenix View Post
    What exactly do you mean by 'poor reputation'?

    If you're talking about being on an RBL then you need to contact the maintainer of the RBL and get your server removed (check the RBL for requirements).
    Yes, I already contacted the maintainer. Now it is working fine. Thanks.
    What is the permanent solution that you can advise for this spamming attack on my Zimbra server?

  8. #8

    There are some important tips in my thread http://www.zimbra.com/forums/adminis...ra-server.html
    See the links under Yves Pires' reply.
