
Thread: SPAM attack through the SOAP protocol??

  1. #1
    Join Date
    Oct 2010
    Posts
    3
    Rep Power
    4

    SPAM attack through the SOAP protocol??.
    The IP is not in trusted_networks.


    Here I copy a sequence of actions
    /opt/zimbra/log/mailbox.log


    2013-04-04 05:05:00,432 INFO [btpool0-3://localhost/service/soap/GetInfoRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - GetInfoRequest
    2013-04-04 05:05:01,152 INFO [btpool0-3://localhost/service/soap/SearchRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SearchRequest
    2013-04-04 05:05:02,677 INFO [btpool0-3://localhost/service/soap/GetAvailableSkinsRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - GetAvailableSkinsRequest
    2013-04-04 05:05:58,431 INFO [btpool0-2://localhost/service/soap/SearchRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SearchRequest
    2013-04-04 05:06:42,977 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
    2013-04-04 05:06:42,999 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] smtp - Sending message to MTA at srv-mail.test.com: Message-ID=<746491801.6.1365062802996.JavaMail.root@srv-mail.test.com>, replyType=r
    2013-04-04 05:07:10,551 INFO [btpool0-3://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
    2013-04-04 05:07:57,920 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
    2013-04-04 05:07:57,943 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] smtp - Sending message to MTA at srv-mail.test.com: Message-ID=<115923247.12.1365062877940.JavaMail.root@srv-mail.test.com>, replyType=r
    2013-04-04 05:13:09,506 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
    2013-04-04 05:13:09,934 INFO [LmtpServer-516] [name=atencionalcliente@test.com;mid=302;ip=10.100.48.2;] mailop - Adding Message: id=36762, Message-ID=<20130404081209.EECF3198E75F@smtp-bsf2.o1.com>, parentId=36723, folderId=2, folderName=Inbox.


    I stopped for now with this:

    blacklist_from atencionalcliente@test.com

    body LOCAL_RULE /IMPORTANT CONSIGNMENT DELIVERY/ #this is subject of message
    score LOCAL_RULE 5.5



    Is there any fix or setting to prevent this exploit?

    Thanks.

  2. #2
    Join Date
    Jul 2007
    Location
    Baltimore
    Posts
    1,649
    Rep Power
    11

    Find out who has mailbox id 302 and change their password; the attacker is using that.

  3. #3
    Join Date
    May 2007
    Location
    Indonesia
    Posts
    149
    Rep Power
    8

    And to prevent this exploit, enforce a strong password combination for all users (set it via Class of Services | Advanced) and then force all users to change their password.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.
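
The log in the first post shows one mailbox issuing repeated SendMsgRequest calls from an address outside the server's own networks. As an added example (not code from any poster or from Zimbra), this Python sketch counts SOAP sends per account and source IP in mailbox.log-style lines and reports the untrusted sources; the TRUSTED networks, the threshold and the user2@test.com line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks from which SOAP sends are expected (not from the thread).
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Context block of a mailbox.log line: [name=...;mid=...;ip=...;ua=...;]
CTX = re.compile(r"\[name=(?P<name>[^;]+);mid=(?P<mid>\d+);ip=(?P<ip>[^;]+);")

def external_soap_senders(lines, threshold=2):
    """Return {(name, mid, ip): count} for untrusted IPs with >= threshold SOAP sends."""
    hits = Counter()
    for line in lines:
        if not line.rstrip().endswith("soap - SendMsgRequest"):
            continue  # skip other SOAP calls and the paired "smtp -" hand-off line
        m = CTX.search(line)
        if not m:
            continue
        try:
            # Pasted logs may have the address split by wrapping ("94.78.8 4.35").
            ip = ipaddress.ip_address(m["ip"].replace(" ", ""))
        except ValueError:
            continue  # unparseable address: ignore the line
        if not any(ip in net for net in TRUSTED):
            hits[(m["name"], int(m["mid"]), str(ip))] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample, modelled on the log lines in the first post.
SAMPLE = """\
2013-04-04 05:05:01,152 INFO [btpool0-3://localhost/service/soap/SearchRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SearchRequest
2013-04-04 05:06:42,977 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
2013-04-04 05:06:42,999 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] smtp - Sending message to MTA at srv-mail.test.com: Message-ID=<746491801.6.1365062802996.JavaMail.root@srv-mail.test.com>, replyType=r
2013-04-04 05:07:10,551 INFO [btpool0-3://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.8 4.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
2013-04-04 05:07:57,920 INFO [btpool0-0://localhost/service/soap/SendMsgRequest] [name=atencionalcliente@test.com;mid=302;ip=94.78.84.35;ua=zclient/6.0.16_GA_2998;] soap - SendMsgRequest
2013-04-04 05:08:30,100 INFO [btpool0-1://localhost/service/soap/SendMsgRequest] [name=user2@test.com;mid=17;ip=10.100.48.2;ua=ZimbraWebClient;] soap - SendMsgRequest
""".splitlines()

if __name__ == "__main__":
    for (name, mid, ip), n in external_soap_senders(SAMPLE).items():
        print(f"{name} (mid={mid}): {n} SOAP sends from untrusted IP {ip}")
```

The name= field in each line already identifies the account behind mid=302, so the report names the mailbox whose password needs changing.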
