Thread: Prevent Spammer Changing Reply-To Address & Signature

  1. #1
    Join Date
    May 2007
    Location
    Indonesia
    Posts
    149
    Rep Power
    8

    Prevent Spammer Changing Reply-To Address & Signature

    Hi,

    We have some clients whose Zimbra servers are sending a large amount of messages, possibly due to a compromised account. The spammer performs the following spamming actions:

    1. Change account identity
    2. Change Reply-to address
    3. Change Signature
    4. Create draft messages
    5. Send a large amount of spam messages

    We have enforced strong passwords, but it seems some account profiles still got hacked. I don't know where the spammer came from. Is it possible they are spoofing Zimbra Admin (which can be opened from outside), or does this mean they came from webmail (which uses https by default)?

    Also, is it possible to prevent the spammer from changing the reply-to address and signature by disallowing user preferences in the Class of Service, or are there any tips to prevent user preference modification?
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  2. #2
    Join Date
    Apr 2008
    Location
    New Paltz, NY
    Posts
    336
    Rep Power
    7

    Most likely you have users falling for phishing scams, or users with keylogger viruses on their computers. If they are changing the reply-to settings they are almost surely logging in via the webmail, but you can verify logins (and their source IP/method/etc.) in /opt/zimbra/log/audit.log.

    I'm not aware of a way to change permissions to block the reply-to/signature issue. Doing so won't stop them from sending spam from a compromised account though and would be overlooking the real issue (how the accounts are getting compromised).

    P.S. Your admin port (7071) should be blocked to the general internet and only allowed through specific IPs (for outside use a VPN is recommended). Even if you don't find that the admin access is how spammers are getting to accounts, I would still strongly recommend blocking outside admin port access.
    ---
    Paul Chauvet
    State University of New York at New Paltz
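
    The login check suggested in reply #2, as an added example that is not part of either post: it summarizes `cmd=Auth` entries from `/opt/zimbra/log/audit.log` per account and lists accounts whose successful logins came from many source addresses. The `key=value;` line layout, the `oip`/`ip` fields and the `max_ips` threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=([^;]*);")  # key=value; pairs (assumed audit.log layout)

def parse_auth(line):
    """Return (account, source_ip, protocol, succeeded) for a cmd=Auth line, else None."""
    kv = dict(FIELD.findall(line))
    if kv.get("cmd") != "Auth" or "account" not in kv:
        return None
    # Assumption: oip is the client address passed on by the proxy, ip the direct peer.
    src = kv.get("oip") or kv.get("ip") or "unknown"
    return kv["account"], src, kv.get("protocol", "?"), "error" not in kv

def summarize(lines):
    """Per account: IPs and protocols of successful logins, plus the failure count."""
    stats = defaultdict(lambda: {"ips": set(), "protocols": set(), "failures": 0})
    for line in lines:
        rec = parse_auth(line)
        if rec is None:
            continue
        account, src, proto, ok = rec
        if ok:
            stats[account]["ips"].add(src)
            stats[account]["protocols"].add(proto)
        else:
            stats[account]["failures"] += 1
    return dict(stats)

def suspects(stats, max_ips=2):
    """Accounts whose successful logins came from more than max_ips addresses."""
    return sorted(a for a, s in stats.items() if len(s["ips"]) > max_ips)

def _line(account, oip, error=""):
    # Builds one constructed log line; addresses come from documentation ranges.
    return ("2014-01-15 08:01:12,101 INFO  [qtp1-10:https://192.0.2.10:443/service/soap/AuthRequest] "
            f"[name={account};oip={oip};ua=ZimbraWebClient - FF26 (Win);] "
            f"security - cmd=Auth; account={account}; protocol=soap;{error}")

SAMPLE = [
    _line("alice@example.com", "198.51.100.7"),
    _line("alice@example.com", "198.51.100.7"),
    _line("bob@example.com", "203.0.113.50", " error=authentication failed for [bob], invalid password;"),
    _line("bob@example.com", "203.0.113.50"),
    _line("bob@example.com", "203.0.113.51"),
    _line("bob@example.com", "203.0.113.52"),
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for account in suspects(stats):
        print(account, sorted(stats[account]["ips"]), "failures:", stats[account]["failures"])
```

    To run it on a real server, pass the lines of the audit log to `summarize()` in place of `SAMPLE` and pick `max_ips` to match how your users normally roam.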
