Thread: ZCS 7.0.1 spam attack - changing password, signatures

  1. #1 (Join Date: Jun 2014, Posts: 5)

    ZCS 7.0.1 spam attack - changing password, signatures

    Dear Gurus,

    URGENT Please help

    I have installed Zimbra version 7.0.1. For the past 3 days users' passwords and signatures have been compromised, and thousands of spam messages are being generated continuously from their accounts. The logs are as follows:

    Jun 21 04:03:41 node1 postfix/smtpd[6615]: connect from unknown[192.168.1.3]
    Jun 21 04:03:41 node1 postfix/smtpd[6615]: 5A4442DA033B: client=unknown[192.168.1.3]
    Jun 21 04:03:41 node1 postfix/cleanup[5750]: 5A4442DA033B: message-id=<01.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: 5A4442DA033B: from=<>, size=4775, nrcpt=1 (queue active)
    Jun 21 04:03:41 node1 amavis[3310]: (03310-15) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140621T035602-03310: <> -> <trk@ccmb.res.in> SIZE=4775 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <trk@ccmb.res.in>; Sat, 21 Jun 2014 04:03:41 +0530 (IST)
    Jun 21 04:03:41 node1 postfix/smtpd[6615]: 5F96A4538002: client=unknown[192.168.1.3]
    Jun 21 04:03:41 node1 postfix/cleanup[4844]: 5F96A4538002: message-id=<31.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: 5F96A4538002: from=<>, size=4767, nrcpt=1 (queue active)
    Jun 21 04:03:41 node1 amavis[4041]: (04041-06) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140621T035740-04041: <> -> <trk@ccmb.res.in> SIZE=4767 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <trk@ccmb.res.in>; Sat, 21 Jun 2014 04:03:41 +0530 (IST)
    Jun 21 04:03:41 node1 amavis[3310]: (03310-15) Checking: l1AZB1ZYav6I MYNETS [192.168.1.3] <> -> <trk@ccmb.res.in>
    Jun 21 04:03:41 node1 postfix/smtpd[6615]: 67AA74538003: client=unknown[192.168.1.3]
    Jun 21 04:03:41 node1 postfix/cleanup[5750]: 67AA74538003: message-id=<41.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: 67AA74538003: from=<>, size=4769, nrcpt=1 (queue active)
    Jun 21 04:03:41 node1 amavis[3455]: (03455-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140621T035625-03455: <> -> <trk@ccmb.res.in> SIZE=4769 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <trk@ccmb.res.in>; Sat, 21 Jun 2014 04:03:41 +0530 (IST)
    Jun 21 04:03:41 node1 amavis[4041]: (04041-06) Checking: 4Pz26N4gmcSG MYNETS [192.168.1.3] <> -> <trk@ccmb.res.in>
    Jun 21 04:03:41 node1 amavis[3455]: (03455-12) Checking: WH0thzW-gaNm MYNETS [192.168.1.3] <> -> <trk@ccmb.res.in>
    Jun 21 04:03:41 node1 postfix/smtpd[1771]: connect from localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 postfix/smtpd[1771]: A45B44538004: client=localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 postfix/cleanup[4844]: A45B44538004: message-id=<31.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: A45B44538004: from=<>, size=5392, nrcpt=1 (queue active)
    Jun 21 04:03:41 node1 postfix/smtpd[1771]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 amavis[4041]: (04041-06) FWD via SMTP: <> -> <trk@ccmb.res.in>,BODY=7BIT 250 2.0.0 Ok, id=04041-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A45B44538004
    Jun 21 04:03:41 node1 amavis[4041]: (04041-06) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <trk@ccmb.res.in>, Message-ID: <31.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>, mail_id: 4Pz26N4gmcSG, Hits: -2.9, size: 4767, queued_as: A45B44538004, 299 ms
    Jun 21 04:03:41 node1 postfix/smtp[4845]: 5F96A4538002: to=<trk@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.31, delays=0.01/0/0/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04041-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A45B44538004)
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: 5F96A4538002: removed
    Jun 21 04:03:41 node1 postfix/smtpd[29526]: connect from localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 postfix/smtpd[29526]: AC1F34538002: client=localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 postfix/cleanup[5750]: AC1F34538002: message-id=<41.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: AC1F34538002: from=<>, size=5394, nrcpt=1 (queue active)
    Jun 21 04:03:41 node1 postfix/smtpd[29526]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 amavis[3455]: (03455-12) FWD via SMTP: <> -> <trk@ccmb.res.in>,BODY=7BIT 250 2.0.0 Ok, id=03455-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AC1F34538002
    Jun 21 04:03:41 node1 amavis[3455]: (03455-12) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <trk@ccmb.res.in>, Message-ID: <41.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>, mail_id: WH0thzW-gaNm, Hits: -2.9, size: 4769, queued_as: AC1F34538002, 287 ms
    Jun 21 04:03:41 node1 postfix/smtp[5699]: 67AA74538003: to=<trk@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, delays=0.01/0/0/0.29, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=03455-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AC1F34538002)
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: 67AA74538003: removed
    Jun 21 04:03:41 node1 postfix/smtpd[21350]: BA15E4538003: client=localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 postfix/cleanup[4844]: BA15E4538003: message-id=<01.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>
    Jun 21 04:03:41 node1 postfix/smtpd[21350]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: BA15E4538003: from=<>, size=5400, nrcpt=1 (queue active)
    Jun 21 04:03:41 node1 amavis[3310]: (03310-15) FWD via SMTP: <> -> <trk@ccmb.res.in>,BODY=7BIT 250 2.0.0 Ok, id=03310-15, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BA15E4538003
    Jun 21 04:03:41 node1 postfix/lmtp[5260]: A45B44538004: to=<trk@ccmb.res.in>, relay=webmail.ccmb.res.in[192.168.1.4]:7025, delay=0.1, delays=0.02/0/0/0.08, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Jun 21 04:03:41 node1 postfix/qmgr[25984]: A45B44538004: removed
    Jun 21 04:03:41 node1 amavis[3310]: (03310-15) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <trk@ccmb.res.in>, Message-ID: <01.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>, mail_id: l1AZB1ZYav6I, Hits: -2.9, size: 4775, queued_as: BA15E4538003, 397 ms
    Jun 21 04:03:41 node1 postfix/smtp[5739]: 5A4442DA033B: to=<trk@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.41, delays=0.01/0/0/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=03310-15, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BA15E4538003)

    Thanks

  2. #2 (Join Date: May 2014, Location: Madrid, Posts: 202)

    Hi padma,
    First of all, my advice is: update! The latest version of Zimbra Collaboration Suite 7 is 7.2.7, but 8.0.7 is highly recommended - Open Source Edition Downloads: Enterprise Messaging and Collaboration Software by Zimbra

    After that, please follow these steps; they protect the server and allow relaying only from your local networks - Zimbra: Seguridad (I Parte) » Blog de Jorge de la Cruz

    Following these steps, everything will work fine.

    Kind regards

  3. #3 (Join Date: Jun 2014, Posts: 5)

    Dear jorgedelacruz.es,

    Thanks a lot. The solution you provided has worked very well. We will immediately upgrade as per your advice.

    Kind Regards

  4. #4 (Join Date: May 2014, Location: Madrid, Posts: 202)

    Hi padma,
    Good news! You can also vote for the solution if you find it helpful.

    Tell us in the future if you find problems with the upgrade.

    Kind regards. See you soon.

  5. #5 (Join Date: Jun 2014, Posts: 5)

    Dear jorgedelacruz.es,

    The passwords of the email accounts of the same affected users are being changed again and they are unable to log in. We use external LDAP authentication. Please provide any help you can.

    Jun 25 04:03:06 node1 amavis[29669]: (29669-07) FWD via SMTP: <> -> <mohan@ccmb.res.in>,BODY=7BIT 250 2.0.0 Ok, id=29669-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E08E04538004
    Jun 25 04:03:06 node1 amavis[29669]: (29669-07) FWD via SMTP: <> -> <chmohanrao@gmail.com>,BODY=7BIT 250 2.0.0 Ok, id=29669-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E271A4538005
    Jun 25 04:03:06 node1 amavis[29669]: (29669-07) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <mohan@ccmb.res.in>,<chmohanrao@gmail.com>, Message-ID: <80.E1.10987.C9DF9A35@MAIL.CCMB.RES.IN>, mail_id: 2ofcz1hQOSYD, Hits: -2.899, size: 5568, queued_as: E08E04538004/E271A4538005, 7529 ms
    Jun 25 04:03:06 node1 postfix/smtp[30393]: 611A74538002: to=<mohan@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.5, delays=0.01/0/0/7.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=29669-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E08E04538004)
    Jun 25 04:03:06 node1 postfix/smtp[30393]: 611A74538002: to=<chmohanrao@gmail.com>, orig_to=<mohan@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.5, delays=0.01/0/0/7.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=29669-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E08E04538004)
    Jun 25 04:03:06 node1 postfix/lmtp[29039]: E08E04538004: to=<mohan@ccmb.res.in>, relay=webmail.ccmb.res.in[192.168.1.4]:7025, delay=0.07, delays=0/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Jun 25 04:03:06 node1 postfix/smtp[322]: E271A4538005: to=<chmohanrao@gmail.com>, relay=192.168.1.3[192.168.1.3]:2525, delay=0.06, delays=0/0/0/0.05, dsn=2.0.0, status=sent (250 OK 11/E1-10987-4ADF9A35)
    Jun 25 04:03:07 node1 amavis[28983]: (28983-13) FWD via SMTP: <> -> <mohan@ccmb.res.in>,BODY=7BIT 250 2.0.0 Ok, id=28983-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BE5F64538002
    Jun 25 04:03:07 node1 amavis[28983]: (28983-13) FWD via SMTP: <> -> <chmohanrao@gmail.com>,BODY=7BIT 250 2.0.0 Ok, id=28983-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C0C2E4538004
    Jun 25 04:03:07 node1 amavis[28983]: (28983-13) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <mohan@ccmb.res.in>,<chmohanrao@gmail.com>, Message-ID: <01.E1.10987.0ADF9A35@MAIL.CCMB.RES.IN>, mail_id: qEqU1Fym+58l, Hits: -2.899, size: 5464, queued_as: BE5F64538002/C0C2E4538004, 5587 ms
    Jun 25 04:03:07 node1 postfix/smtp[366]: 30D454538003: to=<mohan@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.6, delays=0.01/0/0.01/5.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=28983-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BE5F64538002)
    Jun 25 04:03:07 node1 postfix/smtp[366]: 30D454538003: to=<chmohanrao@gmail.com>, orig_to=<mohan@ccmb.res.in>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.6, delays=0.01/0/0.01/5.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=28983-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BE5F64538002)
    Jun 25 04:03:07 node1 postfix/lmtp[29039]: BE5F64538002: to=<mohan@ccmb.res.in>, relay=webmail.ccmb.res.in[192.168.1.4]:7025, delay=0.06, delays=0.01/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Jun 25 04:03:08 node1 postfix/smtp[322]: C0C2E4538004: to=<chmohanrao@gmail.com>, relay=192.168.1.3[192.168.1.3]:2525, delay=0.92, delays=0/0/0/0.91, dsn=2.0.0, status=sent (250 OK 31/E1-10987-5ADF9A

    Regards,

    padma

  6. #6 (Join Date: Jun 2014, Posts: 5)

    Hi

    The previous post was the log from zimbra.log and the one I pasted below is the mail.log for the user mohan.

    2014-06-25 00:00:44,899 INFO [btpool0-625://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:05:44,916 INFO [btpool0-637://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:07:09,945 INFO [LmtpServer-404] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44351, Message-ID=<FE839A9AD17A4B24AE704F52332AD4B9@icicibankltd.com>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 00:10:44,976 INFO [btpool0-625://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:15:45,004 INFO [btpool0-633://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:20:41,579 INFO [MailboxPurge] [name=jagamohan@ccmb.res.in;mid=1701;] purge - Purging messages.
    2014-06-25 00:20:45,021 INFO [btpool0-633://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:25:45,081 INFO [btpool0-625://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:30:45,103 INFO [btpool0-625://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:35:45,118 INFO [btpool0-632://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:40:45,180 INFO [btpool0-632://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:45:45,197 INFO [btpool0-632://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:46:01,462 INFO [LmtpServer-430] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44352, Message-ID=<14035129025f44ae9f10e5f11213e9406b3c4a5808_@gmail.com>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 00:46:02,787 INFO [LmtpServer-430] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44353, Message-ID=<14035127915f44ae9f10e5f11213e9406b3c4a5808_@gmail.com>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 00:50:45,228 INFO [btpool0-625://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:50:45,496 INFO [LmtpServer-430] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44354, Message-ID=<84391324-220146224192455906@mail.elsevier-alerts.com>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 00:55:45,289 INFO [btpool0-633://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 00:55:56,875 INFO [LmtpServer-435] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44355, Message-ID=<300666192-22014622419306343@mail.cell-press.com>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 01:00:45,307 INFO [btpool0-632://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 01:01:13,318 INFO [LmtpServer-438] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44356, Message-ID=<3E06F7F08FD141119ED9529EDD642DA4@icicibankltd.com>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 01:01:35,185 INFO [LmtpServer-438] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44357, Message-ID=<8b5d9a1151dfded6db4dce46001942a0@asbmb.org>, parentId=-1, folderId=2, folderName=Inbox.
    2014-06-25 01:05:45,322 INFO [btpool0-633://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 01:10:45,382 INFO [btpool0-637://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
    2014-06-25 01:15:45,400 INFO [btpool0-633://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua= ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap

    Please help to resolve this issue.

    thanks
    padma
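    The mailbox log above (Zimbra's mailbox.log, which the post calls mail.log) records, for every SOAP call, the account name, the client IP and the user agent, and for LMTP deliveries only the delivering MTA's address. A defender working a case like this one wants those fields tabulated per account so that a person reading mail from the office and a script changing the signature and password from elsewhere stand apart. The Python below is an added example, not code from this thread or from Zimbra. The first four sample lines are rejoined copies of entries posted above with the Message-ID replaced by a placeholder; the last two are constructed to show what a signature and password change from an outside address would look like (203.0.113.77 is a documentation address, ExampleClient/1.0 an invented user agent). The expected network 192.168.0.0/16 is an assumption; the request names in SENSITIVE_REQUESTS are operations from the Zimbra SOAP API, and which ones to treat as sensitive is my choice.

```python
"""Added example (not from this thread or from Zimbra): summarise which
addresses and clients are using each account according to mailbox.log, and
flag account-changing SOAP calls that arrive from outside the expected
networks."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample. Lines 1-4 are rejoined copies of entries posted in this
# thread (Message-ID replaced by a placeholder); lines 5-6 are invented to show
# a signature and password change from an outside address. 203.0.113.77 is a
# documentation address and ExampleClient/1.0 an invented user agent.
SAMPLE_MAILBOX_LOG = """\
2014-06-25 00:00:44,899 INFO [btpool0-625://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua=ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
2014-06-25 00:05:44,916 INFO [btpool0-637://webmail.ccmb.res.in/service/soap/NoOpRequest] [name=mohan@ccmb.res.in;mid=556;ip=192.168.11.5;ua=ZimbraWebClient - FF3.0 (Win)/7.0.1_GA_3105;] soap - NoOpRequest
2014-06-25 00:07:09,945 INFO [LmtpServer-404] [name=mohan@ccmb.res.in;mid=556;ip=192.168.1.4;] mailop - Adding Message: id=44351, Message-ID=<placeholder-1@example.invalid>, parentId=-1, folderId=2, folderName=Inbox.
2014-06-25 00:20:41,579 INFO [MailboxPurge] [name=jagamohan@ccmb.res.in;mid=1701;] purge - Purging messages.
2014-06-25 03:58:12,004 INFO [btpool0-641://webmail.ccmb.res.in/service/soap/ModifySignatureRequest] [name=mohan@ccmb.res.in;mid=556;ip=203.0.113.77;ua=ExampleClient/1.0;] soap - ModifySignatureRequest
2014-06-25 03:58:13,220 INFO [btpool0-641://webmail.ccmb.res.in/service/soap/ChangePasswordRequest] [name=mohan@ccmb.res.in;mid=556;ip=203.0.113.77;ua=ExampleClient/1.0;] soap - ChangePasswordRequest
"""

# Assumed ranges that webmail users normally connect from; adjust per site.
EXPECTED_NETS = [ip_network("192.168.0.0/16")]
# Zimbra SOAP operations (urn:zimbraAccount) that change how an account behaves.
SENSITIVE_REQUESTS = {"ChangePasswordRequest", "ModifySignatureRequest", "CreateSignatureRequest",
                      "ModifyPrefsRequest", "ModifyIdentityRequest"}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d),\d+\s+(?P<level>\w+)\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+(?P<category>\w+) - (?P<message>.*)$"
)


def parse_mailbox_line(line):
    """One mailbox.log line to a dict, or None if it is not in the standard shape."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    ctx = {}
    for item in rec.pop("ctx").split(";"):  # "name=...;mid=...;ip=...;ua=...;"
        if "=" in item:
            key, value = item.split("=", 1)
            ctx[key.strip()] = value.strip()
    rec["account"] = ctx.get("name")
    rec["ip"] = ctx.get("ip")  # absent for purge/maintenance threads
    rec["ua"] = ctx.get("ua", "")
    # for SOAP rows the request name is the last path element of the thread label
    rec["request"] = rec["thread"].rsplit("/", 1)[-1] if rec["category"] == "soap" else None
    return rec


def parse_mailbox_log(text):
    return [r for r in map(parse_mailbox_line, text.splitlines()) if r]


def soap_activity(records):
    """account -> Counter of (ip, user agent) over interactive SOAP rows only.
    LMTP rows carry the MTA's address and purge rows none, so they are skipped."""
    summary = defaultdict(Counter)
    for r in records:
        if r["category"] == "soap" and r["ip"]:
            summary[r["account"]][(r["ip"], r["ua"])] += 1
    return summary


def accounts_with_many_sources(activity, min_sources=2):
    """Accounts seen from at least min_sources distinct addresses."""
    out = {}
    for account, counter in activity.items():
        ips = sorted({ip for ip, _ in counter})
        if len(ips) >= min_sources:
            out[account] = ips
    return out


def flag_unexpected_access(records, expected_nets=EXPECTED_NETS, sensitive=SENSITIVE_REQUESTS):
    """(account, ip, request, time) for SOAP calls from outside expected_nets,
    account-changing requests first, then in time order."""
    hits = []
    for r in records:
        if r["category"] != "soap" or not r["ip"]:
            continue
        if any(ip_address(r["ip"]) in net for net in expected_nets):
            continue
        hits.append((r["request"] in sensitive, r["account"], r["ip"], r["request"], r["time"]))
    hits.sort(key=lambda h: (not h[0], h[4]))
    return [h[1:] for h in hits]


if __name__ == "__main__":
    recs = parse_mailbox_log(SAMPLE_MAILBOX_LOG)
    for account, ips in accounts_with_many_sources(soap_activity(recs)).items():
        print(f"{account}: seen from {', '.join(ips)}")
    for account, ip, request, when in flag_unexpected_access(recs):
        print(f"{when} {account} {request} from {ip}")
```

    Run against a real mailbox.log the same functions give a per-account list of addresses and user agents, which is what is needed to decide which accounts to lock and which password changes to reverse; the LMTP and purge rows are excluded on purpose because their IP field does not describe a user.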

  7. #7 (Join Date: Jun 2014, Posts: 5)

    Spam attack! Need help

    Dear Gurus,

    There is a continuous spam attack which changes signatures and passwords, sets the reply-to address and starts delivering thousands of junk mails outside our network. The log has been pasted below. Any solution to this would be highly appreciated...

    [root@node1 log]# cat zimbra.log | grep johnson | more
    Jul 2 04:21:38 node1 amavis[11900]: (11900-03) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140702T041556-11900: <> -> SIZE=6643 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 2 Jul 2014 04:21:38 +0530 (IST)
    Jul 2 04:21:38 node1 amavis[11900]: (11900-03) Checking: z+bla+O4jxO0 MYNETS [192.168.1.3] <> ->
    Jul 2 04:21:58 node1 amavis[11900]: (11900-03) FWD via SMTP: <> -> ,BODY=7BIT 250 2.0.0 Ok, id=11900-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BF6784538003
    Jul 2 04:21:58 node1 amavis[11900]: (11900-03) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [202.97.0.13] <> -> , Message-ID: <201407012258.AUH67242@ns.chinanet.cn.net>, mail_id: z+bla+O4jxO0, Hits: -1.087, size: 6643, queued_as: BF6784538003, 20516 ms
    Jul 2 04:21:58 node1 postfix/smtp[11881]: 415F14538002: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=0.02/0/0/21, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11900-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BF6784538003)
    Jul 2 04:21:58 node1 postfix/lmtp[14360]: BF6784538003: to=, relay=webmail.ccmb.res.in[192.168.1.4]:7025, delay=0.09, delays=0.02/0/0/0.07, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Jul 2 05:26:03 node1 amavis[31955]: (31955-17) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140702T034507-31955: <> -> SIZE=5519 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 2 Jul 2014 05:26:03 +0530 (IST)
    Jul 2 05:26:03 node1 amavis[31955]: (31955-17) Checking: LY4QNAv5XSbH MYNETS [192.168.1.3] <> ->
    Jul 2 05:26:03 node1 amavis[31955]: (31955-17) FWD via SMTP: <> -> ,BODY=7BIT 250 2.0.0 Ok, id=31955-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B702F4538003
    Jul 2 05:26:03 node1 amavis[31955]: (31955-17) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> , Message-ID: <20140701235603.70B004538002@webmail.ccmb.res.in>, mail_id: LY4QNAv5XSbH, Hits: -2.899, size: 5518, queued_as: B702F4538003, 286 ms
    Jul 2 05:26:03 node1 postfix/smtp[636]: 70B004538002: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.33, delays=0.03/0.01/0/0.29, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=31955-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B702F4538003)
    Jul 2 05:26:03 node1 postfix/lmtp[681]: B702F4538003: to=, relay=webmail.ccmb.res.in[192.168.1.4]:7025, delay=0.08, delays=0.01/0.01/0/0.07, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Jul 2 05:26:34 node1 amavis[1899]: (01899-10) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140702T035628-01899: <> -> SIZE=5539 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 2 Jul 2014 05:26:34 +0530 (IST)
    Jul 2 05:26:34 node1 amavis[1899]: (01899-10) Checking: F5LWu7dFkMKL MYNETS [192.168.1.3] <> ->
    Jul 2 05:26:34 node1 amavis[31955]: (31955-18) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140702T034507-31955: <> -> SIZE=5531 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 2 Jul 2014 05:26:34 +0530 (IST)
    Jul 2 05:26:34 node1 amavis[31955]: (31955-18) Checking: c85KwqQDIqIJ MYNETS [192.168.1.3] <> ->
    Jul 2 05:26:34 node1 amavis[31955]: (31955-18) FWD via SMTP: <> -> ,BODY=7BIT 250 2.0.0 Ok, id=31955-18, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A61A34538005
    Jul 2 05:26:34 node1 amavis[14362]: (14362-09) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140702T042120-14362: <> -> SIZE=5527 Received: from webmail.ccmb.res.in ([127.0.0.1]) by localhost (webmail.ccmb.res.in [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 2 Jul 2014 05:26:34 +0530 (IST)
    Jul 2 05:26:34 node1 amavis[31955]: (31955-18) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> , Message-ID: <20140701235634.613F44538003@webmail.ccmb.res.in>, mail_id: c85KwqQDIqIJ, Hits: -2.899, size: 5530, queued_as: A61A34538005, 282 ms
    Jul 2 05:26:34 node1 postfix/smtp[966]: 613F44538003: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, delays=0.01/0.01/0/0.28, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=31955-18, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A61A34538005)
    Jul 2 05:26:34 node1 amavis[14362]: (14362-09) Checking: QbZ0VKDu6ZJ6 MYNETS [192.168.1.3] <> ->
    Jul 2 05:26:34 node1 amavis[1899]: (01899-10) FWD via SMTP: <> -> ,BODY=7BIT 250 2.0.0 Ok, id=01899-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B30954538003
    Jul 2 05:26:34 node1 amavis[1899]: (01899-10) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> , Message-ID: <20140701235634.218AC4538002@webmail.ccmb.res.in>, mail_id: F5LWu7dFkMKL, Hits: -2.899, size: 5538, queued_as: B30954538003, 564 ms
    Jul 2 05:26:34 node1 postfix/smtp[636]: 218AC4538002: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.61, delays=0.05/0/0/0.56, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01899-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B30954538003)
    Jul 2 05:26:34 node1 postfix/lmtp[681]: A61A34538005: to=, relay=webmail.ccmb.res.in[192.168.1.4]:7025, delay=0.08, delays=0/0/0/0.07, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)

    Regards,
    padma
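    The zimbra.log excerpts in posts #1, #5 and #7 share two features a defender can alert on without reading every line by hand: amavis accepts the mail under the MYNETS policy because it was submitted from the internal host 192.168.1.3, yet several null-sender (<>) messages to one mailbox arrive within the same second, and in the Jul 2 excerpt the second bracketed address, which amavis fills with the originating client it derived from the message, is an outside address even though the submitting host is internal. The Python below is an added example, not code from this thread or from Zimbra, that parses the "Passed CLEAN" summary lines and reports both patterns. The first three sample lines are the Jun 21 entries from post #1 rejoined; the last two are constructed on the model of the Jun 25 and Jul 2 entries, with the recipients (which the forum stripped from post #7) replaced by placeholder addresses. The local networks 192.168.0.0/16 and 127.0.0.0/8 and the burst threshold of 3 are assumptions.

```python
"""Added example (not from this thread or from Zimbra): parse the amavis
"Passed CLEAN" summary lines that appear in zimbra.log and flag two things
visible in the logs posted in this thread: bursts of null-sender messages
from one submitting host to one mailbox within a single second, and messages
whose originating address lies outside the local networks."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample. Lines 1-3 are the Jun 21 "Passed CLEAN" entries from this
# thread, rejoined; lines 4-5 are modelled on the Jun 25 and Jul 2 entries with
# the recipients replaced by placeholder addresses.
SAMPLE_LOG = """\
Jun 21 04:03:41 node1 amavis[4041]: (04041-06) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <trk@ccmb.res.in>, Message-ID: <31.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>, mail_id: 4Pz26N4gmcSG, Hits: -2.9, size: 4767, queued_as: A45B44538004, 299 ms
Jun 21 04:03:41 node1 amavis[3455]: (03455-12) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <trk@ccmb.res.in>, Message-ID: <41.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>, mail_id: WH0thzW-gaNm, Hits: -2.9, size: 4769, queued_as: AC1F34538002, 287 ms
Jun 21 04:03:41 node1 amavis[3310]: (03310-15) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <trk@ccmb.res.in>, Message-ID: <01.62.30058.AC7B4A35@MAIL.CCMB.RES.IN>, mail_id: l1AZB1ZYav6I, Hits: -2.9, size: 4775, queued_as: BA15E4538003, 397 ms
Jun 25 04:03:06 node1 amavis[29669]: (29669-07) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [192.168.1.3] <> -> <user-b@ccmb.res.in>,<user-b@example.invalid>, Message-ID: <80.E1.10987.C9DF9A35@MAIL.CCMB.RES.IN>, mail_id: 2ofcz1hQOSYD, Hits: -2.899, size: 5568, queued_as: E08E04538004/E271A4538005, 7529 ms
Jul  2 04:21:58 node1 amavis[11900]: (11900-03) Passed CLEAN, MYNETS LOCAL [192.168.1.3] [202.97.0.13] <> -> <user-c@ccmb.res.in>, Message-ID: <201407012258.AUH67242@ns.chinanet.cn.net>, mail_id: z+bla+O4jxO0, Hits: -1.087, size: 6643, queued_as: BF6784538003, 20516 ms
"""

# Assumed local networks (the site's amavis/Postfix "MYNETS"); adjust per site.
LOCAL_NETS = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# amavis logs the SMTP client that handed it the message in the first bracket and
# the originating address it derived (XFORWARD / Received headers) in the second.
PASSED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) Passed (?P<verdict>[\w-]+), (?P<policy>[A-Z ]+?) "
    r"\[(?P<client>[\d.]+)\] \[(?P<origin>[\d.]+)\] <(?P<sender>[^>]*)> -> (?P<rcpts>.*?), "
    r"Message-ID: <(?P<msgid>[^>]*)>, mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-?[\d.]+), "
    r"size: (?P<size>\d+), queued_as: (?P<queued>\S+), (?P<ms>\d+) ms$"
)


def parse_passed_line(line):
    """Return a dict for one 'Passed ...' line, or None for any other line."""
    m = PASSED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["stamp"] = f"{rec['mon']} {int(rec['day']):02d} {rec['time']}"  # second-resolution key
    rec["recipients"] = re.findall(r"<([^>]*)>", rec.pop("rcpts"))
    rec["hits"], rec["size"], rec["ms"] = float(rec["hits"]), int(rec["size"]), int(rec["ms"])
    return rec


def parse_log(text):
    return [r for r in map(parse_passed_line, text.splitlines()) if r]


def find_external_origins(records, local_nets=LOCAL_NETS):
    """Messages accepted under the MYNETS policy whose originating address is
    not local: the submitting host is trusted, but the mail came from elsewhere."""
    return [r for r in records
            if not any(ip_address(r["origin"]) in net for net in local_nets)]


def find_bursts(records, threshold=3):
    """Count (second, client, sender, recipient) and return the tuples at or above
    the threshold. Several near-identical messages to one mailbox in the same
    second from one internal host look like a script, not a person."""
    counts = Counter()
    for r in records:
        for rcpt in r["recipients"]:
            counts[(r["stamp"], r["client"], r["sender"], rcpt)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_external_origins(recs):
        print(f"external origin {r['origin']} via {r['client']}: {r['msgid']} (queued {r['queued']})")
    for (stamp, client, sender, rcpt), n in find_bursts(recs).items():
        print(f"burst: {n} messages at {stamp} from {client} sender <{sender}> to {rcpt}")
```

    Piping the real zimbra.log through parse_log gives the same two lists for the whole day; the queue ids in the output are the ones to look up in the Postfix lines to see where each message was relayed, and the client address tells you which internal host's submissions to rate-limit or require authentication for, which is the restriction post #2 recommends.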
