Trying to track down spammer using my Zimbra server

omegainstitute
Advanced member
Posts: 68
Joined: Fri Sep 12, 2014 10:33 pm

Postby omegainstitute » Thu Jul 18, 2013 12:06 pm

Hello everyone,
I'm trying to track down how emails are being sent from my server when the following is set up
(Version = Release 7.1.4_GA_2555.RHEL5_64_20120105094627 RHEL5_64 FOSS edition).
For Global Settings->MTA I have:

  • (Authentication) Enable Authentication: TRUE
  • (Protocol Checks) Sender Address must be fully qualified: TRUE
  • (DNS Checks) Client's IP Address (reject_invalid_hostname): TRUE
  • (DNS Checks) Hostname in greeting (reject_unknown_hostname): TRUE
  • (DNS Checks) Sender's Domain (reject_unknown_sender_domain): TRUE
I am seeing the following in my daily reports:

Host/Domain Summary: Messages Received (top 50)

msg cnt     bytes  host/domain
-------  --------  -----------
   4536      902m  mydomain.org
   1352    29082k  localhost.localdomain
    396    27273k  gmail.com
    166     3560k  bounce.mkt1808.com
    160      888k  discoveralltech.info
    143     5057k  in.constantcontact.com
    136    66435k  whalebacksystems.net
    116      670k  skyisthelimitnow.com
     98     2834k  bounce.linkedin.com
     96      534k  deathmon-days.biz
     94      519k  marchmon-days.biz
     93    520101  ordermon-days.biz
     92    515172  electmon-days.biz
     91    507529  oasismon-days.biz
     88    501119  rumormon-days.biz
     88    500550  painsmon-days.biz
     88    500008  shapemon-days.biz
     87    492443  scopemon-days.biz
     86     2263k  yahoo.com
     84    486637  mommymon-days.biz
     80    450814  lobbymon-days.biz
     80    276130  newandgentlyloved.com
     77    433870  geniemon-days.biz
     74    423276  aislemon-days.biz
     69    384931  linenmon-days.biz
     68    397523  milanmon-days.biz
     67      604k  barbayer.com
     66    376441  checkmon-days.biz
     64    370025  rivalmon-days.biz
     63      892k  hotmail.com
     60    343059  widthmon-days.biz
     57    339448  tokenmon-days.biz
     56    351030  larchmon-days.biz
     55    318755  spainmon-days.biz
     55    308054  swissmon-days.biz
     54      525k  alerts.bounces.google.com
     51    199152  ragdebreem.com
     46      872k  aol.com
     44    287495  grindmon-days.biz
     44    255922  hatchmon-days.biz
     44    254535  bravamon-days.biz
     44    250260  juicemon-days.biz
     44    249802  dandymon-days.biz
     44    249429  faithmon-days.biz
     44    249307  benchmon-days.biz
     44    249254  spermmon-days.biz
     44    249096  deucemon-days.biz
     44    248869  capermon-days.biz
     44    248610  flamemon-days.biz
     43    250699  shademon-days.biz

Now, some of these senders are legit, but all those mon-days.biz ones are not. I'm trying to figure out HOW they are sending their emails through my server. I've gone through the following logs:

mailbox.log (grepping on LmtpServer-15915)

2013-07-15 06:42:05,912 INFO  [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6100 bytes, nrcpts=1, sender=Info@deathmon-days.biz, msgid=

2013-07-15 06:42:05,913 INFO [LmtpServer-15915] [name=ramdasslibrary@mydomain.com;mid=400;ip=192.168.1.54;] mailop - Adding Message: id=38122, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:42:05,936 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:09,730 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6018 bytes, nrcpts=1, sender=Info@deathmon-days.biz, msgid=

2013-07-15 06:42:09,732 INFO [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailop - Adding Message: id=195326, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:42:09,773 INFO [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=195326 rcpt='jeanl@mydomain.com'

2013-07-15 06:42:09,774 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:09,820 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6069 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=

2013-07-15 06:42:09,821 INFO [LmtpServer-15915] [name=roseh@mydomain.com;mid=417;ip=192.168.1.54;] mailop - Adding Message: id=120948, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:42:09,844 INFO [LmtpServer-15915] [name=roseh@mydomain.com;mid=417;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=120948 rcpt='roseh@mydomain.com'

2013-07-15 06:42:11,900 INFO [LmtpServer-15915] [name=roseh@mydomain.com;mid=417;ip=192.168.1.54;] lmtp - disconnected without quit

2013-07-15 06:42:11,900 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:13,696 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6043 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=

2013-07-15 06:42:13,698 INFO [LmtpServer-15915] [name=adams@mydomain.com;mid=408;ip=192.168.1.54;] mailop - Adding Message: id=246345, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:42:13,706 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:13,750 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=9396 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=

2013-07-15 06:42:13,752 INFO [LmtpServer-15915] [name=brettb@mydomain.com;mid=419;ip=192.168.1.54;] mailop - Adding Message: id=152187, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:42:13,757 INFO [LmtpServer-15915] [name=brettb@mydomain.com;mid=419;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=152187 rcpt='brettb@mydomain.com'

2013-07-15 06:42:15,791 INFO [LmtpServer-15915] [name=brettb@mydomain.com;mid=419;ip=192.168.1.54;] lmtp - disconnected without quit

2013-07-15 06:42:15,791 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:26,202 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6018 bytes, nrcpts=1, sender=bounce-40795-16093795799-michaelc=mydomain.com@fambas.com, msgid=

2013-07-15 06:42:26,204 INFO [LmtpServer-15915] [name=michaelc@mydomain.com;mid=364;ip=192.168.1.54;] mailop - Adding Message: id=927129, Message-ID=, parentId=-1, folderId=2, folderName=Inbox.

2013-07-15 06:42:26,218 INFO [LmtpServer-15915] [name=michaelc@mydomain.com;mid=364;ip=192.168.1.54;] mailbox - outofoffice not sent (until date reached) mid=927129 rcpt='michaelc@mydomain.com'

2013-07-15 06:42:26,218 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:28,808 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6133 bytes, nrcpts=1, sender=Info@hatchmon-days.biz, msgid=

2013-07-15 06:42:28,809 INFO [LmtpServer-15915] [name=rcbackus@mydomain.com;mid=361;ip=192.168.1.54;] mailop - Adding Message: id=635124, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:42:28,825 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:42:59,365 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=7279 bytes, nrcpts=1, sender=vremechkoforfistface@mail.ru, msgid=

2013-07-15 06:42:59,388 INFO [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] index - IndexDeferredItems(null, 302281): Deferred count out of sync - found=18 in progress=0 (deferred count=20)

2013-07-15 06:42:59,738 INFO [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] index - Deferred Indexing: submitted 18 items in 372ms (48.39/sec). (0 items failed to index). IndexDeferredCount now at 18 NumNotSubmitted= 0

2013-07-15 06:42:59,742 INFO [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] mailop - Adding Message: id=166581, Message-ID=, parentId=-1, folderId=2, folderName=Inbox.

2013-07-15 06:42:59,750 INFO [LmtpServer-15915] [name=pac@mydomain.com;mid=365;ip=192.168.1.54;] mailbox - outofoffice not sent (until date reached) mid=166581 rcpt='pac@mydomain.com'

2013-07-15 06:42:59,750 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:43:22,130 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6004 bytes, nrcpts=1, sender=Info@shapemon-days.biz, msgid=

2013-07-15 06:43:22,131 INFO [LmtpServer-15915] [name=georgek@mydomain.com;mid=450;ip=192.168.1.54;] mailop - Adding Message: id=253856, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:43:22,155 INFO [LmtpServer-15915] [name=georgek@mydomain.com;mid=450;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=253856 rcpt='georgek@mydomain.com'

2013-07-15 06:43:22,156 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:43:26,088 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6037 bytes, nrcpts=1, sender=Info@shapemon-days.biz, msgid=

2013-07-15 06:43:26,088 INFO [LmtpServer-15915] [name=randim@mydomain.com;mid=462;ip=192.168.1.54;] mailop - Adding Message: id=895525, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:43:26,097 INFO [LmtpServer-15915] [name=randim@mydomain.com;mid=462;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=895525 rcpt='randim@mydomain.com'

2013-07-15 06:43:26,097 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:43:41,330 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=5957 bytes, nrcpts=1, sender=Info@marchmon-days.biz, msgid=

2013-07-15 06:43:41,331 INFO [LmtpServer-15915] [name=jr@mydomain.com;mid=355;ip=192.168.1.54;] mailop - Adding Message: id=77655, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:43:41,341 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally

2013-07-15 06:43:45,260 INFO [LmtpServer-15915] [ip=192.168.1.54;] lmtp - Delivering message: size=6041 bytes, nrcpts=1, sender=Info@marchmon-days.biz, msgid=

2013-07-15 06:43:45,261 INFO [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailop - Adding Message: id=195329, Message-ID=, parentId=-1, folderId=4, folderName=Junk.

2013-07-15 06:43:45,285 INFO [LmtpServer-15915] [name=jeanl@mydomain.com;mid=404;ip=192.168.1.54;] mailbox - outofoffice not sent (in spam) mid=195329 rcpt='jeanl@mydomain.com'

2013-07-15 06:43:45,285 INFO [LmtpServer-15915] [] ProtocolHandler - Handler exiting normally


(* Continuation in next message due to size limits *)


omegainstitute
Advanced member
Posts: 68
Joined: Fri Sep 12, 2014 10:33 pm

Postby omegainstitute » Thu Jul 18, 2013 12:07 pm

Taking one of the message IDs (B897C2690016) and grepping the logs for it, I came up with:



maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/cleanup[16154]: B897C2690016: message-id=

maillog:Jul 15 06:42:04 zimbra postfix/qmgr[30659]: B897C2690016: from=, size=5273, nrcpt=1 (queue active)

maillog:Jul 15 06:42:13 zimbra postfix/smtp[16548]: B897C2690016: to=, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=29, delays=20/4.8/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9BA9C22A000C)

maillog:Jul 15 06:42:13 zimbra postfix/qmgr[30659]: B897C2690016: removed

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/cleanup[16154]: B897C2690016: message-id=

zimbra.log:Jul 15 06:42:04 zimbra postfix/qmgr[30659]: B897C2690016: from=, size=5273, nrcpt=1 (queue active)

zimbra.log:Jul 15 06:42:13 zimbra postfix/smtp[16548]: B897C2690016: to=, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=29, delays=20/4.8/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9BA9C22A000C)

zimbra.log:Jul 15 06:42:13 zimbra postfix/qmgr[30659]: B897C2690016: removed



Notice the client=unknown[173.44.183.38]. If I have my MTA settings set to not allow unknown, why am I seeing this? Anyway, investigating what the IP has done, I came up with the following:



maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16114]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16116]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16115]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16117]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16118]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16119]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16120]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16121]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16122]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:41:44 zimbra postfix/smtpd[16123]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16117]: B892E2690015: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16123]: B89C62690017: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16121]: B8AC62690018: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16119]: B8C0F2690019: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16115]: B8CE0269001A: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16118]: B8D8B269001B: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16122]: B929A269001C: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16116]: B96A2269001D: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:04 zimbra postfix/smtpd[16120]: B9706269001E: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16114]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16117]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16119]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16120]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16118]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16123]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16116]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16121]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16122]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16115]: disconnect from unknown[173.44.183.38]

maillog:Jul 15 06:42:05 zimbra postfix/smtpd[16107]: connect from unknown[173.44.183.38]

maillog:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: AC75922A000A: client=unknown[173.44.183.38]

maillog:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16114]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16116]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16115]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16117]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16118]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16119]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16120]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16121]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16122]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:41:44 zimbra postfix/smtpd[16123]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16117]: B892E2690015: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16123]: B89C62690017: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16114]: B897C2690016: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16121]: B8AC62690018: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16119]: B8C0F2690019: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16115]: B8CE0269001A: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16118]: B8D8B269001B: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16122]: B929A269001C: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16116]: B96A2269001D: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:04 zimbra postfix/smtpd[16120]: B9706269001E: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16114]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16117]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16119]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16120]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16118]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16123]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16116]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16121]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16122]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16115]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra postfix/smtpd[16107]: connect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:05 zimbra amavis[963]: (00963-08) Checking: dyivrrJmFhhF [173.44.183.38] ->

zimbra.log:Jul 15 06:42:05 zimbra amavis[32753]: (32753-06) Checking: bgD1yGH1b3eU [173.44.183.38] ->

zimbra.log:Jul 15 06:42:05 zimbra amavis[24478]: (24478-17) Checking: hGNmuaLeCbiP [173.44.183.38] ->

zimbra.log:Jul 15 06:42:05 zimbra amavis[13155]: (13155-19) Checking: Tm4YCcQ37yQB [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[9704]: (09704-04-2) Checking: hmEyL0A+KXaa [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[1698]: (01698-03-2) Checking: O9BAxRnHx-kd [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[963]: (00963-08) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: dyivrrJmFhhF, Hits: 10.931, size: 5246, queued_as: B038922A000A, 3948 ms

zimbra.log:Jul 15 06:42:09 zimbra amavis[18186]: (18186-15-2) Checking: 3P9ZIyt5o+Jz [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[955]: (00955-05-2) Checking: sOunQMj3wYL3 [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[24478]: (24478-17) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: hGNmuaLeCbiP, Hits: 10.376, size: 5383, queued_as: B9E9122A000C, 3984 ms

zimbra.log:Jul 15 06:42:09 zimbra amavis[963]: (00963-08-2) Checking: AU6RH5pjmD58 [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[32463]: (32463-13-2) Checking: YRT9Br4rlBOS [173.44.183.38] ->

zimbra.log:Jul 15 06:42:09 zimbra amavis[32753]: (32753-06) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: bgD1yGH1b3eU, Hits: 10.366, size: 4830, queued_as: BBB3C22A000D, 4008 ms

zimbra.log:Jul 15 06:42:09 zimbra amavis[13155]: (13155-19) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: Tm4YCcQ37yQB, Hits: 10.931, size: 5184, queued_as: C961522A0002, 4025 ms

zimbra.log:Jul 15 06:42:13 zimbra amavis[9704]: (09704-04-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: hmEyL0A+KXaa, Hits: 10.376, size: 5473, queued_as: 936A622A0002, 3930 ms

zimbra.log:Jul 15 06:42:13 zimbra amavis[955]: (00955-05-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: sOunQMj3wYL3, Hits: 10.931, size: 5269, queued_as: 9BA9C22A000C, 3936 ms

zimbra.log:Jul 15 06:42:13 zimbra amavis[18186]: (18186-15-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: 3P9ZIyt5o+Jz, Hits: 10.931, size: 5220, queued_as: 9B29B22A000A, 3936 ms

zimbra.log:Jul 15 06:42:13 zimbra amavis[963]: (00963-08-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: AU6RH5pjmD58, Hits: 10.931, size: 5187, queued_as: A33F022A000D, 3927 ms

zimbra.log:Jul 15 06:42:13 zimbra amavis[1698]: (01698-03-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: O9BAxRnHx-kd, Hits: 11.918, size: 5231, queued_as: A3C7922A000E, 3997 ms

zimbra.log:Jul 15 06:42:13 zimbra amavis[32463]: (32463-13-2) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: YRT9Br4rlBOS, Hits: 10.802, size: 8585, queued_as: A90F722A000F, 3944 ms

zimbra.log:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: AC75922A000A: client=unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:24 zimbra amavis[32463]: (32463-14) Checking: sexcGzPRtiPX [173.44.183.38] ->

zimbra.log:Jul 15 06:42:24 zimbra postfix/smtpd[16107]: disconnect from unknown[173.44.183.38]

zimbra.log:Jul 15 06:42:28 zimbra amavis[32463]: (32463-14) Passed SPAMMY, [173.44.183.38] [173.44.183.38] -> , Message-ID: , mail_id: sexcGzPRtiPX, Hits: 10.931, size: 5304, queued_as: B974722A0002, 3917 ms



What am I missing in identifying HOW they are getting in and using my server?
Any help would be GREATLY appreciated... Thank you for taking the time to go over this thread.
- Rob
phoenix
Ambassador
Posts: 26625
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Thu Jul 18, 2013 12:38 pm

Is this a new problem or has it been happening for a while? What's in your Trusted Networks configuration? Have you made any recent configuration changes to your server and/or network? Are you behind a NAT router (I guess so from the log output)? Do you have any RBLs configured and if so, which ones? Have you checked to see if you're an open relay?
[EDIT] In addition, I've just checked your DNS records and they appear to have no A record. Is there another server (anti-spam?) in front of ZCS?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
omegainstitute
Advanced member
Posts: 68
Joined: Fri Sep 12, 2014 10:33 pm

Postby omegainstitute » Thu Jul 18, 2013 12:55 pm

phoenix wrote:
> Is this a new problem or has it been happening for a while?

This is a problem that has persisted for a couple of months now. I've been so busy I haven't had time to properly address it, but I also do not want to get our IP shut down, as emails going out are vital.

phoenix wrote:
> What's in your Trusted Networks configuration?

127.0.0.0/8
192.168.0.0/21
204.14.232.65/32
204.14.234.65/32
202.129.242.65/32
66.152.98.96/32

These entries are mostly to allow trusted emailing companies (SilverPop, etc.) to send on our behalf.

phoenix wrote:
> Have you made any recent configuration changes to your server and/or network?

No, we have not. We've been rather stable with our configuration at this moment.

phoenix wrote:
> Are you behind a NAT router (I guess so from the log output)?

Yes. We have a Sonicwall NSA2400 handling our firewall needs (NAT and filtering).

phoenix wrote:
> Do you have any RBLs configured and if so, which ones?

dnsbl.njabl.org
bl.spamcop.net
sbl.spamhaus.org
relays.mail-abuse.org
cbl.abuseat.org

phoenix wrote:
> Have you checked to see if you're an open relay?

According to the Open Relay Test, our mail server is NOT a relay.

phoenix wrote:
> In addition, I've just checked your DNS records and they appear to have no A record. Is there another server (anti-spam?) in front of ZCS?

Which DNS record did you check? PM me with the DNS name and I'll verify it for you.
Thank you so much for your help Phoenix!!!
- Rob
omegainstitute
Advanced member
Posts: 68
Joined: Fri Sep 12, 2014 10:33 pm

Postby omegainstitute » Fri Jul 19, 2013 3:17 pm

Nobody has any ideas?
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Postby quanah » Fri Jul 19, 2013 4:22 pm

By grepping, you are likely missing whatever account they are authenticating as. Zimbra does not run as an open relay, so (a) the person who is sending the mail is located in your network (not the case based on your mynetworks posting), (b) they are authenticating as one of your users over ports 587/465, or (c) they are sending email out through some other MTA, which is then delivering to your domain.
For (a), you would fix mynetworks.
For (b), you would identify the compromised account and shut it down by looking at who they are authenticating as.
For (c), you may wish to also enable cbpolicyd greylisting and DSPAM.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
omegainstitute
Advanced member
Posts: 68
Joined: Fri Sep 12, 2014 10:33 pm

Postby omegainstitute » Fri Jul 19, 2013 5:36 pm

Thank you Quanah,
I have made a modification to my Trusted Networks (paring down the local LAN to a specific subnet instead of a /21).
Any input on where I would start looking for option b? I've checked /opt/zimbra/logs for possible user credentials and IPs and haven't come up with a hit yet. I know they have compromised one of my accounts; I'm just looking to see which one.
I'll look into setting up cbpolicyd as well. I'll do some research to see how to set that up (I think I saw a wiki on it around here somewhere).
Again, thank you for the input. It's greatly appreciated.
- Rob
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Postby quanah » Fri Jul 19, 2013 5:51 pm

It would be in /var/log/zimbra.log on the MTA.
Find your connect ... line from the bad IP, like:

Jul 19 11:59:32 edge01-zcs postfix/smtps/smtpd[29706]: connect from some.host.com[XX.XXX.XX.XXX]

Then you should see a call to zmsoap to auth:

Jul 19 11:59:33 edge01-zcs saslauthd[3820]: zmauth: authenticating against elected url 'https://your.mailbox.com:7071/service/admin/soap/' ...

Then you should see a very long soap request, followed by:

Jul 19 11:59:33 edge01-zcs saslauthd[3820]: auth_zimbra: hacked_user@yourdomain.com auth OK


--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
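Quanah's procedure above, as an added example written for this thread (not the poster's, Quanah's or Zimbra's own code): a small correlator over zimbra.log lines that ties amavis SPAMMY verdicts to client IPs, pulls sasl_username from Postfix's client= line where a session authenticated, and attributes saslauthd "auth OK" lines to connections opened a few seconds earlier. The sample log, IPs, host names and account name are constructed placeholders, and the time-window link is a heuristic assumption since saslauthd lines carry no client IP.

```python
"""Correlate postfix/smtpd, saslauthd and amavis lines from a Zimbra
/var/log/zimbra.log: which client IPs push spam through the MTA, and did
any account authenticate from those connections (Quanah's case b) or was
the traffic never authenticated at all (cases a and c)?
Added example for this thread, not Zimbra's own tooling."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Optional "file:" prefix lets grep output such as "zimbra.log:Jul 15 ..." parse as-is.
PREFIX = r"^(?:[\w./-]+:)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
CONNECT_RE = re.compile(PREFIX + r"postfix/(?:smtps/)?smtpd\[\d+\]: connect from \S+\[(?P<ip>[\d.]+)\]")
# Postfix appends sasl_method/sasl_username to the client= line when the session authenticated.
CLIENT_RE = re.compile(PREFIX + r"postfix/(?:smtps/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\](?P<rest>.*)")
SASL_USER_RE = re.compile(r"sasl_username=(\S+)")
AUTH_OK_RE = re.compile(PREFIX + r"saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth OK")
# amavis verdict lines ("Passed SPAMMY", "Passed CLEAN", ...) carry the originating client IP.
AMAVIS_RE = re.compile(PREFIX + r"amavis\[\d+\]: \(\S+\) Passed (?P<verdict>\w+), \[(?P<ip>[\d.]+)\]")

# Constructed sample modelled on the formats quoted in the thread; IPs, hosts
# and the account name are placeholders.
SAMPLE_LOG = """\
Jul 15 06:41:44 zimbra postfix/smtpd[16114]: connect from unknown[203.0.113.38]
Jul 15 06:41:45 zimbra saslauthd[3820]: zmauth: authenticating against elected url 'https://mail.example.org:7071/service/admin/soap/' ...
Jul 15 06:41:45 zimbra saslauthd[3820]: auth_zimbra: hacked_user@example.org auth OK
Jul 15 06:42:04 zimbra postfix/smtpd[16114]: AB12CD34EF56: client=unknown[203.0.113.38], sasl_method=LOGIN, sasl_username=hacked_user@example.org
Jul 15 06:42:05 zimbra postfix/smtpd[16114]: disconnect from unknown[203.0.113.38]
Jul 15 06:42:09 zimbra amavis[963]: (00963-08) Passed SPAMMY, [203.0.113.38] [203.0.113.38] -> , Message-ID: , mail_id: dyivrrJmFhhF, Hits: 10.931, size: 5246, queued_as: B038922A000A, 3948 ms
Jul 15 06:50:00 zimbra postfix/smtpd[16200]: connect from mail-out.example.net[198.51.100.7]
Jul 15 06:50:01 zimbra postfix/smtpd[16200]: C0FFEE000001: client=mail-out.example.net[198.51.100.7]
Jul 15 06:50:02 zimbra postfix/smtpd[16200]: disconnect from mail-out.example.net[198.51.100.7]
Jul 15 06:50:05 zimbra amavis[964]: (00964-01) Passed CLEAN, [198.51.100.7] [198.51.100.7] -> , Message-ID: , mail_id: abcDEF123456, Hits: 0.1, size: 1200, queued_as: C0FFEE000002, 500 ms
"""


def _ts(stamp, year):
    """Syslog stamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=2013, auth_window_s=5):
    """Per client IP: connection count, queue IDs, SASL user names, amavis verdicts.
    saslauthd lines carry no client IP, so an 'auth OK' is attributed to every
    connection opened within auth_window_s seconds before it (a heuristic)."""
    per_ip = defaultdict(lambda: {"connections": 0, "queued": [], "sasl_users": set(),
                                  "nearby_auth": set(), "verdicts": Counter()})
    connects, auth_events = [], []
    for line in log_text.splitlines():
        if m := CONNECT_RE.match(line):
            per_ip[m["ip"]]["connections"] += 1
            connects.append((_ts(m["ts"], year), m["ip"]))
        elif m := CLIENT_RE.match(line):
            per_ip[m["ip"]]["queued"].append(m["qid"])
            if u := SASL_USER_RE.search(m["rest"]):
                per_ip[m["ip"]]["sasl_users"].add(u.group(1))
        elif m := AUTH_OK_RE.match(line):
            auth_events.append((_ts(m["ts"], year), m["user"]))
        elif m := AMAVIS_RE.match(line):
            per_ip[m["ip"]]["verdicts"][m["verdict"]] += 1
    window = timedelta(seconds=auth_window_s)
    for auth_ts, user in auth_events:
        for conn_ts, ip in connects:
            if conn_ts <= auth_ts <= conn_ts + window:
                per_ip[ip]["nearby_auth"].add(user)
    return dict(per_ip)


def classify(entry):
    """A SASL user name or a nearby 'auth OK' points at a compromised account (case b);
    otherwise the mail was accepted unauthenticated: inbound to your domain or
    relayed from a trusted network (cases c and a)."""
    if entry["sasl_users"] or entry["nearby_auth"]:
        return "authenticated-sender"
    return "unauthenticated-sender"


def top_spam_sources(summary):
    """Client IPs ranked by amavis SPAMMY verdicts, with their classification."""
    rows = [(ip, e["verdicts"]["SPAMMY"], classify(e)) for ip, e in summary.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, spammy, kind in top_spam_sources(summary):
        users = sorted(summary[ip]["sasl_users"] | summary[ip]["nearby_auth"])
        print(f"{ip:16} SPAMMY={spammy:<3} {kind:23} users={users}")
```

Run it over the real file with summarize(open("/var/log/zimbra.log").read()); a client that queues mail with neither a sasl_username nor a nearby "auth OK" is consistent with cases (a) or (c) rather than a compromised account.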
omegainstitute
Advanced member
Posts: 68
Joined: Fri Sep 12, 2014 10:33 pm

Postby omegainstitute » Mon Jul 22, 2013 8:26 am

quanah wrote:
> It would be in /var/log/zimbra.log on the MTA.
> Find your connect ... line from the bad IP, like:
>
> Jul 19 11:59:32 edge01-zcs postfix/smtps/smtpd[29706]: connect from some.host.com[XX.XXX.XX.XXX]
>
> Then you should see a call to zmsoap to auth:
>
> Jul 19 11:59:33 edge01-zcs saslauthd[3820]: zmauth: authenticating against elected url 'https://your.mailbox.com:7071/service/admin/soap/' ...
>
> Then you should see a very long soap request, followed by:
>
> Jul 19 11:59:33 edge01-zcs saslauthd[3820]: auth_zimbra: hacked_user@yourdomain.com auth OK
>
> --Quanah

Good morning,
In trying to track down the spammer, I am not seeing any connects via the method you described. Unfortunately I think someone has found a way to get into slapd and do their bidding from there (if that's even possible). What I'm noticing are a long series of slapd communications from the same connection, involving the spammer. Is it possible to send an email via only slapd? If the user is connecting to us via regular SMTP port 25 communications, do soap requests ever get logged? I thought soap dialogs would be there for http(s) connections to the webmail portion of Zimbra only.
Thanks,
- Rob
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Postby quanah » Mon Jul 22, 2013 8:54 am

SOAP is used for authentication to postfix. There is no way to send email via LDAP, only via postfix.
What they may be doing is harvesting all your email addresses from LDAP, and then sending spam out via their own MTA to your domain. By default, since ZCS6, Zimbra's LDAP does not allow anonymous searches of the LDAP server. It also is not required that LDAP be publicly available, only the Zimbra nodes need to be able to communicate with it.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
