Lot of spam from Zimbra servers: unknown vulnerability?

6233maxxer
Outstanding Member
Posts: 391
Joined: Sat Sep 13, 2014 12:06 am

Lot of spam from Zimbra servers: unknown vulnerability?

Postby 6233maxxer » Wed Feb 04, 2015 2:04 am

Hi.


I'm receiving a lot of spam these days, all from Zimbra servers. Since it looks strange to me that so many admins have set up a password for the unix zimbra account, couldn't it be that there is an unknown vulnerability affecting Zimbra which is being exploited?


Some example headers:


Received: from mail.fcbc.cu ([190.6.92.26]:45194)
by srv-hp17.netsons.net with esmtp (Exim 4.84)
(envelope-from <zimbra@mail.fcbc.cu>)
id 1YIult-003oGy-H5
for support@MYDOMAIN.it; Wed, 04 Feb 2015 08:53:14 +0100
Received: from localhost (localhost [127.0.0.1])
by mail.fcbc.cu (Postfix) with ESMTP id 2393433E1C32
for <support@MYDOMAIN.it>; Wed, 4 Feb 2015 02:52:51 -0500 (EST)
X-Virus-Scanned: amavisd-new at fcbc.cu
Received: from mail.fcbc.cu ([127.0.0.1])
by localhost (mail.fcbc.cu [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id gp5PNFiYx-2H; Wed, 4 Feb 2015 02:52:37 -0500 (EST)
Received: by mail.fcbc.cu (Postfix, from userid 1001)
id F3B2B33E0CD8; Wed, 4 Feb 2015 02:43:31 -0500 (EST)

another


Received: from mytwinlife.net ([127.0.0.1])
by localhost (mytwinlife.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 5qC28-zKR_SV for <maxxer@MYDOMAIN.com>;
Wed, 4 Feb 2015 07:54:59 +0000 (UTC)
Received: by mytwinlife.net (Postfix, from userid 1001)
id 3A952242D18; Wed, 4 Feb 2015 07:44:22 +0000 (UTC)


Of course it could be just a coincidence, or it could be that they're all old and unpatched, but it's at least curious. And they're all fake Apple ID scams ;)
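What makes these headers stand out is the bottom Received: line: "by mail.fcbc.cu (Postfix, from userid 1001)" means the message entered Postfix through the local sendmail/pickup path from a unix account, not from an SMTP client, and it then passed through amavisd-new before leaving the box. The script below is an added example, not something from the thread or from Zimbra: it unfolds the headers, walks the Received: chain from the origin outward, and reports the submitting uid, whether a content-filter hop is present, the envelope sender, and the first non-loopback address the receiving MX saw. The two sample strings are the header blocks quoted in the post, embedded as test input; the field names in the report are my own choice. Run over a larger set of messages, tally() shows whether the same (host, uid) pattern keeps recurring, which is the question the post is asking.

```python
import re
from collections import Counter

# Sample input: the two Received: chains quoted in the post above, copied as test data.
SAMPLE_1 = """Received: from mail.fcbc.cu ([190.6.92.26]:45194)
\tby srv-hp17.netsons.net with esmtp (Exim 4.84)
\t(envelope-from <zimbra@mail.fcbc.cu>)
\tid 1YIult-003oGy-H5
\tfor support@MYDOMAIN.it; Wed, 04 Feb 2015 08:53:14 +0100
Received: from localhost (localhost [127.0.0.1])
\tby mail.fcbc.cu (Postfix) with ESMTP id 2393433E1C32
\tfor <support@MYDOMAIN.it>; Wed, 4 Feb 2015 02:52:51 -0500 (EST)
X-Virus-Scanned: amavisd-new at fcbc.cu
Received: from mail.fcbc.cu ([127.0.0.1])
\tby localhost (mail.fcbc.cu [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id gp5PNFiYx-2H; Wed, 4 Feb 2015 02:52:37 -0500 (EST)
Received: by mail.fcbc.cu (Postfix, from userid 1001)
\tid F3B2B33E0CD8; Wed, 4 Feb 2015 02:43:31 -0500 (EST)
"""

SAMPLE_2 = """Received: from mytwinlife.net ([127.0.0.1])
\tby localhost (mytwinlife.net [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id 5qC28-zKR_SV for <maxxer@MYDOMAIN.com>;
\tWed, 4 Feb 2015 07:54:59 +0000 (UTC)
Received: by mytwinlife.net (Postfix, from userid 1001)
\tid 3A952242D18; Wed, 4 Feb 2015 07:44:22 +0000 (UTC)
"""

# "Received: by HOST (Postfix, from userid N)" is Postfix's stamp for a local submission.
LOCAL_SUBMISSION = re.compile(r"\bby\s+(?P<host>\S+)\s+\(Postfix, from userid (?P<uid>\d+)\)")
# "Received: from HELO (comment)" is an SMTP hop; the comment usually carries the peer address.
REMOTE_HOP = re.compile(r"^Received:\s+from\s+(?P<helo>\S+)\s*\((?P<info>[^)]*)\)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_FROM = re.compile(r"\(envelope-from <(?P<addr>[^>]+)>\)")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_hops(raw):
    """Return one hop per Received: header, origin first (headers are prepended on each hop)."""
    received = [l for l in unfold(raw) if l.lower().startswith("received:")]
    hops = []
    for line in reversed(received):
        m = LOCAL_SUBMISSION.search(line)
        if m:
            hops.append({"kind": "local-submission", "host": m["host"], "uid": int(m["uid"]), "ip": None})
            continue
        kind = "content-filter" if "amavisd-new" in line else "smtp"
        m = REMOTE_HOP.match(line)
        ip = IPV4.search(m["info"]) if m else None
        hops.append({"kind": kind, "host": m["helo"] if m else None, "uid": None, "ip": ip.group(1) if ip else None})
    return hops


def analyze(raw):
    """Summarize a header block: where the message originated and how it left the origin host."""
    hops = parse_hops(raw)
    origin = hops[0] if hops else None
    env = ENVELOPE_FROM.search(" ".join(unfold(raw)))
    return {
        "origin_host": origin["host"] if origin else None,
        "local_submission": bool(origin and origin["kind"] == "local-submission"),
        "submitting_uid": origin["uid"] if origin else None,
        "content_filtered": any(h["kind"] == "content-filter" for h in hops),
        "envelope_from": env["addr"] if env else None,
        # First non-loopback peer address in the chain: what the receiving MX actually connected with.
        "handoff_ip": next((h["ip"] for h in hops if h["ip"] and not h["ip"].startswith("127.")), None),
    }


def tally(blocks):
    """Count (origin host, submitting uid) pairs across many messages to see whether a pattern repeats."""
    return Counter((r["origin_host"], r["submitting_uid"]) for r in map(analyze, blocks))


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(analyze(sample))
    print(tally([SAMPLE_1, SAMPLE_2]))
```

The uid alone does not say which account submitted the mail; that mapping only exists in /etc/passwd on the sending host, which is why the thread's follow-up about 500 versus 1001 cannot be settled from headers. What the report does give a recipient is a consistent way to separate "relayed through a Zimbra box over SMTP" from "injected locally on the Zimbra box", which is the distinction that matters when deciding whether the sending servers themselves look compromised.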



jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Lot of spam from Zimbra servers: unknown vulnerability?

Postby jorgedlcruz » Wed Feb 04, 2015 4:06 am

Hi maxxer,

Please let us know the result of zmcontrol -v in the Zimbra servers.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
6233maxxer
Outstanding Member
Posts: 391
Joined: Sat Sep 13, 2014 12:06 am

Lot of spam from Zimbra servers: unknown vulnerability?

Postby 6233maxxer » Wed Feb 04, 2015 4:20 am

Thanks, but these are NOT mine; I'm just receiving the spam from those hosts... I was just wondering whether it's just a coincidence (yesterday and today, two spam mails each day from a total of four zimbra servers) or whether there could be an issue, considering those mails look like they were sent from the zimbra system user (which usually doesn't have a password set).
liverpoolfcfan
Outstanding Member
Posts: 936
Joined: Sat Sep 13, 2014 12:47 am

Lot of spam from Zimbra servers: unknown vulnerability?

Postby liverpoolfcfan » Wed Feb 04, 2015 4:34 am

Doesn't zimbra normally use userid 500? These both show user 1001.



Could these be from one of the previously publicized zimlet vulnerabilities on older versions of zimbra? Or would they show as an actual user account in that scenario?
6233maxxer
Outstanding Member
Posts: 391
Joined: Sat Sep 13, 2014 12:06 am

Lot of spam from Zimbra servers: unknown vulnerability?

Postby 6233maxxer » Wed Feb 04, 2015 5:14 am

In Ubuntu it's usually 1001, as 1000 is the default unprivileged user.
