Spam attack, can't figure it out

Aragorn
Posts: 18
Joined: Sat Sep 13, 2014 1:11 am

Spam attack, can't figure it out

Postby Aragorn » Tue Jun 02, 2020 3:40 pm

My server has been blacklisted and the ISP has shut down its external ports.

On investigating I had 80 thousand emails sitting in the deferred queue.

All had a sender address "documents@mydomain" and they were the usual junky spam asking for loans or whatever.

I cleared the queue, got the server unblocked and watched the logs, and sure enough more spam started arriving.

I really can't figure out what's going on, so here's an excerpt from the log:


Jun  2 14:33:08 zimbra postfix/smtp[29957]: 82F79DE0DA1: to=<mcnielcody99@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.7, delays=0.12/0/0/1.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6231DE0D9A)
Jun  2 14:33:08 zimbra postfix/smtp[29957]: 82F79DE0DA1: to=<kylegalicia1998@icloud.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.7, delays=0.12/0/0/1.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6231DE0D9A)
Jun  2 14:33:08 zimbra postfix/smtp[29957]: 82F79DE0DA1: to=<luckystiff@protonmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.7, delays=0.12/0/0/1.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6231DE0D9A)
Jun  2 14:33:08 zimbra postfix/qmgr[29011]: 82F79DE0DA1: removed
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29019]: 98660DE0D9F: filter: RCPT from 122.222.0.201.ap.gmobb-fix.jp[122.222.0.201]: <documents@[mydomain].com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<documents@[mydomain].com> to=<abaszigma61@gmail.com> proto=ESMTP helo=<[127.0.0.1]>
Jun  2 14:33:08 zimbra postfix/amavisd/smtpd[29966]: 3CA2FDE0DA1: client=localhost[127.0.0.1]
Jun  2 14:33:08 zimbra postfix/cleanup[29936]: 3CA2FDE0DA1: message-id=<65641C98-EB63-0ADE-EC20-5528B3A9AC3B@[mydomain].com>
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29012]: NOQUEUE: filter: RCPT from unknown[176.50.168.195]: <documents@[mydomain].com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<documents@[mydomain].com> to=<coleramay@gmail.com> proto=ESMTP helo=<[127.0.0.1]>
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29012]: 4C359DE0DA6: client=unknown[176.50.168.195], sasl_method=PLAIN, sasl_username=documents@[mydomain].com
Jun  2 14:33:08 zimbra postfix/smtp[29874]: B6231DE0D9A: to=<dhhdhdhdbssh@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.67, delays=0.45/0.01/0.12/0.09, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser 93si2889772wrg.36 - gsmtp (in reply to RCPT TO command))
Jun  2 14:33:08 zimbra amavis[20975]: (20975-16) ROYvyDEYU7WW FWD from <documents@[mydomain].com> -> <jwhite38570@gmail.com>,<lylesangster75@gmail.com>,<nickbrowning94@gmail.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3CA2FDE0DA1
Jun  2 14:33:08 zimbra postfix/qmgr[29011]: 3CA2FDE0DA1: from=<documents@[mydomain].com>, size=52112, nrcpt=3 (queue active)
Jun  2 14:33:08 zimbra amavis[20975]: (20975-16) Passed CLEAN {RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:54880 [113.21.96.190] <documents@[mydomain].com> -> <jwhite38570@gmail.com>,<lylesangster75@gmail.com>,<nickbrowning94@gmail.com>, Queue-ID: C68D6DE0DA3, Message-ID: <65641C98-EB63-0ADE-EC20-5528B3A9AC3B@[mydomain].com>, mail_id: ROYvyDEYU7WW, Hits: -2.888, size: 51764, queued_as: 3CA2FDE0DA1, 1515 ms
Jun  2 14:33:08 zimbra postfix/smtp[29884]: C68D6DE0DA3: to=<jwhite38570@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.6, delays=0.09/0/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3CA2FDE0DA1)
Jun  2 14:33:08 zimbra postfix/smtp[29884]: C68D6DE0DA3: to=<lylesangster75@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.6, delays=0.09/0/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3CA2FDE0DA1)
Jun  2 14:33:08 zimbra postfix/smtp[29884]: C68D6DE0DA3: to=<nickbrowning94@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=1.6, delays=0.09/0/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3CA2FDE0DA1)
Jun  2 14:33:08 zimbra postfix/qmgr[29011]: C68D6DE0DA3: removed
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29012]: 4C359DE0DA6: filter: RCPT from unknown[176.50.168.195]: <documents@[mydomain].com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<documents@[mydomain].com> to=<asdfghjk@gmail.com> proto=ESMTP helo=<[127.0.0.1]>
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29012]: 4C359DE0DA6: filter: RCPT from unknown[176.50.168.195]: <documents@[mydomain].com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<documents@[mydomain].com> to=<btmonlybtm@hotmail.com> proto=ESMTP helo=<[127.0.0.1]>
Jun  2 14:33:08 zimbra postfix/smtp[29874]: B6231DE0D9A: to=<kingrioter12@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.98, delays=0.45/0.01/0.12/0.4, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.27] said: 550-5.7.1 [[my ip address]      18] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. 93si2889772wrg.36 - gsmtp (in reply to end of DATA command))
Jun  2 14:33:08 zimbra postfix/smtp[29874]: B6231DE0D9A: to=<mcnielcody99@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.98, delays=0.45/0.01/0.12/0.4, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.27] said: 550-5.7.1 [[my ip address]      18] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. 93si2889772wrg.36 - gsmtp (in reply to end of DATA command))
Jun  2 14:33:08 zimbra postfix/smtp[29873]: B6231DE0D9A: host mx-aol.mail.gm0.yahoodns.net[67.195.204.80] said: 421 4.7.0 [TSS04] Messages from [my ip address] temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Jun  2 14:33:08 zimbra postfix/smtp[29873]: B6231DE0D9A: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.204.80] while sending RCPT TO
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29012]: 4C359DE0DA6: filter: RCPT from unknown[176.50.168.195]: <documents@[mydomain].com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<documents@[mydomain].com> to=<joelkhup83@gmail.com> proto=ESMTP helo=<[127.0.0.1]>
Jun  2 14:33:09 zimbra postfix/qmgr[29011]: A4EA7DE0D9E: from=<documents@[mydomain].com>, size=51508, nrcpt=5 (queue active)
Jun  2 14:33:09 zimbra amavis[29875]: (29875-07) ESMTP:[127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20200602T143217-29875-eH1Z43C8: <documents@[mydomain].com> -> <danny.hedge1212@gmail.com>,<desmadrebolensgv@gmail.com>,<wardhaywood54@gmail.com>,<anglica@wt.com>,<ryvredunlap@yahoo.com> Received: from zimbra.[mydomain].com ([127.0.0.1]) by localhost (zimbra.[mydomain].com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Tue,  2 Jun 2020 14:33:09 +0000 (UTC)
Jun  2 14:33:09 zimbra postfix/smtp[29034]: 3CA2FDE0DA1: to=<jwhite38570@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=1.1, delays=0.17/0/0.12/0.82, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.26] said: 550-5.7.1 [[my ip address]      18] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. h196si2530804wme.73 - gsmtp (in reply to end of DATA command))
Jun  2 14:33:09 zimbra postfix/smtp[29034]: 3CA2FDE0DA1: to=<lylesangster75@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=1.1, delays=0.17/0/0.12/0.82, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.26] said: 550-5.7.1 [[my ip address]      18] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. h196si2530804wme.73 - gsmtp (in reply to end of DATA command))
Jun  2 14:33:09 zimbra amavis[29875]: (29875-07) Checking: u3mWQUDiCJQU ORIGINATING [186.179.182.31] <documents@[mydomain].com> -> <danny.hedge1212@gmail.com>,<desmadrebolensgv@gmail.com>,<wardhaywood54@gmail.com>,<anglica@wt.com>,<ryvredunlap@yahoo.com>
Jun  2 14:33:09 zimbra postfix/smtp[29034]: 3CA2FDE0DA1: to=<nickbrowning94@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=1.1, delays=0.17/0/0.12/0.82, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.76.26] said: 550-5.7.1 [[my ip address]      18] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked. Please visit 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. h196si2530804wme.73 - gsmtp (in reply to end of DATA command))
Jun  2 14:33:09 zimbra postfix/cleanup[29041]: 70626DE0DAA: message-id=<20200602143309.70626DE0DAA@zimbra.[mydomain].com>
Jun  2 14:33:09 zimbra postfix/bounce[29030]: 3CA2FDE0DA1: sender non-delivery notification: 70626DE0DAA
Jun  2 14:33:09 zimbra postfix/qmgr[29011]: 3CA2FDE0DA1: removed
Jun  2 14:33:09 zimbra postfix/qmgr[29011]: 70626DE0DAA: from=<>, size=6378, nrcpt=1 (queue active)
Jun  2 14:33:09 zimbra postfix/dkimmilter/smtpd[29023]: 84E26DE0DA1: client=localhost[127.0.0.1]


Any ideas where I should be looking to fix this?
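As an added example (not code from the thread or from Zimbra), here is a small Python script that pulls the clues out of Postfix/amavis lines like the ones above: it groups `sasl_username=` logins by account, collects the client IPs that amavis logs after `ORIGINATING`, sums the `nrcpt=` values from qmgr, and then flags any account that is authenticating from many unrelated addresses or fanning out to many recipients. The log lines embedded in it are constructed to resemble the excerpt (the poster's `[mydomain]` placeholder is kept and most IPs are RFC 5737 test addresses); the thresholds in `flag_suspicious` are assumptions to tune for a given site.

```python
import re
from collections import defaultdict

# Constructed sample log, patterned on the Zimbra/Postfix excerpt in the post.
# "[mydomain].com" keeps the poster's placeholder; 203.0.113.x / 198.51.100.x
# are RFC 5737 test addresses, the others repeat IPs already shown in the thread.
SAMPLE_LOG = """\
Jun  2 14:33:08 zimbra postfix/smtps/smtpd[29012]: 4C359DE0DA6: client=unknown[176.50.168.195], sasl_method=PLAIN, sasl_username=documents@[mydomain].com
Jun  2 14:33:08 zimbra amavis[20975]: (20975-16) Passed CLEAN {RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:54880 [113.21.96.190] <documents@[mydomain].com> -> <a@example.com>,<b@example.com>,<c@example.com>, Queue-ID: C68D6DE0DA3, mail_id: ROYvyDEYU7WW, Hits: -2.888, size: 51764, queued_as: 3CA2FDE0DA1, 1515 ms
Jun  2 14:33:08 zimbra postfix/qmgr[29011]: 3CA2FDE0DA1: from=<documents@[mydomain].com>, size=52112, nrcpt=3 (queue active)
Jun  2 14:33:09 zimbra amavis[29875]: (29875-07) Checking: u3mWQUDiCJQU ORIGINATING [186.179.182.31] <documents@[mydomain].com> -> <d@example.com>,<e@example.com>
Jun  2 14:33:09 zimbra postfix/qmgr[29011]: A4EA7DE0D9E: from=<documents@[mydomain].com>, size=51508, nrcpt=5 (queue active)
Jun  2 14:33:09 zimbra postfix/qmgr[29011]: 70626DE0DAA: from=<>, size=6378, nrcpt=1 (queue active)
Jun  2 14:35:10 zimbra postfix/smtps/smtpd[29012]: 5D1A0DE0DB2: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=documents@[mydomain].com
Jun  2 14:36:00 zimbra postfix/smtps/smtpd[29012]: 6E2B1DE0DB9: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@[mydomain].com
Jun  2 14:36:05 zimbra postfix/qmgr[29011]: 6E2B1DE0DB9: from=<alice@[mydomain].com>, size=2048, nrcpt=1 (queue active)
"""

# smtpd line recording an authenticated submission: client address + SASL user
SASL_RE = re.compile(r"client=\S+\[(?P<ip>[\d.]+)\].*sasl_username=(?P<user>\S+)")
# amavis "Checking: ... ORIGINATING [ip] <sender>" and
# "ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:port [ip] <sender>" variants
ORIG_RE = re.compile(
    r"ORIGINATING\S* (?:LOCAL \[[^\]]*\]:\d+ )?\[(?P<ip>[\d.]+)\] <(?P<user>[^>]*)>"
)
# qmgr line giving envelope sender and recipient count for each queued message
QMGR_RE = re.compile(r"qmgr\[\d+\]: \w+: from=<(?P<user>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)")


def analyze(log_text):
    """Aggregate per-account submission evidence from Postfix/amavis log text."""
    stats = defaultdict(lambda: {"sasl_logins": 0, "sasl_ips": set(),
                                 "orig_ips": set(), "messages": 0, "recipients": 0})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            s = stats[m["user"]]
            s["sasl_logins"] += 1
            s["sasl_ips"].add(m["ip"])
            continue
        m = ORIG_RE.search(line)
        if m:
            stats[m["user"]]["orig_ips"].add(m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["user"]:  # from=<> is a bounce, not a user submission
            s = stats[m["user"]]
            s["messages"] += 1
            s["recipients"] += int(m["n"])
    return stats


def flag_suspicious(stats, max_distinct_ips=2, max_recipients=20):
    """Return {account: [reasons]} for accounts whose pattern looks like a
    compromised mailbox: one login used from many unrelated client addresses,
    or fanning out to many recipients. Thresholds are assumptions to tune."""
    flagged = {}
    for user, s in stats.items():
        ips = s["sasl_ips"] | s["orig_ips"]
        reasons = []
        if len(ips) > max_distinct_ips:
            reasons.append(f"{len(ips)} distinct client IPs: {sorted(ips)}")
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients in {s['messages']} messages")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    # Point this at a real /var/log/zimbra.log (or mail.log) instead of SAMPLE_LOG.
    for user, reasons in flag_suspicious(analyze(SAMPLE_LOG)).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Run it against the real log (e.g. `/var/log/zimbra.log`) rather than the embedded sample; the account that shows up with logins from a spread of unrelated addresses is the one whose password needs changing and whose status should be locked, which can be done from the admin console or with `zmprov sp` and `zmprov ma <account> zimbraAccountStatus locked`.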


Aragorn
Posts: 18
Joined: Sat Sep 13, 2014 1:11 am

Re: Spam attack, can't figure it out

Postby Aragorn » Tue Jun 02, 2020 3:47 pm

I should add, it looks like they're sending from an account "documents@[mydomain]". This account doesn't appear in the account listing in the Zimbra control panel, but if I try to create it, it says it already exists?!
Bittone
Posts: 20
Joined: Mon Sep 05, 2016 4:30 pm

Re: Spam attack, can't figure it out

Postby Bittone » Wed Jun 03, 2020 7:12 am

Hello,
first verify no account has been hacked, second verify if any web service using your mail server hasn't been hacked and third verify you have not become an open relay.
Just my 2 cents..
Aragorn
Posts: 18
Joined: Sat Sep 13, 2014 1:11 am

Re: Spam attack, can't figure it out

Postby Aragorn » Wed Jun 03, 2020 8:33 am

After poring over the logs, I eventually became convinced that these mails were being sent by a user logging in as "documents@mydomain". Everything pointed to it being a logged-in user sending mail.

That account appears to be a system account, and doesn't show up in the standard listing. Found it using the search tool, changed the password and set its status to "locked", and the spam stopped.

Now my log is full of authentication errors, which is good because those IPs should automatically get filtered out.

No idea how a system account ended up compromised though?! Unless it's had a weak or standard password or something.
Bittone
Posts: 20
Joined: Mon Sep 05, 2016 4:30 pm

Re: Spam attack, can't figure it out

Postby Bittone » Wed Jun 03, 2020 8:41 am

Hello,
are you sure your admin account hasn't been hacked? Is your admin interface open to the internet?
If I were you I'd check all the accounts in order to check if others are compromised.
Just my 2 cents...
Alberto
