
Preventing access to hacked account

Posted: Sun Jun 07, 2020 8:30 pm
by zigi2020
Hello,

We have Zimbra 8.5.0 GA in production on RHEL 6 OS.
Our users authenticate via LDAP server.
We found that a number of user accounts have been hacked.
These accounts are now used for sending spam.
We noticed that even if we change their LDAP passwords, malicious users are still somehow able to log in and send spam.
How can we prevent malicious users from using compromised accounts without locking the accounts?

Thank you for any suggestion.

Re: Preventing access to hacked account

Posted: Mon Jun 08, 2020 3:59 am
by phoenix
You should not be on an old version of ZCS; there are security flaws in versions prior to the current ZCS 8.8.15 that also include having your server hacked and sending spam, etc. You could try disabling those accounts, but I'd suggest you upgrade to the most recent version of ZCS today; tomorrow is too late. ;)

It is foolhardy and a danger to your reputation and users (never mind the people that receive your spam) not to keep your server software up-to-date.

Check your server by reading this thread: https://forums.zimbra.org/viewtopic.php?f=15&t=65932

Re: Preventing access to hacked account

Posted: Wed Jun 10, 2020 7:48 am
by GlooM
phoenix wrote:You should not be on an old version of ZCS; there are security flaws in versions prior to the current ZCS 8.8.15 that also include having your server hacked and sending spam, etc. You could try disabling those accounts, but I'd suggest you upgrade to the most recent version of ZCS today; tomorrow is too late. ;)

It is foolhardy and a danger to your reputation and users (never mind the people that receive your spam) not to keep your server software up-to-date.

Check your server by reading this thread: https://forums.zimbra.org/viewtopic.php?f=15&t=65932


Hello! I use version 8.7.11 with the latest security patches.
viewtopic.php?f=15&t=68306&p=297598#p297598

I recently asked a similar question. Spam continued after the account was locked. As I understand it, the reason is that internal IP addresses are whitelisted and user authorization is not checked.
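To see which accounts, and which unauthenticated internal hosts, are actually injecting the mail, here is an added example (not code from the thread, from Zimbra, or from any poster) that scans Postfix smtpd accept lines of the kind Zimbra's MTA writes. The log lines and the internal network ranges are constructed and assumed, not taken from any real server.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Postfix smtpd accept lines (Zimbra's MTA is Postfix); not
# taken from the thread or any real server. One account submits three messages from
# an outside IP, an internal host relays twice with no SASL login, one normal login.
SAMPLE_LOG = """\
Jun  7 20:01:02 mail postfix/smtpd[2101]: 1A2B3C: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  7 20:01:05 mail postfix/smtpd[2101]: 1A2B3D: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  7 20:01:09 mail postfix/smtpd[2102]: 1A2B3E: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  7 20:02:10 mail postfix/smtpd[2103]: 1A2B3F: client=app.example.com[10.0.0.5]
Jun  7 20:02:11 mail postfix/smtpd[2103]: 1A2B40: client=app.example.com[10.0.0.5]
Jun  7 20:03:00 mail postfix/smtpd[2104]: 1A2B41: client=laptop.example.com[192.168.1.20], sasl_method=PLAIN, sasl_username=bob@example.com
"""

# Postfix logs each accepted client as 'client=host[ip]' and, only for authenticated
# submissions, appends 'sasl_method=..., sasl_username=...'.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)

# Assumed internal ranges that the MTA relays for without requiring SASL.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_submissions(log_text):
    """Return (queue_id, client_ip, sasl_user_or_None) for every smtpd accept line."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append((m.group("qid"), m.group("ip"), m.group("user")))
    return found


def flag_suspects(log_text, max_per_user=2):
    """Accounts sending more than max_per_user messages, plus internal client IPs that
    relayed mail with no SASL login at all (the whitelisted-IP gap described above)."""
    subs = parse_submissions(log_text)
    per_user = Counter(user for _, _, user in subs if user)
    noisy = {user: n for user, n in per_user.items() if n > max_per_user}
    unauth_internal = Counter(
        ip for _, ip, user in subs
        if user is None and any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    )
    return {"noisy_users": noisy, "unauthenticated_internal": dict(unauth_internal)}
```

Run it against the real `/var/log/zimbra.log` (or `/var/log/maillog`) contents instead of `SAMPLE_LOG`; an internal IP that shows up in `unauthenticated_internal` is a host that can send as anyone regardless of password changes.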

Re: Preventing access to hacked account

Posted: Wed Jun 10, 2020 2:00 pm
by L. Mark Stone
Have you checked this: https://wiki.zimbra.com/wiki/Using_and_ ... _attribute

Hope that helps,
Mark