[Help] Spam Attack in my ZIMBRA server.

wcpon
Posts: 25
Joined: Sat Sep 13, 2014 2:40 am

[Help] Spam Attack in my ZIMBRA server.

Postby wcpon » Wed Oct 31, 2012 2:04 am

Dear Guys,
Recently I am experiencing an issue with my ZIMBRA. "Someone" from outside, using random "PUBLIC IPs", entered and successfully authenticated into my ZIMBRA and started to send spam mails through this username: "whchoy" (as shown in the quote below). I am not able to determine where this attacker is from. This username "whchoy" is valid in our database. Not sure if this was sent via a "BOT". Is there any way I am able to block or prevent such an incident from happening? Even as I type now, the attack is still ongoing... Hope to hear from you guys soon. I appreciate your assistance very much. Thank you.
[QUOTE]

Oct 31 13:52:35 mail postfix/smtpd[13404]: connect from unknown[113.19.211.114]

Oct 31 13:52:37 mail saslauthd[5142]: zmauth: authenticating against elected url 'https://mail.abc.com.my:7071/service/admin/soap/' ...

Oct 31 13:52:37 mail saslauthd[5142]: zmpost: url='https://mail.abc.com.my:7071/service/admin/soap/' returned buffer->data='http://www.w3.org/2003/05/soap-envelope"> xmlns="urn:zimbra">0_3b5380774595f92d005b24c10d8faafd1187ff1a_69643d33363a31313735653533622d343139342d343235662d626633302d6665366265323235663731333b6578703d31333a313335313833353535373530333b76763d313a333b747970653d363a7a696d6272613b172799999carbon', hti->error=''

Oct 31 13:52:37 mail saslauthd[5142]: auth_zimbra: whchoy auth OK

Oct 31 13:52:38 mail postfix/smtpd[13404]: D1E374B8368: client=unknown[113.19.211.114], sasl_method=LOGIN, sasl_username=whchoy

Oct 31 13:52:39 mail postfix/cleanup[15735]: D1E374B8368: message-id=

Oct 31 13:52:39 mail postfix/qmgr[12130]: D1E374B8368: from=<whchoy@abc.com.my>, size=619, nrcpt=1 (queue active)

Oct 31 13:52:39 mail amavis[15816]: (15816-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121031T135156-15816: <whchoy@abc.com.my> -> SIZE=619 Received: from mail.abc.com.my ([127.0.0.1]) by localhost (mail.abc.com.my [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 31 Oct 2012 13:52:39 +0800 (MYT)

Oct 31 13:52:39 mail amavis[15816]: (15816-02) Checking: Yai3feXlb3nM [113.19.211.114] <whchoy@abc.com.my> ->

Oct 31 13:52:39 mail amavis[15816]: (15816-02) Open relay? Nonlocal recips but not originating: chb3@frontiernet.net

Oct 31 13:52:40 mail postfix/smtpd[13404]: disconnect from unknown[113.19.211.114]

Oct 31 13:52:40 mail postfix/smtpd[14544]: 8FE4F4B8516: client=localhost.localdomain[127.0.0.1]

Oct 31 13:52:40 mail postfix/cleanup[14243]: 8FE4F4B8516: message-id=

Oct 31 13:52:40 mail opendkim[2952]: 8FE4F4B8516: DKIM-Signature header added (s=default, d=abc.com.my)

Oct 31 13:52:40 mail postfix/smtpd[14544]: disconnect from localhost.localdomain[127.0.0.1]

Oct 31 13:52:40 mail postfix/qmgr[12130]: 8FE4F4B8516: from=<whchoy@abc.com.my>, size=1098, nrcpt=1 (queue active)

Oct 31 13:52:40 mail amavis[15816]: (15816-02) FWD via SMTP: <whchoy@abc.com.my> -> ,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FE4F4B8516

Oct 31 13:52:40 mail amavis[15816]: (15816-02) Passed CLEAN, [113.19.211.114] [113.19.211.114] <whchoy@abc.com.my> -> , Message-ID: , mail_id: Yai3feXlb3nM, Hits: -4.358, size: 619, queued_as: 8FE4F4B8516, 855 ms

Oct 31 13:52:40 mail postfix/smtp[15709]: D1E374B8368: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0/0.85, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FE4F4B8516)

Oct 31 13:52:40 mail postfix/qmgr[12130]: D1E374B8368: removed

Oct 31 13:52:42 mail postfix/smtp[15341]: 8FE4F4B8516: to=, relay=mx.frontiernet.net[66.133.129.79]:25, delay=1.7, delays=0.05/0/0.92/0.78, dsn=5.0.0, status=bounced (host mx.frontiernet.net[66.133.129.79] said: 550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. (in reply to RCPT TO command))
[/QUOTE]
[QUOTE]

Oct 31 14:12:41 mail postfix/smtpd[10017]: connect from unknown[183.80.108.114]

Oct 31 14:12:43 mail saslauthd[5142]: zmauth: authenticating against elected url 'https://mail.abc.com.my:7071/service/admin/soap/' ...

Oct 31 14:12:43 mail saslauthd[5142]: zmpost: url='https://mail.abc.com.my:7071/service/admin/soap/' returned buffer->data='http://www.w3.org/2003/05/soap-envelope"> xmlns="urn:zimbra">0_2b3428fecfed821040d64603beadf57d79915ccd_69643d33363a31313735653533622d343139342d343235662d626633302d6665366265323235663731333b6578703d31333a313335313833363736333833363b76763d313a333b747970653d363a7a696d6272613b172800000carbon', hti->error=''

Oct 31 14:12:43 mail saslauthd[5142]: auth_zimbra: whchoy auth OK

Oct 31 14:12:45 mail postfix/smtpd[10017]: 68D584B8526: client=unknown[183.80.108.114], sasl_method=LOGIN, sasl_username=whchoy

Oct 31 14:12:46 mail postfix/cleanup[24289]: 68D584B8526: message-id=

Oct 31 14:12:46 mail postfix/qmgr[12130]: 68D584B8526: from=, size=898, nrcpt=1 (queue active)

Oct 31 14:12:46 mail amavis[26166]: (26166-04) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121031T141007-26166: <whchoy@abc.com.my> -> SIZE=898 BODY=8BITMIME Received: from mail.abc.com.my ([127.0.0.1]) by localhost (mail.abc.com.my [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 31 Oct 2012 14:12:46 +0800 (MYT)

Oct 31 14:12:46 mail amavis[26166]: (26166-04) Checking: yVv8xymH8-pE [183.80.108.114] <whchoy@abc.com.my> ->

Oct 31 14:12:46 mail amavis[26166]: (26166-04) Open relay? Nonlocal recips but not originating: rterrenate_68@yahoo.com

Oct 31 14:12:47 mail postfix/smtpd[24639]: connect from localhost.localdomain[127.0.0.1]

Oct 31 14:12:47 mail postfix/smtpd[24639]: 4771A4B852B: client=localhost.localdomain[127.0.0.1]

Oct 31 14:12:47 mail postfix/cleanup[24301]: 4771A4B852B: message-id=

Oct 31 14:12:47 mail opendkim[2952]: 4771A4B852B: DKIM-Signature header added (s=default, d=abc.com.my)

Oct 31 14:12:47 mail postfix/smtpd[24639]: disconnect from localhost.localdomain[127.0.0.1]

Oct 31 14:12:47 mail postfix/qmgr[12130]: 4771A4B852B: from=<whchoy@abc.com.my>, size=1383, nrcpt=1 (queue active)

Oct 31 14:12:47 mail amavis[26166]: (26166-04) FWD via SMTP: <whchoy@abc.com.my> -> ,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4771A4B852B

Oct 31 14:12:47 mail amavis[26166]: (26166-04) Passed CLEAN, [183.80.108.114] [183.80.108.114] <whchoy@abc.com.my> -> , Message-ID: , mail_id: yVv8xymH8-pE, Hits: -4.175, size: 898, queued_as: 4771A4B852B, 826 ms

Oct 31 14:12:47 mail postfix/smtp[24993]: 68D584B8526: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2.4, delays=1.6/0/0/0.83, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4771A4B852B)

Oct 31 14:12:47 mail postfix/qmgr[12130]: 68D584B8526: removed

Oct 31 14:12:47 mail postfix/smtpd[10017]: disconnect from unknown[183.80.108.114]

[/QUOTE]
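The pattern in the logs above, one valid username (`sasl_username=whchoy`) authenticating over SMTP from several unrelated public addresses within minutes, can be picked out of the postfix log automatically. The script below is an added example, not from the thread or from Zimbra; it parses the `postfix/smtpd ... client=...[ip], sasl_method=..., sasl_username=...` lines and flags any account submitting from two or more distinct external IPs. The trusted networks, the users alice and bob, and the IPs 203.0.113.7 and 198.51.100.23 are assumptions constructed for the example; the two whchoy addresses are the ones quoted in the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the postfix/smtpd "client=" line that records a submission, e.g.
# "D1E374B8368: client=unknown[113.19.211.114], sasl_method=LOGIN, sasl_username=whchoy".
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*?\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+))?"
)

# Networks where submissions are expected (assumption: an office LAN plus the
# localhost hop amavis uses). Anything else counts as an external client.
TRUSTED_NETS = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# Constructed sample log modelled on the thread's entries; alice, bob,
# 203.0.113.7 and 198.51.100.23 are made up for this example.
SAMPLE_LOG = """\
Oct 31 13:52:38 mail postfix/smtpd[13404]: D1E374B8368: client=unknown[113.19.211.114], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 13:52:40 mail postfix/smtpd[14544]: 8FE4F4B8516: client=localhost.localdomain[127.0.0.1]
Oct 31 14:12:45 mail postfix/smtpd[10017]: 68D584B8526: client=unknown[183.80.108.114], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 14:20:01 mail postfix/smtpd[10031]: 1A2B3C4D5E6: client=pc20.office.local[192.168.1.20], sasl_method=PLAIN, sasl_username=alice
Oct 31 14:25:17 mail postfix/smtpd[10032]: 2B3C4D5E6F7: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 14:26:44 mail postfix/smtpd[10033]: 3C4D5E6F7A8: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob
"""

def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def external_sasl_logins(log_text: str) -> dict:
    """Map each sasl_username to the set of external client IPs it authenticated from."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m or not m.group("user"):
            continue  # unauthenticated hop (e.g. amavis re-injecting via localhost)
        if not is_trusted(m.group("ip")):
            seen[m.group("user")].add(m.group("ip"))
    return seen

def flag_accounts(log_text: str, min_ips: int = 2) -> dict:
    """Accounts submitting from at least `min_ips` distinct external IPs: one user
    hopping between unrelated public addresses is the compromise pattern in the thread."""
    return {u: sorted(ips) for u, ips in external_sasl_logins(log_text).items()
            if len(ips) >= min_ips}

if __name__ == "__main__":
    for user, ips in flag_accounts(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} external IPs -> {', '.join(ips)}")
```

Run it against `/var/log/zimbra.log` (or wherever your MTA logs) instead of `SAMPLE_LOG`; a hit is the cue to reset that account's password and review its recent submissions, which is the remediation suggested in the replies.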


yasanthau
Advanced member
Posts: 57
Joined: Sat Sep 13, 2014 12:52 am

Postby yasanthau » Wed Oct 31, 2012 3:15 am

Did you reset the password of user whchoy? If not, reset it immediately and put a strong password on it. It may be that the user whchoy is using a very simple password. This happened to me too. What I did was disable the account temporarily, create another account with a different id for the same user, and then add an alias.
wcpon
Posts: 25
Joined: Sat Sep 13, 2014 2:40 am

Postby wcpon » Wed Oct 31, 2012 3:27 am

[quote user="yasanthau"]Did you reset the password of user whchoy? If not, reset it immediately and put a strong password on it. It may be that the user whchoy is using a very simple password. This happened to me too. What I did was disable the account temporarily, create another account with a different id for the same user, and then add an alias.[/QUOTE]
Hi, thanks for your advice.

Ever since you changed to the strong password, did you still experience the same username attack?

Is there a permanent solution that you can advise?
yasanthau
Advanced member
Posts: 57
Joined: Sat Sep 13, 2014 12:52 am

Postby yasanthau » Wed Oct 31, 2012 3:37 am

Yes, for some time, but auth failed thereafter. At the same time I put up an iptables firewall and blocked the whole IP ranges where the attack came from. I followed some of the guidelines given in the link Improving Anti-spam system - Zimbra :: Wiki
wcpon
Posts: 25
Joined: Sat Sep 13, 2014 2:40 am

Postby wcpon » Wed Oct 31, 2012 5:24 am

[quote user="yasanthau"]Yes, for some time, but auth failed thereafter. At the same time I put up an iptables firewall and blocked the whole IP ranges where the attack came from. I followed some of the guidelines given in the link Improving Anti-spam system - Zimbra :: Wiki[/QUOTE]
Thanks for your advice.

After the spamming issue, my MTA currently has a poor reputation. Do you know how to increase my MTA reputation? Kindly please advise.
phoenix
Ambassador
Posts: 26342
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Wed Oct 31, 2012 6:54 am

[quote user="wcpon"]After the spamming issue, my MTA currently has a poor reputation,[/QUOTE]What exactly do you mean by 'poor reputation'?
[quote user="wcpon"].. do you know how to increase my MTA reputation? Kindly please advise.[/QUOTE]If you're talking about being on an RBL then you need to contact the maintainer of the RBL and get your server removed (check the RBL for requirements).
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
wcpon
Posts: 25
Joined: Sat Sep 13, 2014 2:40 am

Postby wcpon » Thu Nov 01, 2012 9:54 am

[quote user="phoenix"]What exactly do you mean by 'poor reputation'?
If you're talking about being on an RBL then you need to contact the maintainer of the RBL and get your server removed (check the RBL for requirements).[/QUOTE]
Yes, I already contacted the maintainer. Now it is working fine. Thanks.

What is the permanent solution that you can advise for this spamming attack on my Zimbra server?
yasanthau
Advanced member
Posts: 57
Joined: Sat Sep 13, 2014 12:52 am

Postby yasanthau » Tue Nov 06, 2012 1:00 am

There are some important tips in my thread http://www.zimbra.com/forums/administrators/55150-somebody-intruded-zimbra-server.html

See the links under Yves Pires' reply.
