
Thread: [SOLVED] SPAM Sent!?

  #1 msf004 (Loyal Member, St. Louis, MO)

    My company is relatively new to Zimbra - just installed onto our production servers on Aug 4th of 2007. Per the installation instructions, the install exists on a box with nothing else running besides the instance of Zimbra - no other application server, DB instance, etc.; the server is dedicated to Zimbra.

    Somehow today a few hundred emails were sent from - none other than - my wife's email account. When she told me, I didn't believe her at first; I had assumed that someone sent SPAM with a reply-to as her email address (spoofing her email address), so I went and looked at her account. Sure enough, the email is in the "Sent" folder and every recipient is now part of her "Emailed Contacts".

    The server does have IPTables running as a firewall with ports 22, 80, 443, 25, 110, 143, 993, 995, 7071 opened - besides that, the default rule is deny. The Zimbra install is a relatively straight forward install following the installation instructions.

    Her password is, in my mind, a good password; utilizing a combination of uppercase, lowercase, alpha, and numerics. Not to mention the SPAM which was sent was the typical Phishing SPAM; here is the start of the email:

    <sample of email sent>
    TUNG TRADING LLC (TTL).
    # 12 Taichi Avenue,
    Panshi Road,
    Central
    Hongkong 000
    Tel: +852-301-41328
    Fax: +852-301-41328
    Email: tungtradingllc121@gmail.com

    Tung Trading LLC(TTL),
    REF:TTL/AGT/445
    Tung Trading LLC is a Trading Company;which deals with the distribution
    and Marking of Steel and other Steel products around the Globe.
    </sample of email sent>

    We are a very small company in the Midwest with only local customers. We only have a total of 50 customers using Zimbra. So to say someone "targeted" us is unlikely; however, you never know.

    I also noticed that the X-Originating-IP address *IS* the address of my server. And to reiterate, this is a very new server and new IP address for my company.

    (1) Can someone help me understand what I should research? It would appear that someone actually sent this message from my wife's account, especially since all of the emailed recipients are now in her "Emailed Contact List". Thus, from the best of my knowledge they would have had to use the web client to send the message; am I mistaken?

    (2) Are there any known vulnerabilities to Zimbra which I have failed to learn about during all of my test installs, Wiki readings, and forum readings?

    Ultimately, I am really concerned about this and really at a loss as to where to start looking.

    I found this in the maillog, which looks as if the email WAS sent via my server:

    Aug 23 10:01:08 postfix/smtpd[24759]: connect from <MY-SERVERNAME-HERE>
    Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=<MY-SERVERNAME-HERE>
    Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
    Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<USERNAME-HERE>, size=4108, nrcpt=503 (queue active)
    Aug 23 10:01:09 postfix/smtpd[24759]: disconnect from <MY-SERVERNAME-HERE>
    Aug 23 10:01:11 postfix/smtpd[29788]: connect from localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/smtpd[30658]: connect from localhost.localdomain[127.0.0.1]
    Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
    Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<USERNAME-HERE>, size=4747, nrcpt=50 (queue active)
    Aug 23 10:01:13 postfix/smtpd[29788]: disconnect from localhost.localdomain[127.0.0.1]

    This looks really bad, any help is greatly appreciated.

    Thank you,
    -Marc
    Last edited by msf004; 08-23-2007 at 03:59 PM.

  #2 gmsmith (Moderator, Williamsburg, VA)

    Any chance your wife uses Outlook and has the Outlook connector installed? Perhaps her machine has a virus?

  #3 msf004 (Loyal Member, St. Louis, MO)

    That was a good thought, but no - she only uses the web client.

    Thanks for the reply...I am still looking into this.

    -Marc

  #4 msf004 (Loyal Member, St. Louis, MO)

    Anyone with any other ideas? I still do not have any idea what is happening; however, I have some more information.

    (1) I had her change her password after the incident. Even after the password change, emails continued to be sent. I.e.: in the zimbra.log I continued to see emails being sent from her account to 50 recipients. So the password change didn't accomplish anything - I have since disabled her account...AND EMAILS STILL CONTINUE TO BE SENT! ****Even with a disabled Account!****

    (2) The emails appear to be coming locally, I.e.: every time a send occurs the zimbra.log shows:

    Aug 23 10:24:12 postfix/smtpd[8465]: 4A21138CC504: client=localhost.localdomain[127.0.0.1]
    Aug 23 10:24:15 postfix/cleanup[8456]: 4A21138CC504: message-id=<14619962.18031187882614894.JavaMail.root@local host>
    Aug 23 10:24:16 postfix/qmgr[27904]: 4A21138CC504: from=<user@server.net>, size=2604, nrcpt=50 (queue active)

    Note: I changed the from to be user@server.net instead of her actual email address.

    I am running an up-to-date RHEL4 server. However, are there any recent known Redhat Trojans? I cannot find anything, but it was a thought.

    Any help? Anyone?

    -Marc
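    As an added example, not code from the thread, here is a small Python checker for the two Postfix maillog line types quoted in posts #1 and #4: it pairs the smtpd "client=" line with the qmgr "from=..., nrcpt=..." line by queue ID, flags any message above a recipient threshold, and records whether the message was injected on the server itself (localhost or a hostname you pass in). The hostnames, addresses and the third queue ID in the sample log are constructed.

```python
import re

# The two Postfix lines the thread quotes: smtpd records which client submitted
# a queue ID; qmgr records the envelope sender and recipient count for that ID.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

# Client names meaning the message was injected on the mail server itself
# (the pattern in the thread); pass your own hostname in local_names as well.
DEFAULT_LOCAL = ("localhost", "127.0.0.1")


def flag_bulk_sends(lines, max_rcpt=20, local_names=DEFAULT_LOCAL):
    """One record per message whose recipient count exceeds max_rcpt."""
    clients = {}  # queue ID -> submitting client, taken from the smtpd line
    hits = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group("qid")] = m.group("client")
            continue
        m = QMGR_RE.search(line)
        if m and int(m.group("nrcpt")) > max_rcpt:
            client = clients.get(m.group("qid"), "unknown")
            hits.append({
                "qid": m.group("qid"),
                "sender": m.group("sender"),
                "nrcpt": int(m.group("nrcpt")),
                "client": client,
                "local_submission": any(n in client for n in local_names),
            })
    return hits


def recipients_by_sender(hits):
    """Total flagged recipients per envelope sender, to spot the abused account."""
    totals = {}
    for h in hits:
        totals[h["sender"]] = totals.get(h["sender"], 0) + h["nrcpt"]
    return totals


# Constructed sample modelled on the thread's excerpts; hostnames, addresses
# and the third message's queue ID are made up.
SAMPLE_LOG = """\
Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=zimbra.example.net[192.0.2.10]
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<user@example.net>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<user@example.net>, size=4747, nrcpt=50 (queue active)
Aug 23 10:30:00 postfix/smtpd[8470]: 5B5B538CC600: client=pc7.example.net[192.0.2.77]
Aug 23 10:30:01 postfix/qmgr[27904]: 5B5B538CC600: from=<other@example.net>, size=1200, nrcpt=2 (queue active)
""".splitlines()
```

    Running it over the real /var/log/maillog with your server's own hostname in local_names shows which account and which submission path (localhost vs. an outside client) is behind each burst, which is what separates a stolen password from something running on the box.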

  #5 msf004 (Loyal Member, St. Louis, MO)

    ...more findings...

    After looking at more logs I have learned that this happened to a customer of mine a couple of days ago. 50 Emails being sent every so often.

    This would lead me to believe there is something running locally on the machine.

    Anyone know of any exploits on a patched Redhat (RHEL4) server running Zimbra and only Zimbra?

    As stated above, IPTables are running as well.

  #6 imarks001 (Active Member, Reston, VA)

    Audit Logs

    Have you looked through Zimbra's audit logs? Try checking out /opt/zimbra/log/audit.log* to see if there are any suspicious looking connections. You also might want to try turning on iptables logging and checking to see if any odd ports appear to be listening with "netstat -tulnp".

  #8 dwmtractor (Moderator, San Jose, CA)

    Why so many ports open?

    Quote originally posted by msf004:
    > The server does have IPTables running as a firewall with ports 22, 80, 443, 25, 110, 143, 993, 995, 7071 opened - besides that, the default rule is deny.
    Marc,

    This may be overkill but I tend to be paranoid on the security side of things.

    Are others of your users logging in using POP, IMAP, etc? If not--that is, if the others are sticking to the web client just like your wife, why not close the other ports? Allow only 443 for the web clients (reject even clear-text port 80), and 25 for SMTP, and shut the rest down. Obviously you need to keep 7071 open for admin, but you should restrict 7071 connections to your local network only and not to the outside world. Rule of thumb--if you don't need a service, close its port, and if you must open it, do so for as limited a scope as possible.

    Similarly, if anyone is using IMAP allow only 993 (not 143); allow 21/22 ftp connections outbound only; etc.

    The other possibility, of course, is that your wife has a keylogger trojan on her PC that is sending her new password to the bad boys... you might want to do a safe-mode scan of her disk. Even more paranoid, there could be a sniffing trojan elsewhere on your network, but that really is low on the probability list I would guess. It is nevertheless true that if you're connecting to the Zimbra box using port 80, a network sniffer could copy and then replicate your login quite easily. How open is the firewall for the rest of your LAN?

    HTH,

    Dan
    Last edited by dwmtractor; 09-10-2007 at 09:36 AM. Reason: added more paranoid thoughts ;{)
