08-23-2007, 10:58 PM
Senior Member | Join Date: Jul 2007 | Location: St. Louis, MO | ZCS Version: Version 4.5.11_GA_1752.RHEL4 NETWORK Edition
Posts: 43
[SOLVED] Spam Being Sent Thru Server - Help Needed!

Per another thread I started, I have found that SPAM is being sent through my Zimbra server. In the past two days two of my Zimbra accounts, for both of which I personally know the account owner, have had occurrences of an email being sent to 50 recipients throughout the day.
I know the account owners are not sending the SPAM. The server is a per-the-instructions Zimbra install with nothing else on the server - it is a Zimbra mail-only server. Both accounts also do not use Outlook or the Outlook connector, both accounts only utilize the web-client to access their accounts.
In trying to get a handle on the emails being sent, I have:
(1) Attempted to have the individuals change their password - the SPAM emails are still being sent.
(2) I have turned off ("locked") their accounts - the SPAM emails are still being sent.
(3) I changed the postfix smtpd_recipient_limit to 49, being the emails are being sent to 50 recipients - regardless the emails are still being sent to 50 users.
These users actually SEE THE EMAILS in their Sent Folder. Further, all of the recipients to which these emails have been sent are now in the users "Emailed Contacts" list. In my mind this would show that the culprit is actually connecting to Zimbra as the user.
I have been trying to troubleshoot this or find a stop-gap for 9 hours now. I find this rather alarming and a serious issue that I want to get stopped - I hate SPAM! I have even opened a support ticket through Zimbra being I am a Network customer - I am willing to pay the cost of a support ticket for help; however, their SLA is 48 hours and I have not yet heard anything from them.
Can anyone offer any suggestions?
Here is a portion of the zimbra.log during a send from this occurance. I have removed my servername and the from email address:
Aug 23 10:01:44 postfix/smtpd[30658]: 863D638CC51F: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:46 postfix/cleanup[30814]: 863D638CC51F: message-id=<9660788.17891187881267810.JavaMail.root@SERVER NAME-HERE>
Aug 23 10:01:48 postfix/qmgr[27904]: 863D638CC51F: from=<EMAIL-ADDRESS-HERE>, size=4747, nrcpt=50 (queue active)
It would appear that the emails are coming from a process on the local machine. The server is a Redhat RHEL4 Server with all patches up to date.
Doing a ps -ef, the only "suspicious" processes I see are:
/usr/bin/perl /tmp/.swatch_script.xxxx
However, I am by no means an expert on the processes which should be running for a Zimbra install.
Any help is greatly appreciated.
08-23-2007, 10:59 PM
Senior Member | Join Date: Jul 2007 | Location: St. Louis, MO | ZCS Version: Version 4.5.11_GA_1752.RHEL4 NETWORK Edition
Posts: 43
As a bit of additional info, this server and the Zimbra license were both purchased and placed into production on Aug 6th, 2007 - so this is a new server which has not been used too long. Further, before launching it live, I had a couple of services perform port scans and open-relay checks - nothing was found.
08-23-2007, 11:02 PM
Zimbra Employee | Join Date: Oct 2005 | Location: San Mateo, CA | ZCS Version: 5.0.5 RHEL4 64-bit GA
Posts: 5,405
Can you post the whole log?
Also, you may wish to look in /opt/zimbra/log/audit.log for any logins.
08-23-2007, 11:08 PM
Senior Member | Join Date: Jul 2007 | Location: St. Louis, MO | ZCS Version: Version 4.5.11_GA_1752.RHEL4 NETWORK Edition
Posts: 43
Posting the whole log would be huge, it is currently at 15MB; however, here is the first instance of the SPAM being sent through one of the accounts:
Aug 23 10:01:08 postfix/smtpd[24759]: connect from <MY-SERVERNAME-HERE>
Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=<MY-SERVERNAME-HERE>
Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<USERNAME-HERE>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:09 postfix/smtpd[24759]: disconnect from <MY-SERVERNAME-HERE>
Aug 23 10:01:11 postfix/smtpd[29788]: connect from localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/smtpd[30658]: connect from localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<USERNAME-HERE>, size=4747, nrcpt=50 (queue active)
Aug 23 10:01:13 postfix/smtpd[29788]: disconnect from localhost.localdomain[127.0.0.1]
I replaced my actual server name with "MY-SERVERNAME-HERE" and the users account with "USERNAME-HERE".
I will check the audit.log and post what I find there too.
Let me know if there is more of the zimbra.log you would like to see.
08-23-2007, 11:28 PM
Senior Member | Join Date: Jul 2007 | Location: St. Louis, MO | ZCS Version: Version 4.5.11_GA_1752.RHEL4 NETWORK Edition
Posts: 43
I found a couple of questionable entries in the audit log. Specifically, connections showing the user agent as Opera for a user who I KNOW does not use Opera. However, as stated, I had this user change their password, then I locked their account, and I have restarted Zimbra via zmcontrol stop - zmcontrol start; and the occurrences of
Aug 23 10:23:39 postfix/smtpd[8466]: 79AFA38CC510: client=localhost.localdomain[127.0.0.1]
Aug 23 10:23:40 postfix/cleanup[8467]: 79AFA38CC510: message-id=<14619962.18031187882614894.JavaMail.root@server.domain.net>
Aug 23 10:23:41 postfix/qmgr[27904]: 79AFA38CC510: from=<user@domain.net>, size=2604, nrcpt=50 (queue active)
Aug 23 10:23:41 amavis[30718]: (30718-04) ...user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, BODY=8BITMIME 250 2.6.0 Ok, id=30718-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 79AFA38CC510
Aug 23 10:23:42 amavis[30718]: (30718-04) ...<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, Message-ID: <14619962.18031187882614894.JavaMail.root@server.domain.net>, mail_id: oK5FMW07jrVP, Hits: -3.252, queued_as: 79AFA38CC510, 5452 ms
Aug 23 10:23:41 postfix/smtp[8523]: 79AFA38CC510: to=<user@domain.com>, relay=mx.mailanyone.net[208.70.128.223], delay=2, status=sent (250 OK id=1IOEbo-0000SM-6B)
Aug 23 10:23:42 postfix/smtp[8517]: 79AFA38CC510: to=<user@domain.com>, relay=mail.xecu.net[216.127.136.211], delay=3, status=sent (250 2.0.0 Ok: queued as 8EA4576A5F3)
...more...
Keep happening; even with a locked account - AND I have changed the Postfix policy to limit recipients to 49.
Last edited by msf004: 08-23-2007 at 11:31 PM. Reason: hide email addresses
08-23-2007, 11:34 PM
Senior Member | Join Date: Jul 2007 | Location: St. Louis, MO | ZCS Version: Version 4.5.11_GA_1752.RHEL4 NETWORK Edition
Posts: 43
I am seeing entries like this in the audit.log:
2007-08-24 01:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
2007-08-24 01:00:04,926 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
Is that normal?
08-24-2007, 12:20 AM
Zimbra Employee | Join Date: Sep 2005 | Location: Vannes, France
Posts: 7,386
Quote:
Originally Posted by msf004
I am seeing entries like this in the audit.log:
2007-08-24 01:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
2007-08-24 01:00:04,926 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
Is that normal?

Yes, it's normal, but... how often are you seeing these messages? Do any of them relate to when you have this 'spam' being sent?
Could you attach a copy of your log to the support case you've raised? Is there any frequency of when these batches of messages are being sent? As this is a Network Edition, who uses your server - this is an HSP service isn't it? Is it in production? Can you also send details of your mynetwork setting to your case notes. Please include as much detail as you feel is necessary and we'll try and track this down for you.
Regards
Bill
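The thread's two questions, which postfix queue entries are the bulk sends and whether they line up with logins for the same account in audit.log, can be answered with a short log-correlation script. The following is an added example and not code from the thread or from Zimbra. It assumes qmgr/smtpd lines in the shape quoted above (hostname optional, since the poster stripped it) and an audit.log Auth line carrying name=, ip= and ua= fields in its bracketed block; the thread only shows the ip= field, so that layout, the 50-recipient threshold and every address, queue id and user agent in the embedded samples are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the postfix lines quoted in the thread.
POSTFIX_LOG = """\
Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=mail.example.test[203.0.113.10]
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<alice@example.test>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<alice@example.test>, size=4747, nrcpt=50 (queue active)
Aug 23 10:05:02 postfix/smtpd[29790]: 3A1B238CC4F0: client=localhost.localdomain[127.0.0.1]
Aug 23 10:05:03 postfix/qmgr[27904]: 3A1B238CC4F0: from=<bob@example.test>, size=1200, nrcpt=1 (queue active)
"""

# Constructed sample audit.log lines; the name=/ua= fields are an assumption
# (the thread only shows ip=), the AdminAuth line mirrors the routine one shown.
AUDIT_LOG = """\
2007-08-23 09:58:40,101 INFO [btpool0-12] [name=alice@example.test;ip=198.51.100.7;ua=Opera/9.2;] security - cmd=Auth; account=alice@example.test; protocol=soap;
2007-08-23 09:59:10,222 INFO [btpool0-13] [name=alice@example.test;ip=192.0.2.44;ua=Mozilla/5.0 Firefox/2.0;] security - cmd=Auth; account=alice@example.test; protocol=soap;
2007-08-23 10:00:04,925 INFO [http-7071-Processor48] [ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
"""

SYSLOG_TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?:\S+ )?'
SMTPD_RE = re.compile(SYSLOG_TS + r'postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+)')
QMGR_RE = re.compile(SYSLOG_TS + r'postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): '
                     r'from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)')
# Only user logins (cmd=Auth); the routine cmd=AdminAuth for 'zimbra' from 127.0.0.1 does not match.
AUTH_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ INFO \[[^\]]+\] '
                     r'\[(?P<fields>[^\]]*)\] security - cmd=Auth; account=(?P<account>[^;]+);')


def parse_postfix(text):
    """Map queue id -> {'ts', 'sender', 'nrcpt', 'client'} from smtpd and qmgr lines."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            msgs[m['qid']]['client'] = m['client']
            continue
        m = QMGR_RE.match(line)
        if m:
            msgs[m['qid']].update(ts=m['ts'], sender=m['sender'], nrcpt=int(m['nrcpt']))
    return dict(msgs)


def find_bulk_sends(msgs, threshold=50):
    """Messages with nrcpt >= threshold, oldest first (string order is fine within one month).
    A client of 127.0.0.1 on a mail-only Zimbra host means the message was injected locally,
    which is how the web client (or any process on the box) hands mail to postfix."""
    hits = [
        {'qid': qid, 'ts': m['ts'], 'sender': m['sender'], 'nrcpt': m['nrcpt'],
         'client': m.get('client', '?'),
         'local_submission': m.get('client', '').endswith('[127.0.0.1]')}
        for qid, m in msgs.items() if m.get('nrcpt', 0) >= threshold
    ]
    return sorted(hits, key=lambda h: h['ts'])


def _parse_fields(block):
    """Parse 'k=v;k=v;' into a dict; a ';' inside a value (common in user agents) is re-joined."""
    fields, key = {}, None
    for tok in block.split(';'):
        if '=' in tok:
            key, val = tok.split('=', 1)
            fields[key] = val
        elif key and tok:
            fields[key] += ';' + tok
    return fields


def parse_auth_events(text):
    """List of user Auth events as {'ts', 'account', 'ip', 'ua'}."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        f = _parse_fields(m['fields'])
        events.append({'ts': m['ts'], 'account': m['account'],
                       'ip': f.get('ip', '?'), 'ua': f.get('ua', '?')})
    return events


def logins_by_account(events):
    """Distinct (ip, user agent) pairs per account; a pair the owner does not recognise
    (the thread's Opera login is the example) is what to follow up on."""
    seen = defaultdict(set)
    for e in events:
        seen[e['account']].add((e['ip'], e['ua']))
    return {acct: sorted(pairs) for acct, pairs in seen.items()}


def suspicious_senders(msgs, events, threshold=50):
    """Join the two logs: each bulk sender -> the login sources recorded for that account."""
    by_acct = logins_by_account(events)
    return {h['sender']: by_acct.get(h['sender'], []) for h in find_bulk_sends(msgs, threshold)}


if __name__ == '__main__':
    msgs = parse_postfix(POSTFIX_LOG)
    for h in find_bulk_sends(msgs):
        print(f"{h['ts']} {h['qid']} {h['sender']} nrcpt={h['nrcpt']} "
              f"client={h['client']} local={h['local_submission']}")
    for acct, sources in suspicious_senders(msgs, parse_auth_events(AUDIT_LOG)).items():
        print(acct, '->', sources)
```

Run it against the real zimbra.log and audit.log by reading the files into the two variables; the report lists every queue id at or above the threshold with its submitting client, then the IP/user-agent pairs that authenticated as the sending account, which is the check the employee asked for (do the Auth entries line up with the sends?). Messages that arrive via 127.0.0.1 with a JavaMail message-id, as in the thread, point at submission through the web client rather than an external relay.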
08-24-2007, 03:35 AM
Senior Member | Join Date: Jul 2007
Posts: 98
Sorry for joining the discussion.
I find it very interesting. It looks like the spam is sent through the webmail.
I suspect that someone in your network is guilty.
Regarding the password change, it's still possible that he/she planted a keylogger in the victim's PC that will record and send the new password to the bad guy.
In order to make sure that indeed the bad guys use the webmail, can you turn off tomcat for a while and see if the spam stops? If it continues, then he's using another means. If he's using webmail, we can begin tracing the IP address that is accessing the webmail. Knowing this, we will be able to narrow the possibilities.
Last edited by fajarpri: 08-24-2007 at 03:38 AM.
08-24-2007, 07:59 AM
Senior Member | Join Date: Jul 2007 | Location: St. Louis, MO | ZCS Version: Version 4.5.11_GA_1752.RHEL4 NETWORK Edition
Posts: 43
Unfortunately, our "network" is only two people in a small and secured office. The rest of our users are customers.
Also, locally we are not using any Windows computers. It is all Linux and Mac. Not to say that there are not keyloggers for Macs or CentOS; however, less likely being (i) only two of us, (ii) secured office, (iii) no Windows.
This has also happened to two Zimbra accounts now as well. The two accounts to which it has happened are not related accounts, different companies who do not know each other.
08-24-2007, 08:27 AM
Senior Member | Join Date: Jul 2007 | ZCS Version: Release 4.5.6_GA_1044.RHEL4_20070706225645 CentOS4 FOSS edition
Posts: 32
Maybe the output of "ps -eafwww" would be helpful, that is, if the problem is some sort of local process.