
Thread: Security phishing problem with zimbra

  1. #1 xusnbb (Junior Member)

    Security phishing problem with zimbra

    Hello, I have a domain, for example probe.com, with LDAP authentication, and I have the account probe@probe.com. If I know this account I can phish this email by doing the following:

    cmd to open an MS-DOS window

    telnet mail.probe.com 25
    helo probe.com
    mail from: probe@probe.com
    rcpt to: probe@probe.com
    data
    This is a phishing
    .

    Using this method someone can send email to probe@probe.com without authentication, and phish this account.

    Can I resolve this security problem in my Zimbra open source server?


    Thank you very much

  2. #2 mmorse (Moderator)

    Welcome to the forums,

    Zimbra is not an open relay by default. However, are you testing from your local LAN?

    See: ZimbraMtaMyNetworks - Zimbra :: Wiki

  3. #3 xusnbb (Junior Member)

    OK, Zimbra is not an open relay, but from the extranet I can send mail without authentication if I know a valid account, for example:

    telnet mail.probe.com 25
    helo probe.com
    mail from: probe@probe.com
    rcpt to: probe@probe.com
    data
    This is a phishing

    This works, because the account probe exists.

    Can I resolve this problem?

  4. #4 dwmtractor (Moderator)

    Behavior confirmed

    Quote, originally posted by xusnbb:
    telnet mail.probe.com 25
    helo probe.com
    mail from: probe@probe.com
    rcpt to: probe@probe.com
    data
    This is a phishing

    This run, because the account probe exists
    I just tested this and had the same experience. I sent messages to multiple users in my network after logging in with MAIL FROM: of a valid account. Postfix accepts the email despite it coming from an IP that is NOT in any of the trusted ranges (in my case, another IP on my T1, none of whose addresses are in the allowed networks).

    Strictly speaking it's not phishing, but it IS a backdoor into relaying messages by people we don't want to allow in. . .

    Whether this is an issue with Postfix or Zimbra directly, it does constitute a security hole of some significance since it essentially opens the relay to anybody who first knows a valid email address from inside. I'll be happy to file the bug but would prefer a couple more confirmations first.

    Thanks for catching this!

    Dan
    Last edited by dwmtractor; 10-29-2007 at 11:26 AM.

  5. #5 jholder (Former Zimbran)

    How is the server supposed to know if you aren't sending a message to yourself?

    I would not consider this a security issue. Plus, it's not phishing, it's spoofing.

    If you want to protect against this, then keep the AntiVirus/Spam on. The server will analyze the message and determine if it's legit or not.

    The server should accept all messages, then determine if it's spam or not per RFC 2821

    http://www.ietf.org/rfc/rfc2821.txt

    "An SMTP server MAY verify that the domain name parameter in the EHLO
    command actually corresponds to the IP address of the client.
    However, the server MUST NOT refuse to accept a message for this
    reason if the verification fails: the information about verification
    failure is for logging and tracing only."

  6. #6 dwmtractor (Moderator)

    Further Testing - Not as severe as I feared

    I just did a second test and it's not as severe as I feared; it's more of a spoofing issue than an open relay. With the valid MAIL FROM: I was NOT able to get the server to relay a message outside my domain (to my home address). So IT IS NOT AN OPEN RELAY and I was wrong to characterize it as such.

    The MTA is going to accept a message for delivery to any valid address inside the domain, from anywhere outside. . .that's what email does. It is not good that it'll accept a spoofed MAIL FROM from people outside the kingdom, but it wouldn't be the first time I saw a spoofed FROM header.

    I don't know if this can be fixed but it is WAY less serious than I first feared.

    Dan

  7. #7 mmorse (Moderator)

    If you want to test: Mail relay testing

    Yup, as you pointed out that's not open relay; that would be when a user who is not on your domain uses your server to send mail to a differing domain.
    Last edited by mmorse; 10-29-2007 at 11:59 AM.

  8. #8 dwmtractor (Moderator)

    My question would be, shouldn't a spoofed "FROM" header be considered a strong spam indicator? I looked at my test messages and they don't get any red flag for having a HELO and a FROM that are inside the network while the message is coming from outside. On the other hand, it is clear that the spam filters still scanned the message, so if it were "spammier" I would hope it'd still be caught. . .

    Dan
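    The distinction drawn in #6 and #7 (open relay versus envelope-sender spoofing) and the question in #8 (should a spoofed local MAIL FROM be a flag?) can be made concrete with a small model of the MTA's RCPT TO decision. This is an added example, not Zimbra's or Postfix's code; the local domain, trusted networks and client addresses are constructed, and the relay rule mirrors what Postfix calls reject_unauth_destination.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration modelled on the thread: probe.com is the only local
# domain and only the LAN ranges are trusted (Zimbra's zimbraMtaMyNetworks).
LOCAL_DOMAINS = {"probe.com"}
MY_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]


@dataclass
class Verdict:
    action: str           # "accept" or "reject"
    reason: str
    spoofed_sender: bool  # local MAIL FROM offered without trust or authentication


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _trusted(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MY_NETWORKS)


def classify(client_ip, mail_from, rcpt_to, authenticated=False) -> Verdict:
    """Model of the MTA's RCPT TO decision: accept local recipients from anywhere
    (RFC 2821), relay only for trusted or authenticated clients, and separately
    record when the envelope sender claims a local domain with no proof of it."""
    trusted = authenticated or _trusted(client_ip)
    sender_local = _domain(mail_from) in LOCAL_DOMAINS
    rcpt_local = _domain(rcpt_to) in LOCAL_DOMAINS
    spoofed = sender_local and not trusted

    if rcpt_local:
        # Inbound mail for our own users is always accepted; the spoofed flag is
        # what a content filter or a sender-login check could act on.
        return Verdict("accept", "local delivery", spoofed)
    if trusted:
        return Verdict("accept", "authorized relay", False)
    # Untrusted client, foreign recipient: the open-relay case. A valid local
    # MAIL FROM does not change it, which is what dwmtractor's second test showed.
    return Verdict("reject", "relay access denied", spoofed)


if __name__ == "__main__":
    # The thread's two cases: spoofed inbound (accepted) and relay attempt (rejected).
    print(classify("203.0.113.5", "probe@probe.com", "probe@probe.com"))
    print(classify("203.0.113.5", "probe@probe.com", "dan@example.net"))
```

    The first call reproduces the thread's observation (accepted, but marked spoofed_sender); the second shows why the same session is not an open relay.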

  9. #9 xusnbb (Junior Member)

    You can send email from any valid account to any valid account in any domain. This is very dangerous if this problem is known in the company.

  10. #10 jholder (Former Zimbran)

    Quote, originally posted by xusnbb:
    This is very dangerous if this problem is known in the company
    That is a very true and accurate statement. That can be dangerous internally; unfortunately, that is another RFC:
    See Chris Linfoot | postmaster@, domain literal, RFC compliance...
