
Thread: zimbra mail hacked

  1. #11
    quietas is offline Elite Member
    Join Date
    Aug 2007
    Location
    Anchorage, AK
    Posts
    376
    Rep Power
    7

    Default

    Something like this happened to me a while back. I was getting up to 10000 messages a day returned. I thought someone had gotten in to my system or it was relaying. Turned out it was backscatter spam where someone was forging the sent from fields.

    Spam Links - backscatter
    Backscatter (e-mail) - Wikipedia, the free encyclopedia

    Not much you can do unfortunately until the sender stops using your domain as the return and sent from. The best thing to do is try and identify something in the message that is unique to the forged emails, but not in your valid emails, then use Postfix to filter it out.
    Culley
    Mail | Dell 2950III | 2x Quad Core 5420 | 8gb RAM | 6x 146gb SAS RAID 0+1 | Red Hat 5.3 | Zimbra 6.0.10 Network Edition
    Test | VMware ESXi Whitebox | Phenom II Black 3.2ghz | 12gb RAM | 6x 1tb SATA RAID 0+1 | CentOS 5.4 | FOSS, Not in use now

  2. #12
    Bill Brock is offline Outstanding Member
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    8

    Default Spam lists.

    If his mail server has ended up on several spam listings then it probably has been spamming.

  3. #13
    extremal is offline Active Member
    Join Date
    May 2008
    Posts
    25
    Rep Power
    6

    Default

    Quote Originally Posted by LMStone View Post
    One other thing to check...

    The server itself may not be hacked, but if you allow your users to use any simple password they like, one or more spammers may just be using a valid mailbox account on your server using a guessed or cracked password.

    Zimbra usernames are email addresses; easy to find and half of the authentication requirements right there.

    We insist upon using "complex" passwords and forced password rotations.

    So, the "fix" might be as simple as just changing everyone's password, then generating an unblock request and see what happens.

    Hope that helps,
    Mark

    "Sometimes a pipe is just a pipe..."
    I also think the problem is because of weak password(s)..

    Thanks for the replies

  4. #14
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Quote Originally Posted by extremal View Post
    I also think problem is because of weak password(s)
    You can check them with zmprov:

    Code:
    checkPasswordStrength(cps) {name@domain|id} {password}
    and set Password policy in the Admin UI/COS.
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  5. #15
    captainmish is offline Loyal Member
    Join Date
    Mar 2007
    Location
    Plymouth, uk
    Posts
    93
    Rep Power
    8

    Default Blacklists

    Bear in mind that RBLs can be very incestuous - get on one (especially the "big" ones - spamhaus etc), and you will be on 5 within minutes. I have seen a server listed on the CBL because of a postfix configuration they didn't like. Bear in mind also that if you are behind NAT, then ANY of the machines behind it can have sent spam out, not just your mail server, and the public NAT ip will be blocked (thus it's best to block outgoing port 25 for everything but your mail server).

    Have a read of the CBL FAQ for some hints as well: The CBL FAQ

  6. #16
    pasco is offline Active Member
    Join Date
    Jun 2008
    Location
    St. Gallen, Switzerland
    Posts
    25
    Rep Power
    6

    Default

    Actually I have pretty much the same problem. Have you found a solution?

    I've checked everything mentioned in this thread, but found no solution.

    Obviously mail got sent from my IP address and from my Zimbra server. I can see these mails in the admin web GUI. My IP also got blacklisted.

    I have only 10 users. Everybody has a pretty strong PWD.

    I don't find a rootkit on my server.

    And the SPAM mails seem to be relayed, but it's not an open relay. So the only possibility is that at least one of "my" mail accounts/passwords is compromised?

    I checked the audit.log but there was only access from known IP addresses from known Zimbra accounts.

    Still I have a lot of mails in the mail queue that will also be sent out...


  7. #17
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,016
    Rep Power
    24

    Default

    Or the headers have been forged. We would really need to see one of them.

  8. #18
    Bill Brock is offline Outstanding Member
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    8

    Default Trusted Networks.

    If you have a WAN interface you may want to check your trusted networks.

  9. #19
    pasco is offline Active Member
    Join Date
    Jun 2008
    Location
    St. Gallen, Switzerland
    Posts
    25
    Rep Power
    6

    Default

    Quote Originally Posted by Bill Brock View Post
    If you have a WAN interface you may want to check your trusted networks.
    Actually I have a WAN interface. But all these strange mails have their origin at 127.0.0.1, it says...

  10. #20
    pasco is offline Active Member
    Join Date
    Jun 2008
    Location
    St. Gallen, Switzerland
    Posts
    25
    Rep Power
    6

    Default

    Quote Originally Posted by uxbod View Post
    Or the headers have been forged. We would really need to see one of them.
    Oh, of course. I'm sorry, I forgot about that.

    Here you see some of them from my zimbra.log:

    Code:
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780056@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780102@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780104@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780207@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780409@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780510@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780606@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780611@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky7806152000@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780713@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky781105@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky781116@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky781126sky@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky781219@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky781228@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky78_03_29@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
    Code:
    Jan 12 19:00:14 zimbra postfix/smtp[31825]: A0CD2D6946: to=<polly10_16@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.9]:25, delay=597, delays=587/0.07/10/0, dsn=4.7.0, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 [TS01] Messages from <my.ip.address> temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

    Thanks
    Last edited by pasco; 01-12-2009 at 12:01 PM. Reason: Additional Information
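A way to read postfix log lines like the ones pasco posted, added here as an example that is not from his post or from Zimbra: it groups lines by queue id so that the smtp delivery lines (where relay=127.0.0.1[127.0.0.1]:10024 is only the amavis content-filter hop inside Zimbra) can be tied back to the smtpd submission line for the same queue id, which is the line that records the connecting client and, for an authenticated submission, the SASL user. The smtpd line, the client IP and the user alice@example.com in the sample are constructed, and the 421 line is shortened.

```python
import re
from collections import defaultdict

# Constructed sample, not pasco's full log: the postfix/smtp lines are patterned on
# the ones he posted (queue id 8C4BBD692F handed to amavis on 127.0.0.1:10024 and
# discarded as SPAM); the smtpd line is invented to show a submission record.
SAMPLE_LOG = """\
Jan 12 19:06:54 zimbra postfix/smtpd[2701]: 8C4BBD692F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780056@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
Jan 12 19:07:25 zimbra postfix/smtp[2752]: 8C4BBD692F: to=<sky780102@yahoo.com.tw>, relay=127.0.0.1[127.0.0.1]:10024, delay=31, delays=30/0.01/0.01/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=27536-01 - SPAM)
Jan 12 19:00:14 zimbra postfix/smtp[31825]: A0CD2D6946: to=<polly10_16@yahoo.com.tw>, relay=mx1.mail.tw.yahoo.com[203.188.197.9]:25, delay=597, delays=587/0.07/10/0, dsn=4.7.0, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 [TS01] Messages from <my.ip.address> temporarily deferred due to user complaints)
"""

# One postfix line: timestamp, host, daemon[pid], queue id, then key=value fields.
LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>\w+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")

def parse_log(text):
    """Group lines by queue id so smtp delivery lines tie back to the smtpd submission line."""
    recs = defaultdict(lambda: {"client": None, "sasl_user": None, "rcpts": [],
                                "spam_discarded": 0, "deferred": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        r, rest = recs[m["qid"]], m["rest"]
        if m["prog"] == "smtpd":
            # The submission line is where the real origin is recorded: the connecting
            # client and, for an authenticated user, sasl_username.
            r["client"] = re.search(r"client=([^,\s]+)", rest).group(1)
            u = re.search(r"sasl_username=(\S+)", rest)
            r["sasl_user"] = u.group(1) if u else None
        elif m["prog"] == "smtp":
            # relay=127.0.0.1[...]:10024 is Zimbra's amavis content-filter hop, not the
            # sender; "origin 127.0.0.1" in these lines therefore says nothing about who sent it.
            r["rcpts"].append(re.search(r"to=<([^>]*)>", rest).group(1))
            if "discarded" in rest and "SPAM" in rest:
                r["spam_discarded"] += 1
            if "status=deferred" in rest:
                r["deferred"] += 1
    return dict(recs)

def suspicious_queue_ids(recs):
    """Queue ids discarded as SPAM or deferred by a remote MX, with submitter if logged."""
    out = [{"qid": q, "sasl_user": r["sasl_user"], "client": r["client"],
            "rcpts": len(r["rcpts"]), "spam_discarded": r["spam_discarded"],
            "deferred": r["deferred"]}
           for q, r in recs.items() if r["spam_discarded"] or r["deferred"]]
    return sorted(out, key=lambda d: d["qid"])
```

A queue id that shows up in suspicious_queue_ids with client and sasl_user still None, as A0CD2D6946 does here, means the excerpt has no smtpd line for it; the submission line earlier in the log is the one to pull before deciding whether an account was used.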
