
Thread: My zimbra is being used to send spam by malicious outsiders!

  1. #1
    higeon is offline Intermediate Member
    Join Date
    Jun 2009
    Posts
    21
    Rep Power
    6

My zimbra is being used to send spam by malicious outsiders!

    Hi, all.
    Can anyone help?
    How can I restrict it?

The zimbra.log is here:

    Jun 29 04:02:56 mail postfix/smtpd[17503]: connect from unknown[86.60.97.105]
    Jun 29 04:03:45 mail postfix/smtpd[17503]: E4EBB47001B5: client=unknown[86.60.97.105]
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 77BA64700255: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: AF718470024B: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 01141470019C: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 0D52D47002A0: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2717A47001C6: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2A6D34700222: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2C0794700252: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2930D4700207: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 26C3847001BB: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2A4864700215: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2A05B4700221: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2D41347002CD: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 270C6470019A: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2C2CB470024E: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2743447001BE: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 26CFC47001B0: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2BA4A4700240: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2E54F47002A9: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
    Jun 29 04:03:47 mail postfix/qmgr[2703]: 2FA5447002D0: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,580
    Rep Power
    57

Tell us some details about your Zimbra set-up, starting by putting the output of the following command in your forum profile (don't post it in this thread):

    Code:
    zmcontrol -v
    When did this problem start? Why do you think it's your system sending spam rather than NDR Spam that you're receiving? Which account is sending the spam? Have you checked to see if that really is the case? Is the 'compromised' account a local or remote user? Have you checked to see if you're acting as an open relay (search the web for sites that will check that)? Are all the machines on your LAN clean, have they been checked for viruses or bots recently?

Do you also have a strong password policy for your Zimbra user accounts?
    Regards


    Bill



  3. #3
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

Welcome to the forums.

    What do you have specified for your trusted networks in the MTA tab of the Admin GUI? Have you checked whether your server is an open relay using something like Mail relay testing?

  4. #4
    higeon is offline Intermediate Member
    Join Date
    Jun 2009
    Posts
    21
    Rep Power
    6


    [zimbra@mail ~]$ zmcontrol -v
    Release 5.0.14_GA_2850.RHEL5_20090303142201 CentOS5 FOSS edition

    [zimbra@mail ~]$ zmprov gs `zmhostname` | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.0/8 172.16.10.0/24 192.168.0.0/16

  5. #5
    higeon is offline Intermediate Member
    Join Date
    Jun 2009
    Posts
    21
    Rep Power
    6

Mail relay testing
    Connecting to 203.179.82.186 for anonymous test ...
    ......
    ......
    ......
    Relay test result
    All tests performed, no relays accepted.

  6. #6
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24


    Check /opt/zimbra/log/audit.log for that IP address and see if one of your accounts has been compromised.

  7. #7
    higeon is offline Intermediate Member
    Join Date
    Jun 2009
    Posts
    21
    Rep Power
    6

I cannot find the IP address 86.60.97.105,
    but I found a lot of log entries such as:

    2009-06-29 04:48:00,775 INFO [btpool0-125] [name=data@newcon.co.jp;ip=127.0.0.1;] security - cmd=Auth; account=data@newcon.co.jp; protocol=soap;

I think the compromised account is data@newcon.co.jp.
    But why is the IP 127.0.0.1?
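The checks discussed in this thread (a remote client injecting mail through the MTA, the `zimbraMtaMyNetworks` trusted ranges from post #4, and repeated `cmd=Auth` events for one account in audit.log) can be automated over the two logs. The script below is an added example, not code from the thread or from Zimbra; the log lines are constructed in the same shape as the excerpts above (the queue ID, the `192.168.1.42` client, the `198.51.100.7` login and `alice@example.com` are invented), and the trusted-network value is the one the poster reported.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the zimbra.log excerpt in post #1.
# Only the first queue ID is tied to an smtpd "client=" line, as in the thread.
ZIMBRA_LOG = """\
Jun 29 04:02:56 mail postfix/smtpd[17503]: connect from unknown[86.60.97.105]
Jun 29 04:03:45 mail postfix/smtpd[17503]: E4EBB47001B5: client=unknown[86.60.97.105]
Jun 29 04:03:47 mail postfix/qmgr[2703]: E4EBB47001B5: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 77BA64700255: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:10:02 mail postfix/smtpd[17510]: 1A2B3C4D5E6F: client=pc42.lan[192.168.1.42]
Jun 29 04:10:03 mail postfix/qmgr[2703]: 1A2B3C4D5E6F: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
"""

# Constructed sample in the shape of the audit.log line in post #7.
AUDIT_LOG = """\
2009-06-29 04:48:00,775 INFO [btpool0-125] [name=data@newcon.co.jp;ip=127.0.0.1;] security - cmd=Auth; account=data@newcon.co.jp; protocol=soap;
2009-06-29 04:48:01,100 INFO [btpool0-126] [name=data@newcon.co.jp;ip=127.0.0.1;] security - cmd=Auth; account=data@newcon.co.jp; protocol=soap;
2009-06-29 04:49:10,001 INFO [btpool0-130] [name=data@newcon.co.jp;ip=198.51.100.7;] security - cmd=Auth; account=data@newcon.co.jp; protocol=soap;
2009-06-29 08:00:00,000 INFO [btpool0-140] [name=alice@example.com;ip=192.168.1.42;] security - cmd=Auth; account=alice@example.com; protocol=soap;
"""

# zimbraMtaMyNetworks value as reported in post #4.
MY_NETWORKS = "127.0.0.0/8 172.16.10.0/24 192.168.0.0/16"

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([\d.]+)\]")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
AUTH_RE = re.compile(r"\[name=[^;]*;ip=([\d.]+);\] security - cmd=Auth; account=([^;]+); protocol=(\w+);")


def trusted_networks(value):
    """Parse the space-separated zimbraMtaMyNetworks value into networks."""
    return [ipaddress.ip_network(n) for n in value.split()]


def is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def relay_report(zimbra_log, nets):
    """Per client IP that injected mail: message count, recipient total,
    envelope senders seen, and whether the IP is inside the trusted networks."""
    client_of = {}  # queue id -> (hostname, ip) from the smtpd "client=" line
    report = {}
    for line in zimbra_log.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid, host, ip = m.groups()
            client_of[qid] = (host, ip)
            continue
        m = QMGR_RE.search(line)
        if m:
            qid, sender, nrcpt = m.groups()
            if qid not in client_of:
                continue  # no smtpd line for this queue id in the window
            host, ip = client_of[qid]
            entry = report.setdefault(ip, {"host": host, "messages": 0, "recipients": 0,
                                           "senders": set(), "trusted": is_trusted(ip, nets)})
            entry["messages"] += 1
            entry["recipients"] += int(nrcpt)
            entry["senders"].add(sender)
    return report


def suspicious_relays(report):
    """Clients outside the trusted networks that got mail accepted: a remote host
    relaying through the MTA, whether by open relay or with stolen credentials."""
    return {ip: e for ip, e in report.items() if not e["trusted"]}


def auth_report(audit_log, nets):
    """Count Auth events per (account, ip, protocol) and list the (account, ip)
    pairs whose source lies outside the trusted networks."""
    counts = Counter()
    for line in audit_log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ip, account, proto = m.groups()
            counts[(account, ip, proto)] += 1
    external = sorted({(acct, ip) for (acct, ip, _p) in counts if not is_trusted(ip, nets)})
    return counts, external


if __name__ == "__main__":
    nets = trusted_networks(MY_NETWORKS)
    for ip, e in suspicious_relays(relay_report(ZIMBRA_LOG, nets)).items():
        print(f"untrusted client {ip} ({e['host']}): {e['messages']} msgs, "
              f"{e['recipients']} rcpts, senders={sorted(e['senders'])}")
    counts, external = auth_report(AUDIT_LOG, nets)
    for key, n in counts.most_common():
        print(f"auth {key}: {n}")
    print("auth from outside trusted networks:", external)
```

On the poster's question about `ip=127.0.0.1`: the address in the audit line is the peer that made the SOAP call to the mailbox server, so a loopback address typically means a process on the same host (the web client or a proxy forwarding the login) rather than the end user, and the originating client address has to be recovered from that front-end's own access log. A high count of `Auth` events for one account, a mix of source addresses for it, or any address outside the trusted ranges is what to look at when deciding whether `data@newcon.co.jp` was compromised.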

  8. #8
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

Do you have SSH or Telnet to your server open to the Internet? I would recommend that you also check your server for rootkits etc. to ensure it has not been hacked.

  9. #9
    higeon is offline Intermediate Member
    Join Date
    Jun 2009
    Posts
    21
    Rep Power
    6

Yes, I can SSH to the server.
    How do I check it?

  10. #10
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

chkrootkit locally checks for signs of a rootkit; also check /var/log/secure for any successful connections from IP addresses you do not know.
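The /var/log/secure review suggested above can be scripted so that every accepted SSH login is compared with the addresses the administrators actually use, with the failed attempts that preceded it counted as a brute-force indicator. This is an added example, not from the thread or any tool it mentions; the log lines are constructed in the sshd format of a RHEL/CentOS 5 host, and the admin address list, user names and IPs are invented.

```python
import re
from collections import Counter

# Constructed sample in the format sshd writes to /var/log/secure on CentOS 5.
SECURE_LOG = """\
Jun 29 03:40:01 mail sshd[3990]: Failed password for invalid user admin from 198.51.100.7 port 51200 ssh2
Jun 29 03:40:03 mail sshd[3992]: Failed password for invalid user oracle from 198.51.100.7 port 51201 ssh2
Jun 29 03:40:05 mail sshd[3994]: Failed password for root from 198.51.100.7 port 51202 ssh2
Jun 29 03:55:12 mail sshd[4021]: Accepted password for root from 198.51.100.7 port 51234 ssh2
Jun 29 09:12:40 mail sshd[5102]: Accepted publickey for zimbra from 172.16.10.5 port 40022 ssh2
Jun 29 09:30:00 mail sshd[5120]: Accepted password for zimbra from 203.0.113.9 port 40100 ssh2
"""

# Assumed set of addresses the administrators log in from (invented).
KNOWN_ADMIN_IPS = {"172.16.10.5"}

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from ([\d.]+) port \d+")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from ([\d.]+) port \d+")


def ssh_review(secure_log, known_admin_ips, fail_threshold=3):
    """Return (accepted logins, failed attempts per source IP, findings).

    A finding is an accepted login with at least one reason to look closer:
    a source IP outside the admin list, a password login as root, or a burst
    of failed attempts from the same address before the success."""
    failed = Counter()
    accepted = []
    for line in secure_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"method": method, "user": user, "ip": ip})

    findings = []
    for a in accepted:
        reasons = []
        if a["ip"] not in known_admin_ips:
            reasons.append("source IP not in admin list")
        if a["user"] == "root" and a["method"] == "password":
            reasons.append("root password login")
        if failed[a["ip"]] >= fail_threshold:
            reasons.append(f"{failed[a['ip']]} failed attempts from this IP")
        if reasons:
            findings.append((a["user"], a["ip"], reasons))
    return accepted, failed, findings


if __name__ == "__main__":
    accepted, failed, findings = ssh_review(SECURE_LOG, KNOWN_ADMIN_IPS)
    print(f"{len(accepted)} accepted logins, failures per IP: {dict(failed)}")
    for user, ip, reasons in findings:
        print(f"REVIEW {user}@{ip}: " + "; ".join(reasons))
```

A root password login from an address that had just failed several times is the pattern a brute-force success leaves behind; a login from an unlisted address with no prior failures can still be a stolen key or password and is worth confirming with whoever owns the address. None of this replaces the rootkit check, since a compromised host may have had its logs edited; it only orders the evidence that is still there.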
