#1
08-25-2009, 08:27 AM
Elite Member
Posts: 440
need help regarding spam protection and authentication

Hi,

I found a strange thing in my zimbra.log and mailboxd.log.

One of our users is abc@example.com.

For this user I got the authentication logs below:

###########################################

2009-08-19 12:08:47,589 INFO [Pop3Server-6533] [name=abc@example.com;ip=177.17.218.29;] pop - user abc@example.com authenticated, mechanism=login
2009-08-19 12:08:48,057 INFO [Pop3Server-6533] [name=abc@example.com;ip=177.17.218.29;] pop - quit from client
2009-08-19 13:28:29,847 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - user abc@example.com authenticated, mechanism=login
2009-08-19 13:28:29,948 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - quit from client

##############################################


Here it's showing two IP addresses, 177.17.218.29 and 122.132.111.218, and it keeps toggling between these IPs. In these logs it's showing "pop - quit from client". What does it mean? Why is it continuously changing the IP address?

################################################


And in zimbra.log I am getting the logs below for the same user, which is trying to send mail to itself and to another user of the same domain. It is SPAM and got discarded... but it's showing a different IP in these logs, which I didn't get in audit.log or mailboxd.log....


Aug 18 14:28:08 mail amavis[26966]: (26966-20) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090818T132825-26966: <abc@example.com> -> <cde@example.com>,<abc@example.com> SIZE=2704 Received: from example.com ([127.0.0.1]) by localhost (example.com[127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Tue, 18 Aug 2009 14:28:08 +0530 (IST)
Aug 18 14:28:08 mail amavis[26966]: (26966-20) Checking: ZNHpduUMTnrn [89.78.49.127] <abc@example.com> -> <cde@example.com>,<abc@example.com>
Aug 18 14:28:13 mail amavis[26966]: (26966-20) SPAM, <abc@example.com> -> <cde@example.com>,<abc@example.com>, Yes, score=23.19 tag=-10 tag2=6.6 kill=13.2 tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_24=1.552, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, ONLINE_PHARMACY=0.001, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, SUBJECT_NEEDS_ENCODING=0.001, SUBJ_ILLEGAL_CHARS=1.586, TVD_VISIT_PHARMA=0.001, URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501, URIBL_OB_SURBL=1.5, URIBL_WS_SURBL=1.5], autolearn=spam
Aug 18 14:28:13 mail amavis[26966]: (26966-20) Blocked SPAM, [89.78.49.127] [98.78.49.111] <abc@example.com> -> <cde@example.com>,<abc@example.com>, Message-ID: <3108XGQ.7401BCC60A.996339454636KATSVFCQQVCAKIQ340 @chello089078049127.chello.pl>, mail_id: ZNHpduUMTnrn, Hits: 23.19, size: 2698, 5487 ms
Aug 18 14:28:13 mail postfix/smtp[18495]: 7BFEBD4048: to=<cde@example.com>, orig_to=<abc@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.4, delays=0.87/0/0/5.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26966-20 - SPAM)


########################################


Here its IP address is 98.78.49.111...!!!! And every day I am getting similar logs with different IP addresses...

Is anyone trying to send spam using this email id WITHOUT AUTHENTICATION?? Is it possible??

We are not using TLS authentication... do we need to switch over to TLS from clear text authentication?

Please help me to understand why this is happening and suggest.


Thanks.

Last edited by chandu; 08-25-2009 at 08:29 AM..
#2
08-25-2009, 09:41 AM
Zimbra Consultant & Moderator
Posts: 20,312

Quote:
Originally Posted by chandu
We are not using TLS authentication... do we need to switch over to TLS from clear text authentication?

I believe I advised you not to use clear text login some while back. Under no circumstances should you be using clear text login for access to your server from outside your LAN (IMO, you shouldn't even use it on your LAN) - it's a big (very big) security hole.
__________________
Regards


Bill
#3
08-25-2009, 10:36 AM
Elite Member
Posts: 440

Thanks for the reply.. yes Bill.. I know you suggested that I set up a TLS connection.. I will plan it ASAP.. clients also need to change their Outlook settings..

I am confused about one thing... can anyone successfully send mail using a similar userid WITHOUT providing authentication? And if yes, then how is it possible?
In my case, those mails got discarded which were being delivered through an IP which was not registered in audit.log....

And another question about POP3... here the pop3 client is quitting and the user is logging in again with a different IP... and it keeps toggling between two IPs... what does it mean??

Maybe I'm asking stupid questions but I really want to understand...

Thanks
#4
08-26-2009, 08:18 AM
Moderator
Posts: 1,432

Possibly the account is compromised, possibly the user has pop clients set up on different machines. You could use nslookup and Whois to investigate.

About the first question, email address spoofing is trivial and no authentication is required to send mail from a given address, although you could conceivably write/customize an MTA that would do that, or conceivably do the checking via SA. I don't know if such solutions are out there currently.

Another approach would be to use SPF.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
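One way to check the spoofing question raised in this thread (this is an added example, not code from the thread or from Zimbra): correlate the client IPs that POP-authenticated as an account in mailboxd.log with the client IPs on amavis "Checking" lines that carry that account as envelope sender. A submission from an IP that never authenticated as the user is a spoofing candidate (or a client the admin does not yet know about). The sample log lines are constructed, modelled on the ones quoted above, and only accounts that appear in the POP log are treated as local.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the mailboxd.log and amavis lines
# quoted in the thread (not copied from a real server).
POP_LOG = """\
2009-08-19 12:08:47,589 INFO [Pop3Server-6533] [name=abc@example.com;ip=177.17.218.29;] pop - user abc@example.com authenticated, mechanism=login
2009-08-19 13:28:29,847 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - user abc@example.com authenticated, mechanism=login
2009-08-19 13:28:29,948 INFO [Pop3Server-8360] [name=abc@example.com;ip=122.132.111.218;] pop - quit from client
"""
AMAVIS_LOG = """\
Aug 18 14:28:08 mail amavis[26966]: (26966-20) Checking: ZNHpduUMTnrn [89.78.49.127] <abc@example.com> -> <cde@example.com>,<abc@example.com>
Aug 19 12:09:02 mail amavis[26966]: (26966-21) Checking: AbCdEfGhIjKl [177.17.218.29] <abc@example.com> -> <cde@example.com>
"""

# Successful POP logins: account name and client IP.
POP_AUTH_RE = re.compile(r"\[name=([^;]+);ip=([\d.]+);\] pop - user \S+ authenticated")
# amavis "Checking" lines: mail_id, connecting client IP, envelope sender.
AMAVIS_CHECK_RE = re.compile(r"Checking: (\S+) \[([\d.]+)\] <([^>]+)> ->")

def pop_auth_ips(log_text):
    """Map each account to the set of client IPs that POP-authenticated as it."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = POP_AUTH_RE.search(line)
        if m:
            ips[m.group(1).lower()].add(m.group(2))
    return ips

def amavis_submissions(log_text):
    """Yield (mail_id, client_ip, envelope_sender) for each amavis 'Checking' line."""
    for line in log_text.splitlines():
        m = AMAVIS_CHECK_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def unauthenticated_senders(pop_text, amavis_text):
    """Return submissions whose envelope sender is a known local account but whose
    client IP never authenticated as that account: spoofing candidates."""
    known = pop_auth_ips(pop_text)
    flagged = []
    for mail_id, ip, sender in amavis_submissions(amavis_text):
        if sender in known and ip not in known[sender]:
            flagged.append((mail_id, ip, sender))
    return flagged

if __name__ == "__main__":
    for mail_id, ip, sender in unauthenticated_senders(POP_LOG, AMAVIS_LOG):
        print(f"{mail_id}: <{sender}> submitted from {ip}, which never authenticated as that user")
```

On a real server, feed it the relevant day's mailboxd.log and zimbra.log; a flagged IP that also matches an RBL hit in the SPAM line (as in the thread) is almost certainly forged sender mail rather than a compromised client.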