Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#11
10-02-2009, 12:39 PM
Senior Member
Posts: 67

Quote:
Originally Posted by maumar
There are 2 hypotheses:
1. one of the PCs on your LAN was infected and it is spreading out, spamming
2. someone has guessed a weak password and, using SASL authenticated access, is abusing your Zimbra
This is very easy to discover:
here is a Zimbra where they have abused the *abuse* account:
Code:
grep sasl /var/log/maillog|grep abuse |wc -l
1107

Code:
[root@mail backup]# grep sasl /var/log/maillog|grep abuse |wc -l
0
#12
10-02-2009, 01:02 PM
Elite Member
Posts: 296

Code:
grep sasl /var/log/maillog* |less
and, using less, examine what's going on

or
Code:
grep sasl /var/log/maillog*|head -n50 > report.txt
and paste here report.txt
or paste onto pastebin.ca
#13
10-02-2009, 02:09 PM
Senior Member
Posts: 67

Here is the pasted report.txt:

/var/log/maillog:Sep 27 04:03:34 mail postfix/smtpd[31749]: CBD562078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
/var/log/maillog:Sep 27 22:49:56 mail postfix/smtpd[5476]: A96F32088001: client=pc-79-70-161-190.cm.vtr.net[190.161.70.79], sasl_method=PLAIN, sasl_username=cmperez@sitac.cl
/var/log/maillog:Sep 28 02:26:30 mail postfix/smtpd[12966]: B61DC2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=zimbra@mail.sitac.cl
/var/log/maillog:Sep 28 04:02:28 mail postfix/smtpd[4940]: 680BF2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
/var/log/maillog:Sep 28 04:04:16 mail postfix/smtpd[8326]: 32CDE2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
/var/log/maillog:Sep 28 08:53:20 mail postfix/smtpd[7088]: D04002078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 10:09:22 mail postfix/smtpd[21596]: 1A1D02088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 10:32:09 mail postfix/smtpd[9901]: A6A382088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 10:49:39 mail postfix/smtpd[19582]: 7D1112088001: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
/var/log/maillog:Sep 28 11:04:32 mail postfix/smtpd[23275]: B5EBF2088001: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
/var/log/maillog:Sep 28 11:08:12 mail postfix/smtpd[28413]: BD05B2088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 11:23:09 mail postfix/smtpd[15400]: D98992088001: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
/var/log/maillog:Sep 28 11:46:13 mail postfix/smtpd[25365]: 2AC1B2088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 12:17:25 mail postfix/smtpd[20254]: 766502088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 12:31:58 mail postfix/smtpd[26455]: 51A5E20A8003: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 13:15:06 mail postfix/smtpd[24813]: 9D2832088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 14:23:08 mail postfix/smtpd[4084]: 62E7C2088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 14:51:22 mail postfix/smtpd[16977]: 863212078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 15:27:32 mail postfix/smtpd[14360]: EA5E92088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 15:46:33 mail postfix/smtpd[23335]: D79012078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 16:34:39 mail postfix/smtpd[24477]: B1DE62078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 16:37:12 mail postfix/smtpd[24477]: EF6CE2078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 17:11:52 mail postfix/smtpd[22027]: 9AA9F2078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 17:11:52 mail postfix/smtpd[22027]: 972BC2078002: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 17:15:01 mail postfix/smtpd[22490]: 532282078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 17:15:01 mail postfix/smtpd[22490]: 604632078002: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 17:17:46 mail postfix/smtpd[22489]: E04A52078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 17:57:27 mail postfix/smtpd[10540]: 131362078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 28 19:07:52 mail postfix/smtpd[22534]: 5723A2078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 19:23:01 mail postfix/smtpd[7933]: 4F0142078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 28 20:35:52 mail postfix/smtpd[22495]: B2D662078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 01:10:13 mail postfix/smtpd[3166]: 9EBC52088003: client=localhost.localdomain[127.0.0.1], sasl_sender=zimbra@mail.sitac.cl
/var/log/maillog:Sep 29 04:02:39 mail postfix/smtpd[19845]: 665E02078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
/var/log/maillog:Sep 29 04:03:40 mail postfix/smtpd[19845]: DFAAB2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
/var/log/maillog:Sep 29 08:15:49 mail postfix/smtpd[2303]: 0870C2078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 08:27:16 mail postfix/smtpd[6608]: EA1F52078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 08:28:15 mail postfix/smtpd[6608]: C879F2078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 12:30:13 mail postfix/smtpd[5036]: D41DC1D38646: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 29 12:30:14 mail postfix/smtpd[5036]: 870451D3865D: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 29 12:33:43 mail postfix/smtpd[6949]: 708431D38646: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 12:39:05 mail postfix/smtpd[9748]: 2164F1D38495: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 12:51:07 mail postfix/smtpd[9748]: 23A7D1D386D7: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 15:08:52 mail postfix/smtpd[5136]: 7A8061D3958D: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 15:37:48 mail postfix/smtpd[30218]: 2EBEC1D3958D: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 15:51:57 mail postfix/smtpd[4607]: 6519F1D39669: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
/var/log/maillog:Sep 29 16:02:28 mail postfix/smtpd[9615]: CBA7D1D39411: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 16:03:12 mail postfix/smtpd[9615]: 01E9F1D39411: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 16:20:37 mail postfix/smtpd[30466]: F08D11D38E04: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
/var/log/maillog:Sep 29 16:54:28 mail postfix/smtpd[13145]: B28701D3996F: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
/var/log/maillog:Sep 29 17:00:25 mail postfix/smtpd[13526]: 87E151D39523: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl


Thanks maumar

#14
10-02-2009, 02:18 PM
Moderator
Posts: 1,209

Hmmmm...

If the Zimbra server is in the DMZ, then clients shouldn't be able to connect with private IP addresses.

The (NAT policies on the) firewall should force the LAN users to access the Zimbra server on its Public IP. The logs would then show the firewall WAN IP as the connecting IP for those mailboxes in the log snippets posted here.

In any event, I would ask the users listed in the logs to review their Sent Items folder to see if the emails being sent are truly theirs.

Hope that helps,
Mark
__________________
L. Mark Stone, CIO
"Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting

#15
10-02-2009, 02:40 PM
Moderator
Posts: 1,147

Quote:
Originally Posted by ArcaneMagus
If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email, and since they come from the same IP as your server those blacklists will think your email server is sending out these messages.
In case you didn't see: it doesn't matter if your Zimbra server is on a DMZ or not; if one of your workstations is infected, the spam it is sending out will still appear to come from the same public IP address as your Zimbra server. This will cause it to be put on the blacklists you are on.
Do you have a firewall in place that is blocking all outbound SMTP traffic from all computers besides your mail server?
#16
10-02-2009, 02:56 PM
Elite Member
Posts: 296

Code:
grep sasl /var/log/maillog*|grep -v 192.168 > report.txt
use pastebin.com to paste report.txt

anyway, from Sep 27 04:03:34 until Sep 29 17:00:25 it seems there was no abuse of SMTP auth, so the source of the spamming
should be coming from inside, an infected workstation

as ArcaneMagus and the others have pointed out, only your Zimbra in the DMZ should be allowed to use port 25 towards the RED interface;
block any connection coming from the LAN toward RED port 25

Last edited by maumar; 10-02-2009 at 03:05 PM..
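The two grep pipelines in posts #12 and #16 (list the sasl lines, then drop the ones from 192.168.x.x) are the whole detection method in this thread. As an added example that is not code from the thread or from Zimbra, the Python script below does the same job in a form that can be run over a real maillog and generalises the filter: it pulls the client address, sasl_method and sasl_username out of each smtpd line, counts authenticated submissions per account and per (account, client IP), and lists accounts that authenticated from outside all three RFC 1918 blocks rather than only the 192.168/16 one that `grep -v 192.168` excludes. The sample log lines are constructed (example.test accounts, documentation-range addresses) and mimic the shape of the paste in post #13; the LAN_RANGES list and the function names are this example's own assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the thread's `grep sasl /var/log/maillog*` output.
# Hosts, addresses and accounts are made up; the first line keeps the filename
# prefix that grep adds when it searches several rotated files.
SAMPLE_MAILLOG = """\
/var/log/maillog:Sep 28 08:53:20 mail postfix/smtpd[7088]: D04002078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=alice@example.test
Sep 28 10:09:22 mail postfix/smtpd[21596]: 1A1D02088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=alice@example.test
Sep 28 10:32:09 mail postfix/smtpd[9901]: A6A382088001: client=unknown[10.0.5.4], sasl_method=PLAIN, sasl_username=bob@example.test
Sep 28 22:49:56 mail postfix/smtpd[5476]: A96F32088001: client=host.example.test[203.0.113.45], sasl_method=PLAIN, sasl_username=carol@example.test
Sep 28 23:01:02 mail postfix/smtpd[5480]: B96F32088002: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=abuse@example.test
Sep 28 23:01:05 mail postfix/smtpd[5480]: C96F32088003: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=abuse@example.test
Sep 28 23:01:09 mail postfix/smtpd[5481]: D96F32088004: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=abuse@example.test
Sep 29 01:10:13 mail postfix/smtpd[3166]: 9EBC52088003: client=localhost.localdomain[127.0.0.1], sasl_sender=zimbra@mail.example.test
Sep 29 01:10:14 mail postfix/smtpd[3166]: disconnect from localhost.localdomain[127.0.0.1]
"""

# One smtpd "client=" line; the optional leading "<file>:" is grep's multi-file prefix.
LINE_RE = re.compile(
    r"^(?:\S+:)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\w+))?"
    r"(?:, sasl_username=(?P<user>\S+))?"
    r"(?:, sasl_sender=(?P<sender>\S+))?"
)

# Assumed LAN ranges: all three RFC 1918 blocks plus loopback. The thread's
# `grep -v 192.168` only excludes the last of the three.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_lan_address(ip):
    """True if ip lies in one of LAN_RANGES; unparsable strings count as not LAN."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def parse_sasl_events(text):
    """Return one dict per smtpd line that carries SASL information.

    Lines with sasl_method/sasl_username are real logins. Lines with only
    sasl_sender record the AUTH= parameter of MAIL FROM (the localhost lines in
    the thread's paste are of this kind); they are kept with method=None so the
    counting functions below ignore them.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None or (m.group("user") is None and m.group("sender") is None):
            continue  # not a client= line, or no SASL fields on it
        events.append({
            "ts": m.group("ts"),
            "queue_id": m.group("qid"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "user": m.group("user") or m.group("sender"),
        })
    return events


def summarize(events):
    """Authenticated submissions per account and per (account, client IP)."""
    logins = [e for e in events if e["method"]]
    per_user = Counter(e["user"] for e in logins)
    per_user_ip = Counter((e["user"], e["ip"]) for e in logins)
    return per_user, per_user_ip


def external_auth_users(events):
    """Accounts that authenticated from outside LAN_RANGES, with their client IPs."""
    seen = defaultdict(set)
    for e in events:
        if e["method"] and not is_lan_address(e["ip"]):
            seen[e["user"]].add(e["ip"])
    return {user: sorted(ips, key=ipaddress.ip_address) for user, ips in seen.items()}


def report(text=SAMPLE_MAILLOG):
    """Print the two views an admin wants first and return them for further checks."""
    events = parse_sasl_events(text)
    per_user, per_user_ip = summarize(events)
    external = external_auth_users(events)
    print("authenticated submissions per account:")
    for user, n in per_user.most_common():
        print(f"  {n:6d}  {user}")
    print("accounts authenticating from outside the LAN ranges:")
    for user, ips in sorted(external.items()):
        print(f"  {user}: {', '.join(ips)}")
    return per_user, per_user_ip, external


if __name__ == "__main__":
    report()
```

Run it as `python3 sasl_report.py` after replacing SAMPLE_MAILLOG with the text of a real `grep sasl /var/log/maillog*` capture. The two views map onto maumar's two hypotheses: one account with a count far above its peers, or one account authenticating from several unrelated external addresses, is the guessed-password case, while a log where every login comes from the LAN ranges points back at an infected workstation that is sending outside Zimbra altogether.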
#17
10-02-2009, 03:02 PM
Trained Alumni
Posts: 74

If your email server NATs to the same thing the rest of your network does, it is probably a machine on your network somewhere. I had the same exact problem; I emailed the RBL that blacklisted us and they gave me some info to track the machine down, and I replaced it with a new one and haven't been blacklisted in about 2 years now *knock on wood*. As everyone else is saying, you should block all outbound email traffic except for Zimbra; that way, if any of your machines do become spambots, you won't get blacklisted. I also have a sniffer (Snort) running that will alert me if any computer on my network other than Zimbra is trying to send emails.
#18
10-05-2009, 01:23 PM
Senior Member
Posts: 67

Quote:
Originally Posted by maumar
Code:
grep sasl /var/log/maillog*|grep -v 192.168 > report.txt
use pastebin.com to paste report.txt

anyway, from Sep 27 04:03:34 until Sep 29 17:00:25 it seems there was no abuse of SMTP auth, so the source of the spamming
should be coming from inside, an infected workstation

as ArcaneMagus and the others have pointed out, only your Zimbra in the DMZ should be allowed to use port 25 towards the RED interface;
block any connection coming from the LAN toward RED port 25

And then what do I do with the workstations that use a client such as Outlook or Thunderbird?
#19
10-05-2009, 02:57 PM
Moderator
Posts: 1,147

If you are worried about them not being able to connect to the Zimbra server: they should be able to talk to the server on its DMZ but not to the Internet on port 25. However, if you need them to be able to send email using external mail accounts via port 25, then there isn't much you can do without an advanced firewall that can do things like limit the number of connections to a certain port per minute.

Here we simply don't allow external mail accounts so blocking port 25 for all but the email server is not an issue.