
Thread: Mail server zimbra in blacklist

  1. #11 mvalenzuela.cl (Senior Member)

    Quote Originally Posted by maumar View Post
    there are 2 hypotheses:
    1. one of the PCs on your LAN was infected and it is spreading out spamming
    2. someone has guessed a weak password and, using SASL authenticated access, is abusing your zimbra
    This is very easy to discover:
    here is a zimbra where they have abused the *abuse* account:
    Code:
    grep sasl /var/log/maillog|grep abuse |wc -l
    1107

    Code:
    [root@mail backup]# grep sasl /var/log/maillog|grep abuse |wc -l
    0

  2. #12 maumar (Elite Member)

    Code:
    grep sasl /var/log/maillog* | less
    and, using less, examine what's goin' on

    or
    Code:
    grep sasl /var/log/maillog* | head -n50 > report.txt
    and paste here report.txt
    or paste onto pastebin.ca

  3. #13 mvalenzuela.cl (Senior Member)

    Here is the pasted report.txt:

    Code:
    /var/log/maillog:Sep 27 04:03:34 mail postfix/smtpd[31749]: CBD562078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
    /var/log/maillog:Sep 27 22:49:56 mail postfix/smtpd[5476]: A96F32088001: client=pc-79-70-161-190.cm.vtr.net[190.161.70.79], sasl_method=PLAIN, sasl_username=cmperez@sitac.cl
    /var/log/maillog:Sep 28 02:26:30 mail postfix/smtpd[12966]: B61DC2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=zimbra@mail.sitac.cl
    /var/log/maillog:Sep 28 04:02:28 mail postfix/smtpd[4940]: 680BF2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
    /var/log/maillog:Sep 28 04:04:16 mail postfix/smtpd[8326]: 32CDE2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
    /var/log/maillog:Sep 28 08:53:20 mail postfix/smtpd[7088]: D04002078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 10:09:22 mail postfix/smtpd[21596]: 1A1D02088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 10:32:09 mail postfix/smtpd[9901]: A6A382088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 10:49:39 mail postfix/smtpd[19582]: 7D1112088001: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
    /var/log/maillog:Sep 28 11:04:32 mail postfix/smtpd[23275]: B5EBF2088001: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
    /var/log/maillog:Sep 28 11:08:12 mail postfix/smtpd[28413]: BD05B2088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 11:23:09 mail postfix/smtpd[15400]: D98992088001: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
    /var/log/maillog:Sep 28 11:46:13 mail postfix/smtpd[25365]: 2AC1B2088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 12:17:25 mail postfix/smtpd[20254]: 766502088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 12:31:58 mail postfix/smtpd[26455]: 51A5E20A8003: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 13:15:06 mail postfix/smtpd[24813]: 9D2832088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 14:23:08 mail postfix/smtpd[4084]: 62E7C2088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 14:51:22 mail postfix/smtpd[16977]: 863212078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 15:27:32 mail postfix/smtpd[14360]: EA5E92088001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 15:46:33 mail postfix/smtpd[23335]: D79012078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 16:34:39 mail postfix/smtpd[24477]: B1DE62078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 16:37:12 mail postfix/smtpd[24477]: EF6CE2078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 17:11:52 mail postfix/smtpd[22027]: 9AA9F2078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 17:11:52 mail postfix/smtpd[22027]: 972BC2078002: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 17:15:01 mail postfix/smtpd[22490]: 532282078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 17:15:01 mail postfix/smtpd[22490]: 604632078002: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 17:17:46 mail postfix/smtpd[22489]: E04A52078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 17:57:27 mail postfix/smtpd[10540]: 131362078001: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 28 19:07:52 mail postfix/smtpd[22534]: 5723A2078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 19:23:01 mail postfix/smtpd[7933]: 4F0142078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 28 20:35:52 mail postfix/smtpd[22495]: B2D662078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 01:10:13 mail postfix/smtpd[3166]: 9EBC52088003: client=localhost.localdomain[127.0.0.1], sasl_sender=zimbra@mail.sitac.cl
    /var/log/maillog:Sep 29 04:02:39 mail postfix/smtpd[19845]: 665E02078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
    /var/log/maillog:Sep 29 04:03:40 mail postfix/smtpd[19845]: DFAAB2078001: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.sitac.cl
    /var/log/maillog:Sep 29 08:15:49 mail postfix/smtpd[2303]: 0870C2078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 08:27:16 mail postfix/smtpd[6608]: EA1F52078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 08:28:15 mail postfix/smtpd[6608]: C879F2078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 12:30:13 mail postfix/smtpd[5036]: D41DC1D38646: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 29 12:30:14 mail postfix/smtpd[5036]: 870451D3865D: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 29 12:33:43 mail postfix/smtpd[6949]: 708431D38646: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 12:39:05 mail postfix/smtpd[9748]: 2164F1D38495: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 12:51:07 mail postfix/smtpd[9748]: 23A7D1D386D7: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 15:08:52 mail postfix/smtpd[5136]: 7A8061D3958D: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 15:37:48 mail postfix/smtpd[30218]: 2EBEC1D3958D: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 15:51:57 mail postfix/smtpd[4607]: 6519F1D39669: client=unknown[192.168.10.6], sasl_method=LOGIN, sasl_username=slarrondo@sitac.cl
    /var/log/maillog:Sep 29 16:02:28 mail postfix/smtpd[9615]: CBA7D1D39411: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 16:03:12 mail postfix/smtpd[9615]: 01E9F1D39411: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 16:20:37 mail postfix/smtpd[30466]: F08D11D38E04: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl
    /var/log/maillog:Sep 29 16:54:28 mail postfix/smtpd[13145]: B28701D3996F: client=unknown[192.168.10.7], sasl_method=PLAIN, sasl_username=hperez@sitac.cl
    /var/log/maillog:Sep 29 17:00:25 mail postfix/smtpd[13526]: 87E151D39523: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=lperez@sitac.cl

    Thanks maumar

  4. #14 LMStone (Moderator)

    Hmmmm...

    If the Zimbra server is in the DMZ, then clients shouldn't be able to connect with private IP addresses.

    The (NAT policies on the) firewall should force the LAN users to access the Zimbra server on its Public IP. The logs would then show the firewall WAN IP as the connecting IP for those mailboxes in the log snippets posted here.

    In any event, I would ask the users listed in the logs to review their Sent Items folder to see if the emails being sent are truly theirs.

    Hope that helps,
    Mark

  5. #15 ArcaneMagus (Moderator)

    Quote Originally Posted by ArcaneMagus View Post
    If your mail server is on the same network as workstation computers, or if its traffic comes from the same public IP address, then one of your workstation machines may be infected with a trojan/virus that is sending out spam email, and since they come from the same IP as your server those blacklists will think your email server is sending out these messages.
    In case you didn't see: it doesn't matter whether your Zimbra server is on a DMZ or not; if one of your workstations is infected, the spam it is sending out will still appear to come from the same public IP address as your Zimbra server. This will cause it to be put on the blacklists you are on.
    Do you have a firewall in place that is blocking all outbound SMTP traffic from all computers besides your mail server?

  6. #16 maumar (Elite Member)

    Code:
    grep sasl /var/log/maillog* | grep -v 192.168 > report.txt
    use pastebin.com to paste report.txt

    anyway, from Sep 27 04:03:34 until Sep 29 17:00:25 it seems there is no abuse of SMTP auth, so the source of spamming
    should be coming from inside, an infected workstation

    as ArcaneMagus and the others have pointed out, only your zimbra in the DMZ should be allowed to use port 25 towards the RED interface
    block any connection coming from the LAN toward RED port 25
    Last edited by maumar; 10-02-2009 at 03:05 PM.
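An added example, not from the thread, that automates the check maumar describes: it parses postfix/smtpd sasl log lines (with or without the grep file prefix), summarises authentications per account and client IP, and flags accounts seen from more external addresses than expected or at abnormal volume. The LAN ranges, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the postfix/smtpd "sasl" line format seen in the thread
# (accounts, hostnames and addresses are made up; the "/var/log/maillog:" prefix
# is what grep prepends when run over several files).
SAMPLE_LOG = """\
Sep 28 08:53:20 mail postfix/smtpd[7088]: D04002078001: client=unknown[192.168.10.21], sasl_method=LOGIN, sasl_username=alice@example.test
/var/log/maillog:Sep 28 09:10:01 mail postfix/smtpd[7090]: D04002078002: client=localhost.localdomain[127.0.0.1], sasl_sender=root@mail.example.test
Sep 28 22:49:56 mail postfix/smtpd[5476]: A96F32088001: client=host.isp.test[203.0.113.45], sasl_method=PLAIN, sasl_username=bob@example.test
Sep 28 22:50:03 mail postfix/smtpd[5476]: A96F32088002: client=host.isp.test[203.0.113.45], sasl_method=PLAIN, sasl_username=bob@example.test
Sep 28 22:50:09 mail postfix/smtpd[5477]: A96F32088003: client=other.isp.test[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.test
"""

# Assumed internal ranges: the thread's "grep -v 192.168" plus loopback (local submissions).
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?:/\S+?:)?(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\spostfix/smtpd\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\sclient=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\],\s"
    r"(?:sasl_method=(?P<method>[^,]+),\s)?sasl_(?:username|sender)=(?P<user>\S+)$"
)


def parse_sasl_lines(text):
    """One dict per parsable smtpd line: timestamp, queue id, client host/IP, account."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_internal(ip):
    return any(ip_address(ip) in net for net in LAN_NETS)


def sasl_report(text):
    """Per-account summary: number of authentications and the client IPs seen."""
    report = defaultdict(lambda: {"count": 0, "ips": set(), "external_ips": set()})
    for ev in parse_sasl_lines(text):
        rec = report[ev["user"]]
        rec["count"] += 1
        rec["ips"].add(ev["ip"])
        if not is_internal(ev["ip"]):
            rec["external_ips"].add(ev["ip"])
    return dict(report)


def suspicious_accounts(report, max_external_ips=1, max_auths=500):
    """Accounts seen from more external IPs than allowed, or with abnormal volume
    (the abused account in the thread produced 1107 sasl lines). Thresholds are assumptions."""
    return sorted(user for user, rec in report.items()
                  if len(rec["external_ips"]) > max_external_ips or rec["count"] > max_auths)


if __name__ == "__main__":
    rep = sasl_report(SAMPLE_LOG)
    for user, rec in sorted(rep.items()):
        print(f"{user}: {rec['count']} auths from {sorted(rec['ips'])}")
    print("review:", suspicious_accounts(rep))
```

On a real server, feed it the output of `grep sasl /var/log/maillog*` and adjust LAN_NETS to the site's own ranges; an account flagged here is one whose password should be reset and whose Sent Items the user should review, as LMStone suggests.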

  7. #17 mtorres (Trained Alumni)

    If your email server NATs to the same thing the rest of your network does, it is probably a machine on your network somewhere. I had the same exact problem: I emailed the RBL that blacklisted us and they gave me some info to track the machine down, and I replaced it with a new one and haven't been blacklisted in about 2 years now *knock on wood*. As everyone else is saying, you should block all outbound email traffic except for zimbra; that way, if any of your machines do become spambots, you won't get blacklisted. I also have a sniffer (snort) running that will alert me if any computer on my network other than zimbra is trying to send emails.

  8. #18 mvalenzuela.cl (Senior Member)

    Quote Originally Posted by maumar View Post
    Code:
    grep sasl /var/log/maillog* | grep -v 192.168 > report.txt
    use pastebin.com to paste report.txt

    anyway, from Sep 27 04:03:34 until Sep 29 17:00:25 it seems there is no abuse of SMTP auth, so the source of spamming
    should be coming from inside, an infected workstation

    as ArcaneMagus and the others have pointed out, only your zimbra in the DMZ should be allowed to use port 25 towards the RED interface
    block any connection coming from the LAN toward RED port 25

    And then what do I do with the workstations that use a client such as Outlook or Thunderbird?

  9. #19 ArcaneMagus (Moderator)

    If you are worried about them not being able to connect to the Zimbra server, they should be able to talk to the server on its DMZ but not to the Internet on port 25... however, if you need them to be able to send email using external mail accounts via port 25, then there isn't much you can do without an advanced firewall that can do things like limit the number of connections to a certain port per minute.

    Here we simply don't allow external mail accounts so blocking port 25 for all but the email server is not an issue.
