Thread: webmail spoofed

  1. #1
    christopherquigl is offline Junior Member
    Join Date
    Apr 2007
    Posts
    8
    Rep Power
    8

    Default webmail spoofed

    We ran an old Zimbra server for 4 years with no major problems. It was hacked last weekend. We were blacklisted.

    I put a new opensource Zimbra server 6.0.4 GA together with CentOS 5.4.

    We started falling off of blacklists and everything was looking great.

    3 days later I started to see several spoof messages to mainly Yahoo.com and a few to other sites from our server. This Friday we were called by someone who received one of these spoofed messages. We are from Kansas and she was from Florida.

    They are coming from valid user accounts. Changing passwords does not fix the problem. 25, 80, 110, 143, 443, 993, 995 & 7071 are the only ports open to the WAN. When I put the new server together I used a different admin password. The messages are coming from 127.0.0.1. The Zimbra.log shows a warning of a possible open relay but sends the message.

    If I disable the mail feature for the users, the problem goes away. We do not need this feature because almost everybody is using their own mail client and do not use the web client. I am just wondering how this is happening.

  2. #2 uxbod (Moderator, UK)

    Check if indeed you are an open relay. If it says you are, then go into the Admin GUI and see what you have defined as the MTA networks; or from the command line
    Code:
    su - zimbra
    # print the networks Postfix is allowed to relay for on this server
    zmprov gs `zmhostname` zimbraMtaMyNetworks

  3. #3 christopherquigl (Junior Member)

    It is nice to see you suggested the same site I have been using. I checked again and we are not an open relay and on 0 blacklists now.

    The last spoofed message was sent right before I blocked LDAP with our local firewall. I believe that is what stopped the spoofing. Earlier I thought it might have been the webmail but I was wrong.

    I just reentered one of the accounts that was being spoofed and am watching the messages that go through it. So far nothing has happened.

  4. #4 blazeking (Advanced Member, California)

    Quote Originally Posted by christopherquigl:
    We ran an old Zimbra server for 4 years with no major problems. It was hacked last weekend. We were blacklisted.

    3 days later I started to see several spoof messages to mainly Yahoo.com and a few to other sites from our server. This Friday we were called by someone who received one of these spoofed messages. We are from Kansas and she was from Florida.

    They are coming from valid user accounts. Changing passwords does not fix the problem. 25, 80, 110, 143, 443, 993, 995 & 7071 are the only ports open to the WAN. When I put the new server together I used a different admin password. The messages are coming from 127.0.0.1. The Zimbra.log shows a warning of a possible open relay but sends the message.

    If I disable the mail feature for the users, the problem goes away. We do not need this feature because almost everybody is using their own mail client and do not use the web client. I am just wondering how this is happening.
    Curious: did the message you were spamming involve "godoverkim@yahoo.com" and look like this:

    Greetings!!!
    You have a bank draft of $780,000.00 USD , which await the outstanding payment of $475USD.Contact the TNT courier company for claims with your information.> Contact person Mr. West Oduduwa,Email:tntcours27@live.com Tel;+234-813-829-2665


    We were also recently hacked, with Zimbra Support telling us "someone has effectively written a spam client that logs into zimbra via SOAP (sending an agent string of zclient) and sends email. It's likely that your user had a simple password that was cracked, and then they logged in and started spamming from it." I'm wondering if anyone else has had this issue.
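The SOAP spam client described in the post above leaves a trail that the MTA side never shows: Postfix only ever sees the submission arriving from 127.0.0.1, while the mailbox server records the SOAP client's real source address and user-agent string in mailbox.log. The script below is an added example (not code from the thread or from Zimbra) that reads lines in that style and flags accounts whose sends come from outside the trusted networks, from several distinct external addresses, or with the zclient agent string support mentioned. The sample log lines are constructed for the example and only approximate the real mailbox.log layout; TRUSTED_NETS, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these are the networks from which interactive webmail use is expected.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed sample in the style of Zimbra's mailbox.log (field layout is an approximation).
SAMPLE_LOG = """\
2010-01-18 02:14:07,113 INFO  [btpool0-7://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=203.0.113.45;ua=zclient/6.0.4_GA_2038;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2010-01-18 02:14:09,501 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=alice@example.com;mid=12;ip=203.0.113.45;ua=zclient/6.0.4_GA_2038;] smtp - Sending message: Message-ID=<a1@mail.example.com>
2010-01-18 02:14:11,020 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=alice@example.com;mid=12;ip=203.0.113.45;ua=zclient/6.0.4_GA_2038;] smtp - Sending message: Message-ID=<a2@mail.example.com>
2010-01-18 02:14:12,777 INFO  [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=alice@example.com;mid=12;ip=203.0.113.45;ua=zclient/6.0.4_GA_2038;] smtp - Sending message: Message-ID=<a3@mail.example.com>
2010-01-18 03:40:51,006 INFO  [btpool0-3://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=198.51.100.9;ua=zclient/6.0.4_GA_2038;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2010-01-18 03:40:53,214 INFO  [btpool0-3://mail.example.com/service/soap/SendMsgRequest] [name=alice@example.com;mid=12;ip=198.51.100.9;ua=zclient/6.0.4_GA_2038;] smtp - Sending message: Message-ID=<a4@mail.example.com>
2010-01-18 08:02:15,330 INFO  [btpool0-9://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;ip=192.168.1.20;ua=ZimbraWebClient - FF3.0 (Linux)/6.0.4_GA_2038;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2010-01-18 08:05:40,118 INFO  [btpool0-9://mail.example.com/service/soap/SendMsgRequest] [name=bob@example.com;mid=12;ip=192.168.1.20;ua=ZimbraWebClient - FF3.0 (Linux)/6.0.4_GA_2038;] smtp - Sending message: Message-ID=<b1@mail.example.com>
2010-01-18 08:06:02,000 INFO  [ImapServer-4] [name=bob@example.com;ip=192.168.1.20;] imap - authentication successful
"""

# Matches only SOAP requests: timestamp, level, thread name ending in the request type,
# then the "[name=...;ip=...;ua=...;]" context block.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \w+\s+"
    r"\[[^\]]*/service/soap/(?P<req>\w+)\]\s+"
    r"\[(?P<ctx>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a SOAP log line, or None for anything else (IMAP, POP, noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = {}
    for field in m.group("ctx").split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            ctx[key] = value
    return {"ts": m.group("ts"), "req": m.group("req"),
            "name": ctx.get("name"), "ip": ctx.get("ip"), "ua": ctx.get("ua", "")}


def is_trusted(ip, nets):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def analyze(log_text, trusted_nets=TRUSTED_NETS, send_threshold=3, ip_threshold=2):
    """Aggregate SOAP activity per account and return only the accounts worth a look."""
    per_account = defaultdict(lambda: {"auths": 0, "sends": 0, "ips": set(), "agents": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["name"]:
            continue
        acct = per_account[ev["name"]]
        if ev["req"] == "AuthRequest":
            acct["auths"] += 1
        elif ev["req"] == "SendMsgRequest":
            acct["sends"] += 1
        if ev["ip"] and not is_trusted(ev["ip"], trusted_nets):
            acct["ips"].add(ev["ip"])
        if ev["ua"]:
            acct["agents"].add(ev["ua"].split("/")[0])  # drop the version suffix

    findings = {}
    for name, acct in per_account.items():
        reasons = []
        if acct["sends"] >= send_threshold and acct["ips"]:
            reasons.append("%d sends from outside trusted networks" % acct["sends"])
        if len(acct["ips"]) >= ip_threshold:
            reasons.append("%d distinct external source IPs" % len(acct["ips"]))
        if "zclient" in acct["agents"] and acct["ips"]:
            reasons.append("zclient user agent from an external IP")
        if reasons:
            findings[name] = {"sends": acct["sends"], "ips": sorted(acct["ips"]),
                              "agents": sorted(acct["agents"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, info in analyze(SAMPLE_LOG).items():
        print(name, info["ips"], info["agents"])
        for reason in info["reasons"]:
            print("  -", reason)
```

Run it against a real mailbox.log by replacing SAMPLE_LOG with the file contents; the accounts it lists are the ones to lock and re-password first, and the external IPs are what to block at the firewall while you do it.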

  5. #5 uxbod (Moderator, UK)

    Hmmm, this is very interesting from a security perspective. I wonder if SOAP calls can be controlled via ACLs?

  6. #6 christopherquigl (Junior Member)

    Yes that is it. Several of our users do have simple passwords. We have been changing them a few at a time thinking the same thing.
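Since the weak link in the posts above is guessable passwords on valid accounts, here is an added example (mine, not Zimbra's code) of a checker that applies the kind of minimum-complexity rules ZCS exposes as class-of-service attributes (zimbraPasswordMinLength and the zimbraPasswordMin*Chars family) to candidate passwords before they are set, and additionally rejects passwords built from a common word or from the account's own login name, which a numeric suffix does not save. The threshold values, the COMMON_WORDS list, the sample accounts and the function names are assumptions made for the example.

```python
import string

# Minimums named after the ZCS class-of-service attributes they mirror; the values
# are assumptions for this example, not a Zimbra default.
POLICY = {
    "zimbraPasswordMinLength": 12,
    "zimbraPasswordMinUpperCaseChars": 1,
    "zimbraPasswordMinLowerCaseChars": 1,
    "zimbraPasswordMinNumericChars": 1,
    "zimbraPasswordMinPunctuationChars": 1,
}

# Constructed stand-in for the wordlist a password-guessing client would try first.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "zimbra", "summer"}

# Constructed sample of (account, proposed password) pairs.
SAMPLE = [
    ("alice@example.com", "Welcome2010!"),
    ("bob@example.com", "bob1234"),
    ("carol@example.com", "Kansas-to-Florida!2010"),
]


def _base_word(pw):
    """Strip trailing digits and punctuation so 'Welcome2010!' is compared as 'welcome'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def check_password(pw, account="", policy=POLICY, common=COMMON_WORDS):
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < policy["zimbraPasswordMinLength"]:
        problems.append("shorter than %d characters" % policy["zimbraPasswordMinLength"])
    classes = {
        "zimbraPasswordMinUpperCaseChars": sum(c.isupper() for c in pw),
        "zimbraPasswordMinLowerCaseChars": sum(c.islower() for c in pw),
        "zimbraPasswordMinNumericChars": sum(c.isdigit() for c in pw),
        "zimbraPasswordMinPunctuationChars": sum(c in string.punctuation for c in pw),
    }
    for attr, have in classes.items():
        if have < policy[attr]:
            problems.append("needs at least %d for %s" % (policy[attr], attr))
    # Complexity rules alone pass 'Welcome2010!'; a dictionary check is what catches it.
    if pw.lower() in common or _base_word(pw) in common:
        problems.append("based on a common word")
    local_part = account.split("@")[0].lower()
    if local_part and local_part in pw.lower():
        problems.append("contains the account name")
    return problems


def audit(candidates):
    """Map each failing account to its list of problems; passing accounts are omitted."""
    report = {}
    for account, pw in candidates:
        problems = check_password(pw, account)
        if problems:
            report[account] = problems
    return report


if __name__ == "__main__":
    for account, problems in audit(SAMPLE).items():
        print(account)
        for problem in problems:
            print("  -", problem)
```

The same minimums are enforced server-side on the COS (zmprov mc <cos> zimbraPasswordMinLength 12, and so on), and zimbraPasswordLockoutEnabled together with zimbraPasswordLockoutMaxFailures caps how many guesses an account accepts before it locks; the script only lets you audit candidate passwords offline before rolling them out a few accounts at a time.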

  7. #7 blazeking (Advanced Member, California)

    What is both concerning and amazing to me is that these attacks are targeted specifically at Zimbra installations. While the user's password is the weak link, it's the "hackers" that are targeting Zimbra servers through SOAP requests. Our organization went with the "unheard of" Zimbra, rather than the often attacked/exploited Microsoft or IBM. Guess those days are over. Lol!

  8. #8 Dirk (Moderator, England)

    I may also suggest that too many ports are open. We have only port 25 to enable mail reception, and port 443 to enable ssl webmail, open to the World Wild Web.

  9. #9 blazeking (Advanced Member, California)

    Quote Originally Posted by Dirk:
    I may also suggest that too many ports are open. We have only port 25 to enable mail reception, and port 443 to enable ssl webmail, open to the World Wild Web.
    I've got these ports open through the firewall - as recommended here - Firewall Configuration - Zimbra :: Wiki:

    80
    443
    993
    143
    25

    Does that look correct? Can I close 80 while still redirecting http to https?
