Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1
01-16-2010, 05:32 AM
Junior Member
Posts: 8
webmail spoofed

We ran an old Zimbra server for 4 years with no major problems. It was hacked last weekend. We were black listed.

I put a new opensource Zimbra server 6.0.4 GA together with CentOS 5.4.

We started falling off of black lists and everything was looking great.

3 days later I started to see several spoof messages to mainly Yahoo.com and a few to other sites from our server. This Friday we were called by someone who received one of these spoofed messages. We are from Kansas and she was from Florida.

They are coming from valid user accounts. Changing passwords does not fix the problem. 25, 80, 110, 143, 443, 993, 995 & 7071 are the only ports open to the WAN. When I put the new server together I used a different admin password. The messages are coming from 127.0.0.1. The Zimbra.log shows a warning of a possible open relay but sends the message.

If I disable the mail feature for the users, the problem goes away. We do not need this feature because almost everybody is using their own mail client and do not use the web client. I am just wondering how this is happening.
#2
01-16-2010, 11:49 PM
Moderator
Posts: 7,928

Check if indeed you are an Open Relay. If it says you are, then go into the Admin GUI and see what you have defined as the MTA networks; or from the command line
Code:
su - zimbra
zmprov gs `zmhostname` zimbraMtaMyNetworks
#3
01-20-2010, 12:30 PM
Junior Member
Posts: 8

It is nice to see you suggested the same site I have been using. I checked again and we are not an open relay and on 0 black lists now.

The last spoofed message was sent right before I blocked LDAP with our local firewall. I believe that is what stopped the spoofing. Earlier I thought it might have been the webmail but I was wrong.

I just reentered one of the accounts that was being spoofed and am watching the messages that go through it. So far nothing has happened.
#4
01-20-2010, 02:42 PM
Advanced Member
Posts: 204

Quote (originally posted by christopherquigl):
We ran an old Zimbra server for 4 years with no major problems. It was hacked last weekend. We were black listed.

3 days later I started to see several spoof messages to mainly Yahoo.com and a few to other sites from our server. This Friday we were called by someone who received one of these spoofed messages. We are from Kansas and she was from Florida.

They are coming from valid user accounts. Changing passwords does not fix the problem. 25, 80, 110, 143, 443, 993, 995 & 7071 are the only ports open to the WAN. When I put the new server together I used a different admin password. The messages are coming from 127.0.0.1. The Zimbra.log shows a warning of a possible open relay but sends the message.

If I disable the mail feature for the users, the problem goes away. We do not need this feature because almost everybody is using their own mail client and do not use the web client. I am just wondering how this is happening.
Curious - Did the message you were spamming involve "godoverkim@yahoo.com" and look like this:

Greetings!!!
You have a bank draft of $780,000.00 USD , which await the outstanding payment of $475USD.Contact the TNT courier company for claims with your information.> Contact person Mr. West Oduduwa,Email:tntcours27@live.com Tel;+234-813-829-2665


We were also recently hacked, with Zimbra Support telling us "someone has effectively written a spam client that logs into zimbra via SOAP (sending an agent string of zclient) and sends email. It's likely that your user had a simple password that was cracked, and then they logged in and started spamming from it." I'm wondering if anyone else has had this issue.
#5
01-20-2010, 04:28 PM
Moderator
Posts: 7,928
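The pattern Zimbra Support described above (a spam client authenticating over SOAP with a "zclient" user agent and then sending) can be picked out of the mailbox log. The following is an added example, not code from the thread or from Zimbra; the log line layout and the 10.0.0.0/8 "trusted LAN" range are assumptions, and the sample lines are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines loosely modelled on Zimbra's mailbox.log; the exact
# field layout is an assumption, not output captured from the thread's server.
SAMPLE_LOG = """\
2010-01-20 08:01:02,111 INFO [btpool0-3://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=10.0.0.15;ua=ZimbraWebClient - FF3.5 (Win);] security - cmd=Auth; protocol=soap;
2010-01-20 08:05:44,222 INFO [btpool0-7://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;ip=203.0.113.77;ua=zclient/6.0.4_GA_2038;] security - cmd=Auth; protocol=soap;
2010-01-20 08:05:45,333 INFO [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=bob@example.com;ip=203.0.113.77;ua=zclient/6.0.4_GA_2038;] mailop - sending message
2010-01-20 08:05:46,444 INFO [btpool0-7://mail.example.com/service/soap/SendMsgRequest] [name=bob@example.com;ip=203.0.113.77;ua=zclient/6.0.4_GA_2038;] mailop - sending message
2010-01-20 08:07:10,555 INFO [btpool0-2://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;ip=10.0.0.22;ua=zclient/6.0.4_GA_2038;] security - cmd=Auth; protocol=soap;
2010-01-20 08:09:00,666 INFO [btpool0-9://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;ip=198.51.100.9;ua=zclient/6.0.4_GA_2038;] security - cmd=Auth; protocol=soap;
"""

# Timestamp, SOAP operation name, then the name/ip/ua context block.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[[^\]]*/service/soap/(?P<op>\w+)\] "
    r"\[name=(?P<name>[^;]+);ip=(?P<ip>[^;]+);ua=(?P<ua>[^;]*);\]"
)

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted LAN


def parse(log_text):
    """Yield (timestamp, op, account, ip, ua) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts", "op", "name", "ip", "ua")


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def suspicious_accounts(log_text):
    """Accounts seen using a zclient agent over SOAP from outside the LAN,
    with the set of source IPs and the number of SendMsgRequest calls."""
    hits = defaultdict(lambda: {"ips": set(), "sends": 0})
    for ts, op, name, ip, ua in parse(log_text):
        if not ua.lower().startswith("zclient") or is_local(ip):
            continue  # web client logins and on-LAN zclient use are expected
        hits[name]["ips"].add(ip)
        if op == "SendMsgRequest":
            hits[name]["sends"] += 1
    return dict(hits)
```

Run it over the real mailbox.log instead of SAMPLE_LOG; an account that appears here with several external IPs and a burst of sends is the one whose password needs changing first.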

Hmmm, this is very interesting from a security perspective. I wonder if SOAP calls can be controlled via ACLs ?
#6
02-09-2010, 02:56 PM
Junior Member
Posts: 8

Yes that is it. Several of our users do have simple passwords. We have been changing them a few at a time thinking the same thing.
#7
02-09-2010, 03:21 PM
Advanced Member
Posts: 204

What is both concerning and amazing to me is that these attacks are targeted specifically at Zimbra installations. While the user's password is the weak link, it's the "hackers" that are targeting Zimbra servers through SOAP requests. Our organization went with the "unheard of" Zimbra, rather than the often attacked/exploited Microsoft or IBM. Guess those days are over. Lol!
#8
02-10-2010, 04:31 AM
Moderator
Posts: 927

I may also suggest that too many ports are open. We have only port 25 to enable mail reception, and port 443 to enable ssl webmail, open to the World Wild Web.
#9
02-10-2010, 08:09 AM
Advanced Member
Posts: 204

Quote (originally posted by Dirk):
I may also suggest that too many ports are open. We have only port 25 to enable mail reception, and port 443 to enable ssl webmail, open to the World Wild Web.
I've got these ports open through the firewall - as recommended here - Firewall Configuration - Zimbra :: Wiki:

80
443
993
143
25

Does that look correct? Can I close 80 while still redirecting http to https?