Thread: Help... my Zimbra is sending SPAM to the world!!!

  1. #1
    dwidman (New Member, joined Mar 2010, 3 posts)

    Help... my Zimbra is sending SPAM to the world!!!

    Hello friends,

    I have a Zimbra mail server, Release 6.0.3_GA_1915.UBUNTU8 UBUNTU8 FOSS edition.

    A couple of days ago, our server went nuts and started to send SPAM to the world. After looking to the log files, I found that the spammers are using one of our users account. We immediately blocked the account and the SPAM stopped. But I can see in the logs that the spammers are still trying to send SPAM, and I would like to close the door.

    Here is what I found on the /var/log/zimbra.log file:

    Code:
    Mar 12 00:11:49 mail postfix/smtpd[32610]: warning: unknown[201.240.141.141]: SASL LOGIN authentication failed: authentication failure
    Mar 12 00:11:49 mail saslauthd[32511]: zmauth: authenticating against elected url 'https://mail.icla.com.br:7071/service/admin/soap/' ...
    Mar 12 00:11:49 mail saslauthd[32511]: zmpost: url='https://mail.icla.com.br:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for samuel.goncalves@icla.com.br</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>btpool0-0:https://127.0.1.1:7071/service/admin/soap/:1268363509908:102d015cbfeae78d</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    Mar 12 00:11:49 mail saslauthd[32511]: auth_zimbra: samuel.goncalves@icla.com.br auth failed: authentication failed for samuel.goncalves@icla.com.br
    Mar 12 00:11:49 mail saslauthd[32511]: do_auth         : auth failure: [user=samuel.goncalves@icla.com.br] [service=smtp] [realm=icla.com.br] [mech=zimbra] [reason=Unknown]
    Mar 12 00:11:49 mail postfix/smtpd[32588]: warning: unknown[186.81.49.144]: SASL LOGIN authentication failed: authentication failure
    Mar 12 00:11:50 mail postfix/smtpd[32588]: disconnect from unknown[186.81.49.144]
    Mar 12 00:11:50 mail postfix/smtpd[3246]: connect from 14.85-85-248.dynamic.clientes.euskaltel.es[85.85.248.14]
    Mar 12 00:11:50 mail postfix/smtpd[11465]: connect from 201-26-84-32.dsl.telesp.net.br[201.26.84.32]
    Mar 12 00:11:50 mail saslauthd[32516]: zmauth: authenticating against elected url 'https://mail.icla.com.br:7071/service/admin/soap/' ...
    Mar 12 00:11:51 mail saslauthd[32516]: zmpost: url='https://mail.icla.com.br:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for samuel.goncalves@icla.com.br</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>btpool0-0:https://127.0.1.1:7071/service/admin/soap/:1268363511030:102d015cbfeae78d</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    Mar 12 00:11:51 mail saslauthd[32516]: auth_zimbra: samuel.goncalves@icla.com.br auth failed: authentication failed for samuel.goncalves@icla.com.br
    Mar 12 00:11:51 mail saslauthd[32516]: do_auth         : auth failure: [user=samuel.goncalves@icla.com.br] [service=smtp] [realm=icla.com.br] [mech=zimbra] [reason=Unknown]
    Mar 12 00:11:51 mail postfix/smtpd[11465]: warning: 201-26-84-32.dsl.telesp.net.br[201.26.84.32]: SASL LOGIN authentication failed: authentication failure
    Mar 12 00:11:51 mail saslauthd[32511]: zmauth: authenticating against elected url 'https://mail.icla.com.br:7071/service/admin/soap/' ...
    Mar 12 00:11:51 mail saslauthd[32511]: zmpost: url='https://mail.icla.com.br:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for samuel.goncalves@icla.com.br</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>btpool0-3:https://127.0.1.1:7071/service/admin/soap/:1268363511358:102d015cbfeae78d</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    Mar 12 00:11:51 mail saslauthd[32511]: auth_zimbra: samuel.goncalves@icla.com.br auth failed: authentication failed for samuel.goncalves@icla.com.br
    So as I understand, the spammer/hacker is using a SOAP backdoor by the admin pages. By the way, the 7071 port is closed to the outside access on our firewall.

    Now this is what I have on the /opt/zimbra/log/audit.log

    Code:
    2010-03-11 21:52:13,104 WARN  [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:13,315 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:16,009 WARN  [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:16,275 WARN  [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:19,632 WARN  [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:19,954 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:34,233 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:34,398 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:36,806 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:40,781 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:42,816 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    2010-03-11 21:52:43,744 WARN  [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
    This is after I locked the account.

    And this is what I have on the /opt/zimbra/log/mailbox.log

    Code:
    2010-03-12 00:03:43,914 INFO  [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:43,983 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:44,107 INFO  [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:44,163 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:44,371 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:44,421 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:44,627 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:44,710 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:45,124 INFO  [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:45,212 INFO  [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:45,216 WARN  [btpool0-2] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/127.0.1.1:7071 remote=/127.0.1.1:53493]
    2010-03-12 00:03:46,212 INFO  [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:46,253 INFO  [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:48,532 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:48,656 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:49,341 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    2010-03-12 00:03:49,443 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
    2010-03-12 00:03:49,706 INFO  [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
    I renamed the account...

    It looks like the attack is coming from port 127.0.1.1 ???? Is my Linux hacked? Perhaps a rootkit? I ran the rootkit tests and nothing was wrong.

    So this is what I'm trying to do, and I just don't have the knowledge to do it, so that's why I need your help:

    1) The email that is being sent has a sender name from a different domain. So how can I set zimbra/postfix to only send mail with the "FROM:" tag from my own domain and not accept other domains like "hotmail.com", etc., as is happening?

    2) How can I stop these attacks??? I don't want to spend valuable bandwidth and CPU just denying a silly attack from spammers every 1 second.

    3) Any other ideas/suggestions to make my Zimbra safer are welcome.

    Thanks,

    David
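    The two log files above answer the "where is it coming from" question between them: the `ip=127.0.1.1` in audit.log and mailbox.log is saslauthd on the mail host relaying each SMTP AUTH attempt to the local admin SOAP service (the `zmauth: authenticating against elected url ...` lines), so the real client address only appears on the `postfix/smtpd ... SASL LOGIN authentication failed` lines of zimbra.log. The script below is an added example, not code from the thread or from Zimbra, that parses those lines, counts failures per source IP and per targeted account, and lists the addresses past a threshold, which is exactly the data a fail2ban-style jail or a firewall block list needs. The sample log is constructed to mirror the excerpt quoted in the post (same format, same addresses and account); the extra repeated lines for one address are invented so that the threshold has something to trip on.

```python
import re
from collections import Counter

# Constructed sample in /var/log/zimbra.log format, modelled on the thread's
# excerpt. The three repeated failures from 201.240.141.141 are added here to
# exercise the threshold logic; they are not lines from the original post.
SAMPLE_LOG = """\
Mar 12 00:11:49 mail postfix/smtpd[32610]: warning: unknown[201.240.141.141]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:49 mail saslauthd[32511]: do_auth         : auth failure: [user=samuel.goncalves@icla.com.br] [service=smtp] [realm=icla.com.br] [mech=zimbra] [reason=Unknown]
Mar 12 00:11:49 mail postfix/smtpd[32588]: warning: unknown[186.81.49.144]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:50 mail postfix/smtpd[32588]: disconnect from unknown[186.81.49.144]
Mar 12 00:11:51 mail saslauthd[32516]: do_auth         : auth failure: [user=samuel.goncalves@icla.com.br] [service=smtp] [realm=icla.com.br] [mech=zimbra] [reason=Unknown]
Mar 12 00:11:51 mail postfix/smtpd[11465]: warning: 201-26-84-32.dsl.telesp.net.br[201.26.84.32]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:52 mail postfix/smtpd[32610]: warning: unknown[201.240.141.141]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:53 mail postfix/smtpd[32610]: warning: unknown[201.240.141.141]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:54 mail postfix/smtpd[32610]: warning: unknown[201.240.141.141]: SASL LOGIN authentication failed: authentication failure
"""

# Postfix side of a failed SMTP AUTH. This is the only line that carries the
# connecting client's hostname and IP; saslauthd logs show loopback instead.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9.]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

# saslauthd side, which names the account whose password is being guessed.
USER_FAIL = re.compile(
    r"saslauthd\[\d+\]: do_auth\s+: auth failure: \[user=(?P<user>[^\]]+)\]"
)


def parse_sasl_failures(log_text):
    """Return one dict (ts, host, ip, mech) per Postfix SASL failure line."""
    hits = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def failures_by_ip(log_text):
    """Count failed SMTP AUTH attempts per client IP."""
    return Counter(h["ip"] for h in parse_sasl_failures(log_text))


def failures_by_user(log_text):
    """Count failed attempts per targeted account (from the saslauthd lines)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = USER_FAIL.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def offending_ips(log_text, threshold=3):
    """Client IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in failures_by_ip(log_text).most_common() if n >= threshold]


if __name__ == "__main__":
    # Run against a real file with: python3 sasl_failures.py < /var/log/zimbra.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, n in failures_by_ip(text).most_common():
        print(f"{n:6d}  {ip}")
    for user, n in failures_by_user(text).most_common():
        print(f"{n:6d}  account {user}")
    print("block candidates:", offending_ips(text))
```

    Because the per-IP counts come from the Postfix line and the per-account counts from the saslauthd line, the two views together show whether a small number of hosts is hammering one account (a password-guessing or credential-reuse pattern, as in this thread) or many hosts are spraying many accounts. The address list is what a blocking tool would act on; the account list is what should trigger a forced password change.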

  2. #2
    phoenix (Zimbra Consultant & Moderator, joined Sep 2005, Vannes, France, 23,566 posts)

    Quote Originally Posted by dwidman View Post
    2) How can I stop these attacks??? I don't want to spend valuable bandwidth and CPU just denying a silly attack from spammers every 1 second.
    The answer to that would be to improve your password security and make users change them at regular intervals, check the details in the Admin UI.
    Regards

    Bill

  3. #3
    phianez (Starter Member, joined Mar 2010, 2 posts)

    Quote Originally Posted by dwidman View Post
    Hello friends,

    1) The email that is being sent has a sender name from a different domain. So how can I set zimbra/postfix to only send mail with the "FROM:" tag from my own domain and not accept other domains like "hotmail.com", etc., as is happening?

    Thanks,

    David
    This is a good one...
    Can anyone share how to do this? Only allow mail from my domain ONLY..

  4. #4
    alherman (Member, joined May 2010, 12 posts)

    POSTCONF smtpd_reject_unlisted_recipient no ---become yes

    file = zmmta.cf

    Try changing that setting in the file (from no to yes) and restart all services.

    Then check the log.

    I also had the same thing happen last month.
    br,
    al
