
Thread: SPAM being relayed through server using zmpost

  1. #1
    blueflametuna (Senior Member, joined Jan 2010, Idaho)

    SPAM being relayed through server using zmpost

    I found a few threads that contained similar zimbra.log messages, but no answers. How are they connecting, and what method are they using to send thousands of SPAM messages outbound? Is there a way to block this?

    May 26 15:23:48 myhost saslauthd[25313]: zmpost: url='https://myserver.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="7437"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_6970dfdcaebaed5ca0a775fa8c96e1f11d83d438_69643d33363a62613365326136312d376238352d346462342d396662312d3038326334333462346439643b6578703d31333a313237353038353432383435373b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>imax</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    May 26 15:23:48 myhost saslauthd[25313]: auth_zimbra: someuser@myserver.com auth OK
    May 26 15:23:48 myhost saslauthd[25316]: zmauth: authenticating against elected url 'https://myserver.com:7071/service/admin/soap/' ...
    May 26 15:23:48 myhost postfix/smtpd[22978]: 885EF22827A: client=unknown[41.138.187.61], sasl_method=LOGIN, sasl_username=someuser@myserver.com
    May 26 15:23:48 myhost postfix/smtpd[22904]: connect from unknown[41.138.187.61]
    May 26 15:23:48 myhost postfix/smtpd[22973]: disconnect from unknown[41.138.187.61]

    The result was thousands of emails being sent outbound, and ultimately getting blocked by major sites.

    The IP address is from Nigeria (no surprise, since the SPAM content is similar to a variety of schemes asking for credit card info...)

    The account had been compromised, and since disabled. But how can this be prevented? (And please don't say use better passwords, or block Nigeria.)
    The connection could come from anywhere.

    The admin GUI interface requires a user with admin privileges. This user did not. But it is my understanding that using the admin SOAP URL will authorize on their behalf and execute commands. This seems scripted, as if from a CLI interface. Are they using telnet, PuTTY, or some other web-based form to inject their command stream?

    Please, I need help in understanding how this works.
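    A detection pass over log lines of the kind quoted in this post, as an added example (not code from the thread, from Zimbra or from Postfix): it parses the postfix/smtpd SASL-authenticated session lines and flags any account with an abnormal number of authenticated sessions in a short window, or with logins from too many distinct client addresses. The thresholds, the normaluser@myserver.com account and the 10.0.0.12 address are constructed assumptions; the 41.138.187.61 address and someuser@myserver.com come from the log above.

```python
"""Added example (not from the thread): spot a compromised SMTP AUTH account
from Postfix log lines like those quoted in post #1.

Assumptions: the log format matches Postfix's
'postfix/smtpd[pid]: QUEUEID: client=host[ip], sasl_method=..., sasl_username=...'
line; thresholds and the sample data are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The line Postfix writes once a client has passed SMTP AUTH; in the thread
# this is the line that exposed the abuse.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)


def parse_auth_lines(lines, year=2010):
    """Yield (timestamp, sasl_username, client_ip) for each authenticated session.

    Syslog timestamps carry no year, so one is assumed (only differences matter here).
    """
    for line in lines:
        m = AUTH_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def flag_abused_accounts(lines, window=timedelta(minutes=10), max_sessions=20, max_ips=3):
    """Return {sasl_username: reason} for accounts whose authenticated-session
    pattern looks like credential abuse: more than max_sessions sessions inside
    any sliding window, or more than max_ips distinct client addresses."""
    events = defaultdict(list)  # user -> [(timestamp, ip), ...]
    for ts, user, ip in parse_auth_lines(lines):
        events[user].append((ts, ip))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        ips = {ip for _, ip in evs}
        if len(ips) > max_ips:
            flagged[user] = f"{len(ips)} distinct client IPs"
            continue
        start = 0  # left edge of the sliding window over sorted timestamps
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > max_sessions:
                flagged[user] = f"{end - start + 1} authenticated sessions within {window}"
                break
    return flagged


def constructed_sample():
    """Constructed log lines (not real logs) in the format quoted in the thread:
    one account hammered from a single foreign address, one account used normally."""
    lines = ["May 26 15:23:48 myhost postfix/smtpd[22904]: connect from unknown[41.138.187.61]"]
    for i in range(25):  # 25 authenticated sessions, five seconds apart
        secs = 48 + 5 * i
        lines.append(
            f"May 26 15:{23 + secs // 60:02d}:{secs % 60:02d} myhost postfix/smtpd[22978]: "
            f"{0x885EF22827A + i:X}: client=unknown[41.138.187.61], "
            f"sasl_method=LOGIN, sasl_username=someuser@myserver.com")
    for hhmmss in ("15:23:48", "15:40:02", "16:05:17"):  # normal user from an office address
        lines.append(
            f"May 26 {hhmmss} myhost postfix/smtpd[22910]: 91AB0228301: "
            f"client=desk12.myserver.com[10.0.0.12], sasl_method=LOGIN, "
            f"sasl_username=normaluser@myserver.com")
    return lines


if __name__ == "__main__":
    for user, reason in flag_abused_accounts(constructed_sample()).items():
        print(f"{user}: {reason}")
```

    Run against the real log with `flag_abused_accounts(open("/var/log/zimbra.log"))`; the per-user limits should be tuned to what the organisation's heaviest legitimate senders actually do, and the distinct-IP test is what catches a password that is being reused from several botnet nodes even when each one stays below the session threshold.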

  2. #2
    raj (Moderator, joined Oct 2005, USA, Canada and India)

    The logs you are showing are legit if the USER or SPAMMER has a valid password.
    Zimbra's saslauthd uses Zimbra's SOAP API to authenticate.
    Your account got compromised and the spammer relayed emails. You already know that, but I am just confirming it.
    How to stop it --> you cannot if your account password is compromised.

    BUT you can reduce the surface area of attack by:

    a) blocking the admin port on the public IP (assuming you are running split DNS with internal resolution of your Zimbra FQDN)
    b) regularly changing user passwords, or using really strong passwords
    c) most important: putting in a policy server, i.e. policyd, which can limit the number of emails a user can send out in a certain time. This way, even if your account is compromised or a user gets a virus infection that sends emails out, the user will be blocked from sending emails out once they reach the limit.
    * From our experience, 100-200 SMTP auth emails per user is a good limit (or even less for most corporate email); you can set the number you like.
    * This will stop 100,000 emails getting relayed out by a compromised account and getting you blacklisted by other ISPs and RBLs.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
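    A minimal Postfix SMTPD policy service implementing the per-user send limit from item c), as an added example that is neither policyd nor code from the thread, from Zimbra or from Postfix. It assumes the service is wired in with check_policy_service at the recipient-restriction stage (so one policy request corresponds to one RCPT TO), listens on 127.0.0.1:10031 (an assumed port), and uses an illustrative quota of 100 recipients per hour.

```python
"""Added example (not policyd, not from the thread): a tiny Postfix policy
server that caps how many recipients an authenticated (SASL) user may send
to per sliding hour, so a compromised mailbox cannot relay thousands of
messages before anyone notices.

Protocol: Postfix sends 'name=value' lines terminated by a blank line and
expects 'action=<restriction>' followed by a blank line in return.
Assumptions: limit, window and port are illustrative.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

MAX_RECIPIENTS_PER_WINDOW = 100   # illustrative quota per SASL user
WINDOW_SECONDS = 3600


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request block into a dict of attributes."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break                      # blank line ends the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class SendQuota:
    """Sliding-window recipient counter keyed by sasl_username."""

    def __init__(self, limit=MAX_RECIPIENTS_PER_WINDOW, window=WINDOW_SECONDS, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)   # user -> timestamps of accepted recipients
        self.lock = threading.Lock()

    def decide(self, attrs: dict) -> str:
        """Return the Postfix action for one request (one RCPT TO)."""
        user = attrs.get("sasl_username", "")
        if not user:
            return "DUNNO"            # not SMTP AUTH: leave it to the other restrictions
        now = self.clock()
        with self.lock:
            q = self.events[user]
            while q and now - q[0] > self.window:
                q.popleft()           # drop recipients older than the window
            if len(q) >= self.limit:
                # Temporary failure: a legitimate burst retries later, a spam run stalls.
                return "DEFER_IF_PERMIT Sending quota exceeded for this account"
            q.append(now)
            return "DUNNO"


def handle_request_text(quota: SendQuota, raw: str) -> str:
    """Map one raw request block to the response text Postfix expects."""
    return f"action={quota.decide(parse_policy_request(raw))}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    quota = SendQuota()               # shared across connections

    def handle(self):
        while True:                   # Postfix may reuse one connection for many requests
            block = []
            while True:
                line = self.rfile.readline().decode("utf-8", "replace")
                if not line:
                    return            # connection closed
                if line in ("\n", "\r\n"):
                    break
                block.append(line.rstrip("\r\n"))
            self.wfile.write(handle_request_text(self.quota, "\n".join(block) + "\n").encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Postfix side (assumed values):
    #   smtpd_recipient_restrictions = ..., check_policy_service inet:127.0.0.1:10031, ...
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

    Zimbra regenerates main.cf from its own configuration store, so the check_policy_service entry has to go in through Zimbra's tooling (the zimbraMtaRestriction attribute set with zmprov) rather than by editing the file; that is also why the thread steers towards the packaged policyd rather than a hand-rolled daemon. The quota state here lives in memory and resets on restart, which is acceptable for a demonstration but not for a production control.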

  3. #3
    blueflametuna (Senior Member, joined Jan 2010, Idaho)

    Thanks Raj,

    We were already looking into policyd.
    I think limiting the number of messages is a good start.
    We will also change the user password characteristics requirements.

  4. #4
    blueflametuna (Senior Member, joined Jan 2010, Idaho)

    I have inherited this system, and several things have been partially installed:

    razor2, pyzor, SPF, and now I am trying to install policyd.
    Some of the threads and wikis I have found talk about testing with spamassassin from the command line. For the life of me, I cannot find spamassassin anywhere as an executable on this system. Is it called something else in the Zimbra world?

    Is there one collective how-to anywhere that provides comprehensive instructions on how to install, configure, and test all of the above?

  5. #5
    phoenix (Zimbra Consultant & Moderator, joined Sep 2005, Vannes, France)

    Quote Originally Posted by blueflametuna:
        Is there one collective how-to anywhere that provides comprehensive instructions on how to install, configure, and test all of the above?
    You may want to start with this page: Improving Anti-spam system - Zimbra :: Wiki

    Before you install policyd I'd suggest you get your server secure (user password, block unnecessary ports as Raj has already mentioned), fix your SPF (there are external sites to check those records), perhaps install domainkeys (I use dk-milter on my CentOS server) and when you've locked it down you can then investigate installing policyd. I assume that your external access to the Zimbra Web UI is using https and not http?
    Regards,
    Bill

  6. #6
    blueflametuna (Senior Member, joined Jan 2010, Idaho)

    Yes, we are making some of those changes, (the DNS records to implement SPF, stronger passwords, etc.) But with respect to policyd, there seems to be some differences in the installation and configuration procedure as described in the Wiki at Improving Anti-spam system - Zimbra :: Wiki, the postfix-policyd wiki, Postfix Policyd - Zimbra :: Wiki, and the INSTALL instructions that came with the policyd v2 tarball.
    In the latter, there is something called "cluebringer". I am assuming that is the webui piece. They also mention a patch to work with amavisd.

    I am just a bit leery about making changes that might upset the Zimbra suite.
    And what does all this do to complicate future upgrades?

  7. #7
    blueflametuna (Senior Member, joined Jan 2010, Idaho)

    How to install and configure policyd?

    I hate to be a pest, but should I open a new thread to find out how to install and configure policyd? The INSTALL instructions in the tarball (called cluebringer) do not match the instructions in the wiki.

    Thanks!

  8. #8
    VS-Francesco (Member, joined Apr 2007, Italy, Verona)

    Hi, I have the same problem even if I change the password; can someone help me?
    Do spammers break the SMTP auth of the admin user via SOAP?
