Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1
05-27-2010, 01:29 PM
Senior Member, Posts: 60

SPAM being relayed through server using zmpost

I found a few threads that contained similar zimbra.log messages, but no answers. How are they connecting, and what method are they using to send thousands of SPAM messages outbound? Is there a way to block this?

May 26 15:23:48 myhost saslauthd[25313]: zmpost: url='https://myserver.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="7437"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_6970dfdcaebaed5ca0a775fa8c96e1f11d83d438_69643d33363a62613365326136312d376238352d346462342d396662312d3038326334333462346439643b6578703d31333a313237353038353432383435373b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>imax</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
May 26 15:23:48 myhost saslauthd[25313]: auth_zimbra: someuser@myserver.com auth OK
May 26 15:23:48 myhost saslauthd[25316]: zmauth: authenticating against elected url 'https://myserver.com:7071/service/admin/soap/' ...
May 26 15:23:48 myhost postfix/smtpd[22978]: 885EF22827A: client=unknown[41.138.187.61], sasl_method=LOGIN, sasl_username=someuser@myserver.com
May 26 15:23:48 myhost postfix/smtpd[22904]: connect from unknown [41.138.187.61]
May 26 15:23:48 myhost postfix/smtpd[22973]: disconnect from unknown[41.138.187.61]

The result was thousands of emails being sent outbound, and ultimately getting blocked by major sites.

The IP address is from Nigeria (no surprise, since the SPAM content is similar to a variety of schemes asking for credit card info...)

The account had been compromised, and since disabled. But how can this be prevented? (And please don't say use better passwords, or block Nigeria.)
The connection could come from anywhere.

The admin GUI interface requires a user with admin privileges. This user did not. But it is my understanding that using the admin soap url will authorize on their behalf, and execute commands. This seems scripted, as if from a CLI interface. Are they using telnet, puTTY, or some other web based form to inject their command stream?

Please, I need help in understanding how this works.
#2
05-27-2010, 03:12 PM
raj, Moderator, Posts: 768

The logs you are showing are legit if the USER or SPAMMER has a valid password.
Zimbra's saslauthd uses Zimbra's SOAP API to authenticate.
Your account got compromised and the spammer relayed emails. You already know that, but I am just confirming it.
How to stop it --> you cannot if your account password is compromised.

BUT you can reduce the surface area of attack by

a) blocking the admin port on the public IP, assuming you are running split DNS with internal resolution of your Zimbra FQDN
b) regularly use user passwords or use really strong passwords
c) most important: put in some policy server, i.e. policyd, which can limit the number of emails a user can send out in a certain time. This way, even if your account is compromised or a user got a virus infection sending emails out, the user will be blocked from sending emails out once it reaches the limit.
* From our experience 100-200 SMTP auth emails per user is a good limit, or even less for most corporate emails; you can set the number you like.
* This will stop 100,000 emails getting relayed out by a compromised account and getting you blacklisted by other ISPs and RBLs.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
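As an added example (not code from this thread, from Zimbra, or from policyd), the following Python script shows how a defender can apply the per-account sending limit Raj describes to the server's own logs: it parses postfix/smtpd lines of the kind shown in the first post, counts authenticated submissions per sasl_username inside a sliding time window, and flags accounts that exceed the limit together with the client IPs they authenticated from. The sample log lines, the year 2010 (syslog timestamps carry no year), and the threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the format the thread shows (not real traffic).
# The first account authenticates repeatedly from two foreign IPs within seconds;
# the second is a normal user sending two messages an hour apart.
SAMPLE_LOG = """\
May 26 15:23:48 myhost saslauthd[25313]: auth_zimbra: someuser@myserver.com auth OK
May 26 15:23:48 myhost postfix/smtpd[22978]: 885EF22827A: client=unknown[41.138.187.61], sasl_method=LOGIN, sasl_username=someuser@myserver.com
May 26 15:23:49 myhost postfix/smtpd[22979]: 885EF22827B: client=unknown[41.138.187.61], sasl_method=LOGIN, sasl_username=someuser@myserver.com
May 26 15:23:50 myhost postfix/smtpd[22980]: 885EF22827C: client=unknown[41.138.187.62], sasl_method=LOGIN, sasl_username=someuser@myserver.com
May 26 15:30:00 myhost postfix/smtpd[22981]: 885EF22827D: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@myserver.com
May 26 16:30:00 myhost postfix/smtpd[22982]: 885EF22827E: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@myserver.com
"""

# Matches the postfix/smtpd line that records an authenticated SMTP session.
# The sasl_username= field is what ties each relayed message to an account.
SMTPD_SASL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)


def parse_syslog_time(ts, year=2010):
    """Syslog timestamps have no year; the caller supplies one (assumed 2010 here)."""
    ts = re.sub(r"\s+", " ", ts)  # 'May  6' -> 'May 6'
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_sasl_submissions(log_text, year=2010):
    """Return one record per authenticated SMTP session found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = SMTPD_SASL_RE.match(line.strip())
        if not m:
            continue  # saslauthd lines and unauthenticated sessions are skipped
        records.append({
            "time": parse_syslog_time(m.group("ts"), year),
            "queue_id": m.group("qid"),
            "host": m.group("host"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "user": m.group("user"),
        })
    return records


def find_abusive_accounts(records, limit=100, window_minutes=60):
    """Flag accounts whose submissions in any sliding window exceed `limit`.

    The default of 100 mirrors the 100-200 per-user figure suggested in the
    thread; the 60-minute window is an assumption for this example.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        times = [r["time"] for r in recs]
        peak, j = 0, 0
        # Two-pointer sweep: for each start index i, advance j to the first
        # record outside [times[i], times[i] + window); j - i is the count.
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] < window:
                j += 1
            peak = max(peak, j - i)
        if peak > limit:
            flagged[user] = {
                "peak_count": peak,
                "client_ips": {r["ip"] for r in recs},
                "first_seen": times[0],
                "last_seen": times[-1],
            }
    return flagged


if __name__ == "__main__":
    # A deliberately low limit so the constructed sample trips the check.
    report = find_abusive_accounts(parse_sasl_submissions(SAMPLE_LOG), limit=2)
    for user, info in report.items():
        print(f"{user}: {info['peak_count']} submissions in one window, "
              f"{len(info['client_ips'])} distinct client IP(s): "
              f"{', '.join(sorted(info['client_ips']))}")
```

Run against a real zimbra.log with the production limit, this gives the same signal policyd would enforce, but after the fact: it tells an administrator which account to disable and which client addresses were involved, while policyd (or a similar policy daemon) is what actually stops the outbound flood at the limit.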
#3
05-27-2010, 04:16 PM
Senior Member, Posts: 60

Thanks Raj,

We were already looking into policyd.
I think limiting the number of messages is a good start.
We will also change the user password characteristics requirements.
#4
05-28-2010, 02:26 PM
Senior Member, Posts: 60

I have inherited this system, and several things have been partially installed:

razor2, pyzor, SPF, and now I am trying to install policyd.
Some of the threads and wikis I have found talk about testing with spamassassin from the command line. For the life of me, I cannot find spamassassin anywhere as an executable on this system. Is it called something else in the Zimbra world?

Is there one collective how-to anywhere that provides comprehensive instructions on how to install, configure, and test all of the above?
#5
05-28-2010, 11:27 PM
Zimbra Consultant & Moderator, Posts: 20,313

Quote (originally posted by blueflametuna):
Is there one collective how-to anywhere that provides comprehensive instructions on how to install, configure, and test all of the above?
You may want to start with this page: Improving Anti-spam system - Zimbra :: Wiki

Before you install policyd I'd suggest you get your server secure (user password, block unnecessary ports as Raj has already mentioned), fix your SPF (there are external sites to check those records), perhaps install domainkeys (I use dk-milter on my CentOS server) and when you've locked it down you can then investigate installing policyd. I assume that your external access to the Zimbra Web UI is using https and not http?
__________________
Regards
Bill
#6
05-29-2010, 06:23 AM
Senior Member, Posts: 60

Yes, we are making some of those changes, (the DNS records to implement SPF, stronger passwords, etc.) But with respect to policyd, there seems to be some differences in the installation and configuration procedure as described in the Wiki at Improving Anti-spam system - Zimbra :: Wiki, the postfix-policyd wiki, Postfix Policyd - Zimbra :: Wiki, and the INSTALL instructions that came with the policyd v2 tarball.
In the latter, there is something called "cluebringer". I am assuming that is the webui piece. They also mention a patch to work with amavisd.

I am just a bit leery about making changes that might upset the Zimbra suite.
And what does all this do to complicate future upgrades?
#7
06-07-2010, 09:31 AM
Senior Member, Posts: 60

How to install and configure policyd?

I hate to be a pest, but should I open a new thread to find out how to install and configure policyd? The INSTALL instructions in the tarball (called cluebringer) do not match the instructions in the wiki.

Thanks!
#8
04-28-2011, 03:37 AM
Member, Posts: 11

Hi, I have the same problem, even if I change the password. Can someone help me?
Spammers break SMTP Auth of user Admin via SOAP?