
Thread: mailbox log -indicate ip spammer how to

  1. #1
    alherman (Member)

    Hi all,

    I have this log from mailbox.log; here is the log:
    2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] account - authentication failed for hoops (no such account)
    2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [ip=72.13.5.196;] pop - quit from client
    2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [] ProtocolHandler - Handler exiting normally
    2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [ip=72.13.5.196;] pop - connected
    2010-06-21 13:37:12,886 INFO [Pop3Server-6694] [ip=72.13.5.196;] account - authentication failed for hanson (no such account)
    2010-06-21 13:37:12,886 INFO [Pop3Server-6694] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:12,899 INFO [Pop3Server-6673] [ip=72.13.5.196;] account - authentication failed for honey (no such account)
    2010-06-21 13:37:12,899 INFO [Pop3Server-6673] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:12,907 INFO [Pop3Server-6676] [ip=72.13.5.196;] pop - quit from client
    2010-06-21 13:37:13,229 INFO [Pop3Server-6731] [ip=72.13.5.196;] account - authentication failed for george (no such account)
    2010-06-21 13:37:13,229 INFO [Pop3Server-6731] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:13,232 INFO [Pop3Server-6703] [ip=72.13.5.196;] account - authentication failed for isaac (no such account)
    2010-06-21 13:37:13,232 INFO [Pop3Server-6703] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:13,263 INFO [Pop3Server-6642] [ip=72.13.5.196;] account - authentication failed for guido (no such account)
    2010-06-21 13:37:13,263 INFO [Pop3Server-6642] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:13,271 INFO [Pop3Server-6386] [ip=72.13.5.196;] account - authentication failed for hockey (no such account)
    2010-06-21 13:37:13,271 INFO [Pop3Server-6386] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
    2010-06-21 13:37:13,278 INFO [Pop3Server-6729] [ip=72.13.5.196;] pop - quit from client


    How do I block an IP address in Zimbra, since the spammer is using the same IP address? I mean, if a spammer uses the same IP to try some user IDs (there are no user IDs like that in my Zimbra), can it be sent straight to an IP blacklist? How do I do that?

    Sorry, newbie... thanks.
    5.0.9_GA_2533.RHEL5_20080815132719 CentOS5 FOSS edition


    alherman

  2. #2
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Search the forums or wiki for the word 'restrict' and you'll find details of how to block an IP. You should also look at the wiki article on Improving the anti-spam system especially the option "Discarding Emails Sent to Invalid Addresses ". You also shouldn't have your POP or IMAP exposed to the internet unless they are using SSL connections.
    Regards
    Bill

  3. #3
    alherman (Member)

    Thanks for the tips, I will check it.

    Thanks a lot, man.

  4. #4
    alherman (Member)

    Hi phoenix,
    As you mentioned "Discarding Emails Sent to Invalid Addresses", yes, I checked my config and added a change like this (as the wiki says):
    POSTCONF smtpd_reject_unlisted_recipient yes

    and it works; I see some reports in log/zimbra.log saying "address rejected".

    But you also mentioned "restrict" and how to block an IP; I searched and did not find any clue. Can you explain that further?

    Sorry, I am a newbie in Linux and also in Zimbra.

    Thanks

  5. #5
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by alherman View Post
    But you also mentioned "restrict" and how to block an IP; I searched and did not find any clue. Can you explain that further?
    The articles on how to block an IP address are in the wiki: Advanced Hacking Articles - Zimbra :: Wiki However, that's not a particularly good technique for blocking spam as their IP address will change regularly. What you should be looking at is using RBLs (amongst other things), check the wiki articles (and search the forums) for techniques to improve the anti-spam system and try some of them.
    Regards
    Bill

  6. #6
    ewilen (Moderator, Berkeley, CA)

    alherman, your example isn't necessarily showing a spammer; it's someone trying to hack into your system via POP. Not sure what is in the wiki article that relates to that.

    How I would deal with it:

    First, as phoenix says, POP & IMAP (and HTTP to Zimbra) should go over secure connections if you're allowing people to use them from outside your network. That'll keep people's passwords from being sniffed.

    Second, I'd use WHOIS to find the netrange of the computer that's attempting the hacking. In many cases, it's going to be coming from another country and you can just block their access to POP/IMAP/HTTP(S) at your firewall. In this case, though, it's coming from a company in the US, so you have to decide if you want to just firewall off that one IP address, or their whole netrange.

    EDIT: if you don't have, or can't modify, a firewall at the border of your network, then you could probably use iptables/netfilter in Linux.
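The log in the first post and ewilen's advice above amount to a detection (many failed POP3 logins from one IP in a short time) followed by a firewall response. Here is an added example of that detection, written for this page; it is not Zimbra's, OSSEC's or any poster's code. It parses the mailbox.log lines quoted in the first post (abridged), plus two constructed lines for a second IP, 10.0.0.5, that stays under the threshold; the "(invalid password)" reason text on those constructed lines is an assumption. The threshold (5 failures in 5 minutes) and the port list (110, 143, 993, 995) are assumptions too, and the iptables commands are only returned as strings, never executed.

```python
"""Added example (not Zimbra's own code): tally failed POP3 logins per client
IP in a Zimbra mailbox.log excerpt and emit firewall rules for repeat offenders.
Assumed parameters: 5 failures within 5 minutes, POP3/IMAP and their SSL ports."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Lines copied (abridged) from the first post, plus two constructed lines for
# 10.0.0.5 showing an IP with a single failure that stays under the threshold.
SAMPLE_LOG = """\
2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] account - authentication failed for hoops (no such account)
2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [ip=72.13.5.196;] pop - quit from client
2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [] ProtocolHandler - Handler exiting normally
2010-06-21 13:37:12,886 INFO [Pop3Server-6694] [ip=72.13.5.196;] account - authentication failed for hanson (no such account)
2010-06-21 13:37:12,899 INFO [Pop3Server-6673] [ip=72.13.5.196;] account - authentication failed for honey (no such account)
2010-06-21 13:37:13,229 INFO [Pop3Server-6731] [ip=72.13.5.196;] account - authentication failed for george (no such account)
2010-06-21 13:37:13,232 INFO [Pop3Server-6703] [ip=72.13.5.196;] account - authentication failed for isaac (no such account)
2010-06-21 13:37:13,263 INFO [Pop3Server-6642] [ip=72.13.5.196;] account - authentication failed for guido (no such account)
2010-06-21 13:37:13,271 INFO [Pop3Server-6386] [ip=72.13.5.196;] account - authentication failed for hockey (no such account)
2010-06-21 13:37:13,278 INFO [Pop3Server-6729] [ip=72.13.5.196;] pop - quit from client
2010-06-21 13:40:01,004 INFO [Pop3Server-6800] [ip=10.0.0.5;] account - authentication failed for alice (invalid password)
2010-06-21 13:40:01,010 INFO [Pop3Server-6800] [ip=10.0.0.5;] pop - -ERR login failed (PASS ****)
"""

# timestamp, level, [thread], [ip=...;] or [], component, " - ", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ "
    r"\[(?P<thread>[^\]]*)\] \[(?:ip=(?P<ip>[\d.]+);)?[^\]]*\] "
    r"(?P<component>\S+) - (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^authentication failed for (?P<user>\S+)(?: \((?P<reason>[^)]*)\))?")


def parse_line(line):
    """Split one mailbox.log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def auth_failures(log_text):
    """Yield (timestamp, ip, user, reason) for every 'authentication failed' line."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["component"] != "account" or not rec["ip"]:
            continue
        f = FAIL_RE.match(rec["msg"])
        if f:
            yield rec["ts"], rec["ip"], f.group("user"), f.group("reason") or "unknown"


def offenders(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures", "users", "reasons"}} for every IP that produced
    at least `threshold` failures inside any span of length `window`."""
    per_ip = defaultdict(list)
    for ts, ip, user, reason in auth_failures(log_text):
        per_ip[ip].append((ts, user, reason))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()  # sliding window needs time order
        times = [e[0] for e in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": len(events),
                    "users": sorted({e[1] for e in events}),
                    "reasons": Counter(e[2] for e in events),
                }
                break
    return hits


def iptables_rules(ips, ports=(110, 143, 993, 995)):
    """Return the iptables commands that would drop each offender (strings only)."""
    dports = ",".join(str(p) for p in ports)
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {dports} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures, users={info['users']}, "
              f"reasons={dict(info['reasons'])}")
    print("\n".join(iptables_rules(hits)))
```

The "reasons" breakdown is what tells a brute-force guess of usernames ("no such account", as in the post) apart from password guessing against real accounts ("invalid password"); the second kind is the one worth paging someone for. The rules it prints would go on the border firewall or, as ewilen notes, on the Zimbra host's own netfilter; as phoenix points out, a single-IP block is short-lived, so treat the output as an input to a blocklist you expire, not a permanent rule.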

  7. #7
    alherman (Member)

    Hi ewilen and phoenix,

    Thanks for the advice; I have now implemented OSSEC on my CentOS/Zimbra box.

    Yes, early this morning it showed me warnings at level 10/7; some random IPs have been trying hard to brute-force the admin and root passwords.

    1. Can OSSEC hold it? I mean, will OSSEC block this threat?
    2. What does OSSEC do? I mean, does it only warn us by email, or does it also block that IP?

    Thanks, man.
    al
