#1
06-21-2010, 04:10 AM
Member (Posts: 12)
Subject: mailbox log - indicate IP spammer, how to

Hi all,

I have this log from mailbox.log; here is the log:
2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] account - authentication failed for hoops (no such account)
2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [ip=72.13.5.196;] pop - quit from client
2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [] ProtocolHandler - Handler exiting normally
2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [ip=72.13.5.196;] pop - connected
2010-06-21 13:37:12,886 INFO [Pop3Server-6694] [ip=72.13.5.196;] account - authentication failed for hanson (no such account)
2010-06-21 13:37:12,886 INFO [Pop3Server-6694] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:12,899 INFO [Pop3Server-6673] [ip=72.13.5.196;] account - authentication failed for honey (no such account)
2010-06-21 13:37:12,899 INFO [Pop3Server-6673] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:12,907 INFO [Pop3Server-6676] [ip=72.13.5.196;] pop - quit from client
2010-06-21 13:37:13,229 INFO [Pop3Server-6731] [ip=72.13.5.196;] account - authentication failed for george (no such account)
2010-06-21 13:37:13,229 INFO [Pop3Server-6731] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:13,232 INFO [Pop3Server-6703] [ip=72.13.5.196;] account - authentication failed for isaac (no such account)
2010-06-21 13:37:13,232 INFO [Pop3Server-6703] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:13,263 INFO [Pop3Server-6642] [ip=72.13.5.196;] account - authentication failed for guido (no such account)
2010-06-21 13:37:13,263 INFO [Pop3Server-6642] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:13,271 INFO [Pop3Server-6386] [ip=72.13.5.196;] account - authentication failed for hockey (no such account)
2010-06-21 13:37:13,271 INFO [Pop3Server-6386] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:13,278 INFO [Pop3Server-6729] [ip=72.13.5.196;] pop - quit from client


How do I block an IP address in Zimbra, because the spammer is using the same IP address? I mean, if the spammer is using the same IP to access some user IDs (there are no user IDs like that in my Zimbra), can it be sent directly to an IP blacklist? How do I do that?

Sorry, newbie... thanks.
5.0.9_GA_2533.RHEL5_20080815132719 CentOS5 FOSS edition


alherman
#2
06-21-2010, 04:28 AM
Zimbra Consultant & Moderator (Posts: 20,313)

Search the forums or wiki for the word 'restrict' and you'll find details of how to block an IP. You should also look at the wiki article on Improving the anti-spam system, especially the option "Discarding Emails Sent to Invalid Addresses". You also shouldn't have your POP or IMAP exposed to the internet unless they are using SSL connections.
Regards,
Bill
#3
06-21-2010, 07:51 PM
Member (Posts: 12)

Thanks for the tips, I will check it.

Thanks a lot, man.
#4
06-21-2010, 09:28 PM
Member (Posts: 12)

Hi phoenix,
As you mentioned "Discarding Emails Sent to Invalid Addresses", yes, I checked my config and added a change like this (as the wiki said):
POSTCONF smtpd_reject_unlisted_recipient yes

and it works; I see some reports in log/zimbra.log saying the address was rejected.

But your idea also mentioned "restrict" and how to block an IP; I searched and could not find any clue. Can you give another explanation?

Sorry, I am a newbie in Linux and also in Zimbra.

Thanks
#5
06-21-2010, 10:52 PM
Zimbra Consultant & Moderator (Posts: 20,313)

Quote:
Originally Posted by alherman
But your idea also mentioned "restrict" and how to block an IP; I searched and could not find any clue. Can you give another explanation?
The articles on how to block an IP address are in the wiki: Advanced Hacking Articles - Zimbra :: Wiki. However, that's not a particularly good technique for blocking spam, as their IP address will change regularly. What you should be looking at is using RBLs (amongst other things); check the wiki articles (and search the forums) for techniques to improve the anti-spam system and try some of them.
Regards,
Bill
#6
06-22-2010, 11:33 AM
Moderator (Posts: 1,432)

alherman, your example isn't necessarily showing a spammer--it's someone trying to hack into your system via POP. Not sure what is in the wiki article that relates to that.

How I would deal with it:

First, as phoenix says, POP & IMAP (and HTTP to Zimbra) should go over secure connections if you're allowing people to use them from outside your network. That'll keep people's passwords from being sniffed.

Second, I'd use WHOIS to find the netrange of the computer that's attempting the hacking. In many cases, it's going to be coming from another country and you can just block their access to POP/IMAP/HTTP(S) at your firewall. In this case, though, it's coming from a company in the US, so you have to decide if you want to just firewall off that one IP address, or their whole netrange.

EDIT: if you don't have, or can't modify, a firewall at the border of your network, then you could probably use iptables/netfilter in Linux.
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
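As an added example (not code from the thread, from Zimbra, or from any of the posters), here is a small POSIX shell script that ties together the mailbox.log excerpt in post #1 and the firewall approach ewilen suggests in post #6: it counts "authentication failed" events per client IP in the log and prints the iptables rule that would drop that source on the POP/IMAP ports, so the same log that revealed the brute-force attempt also produces the block. The sample log lines are constructed in the format of the excerpt; the threshold, the port list, and the use of the iptables multiport match are assumptions, and the rules are printed rather than executed so they can be reviewed first (a WHOIS netrange in CIDR form can be substituted for the single address, since iptables -s accepts either).

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra: count failed POP/IMAP
# logins per client IP in a Zimbra mailbox.log and emit the iptables rules that
# would drop the offending source on the POP/IMAP ports. Assumptions: the log
# format is the one shown in post #1 ("[ip=A.B.C.D;]" plus "authentication
# failed"), iptables with the multiport match is the host firewall, and the
# port list and threshold below are reasonable defaults for the site.

# Constructed sample lines in the format of the excerpt in post #1.
SAMPLE_LOG=$(cat <<'EOF'
2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] account - authentication failed for hoops (no such account)
2010-06-21 13:37:12,867 INFO [Pop3Server-6700] [ip=72.13.5.196;] pop - -ERR login failed (PASS ****)
2010-06-21 13:37:12,870 INFO [Pop3Server-6625] [ip=72.13.5.196;] pop - connected
2010-06-21 13:37:12,886 INFO [Pop3Server-6694] [ip=72.13.5.196;] account - authentication failed for hanson (no such account)
2010-06-21 13:37:12,899 INFO [Pop3Server-6673] [ip=72.13.5.196;] account - authentication failed for honey (no such account)
2010-06-21 13:37:13,229 INFO [Pop3Server-6731] [ip=72.13.5.196;] account - authentication failed for george (no such account)
2010-06-21 13:37:13,500 INFO [ImapServer-1200] [ip=192.0.2.10;] account - authentication failed for alice (invalid password)
2010-06-21 13:37:14,000 INFO [Pop3Server-6800] [ip=198.51.100.7;] account - authentication failed for bob (no such account)
EOF
)

# failed_logins_by_ip MIN: read mailbox.log lines on stdin and print "IP COUNT"
# for every client IP with at least MIN "authentication failed" events, most
# failures first. The "-ERR login failed" lines that follow each failure are
# deliberately not matched, so every attempt is counted exactly once.
failed_logins_by_ip() {
    awk -v min="${1:-5}" '
        /authentication failed/ && match($0, /\[ip=[0-9.]+;\]/) {
            # RSTART/RLENGTH cover "[ip=...;]": drop the 4-char prefix and 2-char suffix
            ip = substr($0, RSTART + 4, RLENGTH - 6)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# block_rules: for each "SOURCE COUNT" line on stdin, print a comment and the
# iptables command that drops that source on the POP/IMAP ports. SOURCE may be
# a single address or a CIDR netrange (for example the block WHOIS reports).
# Rules are only printed; review them, then pipe the output into sh to apply.
block_rules() {
    ports=${POP_IMAP_PORTS:-110,995,143,993}
    while read -r src count; do
        [ -n "$src" ] || continue
        printf '# %s: %s failed logins\n' "$src" "$count"
        printf 'iptables -I INPUT -s %s -p tcp -m multiport --dports %s -j DROP\n' "$src" "$ports"
    done
}

# Demo on the constructed sample, flagging sources with 3 or more failures:
#   sh this_script.sh --demo
# On a real host (path is site-specific):
#   failed_logins_by_ip 5 < /path/to/mailbox.log | block_rules
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 3 | block_rules
fi
```

Run with --demo and only 72.13.5.196 is reported (four failures in the sample); the two single-failure sources stay below the threshold, which is the point of counting per IP rather than reacting to each line. Lowering the threshold to 1 lists all three sources, most failures first.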
#7
06-23-2010, 12:07 AM
Member (Posts: 12)

Hi ewilen and Phoenix,

Thanks for the advice; I have now implemented OSSEC on my CentOS/Zimbra.

Yes, early this morning it showed me warnings at level 10/7; some random IP has been trying hard to brute-force the admin and root passwords.

1. Is OSSEC able to hold it? I mean, will OSSEC block this threat?
2. What is OSSEC's function? I mean, does it only warn us by email, or does it also block that IP?

Thanks, man.
Al