Spamming In Zimbra By Users Account With Weak Password

[haris-bytecraft]

Hi

have this occurs problem to a Zimbra server. Spammer will used any
account they can breach to spam. More than 6000 spam email will be
send for every successfully try before we found out.

Ok I know you know we know, we need to ask users to change and use
harden password. Yes, we are doing it, so its going to
take time until the users used to it. At this moments, sysadmin busy
with locked accounts due to accounts try by outsider. We have set the
policy after 3 times login failure, account will locked but this burden our sysadmin.

For information, this attack is using the login using HTML.

Re: Dealing with compromised Zimbra accounts

Help with compromised accounts

I have use this script to delete the account email, after locked the account.

HOWTO: Remove mail from postfix queue based on from email or rcpto email address

Can anyone share any information how they enject the spam emails so I can block using http filter?

Thanks.

[Dirk]

I'd suggest setting the accounts to lock after 2 or three wrong password attempts, but then unlock after 10 minutes. Inform the users that accounts wont be unlocked and they should just wait 15 mins and try again.

That delay shouldnt upset the user too much, will take the burden off support and will prevent brute force attacks because ~10 password attempts per hour is a lot less than a hacker will be happy with.