Thread: Hacked account sending spam

  1. #1
    Rodrigo Brunelli Riguetto (Starter Member)

    Hi,

    We had a user account sending spam through our Zimbra Server 7 server. The server is configured to block an account after 10 unsuccessful login attempts, but the cracker still got the password.

    The messages sent by the spammer had a sender with a domain different from the one configured in Zimbra. Is there any way to block the sending of messages whose sender's domain is not configured in Zimbra?

    The following is the log generated at the spammer's login:

    zimbra.log
    Jun 1 00:17:20 mailserver postfix/smtpd[1075]: connect from unknown[189.104.113.254]
    Jun 1 00:17:21 mailserver saslauthd[28352]: zmauth: authenticating against elected url 'https://mailserver.mydomain.com:7071/service/admin/soap/' ...
    Jun 1 00:17:21 mailserver saslauthd[28352]: zmpost: url='https://mailserver.mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="2393"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_4a602a3a97f 18a0a88915d014f8da93c32b48002_69643d33363a32313366 393536622d653039622d346437342d626531642d3233363037 366661386665383b6578703d31333a31333037303731303431 3336393b76763d313a313b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Jun 1 00:17:21 mailserver saslauthd[28352]: auth_zimbra: spamuser auth OK
    Jun 1 00:17:21 mailserver postfix/smtpd[1075]: E737B778001: client=unknown[189.104.113.254], sasl_method=PLAIN, sasl_username=spamuser

    mailbox.log
    2011-06-01 00:17:21,327 INFO [btpool0-255://mailserver.mydomain.com:7071/service/admin/soap/] [ip=192.168.0.235;] soap - AuthRequest

    audit.log
    2011-06-01 00:17:21,369 INFO [btpool0-255://mailserver.mydomain.com:7071/service/admin/soap/] [name=spamuser@mydomain.com;ip=192.168.0.235;] security - cmd=Auth; account=spamuser@mydomain.com; protocol=soap;
    Thanks,

    Rodrigo

  2. #2
    raj (Moderator)

    You should research the following:

    reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

    man page: Postfix Configuration Parameters
    Enabling it may affect ALIASES sending email through SMTP AUTH, so please test and research before you apply it.
    It will fix the spammer problem for sure, but it may affect other things.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider
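
An added example (not part of the original thread, and not Postfix or Zimbra code): a simplified Python model of the two rejection cases quoted in the reply above, showing why an authenticated login using a foreign sender domain is rejected and why aliases need their own map entries. The map contents, the alice and sales addresses, other-domain.example and the function names are constructed for illustration; lookups here try only the full address and then @domain.

```python
# Simplified model of the reject_sender_login_mismatch decision
# (added illustration; not Postfix source code).

# Constructed stand-in for $smtpd_sender_login_maps:
# MAIL FROM address (or @domain) -> SASL logins that own it.
SENDER_LOGIN_MAPS = {
    "spamuser@mydomain.com": {"spamuser"},
    "alice@mydomain.com": {"alice"},
    # Alias owned by alice; without this entry her alias mail is rejected.
    "sales@mydomain.com": {"alice"},
}


def lookup_owners(mail_from, maps):
    """Return owning logins for an address: full address first, then @domain."""
    addr = mail_from.strip().lower()
    if addr in maps:
        return maps[addr]
    domain = addr.rpartition("@")[2]
    return maps.get("@" + domain)  # None means "not found"


def check_sender(mail_from, sasl_username, maps=SENDER_LOGIN_MAPS):
    """Return 'REJECT' or 'DUNNO' following the two cases quoted above."""
    owners = lookup_owners(mail_from, maps)
    if sasl_username is None:
        # Case 1: the address has an owner but the client is not logged in.
        return "REJECT" if owners else "DUNNO"
    # Case 2: logged in, but the login does not own the MAIL FROM address.
    # An address missing from the map has no owner, so it is rejected too.
    if owners and sasl_username in owners:
        return "DUNNO"
    return "REJECT"


def demo():
    """Evaluate constructed (MAIL FROM, SASL login) pairs."""
    cases = [
        ("alice@mydomain.com", "alice"),              # owner sends as self
        ("sales@mydomain.com", "alice"),              # alias listed in the map
        ("promo@other-domain.example", "spamuser"),   # foreign sender domain
        ("alice@mydomain.com", "spamuser"),           # spoofing another user
        ("alice@mydomain.com", None),                 # owned address, no login
    ]
    return [(f, u, check_sender(f, u)) for f, u in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

DUNNO here means the rule makes no decision and later restrictions apply.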
