Hi,
We had a user account sending spam through our Zimbra Server 7 server. The server is configured to block an account after 10 unsuccessful login attempts, but the cracker still got the password.
The messages sent by the spammer had a sender with a domain different from those configured in Zimbra. Is there any way to block the sending of messages whose sender's domain is not configured in Zimbra?
The following is the log generated at the spammer's login:
Quote:
zimbra.log
Jun 1 00:17:20 mailserver postfix/smtpd[1075]: connect from unknown[189.104.113.254]
Jun 1 00:17:21 mailserver saslauthd[28352]: zmauth: authenticating against elected url 'https://mailserver.mydomain.com:7071/service/admin/soap/' ...
Jun 1 00:17:21 mailserver saslauthd[28352]: zmpost: url='https://mailserver.mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="2393"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_4a602a3a97f 18a0a88915d014f8da93c32b48002_69643d33363a32313366 393536622d653039622d346437342d626531642d3233363037 366661386665383b6578703d31333a31333037303731303431 3336393b76763d313a313b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Jun 1 00:17:21 mailserver saslauthd[28352]: auth_zimbra: spamuser auth OK
Jun 1 00:17:21 mailserver postfix/smtpd[1075]: E737B778001: client=unknown[189.104.113.254], sasl_method=PLAIN, sasl_username=spamuser
mailbox.log
2011-06-01 00:17:21,327 INFO [btpool0-255://mailserver.mydomain.com:7071/service/admin/soap/] [ip=192.168.0.235;] soap - AuthRequest
audit.log
2011-06-01 00:17:21,369 INFO [btpool0-255://mailserver.mydomain.com:7071/service/admin/soap/] [name=spamuser@mydomain.com;ip=192.168.0.235;] security - cmd=Auth; account=spamuser@mydomain.com; protocol=soap;
Thanks,
Rodrigo
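
A detection check for the situation described in this post, added here as an example and not part of the original post: it correlates each SASL-authenticated smtpd line with the envelope sender logged for the same queue ID and reports senders whose domain is not hosted locally. The hosted-domain list, the `qmgr` lines and the second session in the sample are assumptions constructed for illustration; only the first smtpd line is taken from the log above.

```python
import re

# Hosted domains: an assumption for this example (the post shows only mydomain.com).
LOCAL_DOMAINS = {"mydomain.com"}

# Constructed sample. The first smtpd line is the one quoted in the post; the
# qmgr lines and the second session are constructed in standard Postfix format.
SAMPLE_LOG = """\
Jun 1 00:17:21 mailserver postfix/smtpd[1075]: E737B778001: client=unknown[189.104.113.254], sasl_method=PLAIN, sasl_username=spamuser
Jun 1 00:17:22 mailserver postfix/qmgr[2210]: E737B778001: from=<offers@example.net>, size=2048, nrcpt=50 (queue active)
Jun 1 00:20:03 mailserver postfix/smtpd[1101]: A1B2C3D4E5F: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jun 1 00:20:04 mailserver postfix/qmgr[2210]: A1B2C3D4E5F: from=<alice@mydomain.com>, size=900, nrcpt=1 (queue active)
"""

# Authenticated submission: queue ID, client IP, SASL login (short hex queue IDs).
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[]*\[(?P<ip>[^\]]+)\]"
    r".*sasl_username=(?P<user>[^,\s]+)")
# Envelope sender recorded by the queue manager for the same queue ID.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

def find_foreign_senders(log_text, local_domains=LOCAL_DOMAINS):
    """Return [(sasl_user, client_ip, sender)] for authenticated messages
    whose envelope sender domain is not in local_domains."""
    sessions = {}   # queue ID -> (sasl_username, client IP)
    findings = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            sessions[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in sessions:
            # pop() so later "queue active" retries of a deferred message
            # are not reported a second time.
            user, ip = sessions.pop(m["qid"])
            sender = m["sender"]
            # Skip the null sender (<>) and unqualified local names.
            if "@" in sender and sender.rpartition("@")[2].lower() not in local_domains:
                findings.append((user, ip, sender))
    return findings

if __name__ == "__main__":
    for user, ip, sender in find_foreign_senders(SAMPLE_LOG):
        print(f"login={user} client={ip} sent as {sender} (domain not hosted here)")
```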