Successful hacking attempts on Zimbra mailboxes (webmail)
For a couple of months, we have been suffering from accounts being hacked by spambots that send lots of spam (which in some cases causes our outgoing SMTP server to be blacklisted).
To my understanding, this is what happens:
• Spambots try to log on to the Zimbra webmail interface. It seems sometimes they succeed, even when some users have complex random passwords with special characters (&,#!,…).
• Once logged on, they start to send batch mails to a lot of e-mail addresses at once. Most of the time, e-mail addresses on yahoo.com, Verizon.net and Comcast.net are targeted.
• What we’ve just found out is that the spambot also configures a forwarding of all further incoming e-mail to another address (in this case: firstname.lastname@example.org) without leaving a copy in the actual mailbox. They do so to make sure the user won’t be suspicious about the returning non-deliverable messages. Of course, this also causes the user not to receive valid e-mail in his/her mailbox anymore. Also, there are no traces of spam in sent items in the user’s mailbox.
The first hacked accounts we’ve encountered still had the sent spam mails in their place and the non-deliverables in the inbox. They are getting smarter and smarter.
• When logging on to the admin web interface, the last logon date doesn’t correspond to the date the incident happened. For some reason, the last logon date is not updated when the spambots do their job.
• We could trace this because our Zimbra servers are using a smart host for all outgoing e-mail (which was used to send the spam) and a couple of separate MX anti-virus/spam servers to handle all incoming e-mail (which received the non-deliverables) routed to the Zimbra servers.
• Unfortunately, I can’t find out the source of the spambots. What IP address did they use to log on to the web interface? I couldn’t find those details in the Zimbra log files. Is there a specific location where webmail logons (and failed attempts) are logged to? I am aware there’s a setting that causes accounts to be locked after x failed logon attempts within x minutes. But this will really cause some frustrations for our users and helpdesk.
• We’re currently using Zimbra ZCS 6.0.7 but are planning to upgrade to 7.1.0 in August. Is there a better protection in ZCS 7 against accounts being hacked?
• Of course, we would like to know if there is some advice to prevent such successful hacking attempts in the future.
Thanks in advance
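
A check for the forwarding behaviour described in the post, as an added example that is not part of the original post: it scans account attributes in the layout printed by `zmprov -l gaa -v` and flags accounts that forward to an outside domain, rating those with local delivery disabled highest. The sample accounts and the `corp.example` domain are constructed, and the function names and severity labels are this example's own.

```python
# Constructed sample, laid out like the output of `zmprov -l gaa -v`
# (a "# name <account>" header followed by "attribute: value" lines).
SAMPLE = """\
# name alice@corp.example
zimbraAccountStatus: active
zimbraPrefMailForwardingAddress: drop@elsewhere.example
zimbraPrefMailLocalDeliveryDisabled: TRUE

# name bob@corp.example
zimbraPrefMailForwardingAddress: bob@partner.example
zimbraPrefMailLocalDeliveryDisabled: FALSE

# name carol@corp.example
zimbraMailForwardingAddress: carol-archive@corp.example

# name dave@corp.example
zimbraAccountStatus: active
"""

# User-set forward (webmail preferences) and admin-set forward.
FORWARD_ATTRS = ("zimbraPrefMailForwardingAddress", "zimbraMailForwardingAddress")

def parse_accounts(text):
    """Return {account: {attribute: [values]}} from zmprov-style output."""
    accounts, current = {}, None
    for line in text.splitlines():
        if line.startswith("# name "):
            current = accounts.setdefault(line[len("# name "):].strip(), {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current.setdefault(key, []).append(value.strip())
    return accounts

def audit_forwarding(text, local_domains):
    """List (account, severity, external_targets) for outside forwards."""
    findings = []
    for account, attrs in parse_accounts(text).items():
        targets = [addr.strip().lower() for attr in FORWARD_ATTRS
                   for value in attrs.get(attr, [])
                   for addr in value.split(",") if addr.strip()]
        external = sorted(t for t in targets
                          if t.rpartition("@")[2] not in local_domains)
        if not external:
            continue
        # Forward with no local copy is the pattern reported in the post.
        flag = attrs.get("zimbraPrefMailLocalDeliveryDisabled", ["FALSE"])[0]
        findings.append((account, "HIGH" if flag.upper() == "TRUE" else "REVIEW", external))
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE, {"corp.example"}):
        print(finding)
```

On a live server the same function can be fed the captured output of `zmprov -l gaa -v` instead of `SAMPLE`, with `local_domains` set to the domains the server hosts.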