Need help with tracking down compromised account(s)

[r3zon8]

couple accounts i have found are spamming and causing the barracudas to crawl..

i started by deleting the accounts but i still see one of those accounts sending mail out..? doesnt quite make sense to me.

what should be my next steps to identify and close those accounts that are spamming

[phoenix]

You haven't really given much information about the problem but you might want to start by looking at some of these threads: site:zimbra.com +"compromised account" - Yahoo! Search Results

[Yves Pires]

watch --interval=1 'tail -n1000 /var/log/auth.log | grep 'auth_zimbra:''

change pass of compromised account should stop spam, also make strong password rules.

[raj]

run the following as ROOT

tail -n 100000 /var/log/maillog | grep "sasl_username=" > smtpauthlogins.txt

see which sasl_username=xxxxxxxxxxxx is repeating a lot..that is the compromised account as spammers will log-in tons of times.

Raj

[r3zon8]

watch --interval=1 'tail -n1000 /var/log/auth.log | grep 'auth_zimbra:''

change pass of compromised account should stop spam, also make strong password rules.

i agree, i even went as far as deleting the acct and i still see spam being sent from that particular account.

[r3zon8]

run the following as ROOT


see which sasl_username=xxxxxxxxxxxx is repeating a lot..that is the compromised account as spammers will log-in tons of times.

Raj

my /var/log/maillog is empty

[r3zon8]

also, something common is that each account that seems to be spamming is using ZCO/Outlook for email.

ive had each of the offices scan the owners machine for malware/spyware and they are reporting all the machines are clean now.

[r3zon8]

excerpt form audit..

2011-07-14 17:23:23,405 INFO [btpool0-3723://localhost/service/soap/AuthRequest] [name=trbrown@mydomain.com;oip=41.220.69.33;ua=zcli ent/6.0.7_GA_2473.RHEL4;] security - cmd=Auth; account=trbrown@mydomain.com; protocol=soap;


seem to be connecting from Nigeria...

[phoenix]

i agree, i even went as far as deleting the acct and i still see spam being sent from that particular account.

A deleted account is completely removed from the server (including all email) so it can't be sending email from that account - it doesn't exist.

I guess you have strong password enforcement on your server (if you don't, you should)?

[r3zon8]

A deleted account is completely removed from the server (including and email) so it can't be sending email from that account - it doesn't exist.

makes sense...but how is it these accounts are still generating outgoing mail?

2011-07-16 07:56:09,359 INFO [btpool0-808://localhost/service/soap/SendMsgRequest] [name=jdolan@mydomain.com;mid=396;oip=74.115.0.36;u a=zclient/6.0.7_GA_2473.RHEL4;] mailop - adding contact llerarhynez@yahoo.com: id=22350, folderId=13, folderName=Emailed Contacts.

excerpt from mailbox.log. heres that account authenticating this morning over zclient. originating ip is an anonymous proxy. they spam from 8am to 5pm then stop.