Thread: Need help with tracking down compromised account(s)

  1. #1 r3zon8 (Intermediate Member, joined Jan 2011)

    A couple of accounts I have found are spamming and causing the Barracudas to crawl.

    I started by deleting the accounts, but I still see one of those accounts sending mail out? It doesn't quite make sense to me.

    What should my next steps be to identify and close the accounts that are spamming?

  2. #2 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    You haven't really given much information about the problem, but you might want to start by looking at some of these threads: site:zimbra.com +"compromised account" (Yahoo! Search Results)

    Regards

    Bill

  3. #3 Yves Pires (Senior Member, joined Jun 2011)

    watch --interval=1 'tail -n1000 /var/log/auth.log | grep "auth_zimbra:"'

    Changing the password of the compromised account should stop the spam; also make strong password rules.

  4. #4 raj (Moderator, USA, Canada and India)

    Run the following as root:
    tail -n 100000 /var/log/maillog | grep "sasl_username=" > smtpauthlogins.txt
    See which sasl_username=xxxxxxxxxxxx is repeating a lot; that is the compromised account, as spammers will log in tons of times.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  5. #5 r3zon8 (Intermediate Member)

    Quote Originally Posted by Yves Pires View Post
    watch --interval=1 'tail -n1000 /var/log/auth.log | grep "auth_zimbra:"'

    Changing the password of the compromised account should stop the spam; also make strong password rules.
    I agree; I even went as far as deleting the account, and I still see spam being sent from that particular account.

  6. #6 r3zon8 (Intermediate Member)

    Quote Originally Posted by raj View Post
    Run the following as root:

    See which sasl_username=xxxxxxxxxxxx is repeating a lot; that is the compromised account, as spammers will log in tons of times.

    Raj

    My /var/log/maillog is empty.

  7. #7 r3zon8 (Intermediate Member)

    Also, something common is that each account that seems to be spamming is using ZCO/Outlook for email.

    I've had each of the offices scan the owner's machine for malware/spyware, and they are reporting all the machines are clean now.

  8. #8 r3zon8 (Intermediate Member)

    Excerpt from the audit log:

    2011-07-14 17:23:23,405 INFO [btpool0-3723://localhost/service/soap/AuthRequest] [name=trbrown@mydomain.com;oip=41.220.69.33;ua=zclient/6.0.7_GA_2473.RHEL4;] security - cmd=Auth; account=trbrown@mydomain.com; protocol=soap;

    They seem to be connecting from Nigeria...

  9. #9 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by r3zon8 View Post
    I agree; I even went as far as deleting the account, and I still see spam being sent from that particular account.
    A deleted account is completely removed from the server (including all email), so it can't be sending email from that account; it doesn't exist.

    I guess you have strong password enforcement on your server (if you don't, you should)?
    (Last edited by phoenix, 07-16-2011 at 10:50 PM.)

    Regards

    Bill

  10. #10 r3zon8 (Intermediate Member)

    Quote Originally Posted by phoenix View Post
    A deleted account is completely removed from the server (including all email), so it can't be sending email from that account; it doesn't exist.
    Makes sense... but how is it that these accounts are still generating outgoing mail?

    2011-07-16 07:56:09,359 INFO [btpool0-808://localhost/service/soap/SendMsgRequest] [name=jdolan@mydomain.com;mid=396;oip=74.115.0.36;ua=zclient/6.0.7_GA_2473.RHEL4;] mailop - adding contact llerarhynez@yahoo.com: id=22350, folderId=13, folderName=Emailed Contacts.

    Excerpt from mailbox.log. Here's that account authenticating this morning over zclient. The originating IP is an anonymous proxy. They spam from 8am to 5pm, then stop.
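The two log-reading approaches in this thread, the sasl_username count over Postfix's maillog from post #4 and the mailbox.log audit entries (cmd=Auth and SendMsgRequest lines carrying name= and oip=) quoted in posts #8 and #10, can be combined into one triage script. What follows is an added example, not code from the thread or from Zimbra. The log lines embedded in it are constructed to match the formats quoted above; the accounts, IP addresses, message IDs and file paths in the comments are hypothetical. It reports SOAP Auth requests per account, distinct source IPs per account, SendMsgRequest volume per (account, source IP) pair, and, for the SMTP AUTH case, logins per sasl_username. An account that tops all lists from a single unexpected IP is the one being driven remotely, even when every user PC has already been scanned.

```sh
#!/bin/sh
# Added example (not from the thread): triage Zimbra mailbox.log audit lines
# and Postfix sasl_username entries for a remotely driven account.
# All sample log lines below are CONSTRUCTED for this example; accounts,
# IPs and IDs are hypothetical.  Against a real server you would feed the
# functions with something like (paths assumed, adjust to your install):
#   cat /opt/zimbra/log/mailbox.log | auth_counts
#   cat /var/log/maillog            | sasl_counts

SAMPLE_LOG='2011-07-16 07:50:01,100 INFO [btpool0-801://localhost/service/soap/AuthRequest] [name=jdolan@mydomain.com;oip=74.115.0.36;ua=zclient/6.0.7_GA_2473.RHEL4;] security - cmd=Auth; account=jdolan@mydomain.com; protocol=soap;
2011-07-16 07:52:11,221 INFO [btpool0-803://localhost/service/soap/AuthRequest] [name=jdolan@mydomain.com;oip=74.115.0.36;ua=zclient/6.0.7_GA_2473.RHEL4;] security - cmd=Auth; account=jdolan@mydomain.com; protocol=soap;
2011-07-16 07:56:09,359 INFO [btpool0-808://localhost/service/soap/SendMsgRequest] [name=jdolan@mydomain.com;mid=396;oip=74.115.0.36;ua=zclient/6.0.7_GA_2473.RHEL4;] mailop - adding contact a1@example.com: id=22350, folderId=13, folderName=Emailed Contacts.
2011-07-16 07:56:12,402 INFO [btpool0-808://localhost/service/soap/SendMsgRequest] [name=jdolan@mydomain.com;mid=397;oip=74.115.0.36;ua=zclient/6.0.7_GA_2473.RHEL4;] mailop - adding contact a2@example.com: id=22351, folderId=13, folderName=Emailed Contacts.
2011-07-16 08:30:44,010 INFO [btpool0-812://localhost/service/soap/AuthRequest] [name=jdolan@mydomain.com;oip=41.220.69.33;ua=zclient/6.0.7_GA_2473.RHEL4;] security - cmd=Auth; account=jdolan@mydomain.com; protocol=soap;
2011-07-16 08:31:02,555 INFO [btpool0-812://localhost/service/soap/SendMsgRequest] [name=jdolan@mydomain.com;mid=398;oip=41.220.69.33;ua=zclient/6.0.7_GA_2473.RHEL4;] mailop - adding contact a3@example.com: id=22352, folderId=13, folderName=Emailed Contacts.
2011-07-16 09:05:00,000 INFO [btpool0-820://localhost/service/soap/AuthRequest] [name=alice@mydomain.com;oip=192.0.2.10;ua=ZimbraWebClient - FF3.0 (Win)/6.0.7_GA_2473.RHEL4;] security - cmd=Auth; account=alice@mydomain.com; protocol=soap;
2011-07-16 09:06:30,000 INFO [btpool0-820://localhost/service/soap/SendMsgRequest] [name=alice@mydomain.com;mid=12;oip=192.0.2.10;ua=ZimbraWebClient - FF3.0 (Win)/6.0.7_GA_2473.RHEL4;] mailop - adding contact bob@example.com: id=900, folderId=13, folderName=Emailed Contacts.'

MAILLOG_SAMPLE='Jul 16 07:40:01 zimbra postfix/smtpd[1234]: 1A2B3C: client=unknown[74.115.0.36], sasl_method=LOGIN, sasl_username=jdolan@mydomain.com
Jul 16 07:41:12 zimbra postfix/smtpd[1234]: 1A2B3D: client=unknown[74.115.0.36], sasl_method=LOGIN, sasl_username=jdolan@mydomain.com
Jul 16 08:10:05 zimbra postfix/smtpd[1240]: 1A2B3E: client=host.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@mydomain.com'

# stdin: mailbox.log lines.  stdout: "<SoapRequest> <account> <oip>" for every
# line that carries both a [name=...] and an oip=... field.
parse_audit() {
  sed -n 's|.*/service/soap/\([A-Za-z]*\)] \[name=\([^;]*\);.*oip=\([^;]*\);.*|\1 \2 \3|p'
}

# SOAP Auth requests per account, most frequent first.
auth_counts() {
  parse_audit | awk '$1=="AuthRequest"{c[$2]++} END{for(a in c) print c[a], a}' | sort -rn
}

# Number of distinct source IPs per account across all request types.
# A mailbox that normally comes from one office IP suddenly showing two or
# more is the signal worth chasing.
distinct_ips() {
  parse_audit | awk '{k=$2 SUBSEP $3} !(k in seen){seen[k]=1; n[$2]++} END{for(a in n) print n[a], a}' | sort -rn
}

# SendMsgRequest volume per (account, source IP): the actual spam run.
sends_by_ip() {
  parse_audit | awk '$1=="SendMsgRequest"{c[$2" "$3]++} END{for(k in c) print c[k], k}' | sort -rn
}

# Postfix variant (post #4): SMTP AUTH logins per sasl_username.
sasl_counts() {
  sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' | awk '{c[$1]++} END{for(u in c) print c[u], u}' | sort -rn
}

echo "== SOAP Auth requests per account =="
printf '%s\n' "$SAMPLE_LOG" | auth_counts
echo "== distinct source IPs per account =="
printf '%s\n' "$SAMPLE_LOG" | distinct_ips
echo "== SendMsgRequest per account and source IP =="
printf '%s\n' "$SAMPLE_LOG" | sends_by_ip
echo "== SMTP AUTH logins per sasl_username (maillog) =="
printf '%s\n' "$MAILLOG_SAMPLE" | sasl_counts
```

The parser keys on the `[name=...;...oip=...;]` block that every mailbox.log audit line in the thread carries, so it also covers requests other than Auth and SendMsgRequest. Once an account is identified, changing its password and re-running the script to confirm the foreign oip stops appearing is a stronger check than deleting the mailbox, which also destroys the evidence.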
