
Thread: SPAM relay help, SASL auth'ing

#11 quanah (Zimbra Employee)

    My response was to edelvall, not you.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

#12 edelvall (Active Member)

    Quote Originally Posted by quanah View Post
    Your comment makes no sense. IMAP is used to check mail. There is no way to send mail via IMAP.

    --Quanah
Good morning,

To start, let me paste the content of my original support ticket:

    Problem:

    We have noticed lots of connections from external IPs:
    May 6 12:32:31 mail postfix/smtps/smtpd[24771]: 48A221D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe
    May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe

    They are sending email using this and other accounts causing us to be blocked on external blacklists and rendering our email system unusable.

Below is the source of one of those emails:
############################################################
    Return-Path: validuseraccount@mail.domain.tdl
    Received: from mail.domain.tdl (LHLO mail.domain.tdl) (w.x.y.z)
    by mail.fdrnet.edu with LMTP; Mon, 6 May 2013 12:31:22 -0500 (PET)
    Received: from localhost (localhost [127.0.0.1])
    by mail.domain.tdl (Postfix) with ESMTP id 2A0141D432DE
    for <anotheruser@mail.domain.tdl>; Mon, 6 May 2013 12:31:22 -0500 (PET)
    X-Spam-Flag: NO
    X-Spam-Score: -6.774
    X-Spam-Level:
    X-Spam-Status: No, score=-6.774 tagged_above=-10 required=4 tests=[AM.WBL=-10,
    ALL_TRUSTED=-1, BAYES_50=0.8, DATE_IN_PAST_96_XX=3.405,
    TVD_SPACE_RATIO=0.001, T_KHOP_NO_FULL_NAME=0.01,
    T_UNKNOWN_ORIGIN=0.01] autolearn=no
    Received: from mail.domain.tdl ([127.0.0.1])
    by localhost (mail.domain.tdl [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id 0q2bfv-kI5An for <anotheruser@mail.domain.tdl>;
    Mon, 6 May 2013 12:31:21 -0500 (PET)
    Received: from localhost (localhost [127.0.0.1])
    by mail.domain.tdl (Postfix) with ESMTP id CD6611D432E0
    for <anotheruser@mail.domain.tdl>; Mon, 6 May 2013 12:31:21 -0500 (PET)
    X-Virus-Scanned: amavisd-new at mail.domain.tdl
    Received: from mail.domain.tdl ([127.0.0.1])
    by localhost (mail.domain.tdl [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id 5vDpw-f050f5 for <anotheruser@mail.domain.tdl>;
    Mon, 6 May 2013 12:31:21 -0500 (PET)
    Received: from localhost (76.sub-174-241-96.myvzw.com [174.241.96.76])
    by mail.domain.tdl (Postfix) with ESMTPSA id 8E2C61D432DE
    for <anotheruser@mail.domain.tdl>; Mon, 6 May 2013 12:31:20 -0500 (PET)
    Date: Tue, 9 Apr 2013 17:28:32 +0100
    From: IMAP4rev1 ACL <validuseraccount@mail.domain.tdl>
    To: Patsy La Torre <anotheruser@mail.domain.tdl>
    Subject: FW:
    Content-Type: text/plain;
    Message-Id: <20130506173120.8E2C61D432DE@mail.domain.tdl>

    http://mkdesign.sakura.ne.jp/iarkva.php
############################################################

    Action:

    $ zmcontrol -v
    Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.

    We have disabled access to imap(s) from the outside using our firewall and that seems to have stopped them.
    Now that we are in the same context, let me focus on this line:

    From: IMAP4rev1 ACL <validuseraccount@mail.domain.tdl>
Connections were authenticated using that account; the password was changed, but they still had access to the account to send email.

    We closed IMAP access on the firewall and we noticed that it stopped. It only happened when IMAP was available.

These are facts, not judgements. Do you have an idea about why this is happening? In the comments you will find other people that are having similar issues. Help us gather proper data rather than telling me that "what I'm saying makes no sense". Give us hints on how to gather information that will help you and your experts narrow down the issue to a cause and be able to provide a solution.

This is happening not just to me, but to other people.

    Thank you.
    Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.
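
Added example, not part of the thread or of Zimbra: a script that walks the Received: chain of a message like the one quoted above to find the hop where it entered the server and how it got in. The sample headers are constructed after the post's, with documentation hostnames and addresses substituted, and the set of "our own" hosts and addresses is an assumption. It goes one step beyond the post: a forged bottom Received: line is included to show why only the hops written by our own relays are trusted.

```python
"""
Walk a message's Received: chain to find the hop where it entered our
mail system and how.  Postfix tags authenticated submissions with the
RFC 3848 "A" suffix (ESMTPA, ESMTPSA), so that hop shows the sender
logged in with a mailbox password over SMTP.  IMAP never shows up in a
Received: line, because IMAP cannot inject mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Hosts and addresses that belong to us (assumed values for this example).
OWN_HOSTS = {"mail.example.edu", "localhost"}
OWN_IPS = {"127.0.0.1", "192.0.2.10"}

# Constructed sample modelled on the headers quoted above, with hostnames
# and addresses replaced by documentation ones.  The bottom Received: line
# is a forged hop of the kind a spammer can append before submitting.
SAMPLE = """\
Return-Path: <validuser@mail.example.edu>
Received: from mail.example.edu (LHLO mail.example.edu) (192.0.2.10)
 by mail.example.edu with LMTP; Mon, 6 May 2013 12:31:22 -0500 (PET)
Received: from localhost (localhost [127.0.0.1])
 by mail.example.edu (Postfix) with ESMTP id 2A0141D432DE
 for <victim@mail.example.edu>; Mon, 6 May 2013 12:31:22 -0500 (PET)
Received: from mail.example.edu ([127.0.0.1])
 by localhost (mail.example.edu [127.0.0.1]) (amavisd-new, port 10032)
 with ESMTP id 0q2bfv-kI5An for <victim@mail.example.edu>;
 Mon, 6 May 2013 12:31:21 -0500 (PET)
Received: from localhost (76.sub-203-0-113.example.net [203.0.113.76])
 by mail.example.edu (Postfix) with ESMTPSA id 8E2C61D432DE
 for <victim@mail.example.edu>; Mon, 6 May 2013 12:31:20 -0500 (PET)
Received: from mx.forged.example (mx.forged.example [198.51.100.9])
 by mail.example.edu with SMTP; Tue, 9 Apr 2013 17:20:00 +0100
Date: Tue, 9 Apr 2013 17:28:32 +0100
From: IMAP4rev1 ACL <validuser@mail.example.edu>
To: Some User <victim@mail.example.edu>
Subject: FW:

http://example.invalid/spam.php
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Pull source IP, relaying host, protocol and timestamp out of one Received: header."""
    text = " ".join(value.split())                 # unfold continuation lines
    head, _, rest = text.partition(" by ")
    ip = IP_RE.search(head)
    by = re.match(r"(\S+)", rest)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", rest)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
    return {
        "from_ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "with": proto.group(1) if proto else "",
        "when": parsedate_to_datetime(stamp) if stamp else None,
    }


def find_ingress(raw_message):
    """Newest hop first: trust only lines our own relays wrote, and report the
    first of those whose source is not one of our addresses.  Anything below
    that hop was supplied by the sender and cannot be trusted."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for index, hop in enumerate(hops):
        if hop["by"] not in OWN_HOSTS:
            break                                   # not written by us: stop trusting
        if hop["from_ip"] not in OWN_IPS:
            sent = parsedate_to_datetime(msg["Date"])
            return {
                "client_ip": hop["from_ip"],
                "protocol": hop["with"],
                "authenticated": hop["with"].upper().endswith("A"),   # RFC 3848 suffix
                "received_at": hop["when"],
                "date_header_days_in_past": (hop["when"] - sent).days,
                "untrusted_hops_below": len(hops) - index - 1,
            }
    return None


def sender_display(raw_message):
    """The From: display name is free text chosen by whoever submitted the mail."""
    return parseaddr(message_from_string(raw_message)["From"])


if __name__ == "__main__":
    print(find_ingress(SAMPLE))
    print(sender_display(SAMPLE))
```

On the quoted message this lands on the ESMTPSA hop: an authenticated submission from the external client, with a Date: header weeks in the past (which is what amavisd's DATE_IN_PAST_96_XX score reacted to) and a From: display name that is nothing more than a string.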

#13 n4bbq (Senior Member)

    iptables could be a great asset to you my friend...

#14 quanah (Zimbra Employee)

1) A person can put *anything* in a "From" field. The fact that it says "IMAP4rev1" is meaningless. I could put "George Washington", "moon beam", or whatever else I wanted in that part of the From: header.

    2) "May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe" shows they are connected to Postfix. Postfix *only* supports port 25/587/465 (The SMTP/SMTPS/SUBMISSION ports). It has ZERO support for IMAP. It also *clearly* shows that they authenticated successfully to your Postfix service at some point. Most spammers I've seen use a *persistent* connection. I.e., all they have to do is auth once, and keep the connection open, sending many thousands of emails. The only way to close off that connection is to change the user's password and then restart postfix. If you have external AD Auth enabled AND you have local fallback enabled, changing the password in AD may have ZERO effect if the LOCAL fallback password is the same as the old password.

    Again, this has ZERO to do with IMAP. Whatever you did about the IMAP port was unrelated to their stopping of sending spam.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
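
Added example, not from the thread or from Zimbra: detection logic run over Postfix smtpd log lines in the format quoted in point 2 (a constructed excerpt with documentation addresses; the thresholds are assumed). It counts queue IDs per sasl_username and per client address, and flags sessions that authenticate once and keep sending on the same connection, which is the "auth once, keep the connection open" pattern described above.

```python
"""
Read Postfix smtpd log lines and pick out the account being used to relay
spam: messages per sasl_username, how many distinct client addresses used
it, and which authenticated sessions stay open and keep sending.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the format quoted in the thread (documentation addresses).
# Session 24771 authenticates once and keeps going; it never disconnects.
LOG = """\
May  6 12:32:30 mail postfix/smtps/smtpd[24771]: connect from 76.sub-203-0-113.example.net[203.0.113.76]
May  6 12:32:31 mail postfix/smtps/smtpd[24771]: 48A221D432CB: client=76.sub-203-0-113.example.net[203.0.113.76], sasl_method=LOGIN, sasl_username=srengiff@example.edu
May  6 12:32:33 mail postfix/smtps/smtpd[24771]: 51B001D432CB: client=76.sub-203-0-113.example.net[203.0.113.76], sasl_method=LOGIN, sasl_username=srengiff@example.edu
May  6 12:32:36 mail postfix/smtps/smtpd[24771]: 5C7A21D432CB: client=76.sub-203-0-113.example.net[203.0.113.76], sasl_method=LOGIN, sasl_username=srengiff@example.edu
May  6 12:32:38 mail postfix/smtps/smtpd[27584]: connect from pc9.example.org[198.51.100.9]
May  6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=pc9.example.org[198.51.100.9], sasl_method=LOGIN, sasl_username=srengiff@example.edu
May  6 12:32:40 mail postfix/smtps/smtpd[27584]: disconnect from pc9.example.org[198.51.100.9]
May  6 12:33:01 mail postfix/submission/smtpd[27590]: connect from laptop.example.edu[192.0.2.55]
May  6 12:33:02 mail postfix/submission/smtpd[27590]: 6A1F01D432CB: client=laptop.example.edu[192.0.2.55], sasl_method=PLAIN, sasl_username=alice@example.edu
May  6 12:33:03 mail postfix/submission/smtpd[27590]: disconnect from laptop.example.edu[192.0.2.55]
May  6 12:41:10 mail postfix/smtps/smtpd[24771]: 9D0E21D432CB: client=76.sub-203-0-113.example.net[203.0.113.76], sasl_method=LOGIN, sasl_username=srengiff@example.edu
"""

# smtps/, submission/ or plain smtpd: the listener name is optional in the tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\S+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^(?P<event>connect|disconnect) from \S*?\[(?P<ip>[^\]]+)\]")
AUTH_RE = re.compile(r"client=\S*?\[(?P<ip>[^\]]+)\].*\bsasl_username=(?P<user>\S+)")


def analyze(log_text, min_messages=4, min_clients=2, max_per_session=3):
    """Return per-user counts, the users worth locking, and sessions that look persistent."""
    users = defaultdict(lambda: {"messages": 0, "clients": set()})
    sessions, finished = {}, []          # pid -> open session; closed sessions
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
        pid, msg = m["pid"], m["msg"]
        c = CONN_RE.match(msg)
        if c:
            if c["event"] == "connect":
                sessions[pid] = {"pid": pid, "ip": c["ip"], "opened": ts, "last": ts,
                                 "messages": 0, "users": set(), "still_open": True}
            elif pid in sessions:
                s = sessions.pop(pid)
                s.update(last=ts, still_open=False)
                finished.append(s)
            continue
        a = AUTH_RE.search(msg)
        if a:                                   # one queue id accepted from an authenticated client
            users[a["user"]]["messages"] += 1
            users[a["user"]]["clients"].add(a["ip"])
            s = sessions.get(pid)
            if s:
                s["messages"] += 1
                s["users"].add(a["user"])
                s["last"] = ts
    finished.extend(sessions.values())      # whatever is still open at end of log
    report = {u: {"messages": d["messages"], "clients": sorted(d["clients"])}
              for u, d in users.items()}
    suspects = sorted(u for u, d in report.items()
                      if d["messages"] >= min_messages or len(d["clients"]) >= min_clients)
    persistent = [
        {"pid": s["pid"], "ip": s["ip"], "messages": s["messages"],
         "users": sorted(s["users"]), "still_open": s["still_open"],
         "seconds": int((s["last"] - s["opened"]).total_seconds())}
        for s in finished if s["messages"] >= max_per_session or s["still_open"]]
    return {"users": report, "suspects": suspects, "persistent_sessions": persistent}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(LOG), indent=2))
```

On a Zimbra host the input is the smtpd portion of /var/log/zimbra.log (the connect/disconnect lines are needed as well as the sasl_username ones). Sessions are keyed on the smtpd pid between its connect and disconnect, which is how a long-lived authenticated connection shows up: many queue IDs under one pid and no disconnect. A flagged account needs its password changed and then the open session dropped by stopping and starting Postfix, as the post says; a password change alone does not close it.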

#15 edelvall (Active Member)

    Quote Originally Posted by quanah View Post
1) A person can put *anything* in a "From" field. The fact that it says "IMAP4rev1" is meaningless. I could put "George Washington", "moon beam", or whatever else I wanted in that part of the From: header.

    2) "May 6 12:32:38 mail postfix/smtps/smtpd[27584]: E5B791D432CB: client=76.sub-174-241-96.myvzw.com[174.241.96.76], sasl_method=LOGIN, sasl_username=srengiff@amersol.edu.pe" shows they are connected to Postfix. Postfix *only* supports port 25/587/465 (The SMTP/SMTPS/SUBMISSION ports). It has ZERO support for IMAP. It also *clearly* shows that they authenticated successfully to your Postfix service at some point. Most spammers I've seen use a *persistent* connection. I.e., all they have to do is auth once, and keep the connection open, sending many thousands of emails. The only way to close off that connection is to change the user's password and then restart postfix. If you have external AD Auth enabled AND you have local fallback enabled, changing the password in AD may have ZERO effect if the LOCAL fallback password is the same as the old password.

    Again, this has ZERO to do with IMAP. Whatever you did about the IMAP port was unrelated to their stopping of sending spam.
    Yes, agreed that the FROM field is easy to forge.

If point 2 is so "obvious", why did the support person who replied to my ticket say to tweak the "AV Score" so that less spam comes in? I totally follow you on the Postfix path and concur.

A few questions arise:
First: what is the "LOCAL fallback password", and where is it set up? These are AD accounts; do they still have a password inside Zimbra?
Second: will "postfix reload" kill the sessions, or does it need to be "postfix restart", or even a "zmcontrol restart"?
Third: is there a way to limit the amount of email per second that an account can send? (cbpolicyd, I guess?)
Fourth: why in the world was I not lucky enough to get you to help me with my ticket at the beginning!! LOL

    Thanks,
    Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.

#16 quanah (Zimbra Employee)

    Quote Originally Posted by edelvall View Post
    Yes, agreed that the FROM field is easy to forge.

If point 2 is so "obvious", why did the support person who replied to my ticket say to tweak the "AV Score" so that less spam comes in? I totally follow you on the Postfix path and concur.

A few questions arise:
First: what is the "LOCAL fallback password", and where is it set up? These are AD accounts; do they still have a password inside Zimbra?
Second: will "postfix reload" kill the sessions, or does it need to be "postfix restart", or even a "zmcontrol restart"?
Third: is there a way to limit the amount of email per second that an account can send? (cbpolicyd, I guess?)
Fourth: why in the world was I not lucky enough to get you to help me with my ticket at the beginning!! LOL

    Thanks,
1) It can fall back to the OpenLDAP instance that ships with Zimbra, particularly if the user ever tried to "change" their password via the Zimbra interface:
    LDAP Authentication - Zimbra :: Wiki

    2) For postfix, I would personally do "postfix stop" followed by "postfix start" to ensure it is stopped/started.

    3) Yes, it should be possible to configure via cbpolicyd.

    4) I am not a member of the support team. I'm one of the lead engineers.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
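
Added example, not from the thread or from Zimbra: a check for the local fallback password described in point 1. It reads LDIF of the shape an ldapsearch against Zimbra's own LDAP returns (the entries and hashes are constructed; the attribute names zimbraAuthMech, zimbraAuthFallbackToLocal, zimbraMailDeliveryAddress and userPassword are real Zimbra attributes, and treating a missing zimbraAuthFallbackToLocal as FALSE is an assumption) and lists the accounts in an externally authenticated domain that still hold a local userPassword.

```python
"""
List accounts that can still log in with an old password after an AD
password change: the domain authenticates against AD with
zimbraAuthFallbackToLocal=TRUE, and the account carries a local
userPassword in Zimbra's OpenLDAP (left behind, for instance, by a
password change made through the Zimbra UI).
"""
import base64

# Constructed LDIF in the shape an ldapsearch against Zimbra's LDAP returns.
# Attribute names are real Zimbra ones; the entries and hashes are made up.
LDIF = """\
dn: dc=edu,dc=example
objectClass: zimbraDomain
zimbraDomainName: example.edu
zimbraAuthMech: ad
zimbraAuthFallbackToLocal: TRUE

dn: dc=example,dc=other
objectClass: zimbraDomain
zimbraDomainName: other.example
zimbraAuthMech: ad
zimbraAuthFallbackToLocal: FALSE

dn: uid=srengiff,ou=people,dc=edu,dc=example
objectClass: zimbraAccount
zimbraMailDeliveryAddress: srengiff@example.edu
userPassword:: e1NTSEF9ZmFrZWhhc2hmb3J0aGlzZXhhbXBsZQ==

dn: uid=alice,ou=people,dc=edu,dc=example
objectClass: zimbraAccount
zimbraMailDeliveryAddress: alice@example.edu

dn: uid=bob,ou=people,dc=example,dc=other
objectClass: zimbraAccount
zimbraMailDeliveryAddress: bob@other.example
userPassword: {SSHA}fakehashforthisexample
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries, entry, last = [], None, None
    for line in text.splitlines():
        if not line.strip():                       # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = None, None
            continue
        if line.startswith(" ") and last:          # folded continuation line
            entry[last][-1] += line[1:]
            continue
        if entry is None:
            entry = {}
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    if entry:
        entries.append(entry)
    return entries


def stale_local_passwords(ldif_text):
    """Accounts whose domain falls back to local auth and which hold a local userPassword."""
    entries = parse_ldif(ldif_text)
    domains = {e["zimbraDomainName"][0]: e
               for e in entries if "zimbraDomain" in e.get("objectClass", [])}
    hits = []
    for e in entries:
        if "zimbraAccount" not in e.get("objectClass", []):
            continue
        mail = e["zimbraMailDeliveryAddress"][0]
        dom = domains.get(mail.split("@", 1)[1])
        if not dom:
            continue
        external = dom.get("zimbraAuthMech", ["zimbra"])[0] != "zimbra"
        # Assumed default when the attribute is absent: no fallback.
        fallback = dom.get("zimbraAuthFallbackToLocal", ["FALSE"])[0].upper() == "TRUE"
        if external and fallback and e.get("userPassword"):
            hits.append(mail)
    return sorted(hits)


if __name__ == "__main__":
    for account in stale_local_passwords(LDIF):
        print("local password still present:", account)
```

An account on that list can keep authenticating to Postfix with its old local password after the AD password was changed. Either set the local password to the new one as well (`zmprov sp user@domain newpassword`) or turn the fallback off on the domain (`zmprov md example.edu zimbraAuthFallbackToLocal FALSE`), and in both cases stop and start Postfix afterwards so an already-open session is dropped.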
