
Thread: SPAM relay help, SASL auth'ing

  1. #1 wdingus (Member)

    SPAM relay help, SASL auth'ing

    It's happening right now, to my account, and so far we've not been able to stop it. We've restarted Zimbra, changed passwords, etc...

    /var/log/zimbra.log
    Sep 26 18:53:20 mail postfix/smtpd[20893]: connect from unknown[116.193.158.138]
    Sep 26 18:53:21 mail postfix/smtpd[11197]: 18E3E40BE420: client=60-249-165-131.HINET-IP.hinet.net[60.249.165.131], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 18:53:21 mail postfix/cleanup[11201]: 18E3E40BE420: message-id=<OUTLOOK-IDM-80b74662-f4a0-a9ec-afee-d89553defab1@trml-1>

    Active Directory authentication, Zimbra zcs-NETWORK-7.1.1_GA_3196.RHEL5_64.20110527001604, CentOS 5.8 x86_64.

    Suggestions? What should we look for? They're connecting in and apparently auth'ing as me and then sending out tons of SPAM. I'm getting tons of bounce messages back. We've not been blacklisted anywhere yet but I figure that's next. We've confirmed from some of the headers in the bounced emails that the spam is originating here, not some other open relay with my address as the from:

    Thanks.

    PS. OS was not fully updated, "yum update" is upgrading cyrus-sasl from 2.1.22-5 to 2.1.22-7 now. Not sure if related or not...

  2. #2 wdingus (Member)

    CentOS is fully updated now and the server rebooted for good measure. My password has been changed to a complex one I've never used a variant of anywhere. I don't log in from any Windows PCs so I'm moderately confident I'm not being keylogged or anything of that sort... When I do log in to the Zimbra webmail interface this type of sasl_username message does not appear in the logs. Neither when I send an email. So I'm not sure what is even causing these log entries, what type of access to the server. Other than something to relay SPAMs that is...

    Overnight last night:

    Sep 26 19:59:36 mail postfix/smtpd[18505]: B64B040BE420: client=host162-160-static.89-94-b.business.telecomitalia.it[94.89.160.162], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:04:26 mail postfix/smtpd[21688]: 05BEC40BE420: client=host162-160-static.89-94-b.business.telecomitalia.it[94.89.160.162], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:23:05 mail postfix/smtpd[755]: 1838940BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:27:57 mail postfix/smtpd[3667]: 1293540BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 20:41:23 mail postfix/smtpd[12386]: 36CD940BE423: client=net-93-67-62-69.cust.dsl.vodafone.it[93.67.62.69], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 21:05:50 mail postfix/smtpd[27459]: 7D77840BE422: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 21:41:01 mail postfix/smtpd[17331]: 1FBEE40BE422: client=196.Red-79-148-114.staticIP.rima-tde.net[79.148.114.196], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 21:46:55 mail postfix/smtpd[20821]: 947F740BE424: client=196.Red-79-148-114.staticIP.rima-tde.net[79.148.114.196], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 22:31:22 mail postfix/smtpd[16253]: 09B9040BE422: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 26 22:34:02 mail postfix/smtpd[17857]: CCE4340BE424: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
    Sep 27 03:30:11 mail postfix/smtpd[10492]: F0F6340BE422: client=203-59-129-176.perm.iinet.net.au[203.59.129.176], sasl_method=LOGIN, sasl_username=myusername@mydomain.com

    Firewall is configured to allow only the following access to the mail server:

    PORT STATE SERVICE
    25/tcp open smtp
    80/tcp open http
    443/tcp open https
    465/tcp open smtps
    993/tcp open imaps

  3. #3 wdingus (Member)

    Well after some checking we at least now know that log entries like this result from "auth before smtp". Employees using Apple mail.app and/or Thunderbird are producing the same types of entries. Outlook/ZCO and/or webmail users do not.

    With a fair amount of confidence, these connections are not supplying my current active directory password. So what is happening? It would seem that they've discovered a way to bypass and/or spoof that authentication. Thoughts? Has nobody dealt with anything like this before?
    Last edited by wdingus; 09-27-2012 at 06:11 AM. Reason: misspelling

  4. #4 n.bochev (Active Member)

    Quote Originally Posted by wdingus:
    Well after some checking we at least now know that log entries like this result from "auth before smtp". Employees using Apple mail.app and/or Thunderbird are producing the same types of entries. Outlook/ZCO and/or webmail users do not.

    With a fair amount of confidence, these connections are not supplying my current active directory password. So what is happening? It would seem that they've discovered a way to bypass and/or spoof that authentication. Thoughts? Has nobody dealt with anything like this before?
    I am having 3 cases in 1 week where people got their accounts compromised, all on Zimbra servers (3 different ones), thus producing a lot of spam. Clients seemed to authenticate also.

  5. #5 gbos (Junior Member)

    Resolution to this?

    We're seeing something which MAY be the same symptoms. Was there ever a resolution or a fix/workaround? Thanks!
    Gerrit Bos
    CCS, U. of Guelph
    Ontario, Canada

  6. #6 edelvall (Active Member)

    Hi,
    We had this issue too with our NETWORK-7.1.4_GA_2555.UBUNTU10_64 (cs-patch-7.1.4_GA_2568) installation.
    Before calling support we decided to update to NETWORK-7.2.1_GA_2790.UBUNTU10_64 because of the security updates, updated java/tomcat etc...
    Spammers were still able to INJECT email and send it through our system (200,000 messages). This pushed us to make an UPGRADE to NETWORK-8.0.0_GA_5434.UBUNTU10_64 because it was a recommended update due to security updates (BTW, I was not able to find a list of those updates anywhere). We also decided to close (temporarily) any kind of access to our server other than the web mail interface.

    After this, the problem stopped. We had no need to open a ticket with support and we have been monitoring our system closely to see if the issue appears again.

    About the v8, we got a lot of complaints about the new interface and some missing features but that's something else. I expected that version NETWORK-7.2.1_GA_2790.UBUNTU10_64 solved these issues but it seems that it did not.

    I only found two issues that may have caused this; one is an XSS and the other is a Java security issue.

    We are expecting 8.1 or something to fix other issues.

    Hope this helps.

    Eduardo
    Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.

  7. #7 wdingus (Member)

    [root@mail log]# grep -i MYNAME mailbox.log | grep ip= | grep -v '204.My.Net\|127.0.0.1' | grep authenticated
    2013-05-03 17:00:44,848 INFO [ImapSSLServer-1223] [name=MYNAME@MYDOMAIN.com;ip=206.74.82.86;] imap - user MYNAME@MYDOMAIN.com authenticated, mechanism=LOGIN [TLS]

    That IP is somewhere in South Carolina. It's not me, I have no connection with anything or anyone on that network.

    Three minutes later I received the first of a dozen or so bounced emails. These were to addresses in my address book which are no longer valid but I just hadn't removed yet. This is on Zimbra NE 7.2.3 with AD integration. They don't have my password, it's not used anywhere else. My computer doesn't run a Windows OS, nobody keylogged it. This looks very much like some form of security flaw in Zimbra IMO. Suggestions?
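
    The two log formats quoted in this thread (the postfix/smtpd sasl_username lines in posts #1 and #2, and the mailbox.log IMAP "authenticated" line above) can be swept with one small script that lists, per account, every login source outside the site's own networks. This is an added example, not code from the thread or from Zimbra; the sample lines are constructed from the formats shown here, and 203.0.113.0/24 stands in for the poster's own "204.My.Net" range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the thread:
# postfix/smtpd SASL logins (zimbra.log) and IMAP logins (mailbox.log).
# 203.0.113.0/24 is a stand-in for the site's own "204.My.Net" range.
SAMPLE_LOG = """\
Sep 26 18:53:21 mail postfix/smtpd[11197]: 18E3E40BE420: client=60-249-165-131.HINET-IP.hinet.net[60.249.165.131], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 20:23:05 mail postfix/smtpd[755]: 1838940BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 20:41:23 mail postfix/smtpd[12386]: 36CD940BE423: client=office.mydomain.com[203.0.113.10], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
2013-05-03 17:00:44,848 INFO [ImapSSLServer-1223] [name=MYNAME@MYDOMAIN.com;ip=206.74.82.86;] imap - user MYNAME@MYDOMAIN.com authenticated, mechanism=LOGIN [TLS]
2013-05-03 17:02:10,001 INFO [ImapSSLServer-1224] [name=MYNAME@MYDOMAIN.com;ip=127.0.0.1;] imap - user MYNAME@MYDOMAIN.com authenticated, mechanism=LOGIN [TLS]
"""

SMTP_RE = re.compile(r"postfix/smtpd\[\d+\]: \w+: client=\S+\[([\d.]+)\], "
                     r"sasl_method=\w+, sasl_username=(\S+)")
IMAP_RE = re.compile(r"\[name=([^;]+);ip=([\d.]+);\] imap - user \S+ authenticated")

# Networks from which logins are expected (assumed values, adjust per site).
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "203.0.113.0/24")]


def parse_auth_events(text):
    """Return (service, user, ip) for every successful SMTP-SASL or IMAP login."""
    events = []
    for line in text.splitlines():
        m = SMTP_RE.search(line)
        if m:
            events.append(("smtp", m.group(2).lower(), m.group(1)))
            continue
        m = IMAP_RE.search(line)
        if m:
            events.append(("imap", m.group(1).lower(), m.group(2)))
    return events


def external_ips_by_user(events, trusted=TRUSTED):
    """Map each account to the set of login source IPs outside the trusted networks."""
    seen = defaultdict(set)
    for _service, user, ip in events:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            seen[user].add(ip)
    return dict(seen)


def suspicious_accounts(events, min_distinct=2, trusted=TRUSTED):
    """Accounts that logged in from at least min_distinct distinct external IPs."""
    per_user = external_ips_by_user(events, trusted)
    return sorted(u for u, ips in per_user.items() if len(ips) >= min_distinct)


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for user, ips in external_ips_by_user(evs).items():
        print(user, sorted(ips))
    print("review:", suspicious_accounts(evs))
```

    Feed it the real files (cat /var/log/zimbra.log /opt/zimbra/log/mailbox.log | python3 script.py after swapping SAMPLE_LOG for sys.stdin.read()) and any account that shows several unrelated external sources in a short window is the one whose credentials are being replayed, whichever protocol was used.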

  8. #8 edelvall (Active Member)

    Quote Originally Posted by wdingus:
    [root@mail log]# grep -i MYNAME mailbox.log | grep ip= | grep -v '204.My.Net\|127.0.0.1' | grep authenticated
    2013-05-03 17:00:44,848 INFO [ImapSSLServer-1223] [name=MYNAME@MYDOMAIN.com;ip=206.74.82.86;] imap - user MYNAME@MYDOMAIN.com authenticated, mechanism=LOGIN [TLS]

    That IP is somewhere in South Carolina. It's not me, I have no connection with anything or anyone and that network.

    Three minutes later I received the first of a dozen or so bounced emails. Which were to addresses in my address book which are no longer valid but I just hadn't removed yet. This is on Zimbra NE 7.2.3 with AD integration. They don't have my password, it's not used anywhere else. My computer doesn't run a Windows OS, nobody keylogged it. This looks very much like some form of security flaw in Zimbra IMO. Suggestions?
    We have the same scenario here, Zimbra + AD. The only solution we found to stop this was to close external IMAP access. I opened a ticket but got absurd responses from the person assigned to the case. I believe it is wrong. Everything points to the IMAP proxy, probably related to NGINX issues that have been active lately. We have no problems using the Exchange connections.
    Release 8.0.3.GA.5664.UBUNTU10.64 UBUNTU10_64 NETWORK edition.

  9. #9 quanah (Zimbra Employee)

    Your comment makes no sense. IMAP is used to check mail. There is no way to send mail via IMAP.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  10. #10 wdingus (Member)

    Quote Originally Posted by quanah:
    Your comment makes no sense. IMAP is used to check mail. There is no way to send mail via IMAP.
    My initial complaint was about someone logging into my account and reading my email. They harvested addresses they could spam, pretending to be me. I can't do much about people sending fake mail as me... What is most concerning is their apparent ability to login to our mail accounts, bypassing passwords and security mechanisms.

    If they got in via IMAP, via some security hole specifically in it, and other connection methods are safe, we'll block that externally as well. Thanks.
