Zimbra hacked =(
Hi there, we have been hacked. I wonder if anyone could help get to the bottom of it. Mails have been sent out from addresses that do not exist within Zimbra (ra@ourdomain, co@ourdomain, de@ourdomain, ki@ourdomain, lu@ourdomain, by@ourdomain, cy@ourdomain). I have no idea how they have been sent. The only reason I knew there was a problem at first was that a number of users reported they had bounce messages for things they had not sent. It turns out they were members of a list (NUT@ourdomain). The server has had its network cable unplugged, but I can still see things being added to the queue.
Can I make it so Zimbra will only send mail when a user has authenticated and has a valid address? What is the best way to diagnose if there is a virus or if there is an account
Using IMAP over SSL. Can a user send mail without authenticating?
I have looked through log file after log file but am lost as to making anything tally.
Please help. We are a high school that starts term on Monday :-(
Thanks in advance
Most likely an account has been compromised, and they are using that account to relay spam through your server.
Run this command as root:
tail -n 100000 /var/log/mail.log | grep "sasl_username=" > smtpauthlogins.txt
Then view smtpauthlogins.txt and change the password for the account you see using SASL authentication over and over. I had the same issue yesterday, and this cleared it right up.
If nothing else, it is worth a shot.
Best of luck!
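As an added illustration of the answer above (this is example code, not something posted in the thread), the following script turns the "look for the account that authenticates over and over" step into two counts: authenticated sessions per account, and distinct client IPs per account. The second count goes beyond the one-liner in the answer: a legitimately busy account usually logs in from one or two familiar addresses, whereas a stolen password tends to be used from several unfamiliar ones. It assumes the standard Postfix smtpd log line format (`client=host[ip], sasl_method=..., sasl_username=...`); the log lines, account names and IP addresses embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): count SMTP AUTH logins per
# account and per client IP in Postfix smtpd log lines, to spot the one
# account a spammer is relaying through.

# Constructed sample log lines in Postfix smtpd format (not real traffic).
SAMPLE_LOG='Aug 30 02:11:04 mail postfix/smtpd[2210]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=jsmith@ourdomain
Aug 30 02:11:09 mail postfix/smtpd[2210]: 1A2B3D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=jsmith@ourdomain
Aug 30 02:11:15 mail postfix/smtpd[2211]: 1A2B3E: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=jsmith@ourdomain
Aug 30 07:45:02 mail postfix/smtpd[2300]: 1A2B41: client=lab-pc.ourdomain[192.0.2.20], sasl_method=PLAIN, sasl_username=teacher1@ourdomain
Aug 30 02:11:20 mail postfix/smtpd[2211]: 1A2B3F: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=jsmith@ourdomain
Aug 30 08:01:33 mail postfix/smtpd[2301]: 1A2B42: client=unknown[192.0.2.21], sasl_method=PLAIN, sasl_username=teacher2@ourdomain'

# Count authenticated sessions per sasl_username, most frequent first.
# Reads log text on stdin.
logins_per_user() {
    grep -o 'sasl_username=[^ ,]*' | cut -d= -f2 | sort | uniq -c | sort -rn
}

# Count distinct client IPs per sasl_username. An account logging in from
# many unfamiliar addresses is more suspicious than a busy legitimate one.
ips_per_user() {
    sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\([^ ,]*\).*/\2 \1/p' \
        | sort -u | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Print just the account name with the most authenticated sessions.
top_user() {
    logins_per_user | head -n 1 | awk '{ print $2 }'
}

# Usage against the live log, as root (same file the answer above reads):
#   tail -n 100000 /var/log/mail.log | logins_per_user
#   tail -n 100000 /var/log/mail.log | ips_per_user
# Run against the constructed sample here:
printf '%s\n' "$SAMPLE_LOG" | logins_per_user
printf '%s\n' "$SAMPLE_LOG" | ips_per_user
```

On the sample, jsmith@ourdomain shows four sessions from two different external addresses while every other account shows one session from one address; that is the account whose password should be changed first. Once it is changed, keep watching the same counts for a while, since a spammer who has harvested several passwords will simply move to the next account.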
Sorry for the slow reply, the server is offline so I'm not getting notifications. Must change my address on here. Thanks for the info, very helpful. One account came up quite a lot; I will change its password. I'm going to enforce password complexity for the whole domain, I think.