Thread: Zimbra Admin account attacked by spam.

#1 emnzava (Active Member, Tanzania)

    Zimbra Admin account attacked by spam.

    Hi,

    I am facing an issue on our mail server whereby users can log in to their inbox, but no new mail is arriving in their inbox.

    When I decided to look at the logs, I saw that the Zimbra admin account (admin@domain.com) seems to be compromised by spam. I see a weird address (fgagfjatd@mail.com) sending mail to admin@domain.com.

    Now, how can I get rid of this problem?

    There are total of 450 mailboxes.

    The queue is at about 64,835.

    This is how the server is configured so far.

    Zimbra Version
    Code:
    Release 8.0.2.GA.5569.UBUNTU10.64 UBUNTU10_64 NETWORK edition.
    Zimbra is setup to accept TLS Authentication only
    Enable authentication=TRUE
    TLS authentication only=TRUE

    MTA Trusted Networks
    Code:
    127.0.0.0/8 192.168.0.5/32
    zimbraMtaRestriction
    Code:
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_rbl_client reject_rbl_client dnsbl.njabl.org
    zimbraMtaRestriction: reject_rbl_client reject_rbl_client cbl.abuseat.org
    zimbraMtaRestriction: reject_rbl_client reject_rbl_client bl.spamcop.ne
    zimbraMtaRestriction: reject_rbl_client          reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client reject_rbl_client sbl.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client reject_rbl_client relays.mail-abuse.org
    Now this is what I see in /var/log/zimbra.log
    Code:
    Oct 10 12:55:08 mail postfix/smtpd[3982]: A632425E869A: client=localhost.localdomain[127.0.0.1]
    Oct 10 12:55:08 mail postfix/cleanup[13466]: A632425E869A: message-id=<C524e193400fb@MSD-MARSHAL.msd.com>
    Oct 10 12:55:08 mail amavis[29589]: (29589-01-34) FWD from <> -> <fgagfjatd@mail.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A632425E869A
    Oct 10 12:55:08 mail postfix/smtpd[3982]: B2FDA25E8707: client=localhost.localdomain[127.0.0.1]
    Oct 10 12:55:08 mail postfix/cleanup[13573]: B2FDA25E8707: message-id=<C524e193400fb@MSD-MARSHAL.msd.com>
    Oct 10 12:55:08 mail amavis[29589]: (29589-01-34) FWD from <> -> <admin@msd.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B2FDA25E8707
    Oct 10 12:55:08 mail amavis[29589]: (29589-01-34) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [192.168.0.6]:44991 [192.168.0.6] <> -> <fgagfjatd@mail.com>,<admin@msd.com>, Queue-ID: 0DC2F255E033, Message-ID: <C524e193400fb@MSD-MARSHAL.msd.com>, mail_id: qNbd6YHVX3rb, Hits: 4.227, size: 1899, queued_as: A632425E869A/B2FDA25E8707, 5143 ms
    Oct 10 12:55:08 mail postfix/smtp[9988]: 0DC2F255E033: to=<fgagfjatd@mail.com>, orig_to=<admin@msd.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=34, delay=13212, delays=5586/7620/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A632425E869A)
    Oct 10 12:55:08 mail postfix/smtp[9988]: 0DC2F255E033: to=<admin@msd.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=34, delay=13212, delays=5586/7620/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A632425E869A)
    Oct 10 12:55:08 mail postfix/qmgr[3385]: 0DC2F255E033: removed
    And from mail.log
    Code:
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<hmaruzuku@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<hmaruzuku@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<hmchunga@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<hmchunga@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <root@msd.com>: Recipient address rejected: msd.com; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5809]: disconnect from unknown[192.168.0.6]
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<inderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<inderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <inderimo@msd.com>: Recipient address rejected: msd.com; from=<> to=<inderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<info@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<info@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<jmakani@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<jmakani@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <jmakani@msd.com>: Recipient address rejected: msd.com; from=<> to=<jmakani@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5809]: connect from unknown[192.168.0.6]
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<lnderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
    Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<lnderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>

    Any ideas on how to solve this?

    Regards
    The quieter you become, the more you are able to hear...
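The two indicators that stand out in the logs posted above are (1) postfix/smtp lines where orig_to=<admin@msd.com> but to=<fgagfjatd@mail.com>, i.e. a local mailbox is being redirected to an outside address, and (2) postfix/smtpd lines where one LAN host (192.168.0.6, HELO MSD-MARSHAL.msd.com) sends null-sender (<>) mail to many local recipients. The script below is an added example, not code from the thread or from Zimbra; it pulls both indicators out of log lines of the formats shown. It assumes msd.com is the only hosted domain and takes the trusted networks from the post; the log sample is condensed from the post, with two extra lines constructed to show what gets skipped.

```python
"""Detect the two compromise indicators visible in the posted Postfix/amavis logs.

Added example, not part of the original thread. Assumptions (from the post):
  LOCAL_DOMAINS     = {"msd.com"}
  TRUSTED_NETWORKS  = 127.0.0.0/8 and 192.168.0.5/32
"""
import ipaddress
import re
from collections import defaultdict

LOCAL_DOMAINS = {"msd.com"}  # assumption: the only domain this Zimbra hosts
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.5/32")]

# postfix/smtp delivery line: "to=<X>, orig_to=<Y>, relay=..." (orig_to is optional)
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig>[^>]*)>,)? relay="
)
# postfix/smtpd RCPT filter/reject line with client host, sender, recipient and HELO
RCPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\S+): (?:filter|reject): RCPT from "
    r"(?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]:.* from=<(?P<sender>[^>]*)> to=<(?P<to>[^>]*)>"
    r".* helo=<(?P<helo>[^>]*)>"
)

# Sample input: lines condensed from the post, plus two constructed lines (marked).
SAMPLE_LOG = [
    "Oct 10 12:55:08 mail postfix/smtp[9988]: 0DC2F255E033: to=<fgagfjatd@mail.com>, orig_to=<admin@msd.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=13212, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A632425E869A)",
    "Oct 10 12:55:08 mail postfix/smtp[9988]: 0DC2F255E033: to=<admin@msd.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=13212, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A632425E869A)",
    "Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<hmaruzuku@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>",
    "Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<hmaruzuku@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>",
    "Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<hmchunga@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>",
    "Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>",
    "Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <root@msd.com>: Recipient address rejected: msd.com; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>",
    # constructed: ordinary mail with a real sender from the same host, must not count
    "Oct 10 10:05:01 mail postfix/smtpd[5800]: 1A2B3C4D5E6F: filter: RCPT from unknown[192.168.0.6]: <alice@msd.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<alice@msd.com> to=<bob@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>",
    # constructed: null-sender mail from a trusted network, must not count
    "Oct 10 10:05:02 mail postfix/smtpd[5811]: NOQUEUE: filter: RCPT from localhost[127.0.0.1]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<carol@msd.com> proto=SMTP helo=<mail.msd.com>",
]


def domain(addr):
    """Lower-cased domain part of an address, or '' for the null sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(ip):
    """True if the client IP falls inside one of the MTA trusted networks."""
    address = ipaddress.ip_address(ip)
    return any(address in net for net in TRUSTED_NETWORKS)


def external_forwards(lines):
    """Map each local mailbox to the set of outside addresses it was redirected to.

    A delivery with orig_to=<local> and to=<external> means the mailbox carries a
    forwarding address pointing off-site, the usual footprint of a hijacked account.
    """
    found = defaultdict(set)
    for line in lines:
        m = SENT_RE.search(line)
        if not m or not m.group("orig"):
            continue
        if domain(m.group("orig")) in LOCAL_DOMAINS and domain(m.group("to")) not in LOCAL_DOMAINS:
            found[m.group("orig")].add(m.group("to"))
    return dict(found)


def null_sender_clients(lines, min_recipients=3):
    """Untrusted client IPs that sent null-sender mail to at least min_recipients
    distinct local recipients. Returns {ip: (helo, distinct recipient count)}.
    """
    per_ip = defaultdict(lambda: {"helo": "", "recipients": set()})
    for line in lines:
        m = RCPT_RE.search(line)
        if not m or m.group("sender") != "" or is_trusted(m.group("ip")):
            continue
        entry = per_ip[m.group("ip")]
        entry["helo"] = m.group("helo")
        entry["recipients"].add(m.group("to").lower())
    return {
        ip: (e["helo"], len(e["recipients"]))
        for ip, e in per_ip.items()
        if len(e["recipients"]) >= min_recipients
    }


if __name__ == "__main__":
    for mailbox, targets in external_forwards(SAMPLE_LOG).items():
        print(f"forwarding off-site: {mailbox} -> {', '.join(sorted(targets))}")
    for ip, (helo, n) in null_sender_clients(SAMPLE_LOG).items():
        print(f"null-sender source: {ip} (helo {helo}) hit {n} distinct local recipients")
```

Run against the full zimbra.log and mail.log rather than the sample: any mailbox reported by external_forwards deserves a password reset and a check of its forwarding settings, and any IP reported by null_sender_clients is a LAN machine to isolate before the queue is flushed, since blocking the admin account alone leaves the 64,835 queued messages and the source host in place.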

#2 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Your Admin account should not be open to the internet; you should also enforce strong passwords on all your mail accounts. Change the password on your Admin account to a strong password, and that should stop any immediate problem of it sending spam. Search the forums for "compromised account" and read that plus the other threads on the topic of a compromised (or spam-sending) system.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

#3 emnzava (Active Member, Tanzania)

    Thank you Bill.

    If I understood you correctly, do you mean other users can log in via web access through the internet, with the exception of Admin?

    How can I set it up that way? Is there a place in the Zimbra admin interface to block admin from logging in from the internet?

    Also, one more thing: is there a place in the Zimbra admin console that allows setting a login attempt limit?

    Regards
    The quieter you become, the more you are able to hear...

#4 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote (emnzava): If I understood you correctly, do you mean other users can log in via web access through the internet, with the exception of Admin?

    Are you behind a firewall or NAT router? If it's either of those, block port 7071.

    Quote (emnzava): Also, one more thing: is there a place in the Zimbra admin console that allows setting a login attempt limit?

    Yes, you can set the number of failed logins. As I've already mentioned, strong passwords would be a good starting place.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

#5 emnzava (Active Member, Tanzania)

    Yes, I am behind a firewall, and I have implemented strong passwords already.

    Port 7071 is already blocked, but admin can log in as a normal user as well; can that bring any security issues, considering the admin account has administrative privileges?

    Thanks once again.
    The quieter you become, the more you are able to hear...

#6 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote (emnzava): Port 7071 is already blocked, but admin can log in as a normal user as well; can that bring any security issues, considering the admin account has administrative privileges?

    That has no other privileges than any other mail user; it's only when they log in to the Admin UI that they can make changes. You can also disable that Admin user account and create another one with a more secure (well, less obvious) user name.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

#7 emnzava (Active Member, Tanzania)

    That appears to be a good idea. I will change the user name for admin.

    I wish the CAPTCHA method could be applied on the admin login page as well. Is this possible?

    Thanks for your help.
    The quieter you become, the more you are able to hear...

#8 KiegKhan (Active Member)

    Deny Admin logon from internet

    Hi Bill, I noticed you replied to this message about how to limit the Admin interface, port 7071, from the internet, but I would like to know if it is possible to limit the Admin user from logging into the webmail site, port 443, from the internet. Admin gets a lot of emails about my systems, so I only want to access that account from inside my network. With Microsoft Exchange Server I would do this by using the Outlook application internally and Outlook Web Access (OWA) externally. Each of these can be configured per user.
    Is there any way to restrict a user such that they could log on from the LAN but not from the Internet?
