
Thread: Server sends phishing messages

  1. #1
    addiakogiannis is offline Starter Member
    Join Date
    Jan 2013
    Posts
    2
    Rep Power
    2

    Server sends phishing messages

    Dear all,

    We are using the latest version of Zimbra OSE. Suddenly we saw messages piling up in the queue (about 7,500), all from the customerservice.net domain (which does not belong to us), and we had several blocks from other servers telling us that the server sends phishing messages (probably from that domain).

    I need your assistance on how to solve this.

    Below is a part of the log:

    Code:
    Mar 31 12:20:30 mail postfix/smtpd[577]: 4FEF13462D4: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<alster@istar.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:30 mail postfix/smtpd[18524]: 5DF993462D5: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<tonerre@videotron.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:30 mail postfix/smtpd[13507]: 21FC43462D2: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<blob@sympatico.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:31 mail postfix/smtpd[577]: 4FEF13462D4: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<stevecollins@videotron.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:31 mail postfix/smtpd[18524]: 5DF993462D5: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<khwu@interchange.ubc.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:31 mail postfix/smtpd[13507]: 21FC43462D2: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<aopen@bc.sys.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:32 mail postfix/smtpd[577]: 4FEF13462D4: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<jackson@lara.on.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:32 mail postfix/smtpd[18524]: 5DF993462D5: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<shdow@simcom.on.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:32 mail postfix/smtpd[13507]: 21FC43462D2: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<victor@sci-fi.lib.calpoly.edu> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:33 mail postfix/smtpd[577]: 4FEF13462D4: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<swil@intergate.bc.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:33 mail postfix/smtpd[18524]: 5DF993462D5: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<4maw8@qlink.queensu.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:33 mail postfix/smtpd[13507]: 21FC43462D2: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<jfelde@mb.sympatico.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:34 mail postfix/smtpd[18524]: 5DF993462D5: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<bonzai@aei.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:34 mail postfix/smtpd[577]: 4FEF13462D4: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<eliu@po-box.mcgill.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:34 mail postfix/smtpd[13507]: 21FC43462D2: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<yu131295@yorku.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:35 mail postfix/error[2235]: 0E9E83462D1: to=<no_reply@customerservice.net>, relay=none, delay=0.02, delays=0.02/0/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to customerservice.net[209.15.13.134]:25: Connection timed out)
    Mar 31 12:20:35 mail postfix/smtpd[18524]: 5DF993462D5: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<dkaneva@rogers.wave.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:35 mail postfix/smtpd[577]: 4FEF13462D4: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<joneskr@nbnet.nb.ca> proto=ESMTP helo=<[178.32.60.195]>
    Mar 31 12:20:35 mail postfix/smtpd[13507]: 21FC43462D2: filter: RCPT from unknown[178.32.60.195]: <no_reply@customerservice.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<no_reply@customerservice.net> to=<jaro@nbnet.nb.ca> proto=ESMTP helo=<[178.32.60.195]>

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,504
    Rep Power
    57


    Quote Originally Posted by addiakogiannis View Post
    We are using the latest version of Zimbra ose.
    You should always give the exact version of ZCS by posting the output of the following command:

    Code:
    zmcontrol -v

    Quote Originally Posted by addiakogiannis View Post
    Suddenly we saw pilled up messages in que (about 7.500) all from customerservice.net domain (that does not belong to us) and we had several blocks from other servers telling us that the server sends phising messages (propably from that domain)
    Have you looked at any of the forum threads that cover the subject of "open relay" (have you checked whether your server is an open relay?) or "compromised account"?
    Regards


    Bill



  3. #3
    addiakogiannis is offline Starter Member
    Join Date
    Jan 2013
    Posts
    2
    Rep Power
    2


    Sorry about that

    My version is Release 8.0.6.GA.5922.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    Using this (Network Tools: DNS,IP,Email) I verified that it is not an open relay.
    How can I check/trace whether I have a compromised account? Is there a way to block the messages?

  4. #4
    nitsew is offline Intermediate Member
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    Try running this command:

    Code:
    tail -n 100000 /var/log/mail.log | grep "sasl_username=" > /tmp/smtpauthlogins.txt

    Then look through /tmp/smtpauthlogins.txt for any accounts that are authenticating far too often.

    Hope this helps...
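The check nitsew describes, carried a step further as an added example (this is not code from the thread or from Zimbra): it parses the `client=... sasl_username=...` lines that Postfix smtpd logs for every authenticated session, tallies logins per account and per client IP, and flags accounts that authenticate more often, or from more addresses, than a normal user would. The log lines embedded below are constructed for the example, the account names and IPs are made up, and the thresholds in `flag_suspicious` are assumptions to be tuned per site.

```python
"""Find accounts that authenticate to Postfix far more often than a normal user.

Reads Postfix smtpd log lines, keeps the ones that carry sasl_username=, and
tallies logins per account and per client IP. A compromised mailbox used for a
spam run usually stands out by volume or by the number of source addresses.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from the original thread). Real input is
# /var/log/mail.log (or /var/log/zimbra.log) on the Zimbra host.
SAMPLE_LOG = """\
Mar 31 12:20:01 mail postfix/smtpd[577]: 4FEF13462D4: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.org
Mar 31 12:20:02 mail postfix/smtpd[577]: 5DF993462D5: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.org
Mar 31 12:20:03 mail postfix/smtpd[578]: 21FC43462D2: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.org
Mar 31 12:20:04 mail postfix/smtpd[578]: 0E9E83462D1: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.org
Mar 31 12:20:05 mail postfix/smtpd[579]: 7A1B23462D9: client=office.example.org[192.0.2.10], sasl_method=LOGIN, sasl_username=bob@example.org
Mar 31 12:20:06 mail postfix/smtpd[580]: 9C0D13462E1: client=mx.partner.example[192.0.2.44]
Mar 31 12:20:07 mail postfix/smtpd[579]: lost connection after AUTH from unknown[198.51.100.23]
"""

# The line smtpd logs once a client has authenticated:
#   ...: <queue id>: client=<host>[<ip>], sasl_method=LOGIN, sasl_username=<account>
# Unauthenticated sessions log the same line without the sasl_* fields; the
# regex requires sasl_username= so those are skipped.
LOGIN_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(text):
    """Return (queue_id, client_ip, account) for every authenticated session."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m.group("qid"), m.group("ip"), m.group("user")))
    return logins


def summarize_by_user(logins):
    """Login count and the set of client IPs seen for each account."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for _qid, ip, user in logins:
        summary[user]["count"] += 1
        summary[user]["ips"].add(ip)
    return dict(summary)


def summarize_by_ip(logins):
    """Login count and the set of accounts seen from each client IP. One source
    IP driving several accounts is the other common shape of an abused server."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for _qid, ip, user in logins:
        summary[ip]["count"] += 1
        summary[ip]["users"].add(user)
    return dict(summary)


def flag_suspicious(by_user, max_logins=50, max_ips=3):
    """Accounts that authenticate more often, or from more addresses, than the
    thresholds allow. The defaults are assumptions; tune them to the site."""
    return sorted(
        user for user, info in by_user.items()
        if info["count"] > max_logins or len(info["ips"]) > max_ips
    )


if __name__ == "__main__":
    import sys
    # Takes the file produced by the grep above, or falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    logins = parse_sasl_logins(text)
    by_user = summarize_by_user(logins)
    for user, info in sorted(by_user.items(), key=lambda kv: -kv[1]["count"]):
        ips = ", ".join(sorted(info["ips"]))
        print(f"{info['count']:6d}  {user:40s}  from {len(info['ips'])} IP(s): {ips}")
    flagged = flag_suspicious(by_user, max_logins=3, max_ips=1)
    print("suspicious:", ", ".join(flagged) or "none")
```

Run it against the file the grep produces (`python3 sasl_logins.py /tmp/smtpauthlogins.txt`); the grep keeps whole lines, so the queue ID, client IP and account all survive. One caveat worth knowing when reading logs like the ones in the first post: the `filter: RCPT from ...` lines carry the sender, recipient and HELO but not the authenticated user, which Postfix logs on the separate `client=` line of the same session. The queue ID (`4FEF13462D4` and so on) is what joins the two, so an account that shows up here with thousands of logins can be tied back to the messages sitting in the queue.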
