Thread: What is going on here? Hacker, spammer, misconfiguration?

  1. #1 jclawson (New Member, joined Apr 2008)

    What is going on here? Hacker, spammer, misconfiguration?

    I was looking at my mail queue and noticed some peculiar entries in my deferred queue.

    The recipient is from some weird domain that I do not host and the sender is service@paypal.com. The Origin IP is 127.0.0.1 and origin host localhost.localdomain.

    It appears that MY server is trying to send email as service.paypal.com. If this is correct how can I determine who / how this is being sent and put a stop to it?

    I looked at my mail stats summary emails and it says that paypal.com is the top sender.

    Thanks for your help.

  2. #2 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Welcome to the forums.

    That would be spam that's being sent to you. There's an article in the wiki that gives some tips for improving the anti-spam system, read that and make any modification you see fit. There are also several threads in the forums on making improvements, search for them.
    Regards,
    Bill

  3. #3 jclawson (New Member)

    I am confused by the information the queue shows. It appears that it is being sent to a different domain. These emails are being deferred by the other server because of various reasons... it doesn't exist... grey listing... etc. The TO email address is not for a domain that I host.

    It appears to me that someone is using my server to send mail to other people because it says the email originated from localhost.localdomain.

    How do you know this mail is being delivered TO me instead of FROM me?

    Thanks for the spam tip though. I will definitely check that out.

  4. #4 phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by jclawson:
        How do you know this mail is being delivered TO me instead of FROM me?

    Unless you have made changes to your Zimbra install, by default it is not an Open Relay and is not being used by a spammer. It is likely that the mail is being sent to you; if you wish to check whether you're a relay, there are plenty of test sites that will test your server. Try these for starters:

    Mail Relay Test - Email Relaying, Testing and Tracking
    Anonymous Relay Test
    Mail relay testing
    Regards,
    Bill

  5. #5 LMStone (Moderator, Portland, ME)

    Quote Originally Posted by jclawson:
        I am confused by the information the queue shows. It appears that it is being sent to a different domain. These emails are being deferred by the other server because of various reasons... it doesn't exist... grey listing... etc. The TO email address is not for a domain that I host.

        It appears to me that someone is using my server to send mail to other people because it says the email originated from localhost.localdomain.

        How do you know this mail is being delivered TO me instead of FROM me?

        Thanks for the spam tip though. I will definitely check that out.

    A lot of that header info can be forged; it's clearly a spammer.

    Sometimes a spammer's email server will HELO with 127.0.0.1 or even your server's own IP. The section in that wiki article that I wrote referring to adding HELO checks (to screen for private IPs) to Postfix will get rid of these kinds of emails.

    Even if you don't make those changes to your system, since Postfix can't deliver these messages, they will just hang around in the deferred queue and eventually get purged.

    Hope that helps,
    Mark

  6. #6 Rich Graves (Outstanding Member, Minnesota)

    If Zimbra is reporting 127.0.0.1 as the source of spam, that's a bug.

    You haven't provided enough information to allow more than guessing.

    There are several other possibilities, such as vacation autoreplies to spam, spam hitting an account that forwards, a non-zimbra server on your subnet as a source of spam (zimbra allows relaying from your localnets by default), a bug in a formail script (is zimbra running on a shared host?), and the increasingly prevalent abuse of usernames & passwords compromised by phishing or dictionary attacks to actually log on and send spam.

    In my ISAC role I'd be particularly interested in the last possibility. I have not yet heard of that affecting zimbra sites, just a lot of exchange, squirrelmail, and horde/imp sites. Please post or PM to me the full headers of a message in queue. I don't remember if the admin web lets you get that, but su - zimbra ; postcat postfix/spool/deferred/2/25ADB34DF or somesuch will work.

  7. #7 Rich Graves (Outstanding Member, Minnesota)

    Redacted version:

    ~zimbra/postfix/sbin/postcat FILENAME will display full headers without the binary junk.

    127.0.0.1 is just an artifact of the way that Zimbra's amavisd talks to itself.

    Looks like the mail originated at ********* which is a compromised Exchange server. Google for that IP address turns up a phishing complaint more than a month ago.

    Do you have a user that forwards to the intended final recipient ************?

    ldapsearch -h mail.*****.com -x zimbraprefmailforwardingaddress=**********

    Could also be a filter rule or distribution list. To search for any reference to that domain anywhere,

    openldap/sbin/slapcat -f conf/slapd.conf|less -p**********

    If it's not a forward, then it's a bug, misconfiguration, or stolen password.

    The time on insertion was ***********. Look through /var/log/zimbra.log around that time to make sure they haven't stolen one of your users' passwords and used it to relay.

  8. #8 jclawson (New Member)

    Just so future visitors can figure this one out. I believe the culprit was a dictionary password. I was getting a lot of connections like:

    Apr 11 06:46:13 mail postfix/smtpd[7404]: 721FE74024A: client=unknown[***********], sasl_method=PLAIN, sasl_username=****

    The above IP is the compromised Exchange server IP.

    I am probably going to write a shell script that creates a report of login user to ip address so it will be easy to pick out when an account may have been compromised.

    Thanks again for all of your help.
    Last edited by jclawson; 04-12-2008 at 02:15 PM.
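The report jclawson describes in #8, written here as an added example (not code from the thread): it reads Postfix smtpd log lines of the kind quoted above, extracts the SASL username and the client IP, and lists users that authenticated from more than one address. The log lines and IPs below are constructed samples (documentation ranges), and the functions read a log on stdin, e.g. `sasl_login_report < /var/log/zimbra.log`.

```shell
#!/bin/sh
# Constructed sample of Postfix smtpd log lines (not from the thread).
SAMPLE_LOG='Apr 11 06:46:13 mail postfix/smtpd[7404]: 721FE74024A: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Apr 11 06:47:02 mail postfix/smtpd[7404]: 8A1C374025B: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Apr 11 06:50:19 mail postfix/smtpd[7410]: 9B2D474026C: client=host.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Apr 11 07:01:44 mail postfix/smtpd[7412]: C3E0574027D: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=bob
Apr 11 07:02:10 mail postfix/smtpd[7412]: D4F1674028E: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=bob
Apr 11 07:03:00 mail postfix/smtpd[7413]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 Relay access denied'

# Reads a Postfix log on stdin and prints "user ip count", one line per
# authenticated (user, client IP) pair, busiest pairs first.  Only smtpd
# lines carrying both client= and sasl_username= are counted, so rejects
# and unauthenticated inbound mail are ignored.
sasl_login_report() {
    awk '
    index($0, "postfix/smtpd[") && index($0, "client=") && index($0, "sasl_username=") {
        rest = substr($0, index($0, "client=") + 7)        # "unknown[203.0.113.5], ..."
        j = index(rest, "["); k = index(rest, "]")
        ip = substr(rest, j + 1, k - j - 1)                 # text between the brackets
        user = substr($0, index($0, "sasl_username=") + 14)
        sub(/[ ,].*/, "", user)                             # strip anything after the name
        count[user " " ip]++
    }
    END { for (pair in count) print pair, count[pair] }
    ' | sort -k3,3nr -k1,1
}

# Prints users seen authenticating from more than one client address in
# the log window: the pattern that stood out in this thread, where a
# stolen password was used from a host the real user never logs in from.
multi_ip_users() {
    sasl_login_report | awk '{ ips[$1]++ } END { for (u in ips) if (ips[u] > 1) print u }' | sort
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sasl_login_report
printf '%s\n' "$SAMPLE_LOG" | multi_ip_users
```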
