Compromise Account Pls. Help

1257jigzaw
Posts: 3
Joined: Sat Sep 13, 2014 3:56 am

Compromise Account Pls. Help

Postby 1257jigzaw » Tue Aug 12, 2014 1:46 am

Hi Guys,
First of all, here are our Zimbra server details:
OS - CentOS 5.6

Zimbra open source 7.1.3
We badly need your help: one of our email accounts has been compromised. I have already identified the specific account, changed the password 20 times, invalidated its sessions and closed the account, but it is still sending spam emails. I have also tried to block the public IP address it is using, but with no success at all; it just keeps changing its IP address. I'm a bit of a newbie at Zimbra administration, so can anyone help me?
Thank you very much..


chauvetp
Outstanding Member
Posts: 350
Joined: Fri Sep 12, 2014 11:28 pm

Compromise Account Pls. Help

Postby chauvetp » Tue Aug 12, 2014 7:56 am

First off - upgrade Zimbra ASAP. The version you have is vulnerable to multiple security issues. Go to version 7.2.7.
Secondly, if you have changed the password and the account keeps connecting, how is it connecting? Is it connecting via SMTP? Web client?

If it's SMTP, and you're sure the account is closed, then there is no way it could keep connecting with that password from different IPs. It is either connecting via a different password (i.e. you changed the external authentication password but left the local password active, or vice versa) or it's sending without authenticating. If that is the issue, then how? Do you have an overly permissive setting in postfix's allowed networks? (zmprov gs server-name zimbraMtaMyNetworks).
1257jigzaw
Posts: 3
Joined: Sat Sep 13, 2014 3:56 am

Compromise Account Pls. Help

Postby 1257jigzaw » Wed Aug 13, 2014 7:12 pm

Thank you for the reply. I'm also planning to update our system, but in the meantime is there a way to stop it? I already erased the specific account that is trying to send spam emails and also DISCARD all outgoing emails from the specific account:
Aug 14 07:51:32 smtp2 postfix/smtpd[12867]: NOQUEUE: discard: RCPT from host-static-93-116-62-52.moldtelecom.md[93.116.62.52]: : Sender address triggers DISCARD action; from= to= proto=ESMTP helo=
Aug 14 07:51:32 smtp2 postfix/smtpd[12867]: 50EDAA0BA3: client=host-static-93-116-62-52.moldtelecom.md[93.116.62.52], sasl_method=LOGIN, sasl_username=XXXX@domain.com
Aug 14 07:51:34 smtp2 postfix/smtpd[12867]: NOQUEUE: discard: RCPT from host-static-93-116-62-52.moldtelecom.md[93.116.62.52]: : Sender address triggers DISCARD action; from= to= proto=ESMTP helo=
Aug 14 07:51:34 smtp2 postfix/smtpd[12867]: CEDCEA0BA3: client=host-static-93-116-62-52.moldtelecom.md[93.116.62.52], sasl_method=LOGIN, sasl_username=XXXX@domain.com
But the next problem is, it is creating many fake accounts from the same domain and keeps sending fake emails, so all of our outgoing emails are now being blocked and blacklisted. So please help to stop this. Thank you very much.
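The log lines above answer chauvetp's "how is it connecting?" question: `sasl_method=LOGIN, sasl_username=XXXX@domain.com` is postfix recording a successful SASL authentication, so whatever credential the sender holds is still accepted by the MTA's auth path. The following script is an added example (not code from the thread or from Zimbra) that parses postfix/smtpd lines in exactly this shape and summarises, per SASL username, the set of client IPs it authenticated from and, per IP, how many messages hit the DISCARD action. An account that keeps authenticating from many unrelated IPs after a password change is the signal to look for. The log lines embedded in the script are constructed in the thread's format with documentation-range IPs; the regexes assume the standard postfix `client=host[ip], sasl_method=..., sasl_username=...` and `NOQUEUE: discard: RCPT from host[ip]: ...` formats shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the thread's postfix/smtpd lines
# (hosts and IPs are placeholders from documentation ranges, not real data).
SAMPLE_LOG = """\
Aug 14 07:51:32 smtp2 postfix/smtpd[12867]: NOQUEUE: discard: RCPT from mail-a.example.net[192.0.2.10]: : Sender address triggers DISCARD action; from=<user@domain.com> to=<victim@example.org> proto=ESMTP helo=<mail-a>
Aug 14 07:51:32 smtp2 postfix/smtpd[12867]: 50EDAA0BA3: client=mail-a.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=user@domain.com
Aug 14 07:52:01 smtp2 postfix/smtpd[12870]: 7A11AA0BB1: client=host-b.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=user@domain.com
Aug 14 07:52:40 smtp2 postfix/smtpd[12871]: 9C23BA0BB9: client=host-c.example.net[203.0.113.45], sasl_method=PLAIN, sasl_username=user@domain.com
Aug 14 07:53:10 smtp2 postfix/smtpd[12872]: 1D44CA0BC2: client=office.example.com[192.0.2.200], sasl_method=LOGIN, sasl_username=alice@domain.com
Aug 14 07:53:12 smtp2 postfix/smtpd[12872]: NOQUEUE: discard: RCPT from host-c.example.net[203.0.113.45]: : Sender address triggers DISCARD action; from=<user@domain.com> to=<x@example.org> proto=ESMTP helo=<host-c>
"""

# A successful SASL login: queue id, client host[ip], mechanism and username.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)
# A DISCARD decision; the sender may appear as <addr> or, as in the forum paste, empty.
DISCARD_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: discard: RCPT from "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:.*?from=<?(?P<sender>[^>\s]*)>?"
)


def parse_line(line):
    """Return a small event dict for the two line types we care about, else None."""
    m = CLIENT_RE.search(line)
    if m:
        return {"event": "auth", "ip": m["ip"], "host": m["host"],
                "user": m["user"], "method": m["method"], "qid": m["qid"]}
    m = DISCARD_RE.search(line)
    if m:
        return {"event": "discard", "ip": m["ip"], "host": m["host"],
                "sender": m["sender"]}
    return None


def summarize(log_text):
    """Aggregate authentications per username and DISCARD hits per client IP."""
    auth_ips = defaultdict(set)      # sasl_username -> distinct client IPs
    auth_count = defaultdict(int)    # sasl_username -> number of logins
    discards_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "auth":
            auth_ips[ev["user"]].add(ev["ip"])
            auth_count[ev["user"]] += 1
        else:
            discards_by_ip[ev["ip"]] += 1
    return {"auth_ips": {u: ips for u, ips in auth_ips.items()},
            "auth_count": dict(auth_count),
            "discards_by_ip": dict(discards_by_ip)}


def flag_accounts(summary, max_ips=2):
    """Usernames that authenticated from more distinct IPs than a normal user would."""
    return sorted(u for u, ips in summary["auth_ips"].items() if len(ips) > max_ips)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user in flag_accounts(s):
        print(f"{user}: {s['auth_count'][user]} logins from {sorted(s['auth_ips'][user])}")
    for ip, n in sorted(s["discards_by_ip"].items()):
        print(f"DISCARD hits from {ip}: {n}")
```

Run it against `/var/log/zimbra.log` (or wherever postfix logs on the box) by replacing `SAMPLE_LOG` with the file contents. If the compromised account still appears in `sasl_username` after the password change and the session invalidation, the credential being used is not the one that was changed, which is the external-versus-local password case chauvetp describes.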
liverpoolfcfan
Outstanding Member
Posts: 926
Joined: Sat Sep 13, 2014 12:47 am

Compromise Account Pls. Help

Postby liverpoolfcfan » Thu Aug 14, 2014 3:46 am

Have you checked your system for rogue zimlets, etc. as mentioned in the security advisories?

Do you have port 7071 (the admin port) open to the internet?

Have you configured external authentication but allowed fallback to local?
1257jigzaw
Posts: 3
Joined: Sat Sep 13, 2014 3:56 am

Compromise Account Pls. Help

Postby 1257jigzaw » Tue Aug 19, 2014 3:55 am

I have already contained the sending of spam and fake emails. I just added the parameter reject_unlisted_sender to /opt/zimbra/conf/postfix_recipient_restrictions.cf, and all outgoing emails from the spammer are being DISCARDED.
Guys, do I have to update my Apache and OpenSSH for this? Are there any issues with updating those?
