hacked account keeps sending after password changed and blocked

gusans
Posts: 24
Joined: Thu Sep 25, 2014 9:02 am

hacked account keeps sending after password changed and blocked

Post by gusans »

Hi, I'm having a very strange problem.

I have a lot of spam being sent from an account. I changed the password, blocked the account and cleared all deferred messages from the admin console, but I keep seeing new outgoing mail being deferred in the console and in mail.log from this account.

These lines keep showing up in mail.log:

zimbra@mail:~$ zmcontrol -v
Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition.

Apr 2 19:44:35 mail postfix/qmgr[30254]: 895193EA0C8: from=<user@mydomain>, size=1363, nrcpt=1 (queue active)
Apr 2 19:44:35 mail postfix/smtp[22262]: 585343B386C: to=<tototo3478@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=29, delay=365247, delays=363473/1774/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 3EF2F5A95FD)

Any ideas? I don't know where to start looking.

Thanks in advance
scantec
Advanced member
Posts: 75
Joined: Mon May 05, 2014 11:55 am

Re: hacked account keeps sending after password changed and blocked

Post by scantec »

I've seen that kind of behaviour on an 8.6, which was unpatched for a while.

Do those connections come from external?

Do you have 8.7.11 Patch 1 installed?
gusans
Posts: 24
Joined: Thu Sep 25, 2014 9:02 am

Re: hacked account keeps sending after password changed and blocked

Post by gusans »

Hi! Thanks for your reply.

I've just patched my installation, but it doesn't solve the problem.

From the undelivered mail returned to sender I can see that the mails come from external connections:

Received: from [127.0.0.1] (unknown [200.66.125.225])
by mail.mydomain (Postfix) with ESMTPSA id 9EACA48DF5A
for <kpistole@bellsouth.net>; Thu, 29 Mar 2018 22:37:15 -0300 (-03)
From: user@mydomain
tonster
Zimbra Employee
Posts: 313
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: hacked account keeps sending after password changed and blocked

Post by tonster »

You need to make sure you restart postfix if you change a password and have spam being sent. Most spammers use persistent connections and it can take a while for one to drop and stop the flow of spam.

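The check and the fix tonster describes, as an added example that is not code from the thread or from Zimbra: the "ESMTPSA" in the bounced message's Received header means the spam is coming in over an authenticated submission session, so the first thing to find out is which client IPs have been logging in as the account (postfix smtpd logs this as sasl_username=), whether any of those sessions are still open, and then to restart the MTA so the open sessions are torn down. The account name user@mydomain is taken from the thread; the log lines are constructed for the example and use documentation IP ranges; the Zimbra wrapper used for the restart is /opt/zimbra/bin/zmmtactl.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: find which client
# IPs have been authenticating (SASL) as the compromised account in the
# postfix smtpd log, check for sessions that are still open, and drop them
# by restarting the MTA (the step tonster recommends above).
# Assumptions: the account is user@mydomain (as in the thread); the log lines
# below are constructed for the example and use documentation IP ranges.

SAMPLE_LOG='Apr  2 19:44:30 mail postfix/smtpd[22101]: 895193EA0C8: client=unknown[198.51.100.25], sasl_method=PLAIN, sasl_username=user@mydomain
Apr  2 19:44:31 mail postfix/smtpd[22101]: 8A0EB3EA0D2: client=unknown[198.51.100.25], sasl_method=PLAIN, sasl_username=user@mydomain
Apr  2 19:44:33 mail postfix/smtpd[22104]: 8C1F73EA0E0: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@mydomain
Apr  2 19:44:35 mail postfix/smtpd[22109]: 8D3A93EA0F1: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=other@mydomain
Apr  2 19:44:36 mail postfix/qmgr[30254]: 895193EA0C8: from=<user@mydomain>, size=1363, nrcpt=1 (queue active)'

# sasl_clients USERNAME < mail.log
# Prints "count ip" for every client that authenticated as USERNAME, most
# active first. Only smtpd lines carrying sasl_username= are considered, so
# unauthenticated inbound mail and the qmgr/smtp queue lines are ignored.
sasl_clients() {
    awk -v user="$1" '
        /postfix\/smtpd\[/ && /sasl_username=/ {
            if (!match($0, /sasl_username=[^ ,]+/)) next
            # "sasl_username=" is 14 characters; compare only the user part
            if (substr($0, RSTART + 14, RLENGTH - 14) != user) next
            if (!match($0, /client=[^,]*/)) next
            ip = substr($0, RSTART, RLENGTH)
            sub(/^.*\[/, "", ip)      # keep what is inside client=host[ip]
            sub(/\].*$/, "", ip)
            seen[ip]++
        }
        END { for (ip in seen) print seen[ip], ip }' | sort -k1,1rn -k2,2
}

# live_sessions IP
# Lists established TCP sessions from IP to the MTA listeners (25, 465, 587).
# A non-empty result means the spammer's persistent session is still open and
# the password change alone will not stop it. Requires iproute2 ss; run on
# the mail server itself.
live_sessions() {
    ss -tn state established '( sport = :25 or sport = :465 or sport = :587 )' \
        | awk -v ip="$1" 'index($4, ip ":") == 1'
}

# restart_mta
# Restarts postfix through Zimbra's wrapper so every open smtpd session,
# including the spammer's, is torn down. Run as the zimbra user, after the
# password has been changed and the account locked, not before.
restart_mta() {
    /opt/zimbra/bin/zmmtactl restart
}

# Demo against the constructed log. On a real server run instead:
#   sasl_clients user@mydomain < /var/log/mail.log
#   live_sessions 198.51.100.25
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | sasl_clients user@mydomain
fi
```

Run the script with the argument demo to see the two offending client IPs from the sample log, each with the number of authenticated sessions it opened. Once the restart has dropped the sessions, re-run sasl_clients against the log from that point on: a still-growing count for the same IPs means the attacker is reconnecting with credentials that still work, which points at another account or an unchanged password rather than a lingering session.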