Account compromised, impossible to stop spam

cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Postby cesko446 » Thu Sep 20, 2018 1:40 pm

zimico wrote: I think you should not allow the whole subnet; change it to, for example:

Code:

# trust only loopback and the two named hosts, then apply the change
zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 192.168.5.1/32 192.168.5.3/32'
postfix reload

Use the firewall to block the SMTP port on the web server. In my experience, do not let a web server also act as a mail server.
Regards.


Firewalled the web server and modified zimbraMtaMyNetworks... It keeps spamming and spamming.

Unbelievable... Really... I've just changed the IP; could this be the problem? I really don't know how to stop it... :((((((((


phoenix
Ambassador
Posts: 25702
Joined: Fri Sep 12, 2014 9:56 pm

Re: Account compromised, impossible to stop spam

Postby phoenix » Thu Sep 20, 2018 1:47 pm

Do you actually know where the spam is originating? Could you possibly have an infected/compromised machine on your network?
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Postby cesko446 » Thu Sep 20, 2018 2:52 pm

phoenix wrote: Do you actually know where the spam is originating? Could you possibly have an infected/compromised machine on your network?


Hi, and thanks for your support.

This is mail.log while the spamming is going on:

Sep 20 14:47:59 mail postfix/qmgr[13032]: A01BA602AC: removed
Sep 20 14:47:59 mail postfix/amavisd/smtpd[14620]: connect from localhost[127.0.0.1]
Sep 20 14:47:59 mail postfix/amavisd/smtpd[14620]: 51EF1602AC: client=localhost[127.0.0.1]
Sep 20 14:47:59 mail postfix/cleanup[16462]: 51EF1602AC: message-id=<E838F036-36FB-D531-7081-8868A2A8D666@446.it>
Sep 20 14:47:59 mail postfix/qmgr[13032]: 51EF1602AC: from=<francesco@446.it>, size=2333, nrcpt=1 (queue active)
Sep 20 14:47:59 mail postfix/smtp[16463]: 0E5FD603AF: to=<lerica123gh@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.29, delays=0.1/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 51EF1602AC)
Sep 20 14:47:59 mail postfix/qmgr[13032]: 0E5FD603AF: removed
Sep 20 14:47:59 mail postfix/smtp[16466]: 51EF1602AC: to=<lerica123gh@yahoo.com>, relay=gateway.veloce.ovh[192.168.5.4]:26, delay=0.04, delays=0.01/0/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5907C80778)
Sep 20 14:47:59 mail postfix/qmgr[13032]: 51EF1602AC: removed
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: NOQUEUE: filter: RCPT from unknown[177.66.225.182]: <francesco@446.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<francesco@446.it> to=<toddyjim@gmail.com> proto=ESMTP helo=<192.168.0.07>
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: 04B08602AC: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:01 mail postfix/cleanup[16462]: 04B08602AC: message-id=<1B337FE1-3D3B-AA31-2518-F043AD533D60@446.it>
Sep 20 14:48:01 mail postfix/qmgr[13032]: 04B08602AC: from=<francesco@446.it>, size=880, nrcpt=1 (queue active)
Sep 20 14:48:01 mail postfix/dkimmilter/smtpd[14676]: connect from localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/dkimmilter/smtpd[14676]: 72DC6603AF: client=localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/cleanup[16462]: 72DC6603AF: message-id=<1B337FE1-3D3B-AA31-2518-F043AD533D60@446.it>
Sep 20 14:48:01 mail postfix/qmgr[13032]: 72DC6603AF: from=<francesco@446.it>, size=1344, nrcpt=1 (queue active)
Sep 20 14:48:01 mail postfix/smtp[16465]: 04B08602AC: to=<toddyjim@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.1, delays=1.9/0/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 72DC6603AF)
Sep 20 14:48:01 mail postfix/qmgr[13032]: 04B08602AC: removed
Sep 20 14:48:01 mail postfix/amavisd/smtpd[14600]: connect from localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/amavisd/smtpd[14600]: B19CE602AC: client=localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/cleanup[16462]: B19CE602AC: message-id=<1B337FE1-3D3B-AA31-2518-F043AD533D60@446.it>
Sep 20 14:48:01 mail postfix/qmgr[13032]: B19CE602AC: from=<francesco@446.it>, size=2344, nrcpt=1 (queue active)
Sep 20 14:48:01 mail postfix/smtp[16463]: 72DC6603AF: to=<toddyjim@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.29, delays=0.1/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B19CE602AC)
Sep 20 14:48:01 mail postfix/qmgr[13032]: 72DC6603AF: removed
Sep 20 14:48:01 mail postfix/smtp[16466]: B19CE602AC: to=<toddyjim@gmail.com>, relay=gateway.veloce.ovh[192.168.5.4]:26, delay=0.04, delays=0.01/0/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BA13580778)
Sep 20 14:48:01 mail postfix/qmgr[13032]: B19CE602AC: removed
Sep 20 14:48:02 mail postfix/smtps/smtpd[16097]: NOQUEUE: filter: RCPT from unknown[177.66.225.182]: <francesco@446.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<francesco@446.it> to=<wildoneusa@aol.com> proto=ESMTP helo=<192.168.0.07>
Sep 20 14:48:02 mail postfix/smtps/smtpd[16097]: 6010D603CD: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:03 mail postfix/cleanup[16462]: 6010D603CD: message-id=<9CE89034-C470-9717-B5FA-89AA21A6BE57@446.it>
Sep 20 14:48:03 mail postfix/qmgr[13032]: 6010D603CD: from=<francesco@446.it>, size=789, nrcpt=1 (queue active)
Sep 20 14:48:03 mail postfix/dkimmilter/smtpd[14655]: connect from localhost[127.0.0.1]
Sep 20 14:48:03 mail postfix/dkimmilter/smtpd[14655]: C13DA603DB: client=localhost[127.0.0.1]
Sep 20 14:48:03 mail postfix/cleanup[16462]: C13DA603DB: message-id=<9CE89034-C470-9717-B5FA-89AA21A6BE57@446.it>
Sep 20 14:48:03 mail postfix/qmgr[13032]: C13DA603DB: from=<francesco@446.it>, size=1253, nrcpt=1 (queue active)
Sep 20 14:48:03 mail postfix/smtp[16465]: 6010D603CD: to=<wildoneusa@aol.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=2, delays=1.8/0/0/0.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as C13DA603DB)
Sep 20 14:48:03 mail postfix/qmgr[13032]: 6010D603CD: removed
Sep 20 14:48:04 mail postfix/amavisd/smtpd[14659]: connect from localhost[127.0.0.1]
Sep 20 14:48:04 mail postfix/amavisd/smtpd[14659]: 0D6F0603CD: client=localhost[127.0.0.1]
Sep 20 14:48:04 mail postfix/cleanup[16462]: 0D6F0603CD: message-id=<9CE89034-C470-9717-B5FA-89AA21A6BE57@446.it>
Sep 20 14:48:04 mail postfix/qmgr[13032]: 0D6F0603CD: from=<francesco@446.it>, size=2253, nrcpt=1 (queue active)
Sep 20 14:48:04 mail postfix/amavisd/smtpd[14659]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 20 14:48:04 mail postfix/smtp[16463]: C13DA603DB: to=<wildoneusa@aol.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.28, delays=0.1/0.01/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0D6F0603CD)
Sep 20 14:48:04 mail postfix/qmgr[13032]: C13DA603DB: removed
Sep 20 14:48:04 mail postfix/smtp[16466]: 0D6F0603CD: to=<wildoneusa@aol.com>, relay=gateway.veloce.ovh[192.168.5.4]:26, delay=0.03, delays=0.01/0/0.02/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 13AE280778)
Sep 20 14:48:04 mail postfix/qmgr[13032]: 0D6F0603CD: removed
Sep 20 14:48:04 mail postfix/smtps/smtpd[16097]: disconnect from unknown[177.66.225.182] ehlo=1 auth=1 mail=10 rcpt=10 data=10 commands=32

And I've attached my gateway filter.

Thanks for the support. Really.

Attachment: gateway.jpg
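The log above answers phoenix's question: every spam message enters through postfix/smtps/smtpd from 177.66.225.182 with sasl_method=LOGIN and sasl_username=francesco, announcing a private address (192.168.0.07) as its HELO from a public IP. That is a stolen account password, and zimbraMtaMyNetworks never comes into play: mynetworks only exempts trusted source addresses from the relay checks, while an authenticated client is accepted from anywhere. The Python below is an added example, not code from this thread or from Zimbra; it also covers zimico's mynetworks advice quoted earlier. It parses smtpd client= and filter lines, attributes each queued message to its ingress path (a source inside zimbraMtaMyNetworks, a SASL login from outside it, or neither) and lists the accounts whose credentials were used from outside. The sample lines are constructed from the ones posted above; the two mynetworks strings are zimico's suggested value and, for contrast, a catch-all one that hides the signal entirely.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: smtpd lines in the shape of the ones posted above
# (client IP, account name, HELO and queue ids are taken from that post).
SAMPLE_LOG = """\
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: NOQUEUE: filter: RCPT from unknown[177.66.225.182]: <francesco@446.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<francesco@446.it> to=<toddyjim@gmail.com> proto=ESMTP helo=<192.168.0.07>
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: 04B08602AC: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:01 mail postfix/amavisd/smtpd[14600]: B19CE602AC: client=localhost[127.0.0.1]
Sep 20 14:48:02 mail postfix/smtps/smtpd[16097]: 6010D603CD: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:04 mail postfix/smtps/smtpd[16097]: disconnect from unknown[177.66.225.182] ehlo=1 auth=1 mail=10 rcpt=10 data=10 commands=32
"""

# "<queue id>: client=host[ip], sasl_method=..., sasl_username=..." (SASL part optional)
CLIENT_RE = re.compile(
    r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+))?"
)
# The "filter:" line is the one that carries the HELO name the client announced.
HELO_RE = re.compile(r"from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:.*helo=<(?P<helo>[^>]*)>")


def parse_mynetworks(spec):
    """zimbraMtaMyNetworks is a space-separated list of CIDR blocks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def in_mynetworks(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def ingress_summary(log_text, mynetworks_spec):
    """Attribute every queued message to the path it came in on:
    'mynetworks'   - source address trusted, relay checks skipped
    'sasl:<user>'  - authenticated login from outside mynetworks
    'unauthenticated' - neither
    Returns {key: {"messages": n, "ips": set(), "helos": set()}}."""
    nets = parse_mynetworks(mynetworks_spec)
    helo_by_ip = {}  # last HELO seen per client address (crude, but enough for triage)
    summary = defaultdict(lambda: {"messages": 0, "ips": set(), "helos": set()})
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m:
            helo_by_ip[m["ip"]] = m["helo"]
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if in_mynetworks(ip, nets):
            key = "mynetworks"
        elif user:
            key = f"sasl:{user}"
        else:
            key = "unauthenticated"
        rec = summary[key]
        rec["messages"] += 1
        rec["ips"].add(ip)
        if ip in helo_by_ip:
            rec["helos"].add(helo_by_ip[ip])
    return dict(summary)


def external_sasl_accounts(summary):
    """Accounts whose password was used to submit mail from outside mynetworks.
    These need a password reset or lockout; no mynetworks change stops them."""
    return sorted(key.split(":", 1)[1] for key in summary if key.startswith("sasl:"))


if __name__ == "__main__":
    tight = "127.0.0.0/8 192.168.5.1/32 192.168.5.3/32"  # zimico's suggested value
    report = ingress_summary(SAMPLE_LOG, tight)
    for key, rec in report.items():
        print(key, rec["messages"], sorted(rec["ips"]), sorted(rec["helos"]))
    print("reset these accounts:", external_sasl_accounts(report))
    # With a catch-all mynetworks every client looks trusted and nothing is flagged.
    print("catch-all:", external_sasl_accounts(ingress_summary(SAMPLE_LOG, "0.0.0.0/0")))
```

Run it against a real mail.log (or `zmprov gs` output for the mynetworks value) by replacing the constructed sample; a user key appearing under `sasl:` with a foreign IP and a private-address HELO is the signature to act on first.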
gabrieles
Advanced member
Posts: 50
Joined: Tue Feb 14, 2017 9:40 am

Re: Account compromised, impossible to stop spam

Postby gabrieles » Thu Sep 20, 2018 3:13 pm

Follow these steps:
- Disable authentication at MTA level, then restart the MTA service.
- Restrict zimbraMtaMynetworks to the mail server only.

It can't spam this way; if it keeps spamming, it will be coming from the machine itself.
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Postby cesko446 » Thu Sep 20, 2018 3:17 pm

gabrieles wrote: Follow these steps:
- Disable authentication at MTA level, then restart the MTA service.
- Restrict zimbraMtaMynetworks to the mail server only.

It can't spam this way; if it keeps spamming, it will be coming from the machine itself.


How do I enforce this one: "Disable authentication at MTA level, then restart the MTA service"?
Restrict zimbraMtaMynetworks to the mail server only: done.
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Postby cesko446 » Thu Sep 20, 2018 8:10 pm

gabrieles wrote: Follow these steps:
- Disable authentication at MTA level, then restart the MTA service.
- Restrict zimbraMtaMynetworks to the mail server only.

It can't spam this way; if it keeps spamming, it will be coming from the machine itself.



I used this:

Code:

zmprov modifyServer mail.veloce.ovh zimbraMtaAuthEnabled FALSE

and this:

Code:

zmprov modifyServer mail.veloce.ovh zimbraMtaSaslAuthEnable no


And now I can't send or receive, but they keep spamming. I'm going crazy. :)

What the hell is that?!
JDunphy
Outstanding Member
Posts: 281
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P6

Re: Account compromised, impossible to stop spam

Postby JDunphy » Thu Sep 20, 2018 9:46 pm

One thing you might consider is to prevent them by rejecting the email if they attempt to use multiple recipients per email. Set it just below what they are using. For example, if they are sending 20 then setting it to 19 will abort that submission... note the current default so you can reset it after all this is resolved.

Code:

su - zimbra
# note the current value so it can be restored once this is resolved
postconf | grep recipient_limit
# set the per-message recipient cap just below what the spammer is using
postconf -e 'smtpd_recipient_limit=19'
/opt/zimbra/postfix/sbin/postfix reload

That should give you some time to investigate this further. Watch your logs, everything should be in there with how many they are sending per instance.
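A per-message recipient cap is worth checking against the log before relying on it. In the qmgr lines cesko446 posted every message carries nrcpt=1, and the session summary reads mail=10 rcpt=10: ten single-recipient messages per connection, which smtpd_recipient_limit (Postfix enforces it per message, not per session) would leave untouched. The Python below is an added example, not code from the thread or from Zimbra. It reads nrcpt from qmgr lines and the counters from smtpd disconnect lines, reports which messages a given limit would have refused, and applies JDunphy's "one below the largest count" rule, returning no suggestion when every message has a single recipient. The sample lines are constructed from the posted log.

```python
import re

# Constructed sample in the shape of the qmgr and smtpd lines posted earlier in
# the thread (queue ids and counters copied from there; not a complete capture).
SAMPLE_LOG = """\
Sep 20 14:48:01 mail postfix/qmgr[13032]: 04B08602AC: from=<francesco@446.it>, size=880, nrcpt=1 (queue active)
Sep 20 14:48:03 mail postfix/qmgr[13032]: 6010D603CD: from=<francesco@446.it>, size=789, nrcpt=1 (queue active)
Sep 20 14:48:04 mail postfix/smtps/smtpd[16097]: disconnect from unknown[177.66.225.182] ehlo=1 auth=1 mail=10 rcpt=10 data=10 commands=32
"""

# qmgr "queue active" line: queue id, envelope sender and recipient count
NRCPT_RE = re.compile(
    r"qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<n>\d+)"
)
# smtpd disconnect summary: per-connection command counters (ehlo=, mail=, rcpt=, ...)
DISC_RE = re.compile(
    r"smtpd\[\d+\]: disconnect from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<kv>(?: \w+=\d+)+)"
)


def recipients_per_message(log_text):
    """queue id -> number of envelope recipients, from qmgr 'queue active' lines."""
    out = {}
    for line in log_text.splitlines():
        m = NRCPT_RE.search(line)
        if m:
            out[m["qid"]] = int(m["n"])
    return out


def session_counters(log_text):
    """[(client ip, {'mail': 10, 'rcpt': 10, ...}), ...] from disconnect summaries.
    mail= is messages in that connection; rcpt= is recipients across all of them."""
    out = []
    for line in log_text.splitlines():
        m = DISC_RE.search(line)
        if m:
            counters = {k: int(v) for k, v in (kv.split("=") for kv in m["kv"].split())}
            out.append((m["ip"], counters))
    return out


def would_be_refused(per_message, limit):
    """Queue ids carrying more recipients than smtpd_recipient_limit allows.
    The limit applies to each message's RCPT TO commands, so a flood of
    single-recipient messages passes whatever value is configured."""
    return sorted(qid for qid, n in per_message.items() if n > limit)


def suggest_recipient_limit(per_message):
    """JDunphy's rule: one below the largest recipient count observed.
    None when every message has one recipient, since the limit can't go below 1."""
    biggest = max(per_message.values(), default=0)
    return biggest - 1 if biggest > 1 else None


if __name__ == "__main__":
    per_msg = recipients_per_message(SAMPLE_LOG)
    print("recipients per message:", per_msg)
    print("sessions:", session_counters(SAMPLE_LOG))
    print("refused at limit 19:", would_be_refused(per_msg, 19))
    print("suggested limit:", suggest_recipient_limit(per_msg))
```

If `suggest_recipient_limit` returns None on your own log, the spammer is already sending one recipient per message and the knob to reach for is the account itself (password reset and lockout), not the recipient limit.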
gabrieles
Advanced member
Posts: 50
Joined: Tue Feb 14, 2017 9:40 am

Re: Account compromised, impossible to stop spam

Postby gabrieles » Fri Sep 21, 2018 7:42 am

cesko446 wrote: zimbraMtaAuthEnabled FALSE
zimbraMtaSaslAuthEnable no
Restrict zimbraMtaMynetworks to the mailserver only. Done.

Then by definition only the local machine can send unauthenticated. Check whether it has been compromised: check auth.log, who, last, crontabs ...
