Account compromised, impossible to stop spam
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Account compromised, impossible to stop spam

Post by cesko446 »

Hi there,
I have a strange problem with my Zimbra server:

zimbra@mail:~$ zmcontrol -v
Release 8.8.9.GA.3019.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.

Installed on Ubuntu Linux 16.04, updated and upgraded:

zimbra@mail:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
NAME="Ubuntu"
VERSION="16.04.5 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.5 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Now the problem: I use a gateway server as a smarthost for all email, inbound and outbound.
I've noticed unusual activity regarding my account (I'm Francesco :O). I see a lot of spam mail from my account. Thinking about a compromised password, I changed the status of my account from active to maintenance and I changed the password.
For a while everything was fine, but suddenly spam activity from my address restarted. To stop it I had to block outgoing mail on the gateway's side with a filter.
It's impossible that one client is infected, because I've set up a new password (64 chars) from ssh, restarted and never logged in, but spam keeps going on.
It's only on my account: francesco@446.it. I've tried to delete my account and create cesko@446.it, and when I added francesco@446.it as an alias, spam keeps going on!!!

This is the evidence:
grep sasl_username /var/log/mail.log

Sep 19 09:32:52 mail postfix/smtps/smtpd[14967]: 63F0860379: client=unknown[191.53.201.152], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: 42B916037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: D101860379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: 562676037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: BC35560379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:30 mail postfix/smtps/smtpd[20122]: 485A36037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:30 mail postfix/smtps/smtpd[20122]: EE2B360379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:31 mail postfix/smtps/smtpd[20122]: 896886037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:32 mail postfix/smtps/smtpd[20122]: 2FC6860379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:32 mail postfix/smtps/smtpd[20122]: CCB0E60379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:01 mail postfix/smtps/smtpd[21979]: 56D7B60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:04 mail postfix/smtps/smtpd[21979]: 3CD4060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:06 mail postfix/smtps/smtpd[21979]: 934EF60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:09 mail postfix/smtps/smtpd[21979]: 1F81D60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:11 mail postfix/smtps/smtpd[21979]: 7BFB960379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:13 mail postfix/smtps/smtpd[21979]: E0CB060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:16 mail postfix/smtps/smtpd[21979]: 3672E60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:19 mail postfix/smtps/smtpd[21979]: 8063060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:22 mail postfix/smtps/smtpd[21979]: 4191660379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:24 mail postfix/smtps/smtpd[21979]: B48F860379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:40 mail postfix/smtps/smtpd[24194]: 3A17A60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:42 mail postfix/smtps/smtpd[24194]: 8E08360379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:44 mail postfix/smtps/smtpd[24194]: E466160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:47 mail postfix/smtps/smtpd[24194]: 5229360379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:49 mail postfix/smtps/smtpd[24194]: 9607960379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:51 mail postfix/smtps/smtpd[24194]: D5D6160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:54 mail postfix/smtps/smtpd[24194]: 38F9760379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:56 mail postfix/smtps/smtpd[24194]: 8ADBB60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:58 mail postfix/smtps/smtpd[24194]: E030160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:51:01 mail postfix/smtps/smtpd[24194]: 472E160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:06 mail postfix/smtps/smtpd[24194]: DD04D6037B: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:09 mail postfix/smtps/smtpd[24194]: CFFF460379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:12 mail postfix/smtps/smtpd[24194]: 29B9860379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:14 mail postfix/smtps/smtpd[24194]: 5E9AF60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:16 mail postfix/smtps/smtpd[24194]: BF76B60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:19 mail postfix/smtps/smtpd[24194]: 1D2C360379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:21 mail postfix/smtps/smtpd[24194]: 4EF9A60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:23 mail postfix/smtps/smtpd[24194]: 9B5A360379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:26 mail postfix/smtps/smtpd[24194]: 07AAB60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:28 mail postfix/smtps/smtpd[24194]: 3A7FB60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:41 mail postfix/smtps/smtpd[26569]: 78D7960379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:43 mail postfix/smtps/smtpd[26569]: 8D8DA60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:45 mail postfix/smtps/smtpd[26569]: A6B7260379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:47 mail postfix/smtps/smtpd[26569]: C02EC60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:49 mail postfix/smtps/smtpd[26569]: DB7A460379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:52 mail postfix/smtps/smtpd[26569]: 02A6B60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:54 mail postfix/smtps/smtpd[26569]: 1A82560379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:56 mail postfix/smtps/smtpd[26569]: 3215E60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:58 mail postfix/smtps/smtpd[26569]: 0D45E60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:56:00 mail postfix/smtps/smtpd[26569]: 2571460379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:07 mail postfix/smtps/smtpd[26569]: 2D84960379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:09 mail postfix/smtps/smtpd[26569]: CB25460379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:11 mail postfix/smtps/smtpd[26569]: F2FB160379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:14 mail postfix/smtps/smtpd[26569]: 27D7660379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:16 mail postfix/smtps/smtpd[26569]: 4ED6160379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:18 mail postfix/smtps/smtpd[26569]: 75DAA60379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:20 mail postfix/smtps/smtpd[26569]: 9DD8260379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:22 mail postfix/smtps/smtpd[26569]: C843260379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:24 mail postfix/smtps/smtpd[26569]: EFF8C60379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:27 mail postfix/smtps/smtpd[26569]: 26AC060379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco

Those are obviously fraudulent.
How is it possible? On the Ubuntu box I have already run rkhunter without any evidence. The admin port (7071) is firewalled.

Can you help me guys?
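As an added example (not part of the thread), here is a small Python script that parses Postfix smtpd SASL lines of the shape shown above and flags any account that authenticated from more than a handful of distinct client IPs within a short window, which is the pattern in this excerpt. The sample lines are constructed from the excerpt plus a benign user "alice" on one LAN host, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd SASL login line in the form shown in the thread (syslog timestamp, no year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S+/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)

# Constructed sample: five lines from the excerpt plus a benign user from a single LAN host.
SAMPLE_LOG = """\
Sep 19 09:32:52 mail postfix/smtps/smtpd[14967]: 63F0860379: client=unknown[191.53.201.152], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:01 mail postfix/smtps/smtpd[21979]: 56D7B60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:40 mail postfix/smtps/smtpd[24194]: 3A17A60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:41 mail postfix/smtps/smtpd[26569]: 78D7960379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 10:05:00 mail postfix/submission/smtpd[27001]: 1234560379: client=laptop.example.lan[192.168.5.50], sasl_method=PLAIN, sasl_username=alice
Sep 19 10:20:00 mail postfix/submission/smtpd[27001]: 1234660379: client=laptop.example.lan[192.168.5.50], sasl_method=PLAIN, sasl_username=alice
"""

def parse_line(line, year=2018):
    """Return ts/ip/user/method for a SASL login line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "method": m["method"]}

def suspicious_accounts(log_text, window_minutes=30, max_ips=3):
    """Map user -> sorted distinct client IPs for each user that authenticated from
    more than max_ips distinct addresses inside some window_minutes span."""
    events = defaultdict(list)  # user -> [(timestamp, client ip)]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["user"]].append((ev["ts"], ev["ip"]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window over each login as its start
            ips = {ip for t, ip in evs[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for user, ips in suspicious_accounts(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} distinct client IPs within 30 min -> {ips}")
```

Run it against the real file with `suspicious_accounts(open("/var/log/mail.log").read())`; a normal mailbox user rarely exceeds two or three client addresses in half an hour, so a hit is worth an immediate password reset and account lock.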
gabrieles
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Account compromised, impossible to stop spam

Post by gabrieles »

cesko446 wrote: ... I've set up a new password (64 chars) from ssh and restart ...
What exactly did you restart?
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

Hi and tnx for the reply:

My tests:
Change password, zmcontrol restart, set active -> spam
Changed password, set active, zmcontrol restart -> spam
Changed password, zmcontrol stop, shutdown VM, set active -> spam
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Account compromised, impossible to stop spam

Post by phoenix »

Have you checked that your server is not an open relay?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

Hello there and thanks for the reply.
It's not an open relay.
My mail server is: mail.veloce.ovh and my gateway is gateway.veloce.ovh.

I have a virtual configuration so mail.veloce.ovh is 192.168.5.2 and gateway.veloce.ovh is 192.168.5.2

192.168.5.2 has opened 993, 995, 465, 587 (send everything to 192.168.5.4 port 26 intranet)
192.168.5.4 has opened 25

All ports are port-forwarded.

Attached test from mxtoolbox
[Attachment: openrelaycheck.jpg, open relay check from mxtoolbox]
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Account compromised, impossible to stop spam

Post by L. Mark Stone »

cesko446 wrote: Hi and tnx for the reply:

My tests:
Change password, zmcontrol restart, set active -> spam
Changed password, set active, zmcontrol restart -> spam
Changed password, zmcontrol stop, shutdown vm, set active -> spam
Sounds like it could be the Mailsploit bug....
https://bugzilla.zimbra.com/show_bug.cgi?id=108709

If fixed, you should see for example:

zimbra@zimbra:~$ zmprov ga john.doe@missioncriticalemail.com zimbraPrefShortEmailAddress
# name john.doe@missioncriticalemail.com
zimbraPrefShortEmailAddress: FALSE
If it is set to TRUE, then you are exposed; change it to FALSE for all of your mailboxes.

Other things to check:
Are you the only Admin account on your Zimbra server?

Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?

Are you enforcing a match between the SASL Authenticated user and the From address when sending emails? https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 . <<== For older versions

For later versions of Zimbra this is fixed; when fixed you should see, for example on 8.8.8:

zimbra@zimbra:~$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | grep mismatch
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
zimbra@zimbra:~$ 
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
gabrieles
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Account compromised, impossible to stop spam

Post by gabrieles »

L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
or a malicious WordPress plugin installed on your 446.it website?
Have you explicitly set the website IP address in zimbraMtaMynetworks?
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

L. Mark Stone wrote:
Sounds like it could be the Mailsploit bug....
https://bugzilla.zimbra.com/show_bug.cgi?id=108709

If fixed, you should see for example:

zimbra@zimbra:~$ zmprov ga john.doe@missioncriticalemail.com zimbraPrefShortEmailAddress
# name john.doe@missioncriticalemail.com
zimbraPrefShortEmailAddress: FALSE
If it is set to TRUE, then you are exposed; change it to FALSE for all of your mailboxes.
It was TRUE and now it's FALSE. No spam just for a while then it started again.
L. Mark Stone wrote: Other things to check:
Are you the only Admin account on your Zimbra server?
Yes I am the only one but francesco@446.it is not an administrator.
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
It's quite strange, but I deleted that account from all my devices and I have changed the password also from this laptop (brand new).
L. Mark Stone wrote: Are you enforcing a match between the SASL Authenticated user and the From address when sending emails? https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 . <<== For older versions

For later versions of Zimbra this is fixed, when fixed you should see for example on 8.8.8:

zimbra@zimbra:~$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | grep mismatch
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
zimbra@zimbra:~$ 
This is my file smtpd_sender_restrictions.cf:
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%

Is it right?
So many thanks for the help!
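As an added example (not code from the thread or from Zimbra), the following Python checks the two things Mark's reply and the smtpd_sender_restrictions.cf posted above turn on: whether reject_authenticated_sender_login_mismatch is present, and whether it is evaluated before any permit_* entry, since Postfix walks a restriction list in order and stops at the first permit or reject. It renders the zmconfigd template lines by assuming every VAR: guard is satisfied (cbpolicyd and amavis enabled); the weak variant is constructed for contrast.

```python
import re

# zmconfigd template line: %%exact VAR:attr value%% or %%contains VAR:attr [token^ ]value%%
TEMPLATE_RE = re.compile(r"^%%(?:exact|contains) VAR:\S+ (?:\S+\^ )?(?P<body>.+)%%$")

# The smtpd_sender_restrictions.cf as posted in the thread.
CONFIG_FROM_THREAD = """\
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
"""

# Constructed weak variant: the permit entries come first, so an authenticated client is
# accepted before the login/From mismatch check is ever reached.
WEAK_CONFIG = """\
permit_mynetworks
permit_sasl_authenticated
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
"""

def rendered_restrictions(cf_text):
    """Restriction names in file order, assuming every VAR: guard is satisfied."""
    names = []
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TEMPLATE_RE.match(line)
        body = m["body"] if m else line   # strip the template wrapper, keep the restriction
        names.append(body.split()[0])     # first token is the restriction name
    return names

def sender_login_check(cf_text):
    """present: the mismatch check exists; ordered: it precedes every permit_* entry."""
    names = rendered_restrictions(cf_text)
    reject = "reject_authenticated_sender_login_mismatch"
    permits = [i for i, n in enumerate(names) if n.startswith("permit_")]
    present = reject in names
    ordered = present and (not permits or names.index(reject) < permits[0])
    return {"present": present, "ordered": ordered, "restrictions": names}

if __name__ == "__main__":
    for label, cfg in (("thread", CONFIG_FROM_THREAD), ("weak", WEAK_CONFIG)):
        print(label, sender_login_check(cfg))
```

Postfix only enforces reject_authenticated_sender_login_mismatch when smtpd_sender_login_maps is configured, which this file alone cannot show, so confirm that mapping in the rendered main.cf as well.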
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

gabrieles wrote:
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
or a malicious WordPress plugin installed on your 446.it website?
Have you explicitly set the website IP address in zimbraMtaMynetworks?
Many thanks for your contribution:
I have just deleted WordPress on 446.it and veloce.ovh.

zmprov gs mail.veloce.ovh zimbraMtaMyNetworks
# name mail.veloce.ovh
zimbraMtaMyNetworks: 127.0.0.0/8 [::1]/128 192.168.5.0/24

192.168.5.1 mail
192.168.5.2 web
192.168.5.3 gateway
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Account compromised, impossible to stop spam

Post by zimico »

I think you should not allow the whole subnet; change it to, for example:

zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 192.168.5.1/32 192.168.5.3/32'
postfix reload
Use a firewall to block the SMTP port on the web server. In my experience, do not allow a web server to have an email server function.
Regards.