Account compromised, impossible to stop spam
Hi there,
I have a strange problem with my zimbra server:
zimbra@mail:~$ zmcontrol -v
Release 8.8.9.GA.3019.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.
Installed on Ubuntu Linux 16.04 updated and upgraded
zimbra@mail:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
NAME="Ubuntu"
VERSION="16.04.5 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.5 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Now the problem: I use a gateway server as a smarthost for all email, inbound and outbound.
I've noticed unusual activity regarding my account (I'm Francesco :O). I see a lot of spam mail from my account. Thinking about a compromised password, I changed the status of my account from active to maintenance and I changed the password.
For a while everything was fine, but suddenly spam activity from my address restarted. To stop it I had to block outgoing mail on the gateway's side as a filter.
It's impossible that one client is infected, because I've set up a new password (64 chars) from ssh and restarted and never logged in, but spam keeps going on.
It's only on my account: francesco@446.it. I've tried to delete my account and create cesko@446.it, and when I added francesco@446.it as an alias the spam keeps going on!!!
This is the evidence:
grep sasl_username /var/log/mail.log
Sep 19 09:32:52 mail postfix/smtps/smtpd[14967]: 63F0860379: client=unknown[191.53.201.152], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: 42B916037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: D101860379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: 562676037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: BC35560379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:30 mail postfix/smtps/smtpd[20122]: 485A36037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:30 mail postfix/smtps/smtpd[20122]: EE2B360379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:31 mail postfix/smtps/smtpd[20122]: 896886037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:32 mail postfix/smtps/smtpd[20122]: 2FC6860379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:32 mail postfix/smtps/smtpd[20122]: CCB0E60379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:01 mail postfix/smtps/smtpd[21979]: 56D7B60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:04 mail postfix/smtps/smtpd[21979]: 3CD4060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:06 mail postfix/smtps/smtpd[21979]: 934EF60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:09 mail postfix/smtps/smtpd[21979]: 1F81D60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:11 mail postfix/smtps/smtpd[21979]: 7BFB960379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:13 mail postfix/smtps/smtpd[21979]: E0CB060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:16 mail postfix/smtps/smtpd[21979]: 3672E60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:19 mail postfix/smtps/smtpd[21979]: 8063060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:22 mail postfix/smtps/smtpd[21979]: 4191660379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:24 mail postfix/smtps/smtpd[21979]: B48F860379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:40 mail postfix/smtps/smtpd[24194]: 3A17A60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:42 mail postfix/smtps/smtpd[24194]: 8E08360379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:44 mail postfix/smtps/smtpd[24194]: E466160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:47 mail postfix/smtps/smtpd[24194]: 5229360379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:49 mail postfix/smtps/smtpd[24194]: 9607960379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:51 mail postfix/smtps/smtpd[24194]: D5D6160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:54 mail postfix/smtps/smtpd[24194]: 38F9760379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:56 mail postfix/smtps/smtpd[24194]: 8ADBB60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:58 mail postfix/smtps/smtpd[24194]: E030160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:51:01 mail postfix/smtps/smtpd[24194]: 472E160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:06 mail postfix/smtps/smtpd[24194]: DD04D6037B: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:09 mail postfix/smtps/smtpd[24194]: CFFF460379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:12 mail postfix/smtps/smtpd[24194]: 29B9860379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:14 mail postfix/smtps/smtpd[24194]: 5E9AF60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:16 mail postfix/smtps/smtpd[24194]: BF76B60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:19 mail postfix/smtps/smtpd[24194]: 1D2C360379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:21 mail postfix/smtps/smtpd[24194]: 4EF9A60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:23 mail postfix/smtps/smtpd[24194]: 9B5A360379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:26 mail postfix/smtps/smtpd[24194]: 07AAB60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:28 mail postfix/smtps/smtpd[24194]: 3A7FB60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:41 mail postfix/smtps/smtpd[26569]: 78D7960379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:43 mail postfix/smtps/smtpd[26569]: 8D8DA60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:45 mail postfix/smtps/smtpd[26569]: A6B7260379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:47 mail postfix/smtps/smtpd[26569]: C02EC60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:49 mail postfix/smtps/smtpd[26569]: DB7A460379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:52 mail postfix/smtps/smtpd[26569]: 02A6B60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:54 mail postfix/smtps/smtpd[26569]: 1A82560379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:56 mail postfix/smtps/smtpd[26569]: 3215E60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:58 mail postfix/smtps/smtpd[26569]: 0D45E60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:56:00 mail postfix/smtps/smtpd[26569]: 2571460379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:07 mail postfix/smtps/smtpd[26569]: 2D84960379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:09 mail postfix/smtps/smtpd[26569]: CB25460379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:11 mail postfix/smtps/smtpd[26569]: F2FB160379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:14 mail postfix/smtps/smtpd[26569]: 27D7660379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:16 mail postfix/smtps/smtpd[26569]: 4ED6160379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:18 mail postfix/smtps/smtpd[26569]: 75DAA60379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:20 mail postfix/smtps/smtpd[26569]: 9DD8260379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:22 mail postfix/smtps/smtpd[26569]: C843260379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:24 mail postfix/smtps/smtpd[26569]: EFF8C60379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:27 mail postfix/smtps/smtpd[26569]: 26AC060379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Those are obviously fraudulent.
How is it possible? On the Ubuntu box I have already run rkhunter without any evidence. Admin port (7071) is firewalled.
Can you help me guys?
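Added example, not from the thread: a small Python script that parses postfix smtpd lines of the shape shown in the grep output above and flags a SASL user whose mail is being submitted from several unrelated client IPs in quick bursts, which is what the evidence above looks like. The log lines inside it are constructed to mirror that output (documentation IP ranges, invented queue ids); the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the thread's grep output. One user is
# used from three unrelated hosts seconds apart; 'alice' is a normal user
# sending twice from one host. A non-SASL line is included to show it is skipped.
SAMPLE_LOG = """\
Sep 19 08:15:10 mail postfix/submission/smtpd[11001]: 1A2B3C4D5E: client=laptop.example.net[198.51.100.200], sasl_method=PLAIN, sasl_username=alice
Sep 19 09:32:52 mail postfix/smtps/smtpd[14967]: 63F0860379: client=unknown[198.51.100.10], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: connect from unknown[203.0.113.5]
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: 42B916037A: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: D101860379: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: 562676037A: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: BC35560379: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:01 mail postfix/smtps/smtpd[21979]: 56D7B60379: client=host.example.org[192.0.2.77], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:04 mail postfix/smtps/smtpd[21979]: 3CD4060379: client=host.example.org[192.0.2.77], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:06 mail postfix/smtps/smtpd[21979]: 934EF60379: client=host.example.org[192.0.2.77], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:09 mail postfix/smtps/smtpd[21979]: 1F81D60379: client=host.example.org[192.0.2.77], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:11 mail postfix/smtps/smtpd[21979]: 7BFB960379: client=host.example.org[192.0.2.77], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:13 mail postfix/smtps/smtpd[21979]: E0CB060379: client=host.example.org[192.0.2.77], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:00 mail postfix/submission/smtpd[11002]: 2B3C4D5E6F: client=laptop.example.net[198.51.100.200], sasl_method=PLAIN, sasl_username=alice
"""

# Matches the "queue-id: client=host[ip], sasl_method=..., sasl_username=..." form
# that postfix/smtpd logs for an authenticated submission.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/\S*smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>\S+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for an authenticated-submission line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"].lower(), "qid": m["qid"]}


def analyse(lines, window=timedelta(minutes=30), max_ips=2, max_msgs=10):
    """Per SASL user: distinct client IPs and the peak message count in any
    sliding window. Thresholds are assumed defaults, tune them to your traffic."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["user"]].append(ev)
    report = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        ips = {e["ip"] for e in evs}
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[user] = {
            "messages": len(evs),
            "distinct_ips": len(ips),
            "peak_in_window": peak,
            "suspicious": len(ips) > max_ips or peak > max_msgs,
        }
    return report


def flagged_users(lines):
    """Names of SASL users whose submission pattern trips the heuristic."""
    return sorted(u for u, r in analyse(lines).items() if r["suspicious"])


if __name__ == "__main__":
    for user, r in analyse(SAMPLE_LOG.splitlines()).items():
        print(user, r)
    print("flag for password reset / session revocation:", flagged_users(SAMPLE_LOG.splitlines()))
```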
Re: Account compromised, impossible to stop spam
cesko446 wrote: ... i've setup a new password (64 chars) from ssh and restart ...
What exactly did you restart?
Re: Account compromised, impossible to stop spam
Hi and tnx for the reply:
My tests:
Change password, zmcontrol restart, set active -> spam
Changed password, set active, zmcontrol restart -> spam
Changed password, zmcontrol stop, shutdown vm, set active -> spam
Re: Account compromised, impossible to stop spam
Have you checked that your server is not an open relay?
Re: Account compromised, impossible to stop spam
Hello there and tnx for the reply.
It's not an open relay
My mail server is: mail.veloce.ovh and my gateway is gateway.veloce.ovh.
I have a virtual configuration so mail.veloce.ovh is 192.168.5.2 and gateway.veloce.ovh is 192.168.5.2
192.168.5.2 has 993, 995, 465, 587 open (sends everything to 192.168.5.4 port 26 on the intranet)
192.168.5.4 has 25 open
all ports are port-forwarded
Attached test from mxtoolbox
Attachment: openrelaycheck.jpg (from mxtoolbox)
Re: Account compromised, impossible to stop spam
Posted by L. Mark Stone (Ambassador):
cesko446 wrote: Hi and tnx for the reply:
My tests:
Change password, zmcontrol restart, set active -> spam
Changed password, set active, zmcontrol restart -> spam
Changed password, zmcontrol stop, shutdown vm, set active -> spam

Sounds like it could be the Mailsploit bug....
https://bugzilla.zimbra.com/show_bug.cgi?id=108709
If fixed, you should see for example:
zimbra@zimbra:~$ zmprov ga john.doe@missioncriticalemail.com zimbraPrefShortEmailAddress
# name john.doe@missioncriticalemail.com
zimbraPrefShortEmailAddress: FALSE
Other things to check:
Are you the only Admin account on your Zimbra server?
Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
Are you enforcing a match between the SASL Authenticated user and the From address when sending emails? https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 . <<== For older versions
For later versions of Zimbra this is fixed, when fixed you should see for example on 8.8.8:
zimbra@zimbra:~$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | grep mismatch
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
zimbra@zimbra:~$
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Account compromised, impossible to stop spam
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
Or a malicious WordPress plugin installed on your 446.it website?
Have you explicitly set the website IP address into zimbraMtaMynetworks?
Re: Account compromised, impossible to stop spam
L. Mark Stone wrote:
Sounds like it could be the Mailsploit bug....
https://bugzilla.zimbra.com/show_bug.cgi?id=108709
If fixed, you should see for example:
zimbra@zimbra:~$ zmprov ga john.doe@missioncriticalemail.com zimbraPrefShortEmailAddress
# name john.doe@missioncriticalemail.com
zimbraPrefShortEmailAddress: FALSE
If set to TRUE, then you are exposed and for all of your mailboxes change it to FALSE.

It was TRUE and now it's FALSE. No spam just for a while, then it started again.

L. Mark Stone wrote: Other things to check:
Are you the only Admin account on your Zimbra server?

Yes, I am the only one, but francesco@446.it is not an administrator.

L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?

It's quite strange, but I deleted that account from all my devices and I have changed the password also from this laptop (brand new).

L. Mark Stone wrote: Are you enforcing a match between the SASL Authenticated user and the From address when sending emails? https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 . <<== For older versions
For later versions of Zimbra this is fixed, when fixed you should see for example on 8.8.8:
zimbra@zimbra:~$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | grep mismatch
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
zimbra@zimbra:~$
Hope that helps,
Mark

This is my file smtpd_sender_restrictions.cf:
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
Is it right?
So many tnx for help!
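Added example, not from the thread and not Zimbra code: a Python check that reduces each line of the pasted smtpd_sender_restrictions.cf template to the Postfix restriction it renders and verifies that reject_authenticated_sender_login_mismatch is present and listed before permit_sasl_authenticated (Postfix walks the list in order and stops at the first matching permit, so the opposite order would make the mismatch check unreachable for authenticated senders). How the %%exact / %%contains wrappers are reduced is my simplified reading of the template syntax, not zmconfigd's real engine; the mis-ordered counter-example is constructed.

```python
import re

# zmconfigd wraps conditional lines as %%exact VAR:attr value%% or
# %%contains VAR:attr needle^ text-to-emit%%. Assumption (a simplification,
# not Zimbra's template engine): with '^' the text after it is emitted,
# otherwise the matched value itself is. Plain lines are emitted as-is.
TEMPLATE_RE = re.compile(r"^%%(?P<mode>exact|contains) VAR:(?P<attr>\S+) (?P<body>.*)%%$")

# The file as pasted in the thread (mismatch check first, permits later).
GOOD_TEMPLATE = """\
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
"""

# Constructed counter-example: the mismatch check exists but sits behind the permits.
BAD_TEMPLATE = """\
permit_mynetworks
permit_sasl_authenticated
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
"""

MISMATCH = "reject_authenticated_sender_login_mismatch"


def restriction_name(line):
    """Return the Postfix restriction keyword a template line renders, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = TEMPLATE_RE.match(line)
    body = m["body"] if m else line
    if m and "^" in body:
        body = body.split("^", 1)[1]
    return body.split()[0]


def audit(template_text):
    """Return (rendered restriction keywords in order, list of findings)."""
    names = [n for n in map(restriction_name, template_text.splitlines()) if n]
    findings = []
    if MISMATCH not in names:
        findings.append(f"{MISMATCH} is not configured")
        return names, findings
    # Postfix evaluates smtpd_sender_restrictions top to bottom and stops at
    # the first permit_* that matches the client; anything listed after that
    # permit is dead for that client class. (The mismatch check additionally
    # needs smtpd_sender_login_maps in main.cf; that map is not checked here.)
    for permit in ("permit_sasl_authenticated", "permit_mynetworks"):
        if permit in names and names.index(permit) < names.index(MISMATCH):
            findings.append(f"{MISMATCH} is listed after {permit} and cannot fire for those clients")
    return names, findings


if __name__ == "__main__":
    for label, text in (("pasted file", GOOD_TEMPLATE), ("mis-ordered", BAD_TEMPLATE)):
        names, findings = audit(text)
        print(label, "->", names)
        print("  findings:", findings or "none")
```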
Re: Account compromised, impossible to stop spam
gabrieles wrote:
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
Or a malicious WordPress plugin installed on your 446.it website?
Have you explicitly set the website IP address into zimbraMtaMynetworks?

Many tnx for your contribution.
I have just deleted the 446.it and veloce.ovh WordPress sites.
zmprov gs mail.veloce.ovh zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 [::1]/128 192.168.5.0/24
192.168.5.1 mail
192.168.5.2 web
192.168.5.3 gateway
Re: Account compromised, impossible to stop spam
Posted by zimico (Outstanding Member):
I think you should not allow the whole subnet; change it to, for example:
zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 192.168.5.1/32 192.168.5.3/32'
postfix reload
Use a firewall to block the SMTP port on the web server. In my experience, do not let a web server also act as a mail server.
Regards.