Account compromised, impossible to stop spam

cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

zimico wrote: I think you should not allow the whole subnet; change it to, for example:

zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 192.168.5.1/32 192.168.5.3/32'
postfix reload
Use a firewall to block the SMTP port on the web server. In my experience, do not allow a web server to have an email server function.
Regards.
Firewalled the web server and modified zimbraMtaMyNetworks... It keeps spamming and spamming.

Unbelievable... Really... I've just changed the IP; could this be the problem? I really don't know how to stop it... :((((((((
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Account compromised, impossible to stop spam

Post by phoenix »

Do you actually know where the spam is originating? Could you possibly have an infected/compromised machine on your network?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

phoenix wrote: Do you actually know where the spam is originating? Could you possibly have an infected/compromised machine on your network?
Hi, and thanks for your support.

This is mail.log while the spamming is happening:

Sep 20 14:47:59 mail postfix/qmgr[13032]: A01BA602AC: removed
Sep 20 14:47:59 mail postfix/amavisd/smtpd[14620]: connect from localhost[127.0.0.1]
Sep 20 14:47:59 mail postfix/amavisd/smtpd[14620]: 51EF1602AC: client=localhost[127.0.0.1]
Sep 20 14:47:59 mail postfix/cleanup[16462]: 51EF1602AC: message-id=<E838F036-36FB-D531-7081-8868A2A8D666@446.it>
Sep 20 14:47:59 mail postfix/qmgr[13032]: 51EF1602AC: from=<francesco@446.it>, size=2333, nrcpt=1 (queue active)
Sep 20 14:47:59 mail postfix/smtp[16463]: 0E5FD603AF: to=<lerica123gh@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.29, delays=0.1/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 51EF1602AC)
Sep 20 14:47:59 mail postfix/qmgr[13032]: 0E5FD603AF: removed
Sep 20 14:47:59 mail postfix/smtp[16466]: 51EF1602AC: to=<lerica123gh@yahoo.com>, relay=gateway.veloce.ovh[192.168.5.4]:26, delay=0.04, delays=0.01/0/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5907C80778)
Sep 20 14:47:59 mail postfix/qmgr[13032]: 51EF1602AC: removed
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: NOQUEUE: filter: RCPT from unknown[177.66.225.182]: <francesco@446.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<francesco@446.it> to=<toddyjim@gmail.com> proto=ESMTP helo=<192.168.0.07>
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: 04B08602AC: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:01 mail postfix/cleanup[16462]: 04B08602AC: message-id=<1B337FE1-3D3B-AA31-2518-F043AD533D60@446.it>
Sep 20 14:48:01 mail postfix/qmgr[13032]: 04B08602AC: from=<francesco@446.it>, size=880, nrcpt=1 (queue active)
Sep 20 14:48:01 mail postfix/dkimmilter/smtpd[14676]: connect from localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/dkimmilter/smtpd[14676]: 72DC6603AF: client=localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/cleanup[16462]: 72DC6603AF: message-id=<1B337FE1-3D3B-AA31-2518-F043AD533D60@446.it>
Sep 20 14:48:01 mail postfix/qmgr[13032]: 72DC6603AF: from=<francesco@446.it>, size=1344, nrcpt=1 (queue active)
Sep 20 14:48:01 mail postfix/smtp[16465]: 04B08602AC: to=<toddyjim@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.1, delays=1.9/0/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 72DC6603AF)
Sep 20 14:48:01 mail postfix/qmgr[13032]: 04B08602AC: removed
Sep 20 14:48:01 mail postfix/amavisd/smtpd[14600]: connect from localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/amavisd/smtpd[14600]: B19CE602AC: client=localhost[127.0.0.1]
Sep 20 14:48:01 mail postfix/cleanup[16462]: B19CE602AC: message-id=<1B337FE1-3D3B-AA31-2518-F043AD533D60@446.it>
Sep 20 14:48:01 mail postfix/qmgr[13032]: B19CE602AC: from=<francesco@446.it>, size=2344, nrcpt=1 (queue active)
Sep 20 14:48:01 mail postfix/smtp[16463]: 72DC6603AF: to=<toddyjim@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.29, delays=0.1/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B19CE602AC)
Sep 20 14:48:01 mail postfix/qmgr[13032]: 72DC6603AF: removed
Sep 20 14:48:01 mail postfix/smtp[16466]: B19CE602AC: to=<toddyjim@gmail.com>, relay=gateway.veloce.ovh[192.168.5.4]:26, delay=0.04, delays=0.01/0/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BA13580778)
Sep 20 14:48:01 mail postfix/qmgr[13032]: B19CE602AC: removed
Sep 20 14:48:02 mail postfix/smtps/smtpd[16097]: NOQUEUE: filter: RCPT from unknown[177.66.225.182]: <francesco@446.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<francesco@446.it> to=<wildoneusa@aol.com> proto=ESMTP helo=<192.168.0.07>
Sep 20 14:48:02 mail postfix/smtps/smtpd[16097]: 6010D603CD: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:03 mail postfix/cleanup[16462]: 6010D603CD: message-id=<9CE89034-C470-9717-B5FA-89AA21A6BE57@446.it>
Sep 20 14:48:03 mail postfix/qmgr[13032]: 6010D603CD: from=<francesco@446.it>, size=789, nrcpt=1 (queue active)
Sep 20 14:48:03 mail postfix/dkimmilter/smtpd[14655]: connect from localhost[127.0.0.1]
Sep 20 14:48:03 mail postfix/dkimmilter/smtpd[14655]: C13DA603DB: client=localhost[127.0.0.1]
Sep 20 14:48:03 mail postfix/cleanup[16462]: C13DA603DB: message-id=<9CE89034-C470-9717-B5FA-89AA21A6BE57@446.it>
Sep 20 14:48:03 mail postfix/qmgr[13032]: C13DA603DB: from=<francesco@446.it>, size=1253, nrcpt=1 (queue active)
Sep 20 14:48:03 mail postfix/smtp[16465]: 6010D603CD: to=<wildoneusa@aol.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=2, delays=1.8/0/0/0.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as C13DA603DB)
Sep 20 14:48:03 mail postfix/qmgr[13032]: 6010D603CD: removed
Sep 20 14:48:04 mail postfix/amavisd/smtpd[14659]: connect from localhost[127.0.0.1]
Sep 20 14:48:04 mail postfix/amavisd/smtpd[14659]: 0D6F0603CD: client=localhost[127.0.0.1]
Sep 20 14:48:04 mail postfix/cleanup[16462]: 0D6F0603CD: message-id=<9CE89034-C470-9717-B5FA-89AA21A6BE57@446.it>
Sep 20 14:48:04 mail postfix/qmgr[13032]: 0D6F0603CD: from=<francesco@446.it>, size=2253, nrcpt=1 (queue active)
Sep 20 14:48:04 mail postfix/amavisd/smtpd[14659]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 20 14:48:04 mail postfix/smtp[16463]: C13DA603DB: to=<wildoneusa@aol.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.28, delays=0.1/0.01/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0D6F0603CD)
Sep 20 14:48:04 mail postfix/qmgr[13032]: C13DA603DB: removed
Sep 20 14:48:04 mail postfix/smtp[16466]: 0D6F0603CD: to=<wildoneusa@aol.com>, relay=gateway.veloce.ovh[192.168.5.4]:26, delay=0.03, delays=0.01/0/0.02/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 13AE280778)
Sep 20 14:48:04 mail postfix/qmgr[13032]: 0D6F0603CD: removed
Sep 20 14:48:04 mail postfix/smtps/smtpd[16097]: disconnect from unknown[177.66.225.182] ehlo=1 auth=1 mail=10 rcpt=10 data=10 commands=32

And attached is my gateway filter.

Thanks for the support. Really.
Attachment: gateway.jpg (53.71 KiB)
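The log excerpt above already answers phoenix's question: the submissions arrive on the smtps submission port with `sasl_method=LOGIN, sasl_username=francesco` from an outside client, and each session ends with a disconnect summary (`mail=10 rcpt=10`) that shows how many messages went through it. The following Python script is an added example, not code from this thread or from Zimbra; it pulls exactly those two indicators out of postfix `smtpd` lines, groups authenticated submissions per account, flags accounts whose logins come from outside an assumed list of trusted networks, and lists sessions that submitted more messages than an assumed per-session threshold. The sample lines are constructed, modelled on the excerpt in the post, with a second account added so that the trusted/untrusted distinction is visible.

```python
"""Triage postfix smtpd log lines for abused SASL accounts and bulk sessions.

Added example for this thread; not part of Zimbra or of the original post.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the excerpt posted in the thread.
# The second account ("anna" from 192.168.5.20) is invented for contrast.
SAMPLE_LOG = """\
Sep 20 14:48:00 mail postfix/smtps/smtpd[16097]: 04B08602AC: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:01 mail postfix/qmgr[13032]: 04B08602AC: from=<francesco@446.it>, size=880, nrcpt=1 (queue active)
Sep 20 14:48:02 mail postfix/smtps/smtpd[16097]: 6010D603CD: client=unknown[177.66.225.182], sasl_method=LOGIN, sasl_username=francesco
Sep 20 14:48:04 mail postfix/smtps/smtpd[16097]: disconnect from unknown[177.66.225.182] ehlo=1 auth=1 mail=10 rcpt=10 data=10 commands=32
Sep 20 14:50:10 mail postfix/smtps/smtpd[16120]: 7A11B603F0: client=unknown[192.168.5.20], sasl_method=LOGIN, sasl_username=anna
Sep 20 14:50:12 mail postfix/smtps/smtpd[16120]: disconnect from unknown[192.168.5.20] ehlo=1 auth=1 mail=1 rcpt=1 data=1 commands=5
"""

# Assumed trusted networks: loopback plus the LAN seen in the thread's log.
TRUSTED_NETWORKS = ["127.0.0.0/8", "192.168.5.0/24"]

# An smtpd line recording an authenticated submission (queue id, client, SASL user).
CLIENT_RE = re.compile(
    r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r", sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)
# The per-session summary postfix writes at disconnect (mail= and rcpt= counts).
DISCONNECT_RE = re.compile(
    r"smtpd\[\d+\]: disconnect from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r".*?\bmail=(?P<mail>\d+) rcpt=(?P<rcpt>\d+)"
)


def analyze(lines, trusted_cidrs, max_mail_per_session=5):
    """Return per-account submission sources and sessions above the mail threshold."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    by_user = defaultdict(lambda: {"messages": 0, "sources": set(), "untrusted_sources": set()})
    bulk_sessions = []

    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            rec = by_user[m["user"]]
            rec["messages"] += 1
            rec["sources"].add(m["ip"])
            # A login from outside the trusted networks is the indicator the
            # thread's log shows: the account is being used from elsewhere.
            if not any(ip_address(m["ip"]) in net for net in trusted):
                rec["untrusted_sources"].add(m["ip"])
            continue
        m = DISCONNECT_RE.search(line)
        if m and int(m["mail"]) > max_mail_per_session:
            bulk_sessions.append({"ip": m["ip"], "mail": int(m["mail"]), "rcpt": int(m["rcpt"])})

    return {
        "by_user": {
            user: {
                "messages": rec["messages"],
                "sources": sorted(rec["sources"]),
                "untrusted_sources": sorted(rec["untrusted_sources"]),
            }
            for user, rec in by_user.items()
        },
        "bulk_sessions": bulk_sessions,
    }


def flagged_users(result):
    """Accounts that authenticated from at least one untrusted source."""
    return sorted(u for u, rec in result["by_user"].items() if rec["untrusted_sources"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines(), TRUSTED_NETWORKS, max_mail_per_session=5)
    for user, rec in result["by_user"].items():
        print(f"{user}: {rec['messages']} submission(s) from {rec['sources']}; "
              f"untrusted: {rec['untrusted_sources']}")
    for s in result["bulk_sessions"]:
        print(f"bulk session from {s['ip']}: mail={s['mail']} rcpt={s['rcpt']}")
    print("accounts to lock and re-credential:", flagged_users(result))
```

On a real server the same function can be fed `/var/log/zimbra.log` or `mail.log` line by line; the account it flags is the one whose password needs changing and whose sessions need to be killed, and the per-session `mail=` counts are what JDunphy's `smtpd_recipient_limit` suggestion later in the thread is tuned against.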
gabrieles
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Account compromised, impossible to stop spam

Post by gabrieles »

Go for these steps:
- Disable authentication at MTA level, then restart MTA service.
- Restrict zimbraMtaMynetworks to the mailserver only.

It can't spam this way; if it keeps spamming, it will come from the machine itself.
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

gabrieles wrote: Go for these steps:
- Disable authentication at MTA level, then restart MTA service.
- Restrict zimbraMtaMynetworks to the mailserver only.

It can't spam this way; if it keeps spamming, it will come from the machine itself.
How do I enforce this one: "Disable authentication at MTA level, then restart MTA service"?
Restrict zimbraMtaMynetworks to the mailserver only: done.
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Account compromised, impossible to stop spam

Post by cesko446 »

gabrieles wrote: Go for these steps:
- Disable authentication at MTA level, then restart MTA service.
- Restrict zimbraMtaMynetworks to the mailserver only.

It can't spam this way; if it keeps spamming, it will come from the machine itself.

I used this:

zmprov modifyServer mail.veloce.ovh zimbraMtaAuthEnabled FALSE
and this:

zmprov modifyServer mail.veloce.ovh zimbraMtaSaslAuthEnable no
And now I can't send or receive, but they keep spamming. I'm going crazy. :)

What the hell is that?!
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Account compromised, impossible to stop spam

Post by JDunphy »

One thing you might consider is to prevent them by rejecting the email if they attempt to use multiple recipients per email. Set it just below what they are using. For example, if they are sending 20 then setting it to 19 will abort that submission... note the current default so you can reset it after all this is resolved.

su - zimbra
postconf | grep recipient_limit
postconf -e 'smtpd_recipient_limit=19'
/opt/zimbra/postfix/sbin/postfix reload
That should give you some time to investigate this further. Watch your logs, everything should be in there with how many they are sending per instance.
gabrieles
Outstanding Member
Posts: 233
Joined: Tue Feb 14, 2017 9:40 am

Re: Account compromised, impossible to stop spam

Post by gabrieles »

cesko446 wrote: zimbraMtaAuthEnabled FALSE
zimbraMtaSaslAuthEnable no
Restrict zimbraMtaMynetworks to the mailserver only: done.
Then by definition only the local machine can send unauthenticated. Check if it has been compromised: check auth.log, who, last, crontabs...