Zimbra server is sending email without my authorization.

gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Zimbra server is sending email without my authorization.

Post by gaelroma »

Hello there,

I have a Zimbra server 8.0.6. The info@ account is receiving continuous emails like this:

Undelivered Mail Returned to Sender

Code:

This is the mail system at host mail.mydomain.xxx

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<stelissi@tin.it>: host smtp.tin.it[62.211.72.32] said: 550 RCPT
    TO:<stelissi@tin.it> SMTP delivery not allowed (in reply to RCPT TO
    command)

There are thousands of emails like this, and the Zimbra log says:

Code:

Sep 27 12:53:31 mail postfix/smtpd[31575]: NOQUEUE: filter: RCPT from fw.mydomain.xxx[172.10.1.1]: <info@mydomain.xxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<info@mydomain.xxx> to=<6vellol@libero.it> proto=ESMTP helo=<WIN-4K804V6ADVQ>
Sep 27 12:53:31 mail postfix/smtpd[31575]: A2E4060F74C5: client=fw.mydomain.xxx[172.10.1.1]
Sep 27 12:53:31 mail postfix/cleanup[23304]: 9464060F74C3: message-id=<20180927105331.9464060F74C3@mail.mydomain.xxx>
Sep 27 12:53:31 mail amavis[18911]: (18911-02-302) Checking: aBuARQ99qyuG ORIGINATING/MYNETS [172.10.1.1] <info@mydomain.xxx> -> <r.perazzola@tiscali.it>
Sep 27 12:53:31 mail amavis[18911]: (18911-02-302) p001 1 Content-Type: text/html, size: 211 B, name:
Sep 27 12:53:31 mail postfix/qmgr[3576]: 9464060F74C3: from=<info@mydomain.xxx>, size=858, nrcpt=1 (queue active)
Sep 27 12:53:31 mail postfix/amavisd/smtpd[12862]: AB60460F74C4: client=localhost[127.0.0.1]
Sep 27 12:53:31 mail postfix/cleanup[23867]: AB60460F74C4: message-id=<20180927104112.1BFCE60B731D@mail.mydomain.xxx>
Sep 27 12:53:31 mail amavis[17008]: (17008-03-172) RjtGGQXli2XJ FWD from <info@mydomain.xxx> -> <stsam@libero.it>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AB60460F74C4
Sep 27 12:53:31 mail amavis[17008]: (17008-03-172) Passed CLEAN {RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:40098 [172.10.1.1] <info@mydomain.xxx> -> <stsam@libero.it>, Queue-ID: 552AE60F74CF, Message-ID: <20180927104112.1BFCE60B731D@mail.mydomain.xxx>, mail_id: RjtGGQXli2XJ, Hits: -1.273, size: 1800, queued_as: AB60460F74C4, dkim_sd=44247B92-B90E-11E8-92C2-5D28BD27C715:mydomain.xxx, 698 ms
Sep 27 12:53:31 mail amavis[17008]: (17008-03-172) TIMING-SA [total 623 ms, cpu 118 ms] - parse: 0.58 (0.1%), extract_message_metadata: 4.8 (0.8%), get_uri_detail_list: 0.23 (0.0%), tests_pri_-1000: 12 (1.9%), tests_pri_-950: 0.44 (0.1%), tests_pri_-900: 0.44 (0.1%), tests_pri_-400: 5 (0.8%), check_bayes: 4.6 (0.7%), b_tokenize: 1.43 (0.2%), b_tok_get_all: 1.06 (0.2%), b_comp_prob: 1.14 (0.2%), b_tok_touch_all: 0.09 (0.0%), b_finish: 0.26 (0.0%), tests_pri_-100: 2.3 (0.4%), check_spf: 0.15 (0.0%), tests_pri_0: 15 (2.4%), tests_pri_10: 575 (92.3%), check_razor2: 466 (74.9%), check_pyzor: 106 (17.1%), tests_pri_500: 1.43 (0.2%), get_report: 0.23 (0.0%)
Sep 27 12:53:31 mail amavis[17008]: (17008-03-172) size: 1800, TIMING [total 699 ms, cpu 139 ms, AM-cpu 21 ms, SA-cpu 118 ms] - lookup_ldap: 1.7 (0%)0, SMTP pre-DATA-flush: 0.3 (0%)0, SMTP DATA: 40 (6%)6, check_init: 0.1 (0%)6, digest_hdr: 0.8 (0%)6, digest_body_dkim: 1.8 (0%)6, collect_info: 1.0 (0%)7, mime_decode: 2.0 (0%)7, get-file-type1: 7 (1%)8, decompose_part: 0.3 (0%)8, parts_decode: 0.0 (0%)8, check_header: 0.3 (0%)8, spam-wb-list: 0.7 (0%)8, SA msg read: 0.2 (0%)8, SA parse: 0.9 (0%)8, SA check: 621 (89%)97, decide_mail_destiny: 2.7 (0%)97, notif-quar: 0.1 (0%)97, fwd-connect: 0.7 (0%)98, fwd-mail-pip: 13 (2%)99, fwd-rcpt-pip: 0.1 (0%)99, fwd-data-chkpnt: 0.0 (0%)99, write-header: 0.2 (0%)99, fwd-data-contents: 0.0 (0%)99, fwd-end-chkpnt: 0.9 (0%)100, prepare-dsn: 0.2 (0%)100, report: 0.6 (0%)100, main_log_entry: 1.7 (0%)100, update_snmp: 0.2 (0%)100, SMTP pre-response: 0.1 (0%)100, SMTP response: 0.1 (0%)100, unlink-1-files: 0.1 (0%)100, rundown: 0.4 (0%)100
Sep 27 12:53:31 mail amavis[17008]: (17008-03-172) size: 1800, RUSAGE minflt=10360+5199, majflt=0+0, nswap=0+0, inblock=0+0, oublock=40+0, msgsnd=0+0, msgrcv=0+0, nsignals=0+0, nvcsw=19+4, nivcsw=4+6, maxrss=111808+107612, ixrss=0+0, idrss=0+0, isrss=0+0, utime=0.073+0.045, stime=0.007+0.013
Sep 27 12:53:31 mail postfix/qmgr[3576]: AB60460F74C4: from=<info@mydomain.xxx>, size=2194, nrcpt=1 (queue active)
Sep 27 12:53:31 mail postfix/dkimmilter/smtpd[13142]: AC5C960F74C7: client=localhost[127.0.0.1]
Sep 27 12:53:31 mail postfix/error[18338]: AB60460F74C4: to=<stsam@libero.it>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host smtp-in.libero.it[213.209.1.129] refused to talk to me: 451 smtp-05.iol.local smtp-05.iol.local too many invalid recipients [smtp-05.iol.local; LIB_660])
Sep 27 12:53:31 mail postfix/smtp[23862]: 552AE60F74CF: to=<stsam@libero.it>, relay=127.0.0.1[127.0.0.1]:10032, conn_use=172, delay=398, delays=0.08/398/0/0.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AB60460F74C4)
Sep 27 12:53:31 mail postfix/qmgr[3576]: 552AE60F74CF: removed
Sep 27 12:53:31 mail postfix/cleanup[23304]: AC5C960F74C7: message-id=<20180927104653.D2BD260F74DC@mail.mydomain.xxx>
Sep 27 12:53:31 mail amavis[20606]: (20606-02-224) ESMTP:[127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20180927T125157-20606-FuuABbpM: <info@mydomain.xxx> -> <alessandra_pa80@libero.it> Received: from mail.mydomain.xxx ([127.0.0.1]) by localhost (mail.mydomain.xxx [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <alessandra_pa80@libero.it>; Thu, 27 Sep 2018 12:53:31 +0200 (CEST)
Sep 27 12:53:31 mail postfix/cleanup[23816]: A2E4060F74C5: message-id=<20180927105331.A2E4060F74C5@mail.mydomain.xxx>
Sep 27 12:53:31 mail postfix/qmgr[3576]: A2E4060F74C5: from=<info@mydomain.xxx>, size=862, nrcpt=1 (queue active)
Sep 27 12:53:31 mail amavis[20606]: (20606-02-224) Checking: sFkLBVnuLfXK ORIGINATING/MYNETS [172.10.1.1] <info@mydomain.xxx> -> <alessandra_pa80@libero.it>
Sep 27 12:53:31 mail amavis[20606]: (20606-02-224) p001 1 Content-Type: text/html, size: 214 B, name:
Sep 27 12:53:31 mail postfix/dkimmilter/smtpd[28004]: BAD0C60F74CA: client=localhost[127.0.0.1]
Sep 27 12:53:31 mail postfix/cleanup[23925]: BAD0C60F74CA: message-id=<20180927104653.D902E60F74DD@mail.mydomain.xxx>
Sep 27 12:53:31 mail postfix/smtpd[12759]: NOQUEUE: filter: RCPT from fw.mydomain.xxx[172.10.1.1]: <info@mydomain.xxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<info@mydomain.xxx> to=<polachiusa@libero.it> proto=ESMTP helo=<WIN-4K804V6ADVQ>
Sep 27 12:53:31 mail postfix/smtpd[12759]: BE45460F74C6: client=fw.mydomain.xxx[172.10.1.1]
Sep 27 12:53:31 mail amavis[18911]: (18911-02-302) aBuARQ99qyuG FWD from <info@mydomain.xxx> -> <r.perazzola@tiscali.it>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as AC5C960F74C7
Sep 27 12:53:31 mail postfix/qmgr[3576]: AC5C960F74C7: from=<info@mydomain.xxx>, size=1337, nrcpt=1 (queue active)
Sep 27 12:53:31 mail amavis[18911]: (18911-02-302) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [172.10.1.1]:51742 [172.10.1.1] <info@mydomain.xxx> -> <r.perazzola@tiscali.it>, Queue-ID: D2BD260F74DC, Message-ID: <20180927104653.D2BD260F74DC@mail.mydomain.xxx>, mail_id: aBuARQ99qyuG, Hits: -, size: 842, queued_as: AC5C960F74C7, 141 ms
Sep 27 12:53:31 mail amavis[18911]: (18911-02-302) size: 842, TIMING [total 142 ms, cpu 17 ms] - lookup_ldap: 2.2 (2%)2, SMTP pre-DATA-flush: 0.3 (0%)2, SMTP DATA: 39 (27%)29, check_init: 0.1 (0%)29, digest_hdr: 0.2 (0%)29, digest_body_dkim: 0.1 (0%)30, collect_info: 0.5 (0%)30, mime_decode: 1.9 (1%)31, get-file-type1: 7 (5%)36, decompose_part: 0.2 (0%)36, parts_decode: 0.0 (0%)36, check_header: 0.2 (0%)36, AV-scan-1: 2.9 (2%)38, decide_mail_destiny: 0.2 (0%)38, notif-quar: 0.1 (0%)39, fwd-connect: 0.7 (1%)39, fwd-mail-pip: 3.2 (2%)41, fwd-rcpt-pip: 0.1 (0%)41, fwd-data-chkpnt: 0.0 (0%)41, write-header: 0.1 (0%)41, fwd-data-contents: 0.0 (0%)42, fwd-end-chkpnt: 80 (56%)98, prepare-dsn: 0.3 (0%)98, report: 0.6 (0%)98, main_log_entry: 1.6 (1%)100, update_snmp: 0.2 (0%)100, SMTP pre-response: 0.1 (0%)100, SMTP response: 0.1 (0%)100, unlink-2-files: 0.1 (0%)100, rundown: 0.3 (0%)100
Sep 27 12:53:31 mail amavis[18911]: (18911-02-302) size: 842, RUSAGE minflt=2934+1265, majflt=0+0, nswap=0+0, inblock=0+0, oublock=24+0, msgsnd=0+0, msgrcv=0+0, nsignals=0+0, nvcsw=13+1, nivcsw=0+0, maxrss=110952+106916, ixrss=0+0, idrss=0+0, isrss=0+0, utime=0.008+0.002, stime=0.005+0.002
Sep 27 12:53:31 mail postfix/smtp[23812]: D2BD260F74DC: to=<r.perazzola@tiscali.it>, relay=127.0.0.1[127.0.0.1]:10026, conn_use=302, delay=398, delays=0.16/398/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as AC5C960F74C7)
Sep 27 12:53:31 mail postfix/qmgr[3576]: D2BD260F74DC: removed
Sep 27 12:53:31 mail amavis[17032]: (17032-01-181) ESMTP:[127.0.0.1]:10032 /opt/zimbra/data/amavisd/tmp/amavis-20180927T125011-17032-GeNSulJ1: <info@mydomain.xxx> -> <sttof66@libero.it> SIZE=1313 Received: from mail.mydomain.xxx ([127.0.0.1]) by localhost (mail.mydomain.xxx [127.0.0.1]) (amavisd-new, port 10032) with ESMTP for <sttof66@libero.it>; Thu, 27 Sep 2018 12:53:31 +0200 (CEST)
Sep 27 12:53:31 mail postfix/smtpd[31575]: NOQUEUE: filter: RCPT from fw.mydomain.xxx[172.10.1.1]: <info@mydomain.xxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<info@mydomain.xxx> to=<a.consorti1@tin.it> proto=ESMTP helo=<WIN-4K804V6ADVQ>
Sep 27 12:53:31 mail postfix/amavisd/smtpd[26018]: C973760F74CF: client=localhost[127.0.0.1]
Sep 27 12:53:31 mail postfix/cleanup[23816]: C973760F74CF: message-id=<20180927104112.4FDBC60B7325@mail.mydomain.xxx>
Sep 27 12:53:31 mail postfix/smtpd[31575]: C9C9360F74CC: client=fw.mydomain.xxx[172.10.1.1]

Now I have read posts that said it is likely a backscatter / NDR spam attack.

I have even made a rule in Policyd Web Administration to Reject Unlisted Domain, and I am sure that the server is not an open relay.

How can I solve this nightmare?

The log with

Code:

tail -f /var/log/zimbra.log

is continuously printing lines like the above...

And worse, email from accounts on the same Zimbra server domain ends up in the spam box.

Please help. Thanks.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Zimbra server is sending email without my authorization.

Post by pup_seba »

The last time I saw something like that, it was due to a phishing attack where the user filled in an online form with his credentials. So the spammers took over his account and, under preferences, modified the "reply to" address.

Maybe something like that happened to you? Check those values under the account "preferences" and if you see something weird in there, change the password for that account.

gl
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: Zimbra server is sending email without my authorization.

Post by gaelroma »

Thanks for the reply.

I don't think it is phishing because no one got an email; in fact, the first thing I did was change the password of all accounts.

Now I have created a policy restricting sending email to only the server's domain, but I am going to delete the info account.
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Continuing intrusion attempt

Post by gaelroma »

Hello there,

In my Zimbra log I see an intrusion attempt every 5 seconds:

Code:

Oct  2 21:18:07 mail saslauthd[3839]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ...
Oct  2 21:18:07 mail saslauthd[3839]: zmpost: url='https://mail.mydomain.xxx:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [demo02@mydomain.xxx]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp2054798982-16852:https://172.10.1.12:7071/service/admin/soap/:1538507887994:1b120dcc22e58d7a</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct  2 21:18:07 mail saslauthd[3839]: auth_zimbra: demo02@mydomain.xxx auth failed: authentication failed for [demo02@mydomain.xxx]
Oct  2 21:18:07 mail saslauthd[3839]: do_auth         : auth failure: [user=demo02@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct  2 21:18:07 mail postfix/smtpd[6973]: warning: fw.mydomain.xxx[172.10.1.1]: SASL LOGIN authentication failed: authentication failure
Oct  2 21:18:09 mail postfix/smtpd[6973]: disconnect from fw.mydomain.xxx[172.10.1.1]

The "authentication failed for" is made with random accounts.

Zimbra is behind a firewall, so I cannot see the original IP to block this bot/user.

I would like to know how I can interrupt these processes.

Can someone among us here help?

Thanks
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Zimbra server is sending email without my authorization.

Post by pup_seba »

Hi,

All the Zimbras I deploy are behind some sort of firewall, but we still log the originating IP. Maybe your case is different, but I would recommend you try this: https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

Once you make sure you are logging the originating IP (and this is important, otherwise you will block logging for all your users), implement:
- DOS Filter (for temporary blocking IP)
- Jetty login policy via COS (for temporary blocking an account)

Regards,
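As an added example (not from this thread and not Zimbra's own tooling), a small Python summarizer for the two kinds of zimbra.log lines quoted above: it counts outbound submissions per client IP, HELO and sender, and failed SMTP AUTH attempts per client IP and per username, then raises alerts over deliberately tiny thresholds. The sample lines are constructed from the excerpts in this thread; the demo03 username is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the zimbra.log lines quoted in this thread
# (same client, helo and sender; the demo03 username is made up).
SAMPLE_LOG = """\
Sep 27 12:53:31 mail postfix/smtpd[31575]: NOQUEUE: filter: RCPT from fw.mydomain.xxx[172.10.1.1]: <info@mydomain.xxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<info@mydomain.xxx> to=<6vellol@libero.it> proto=ESMTP helo=<WIN-4K804V6ADVQ>
Sep 27 12:53:31 mail postfix/smtpd[12759]: NOQUEUE: filter: RCPT from fw.mydomain.xxx[172.10.1.1]: <info@mydomain.xxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<info@mydomain.xxx> to=<polachiusa@libero.it> proto=ESMTP helo=<WIN-4K804V6ADVQ>
Sep 27 12:53:31 mail postfix/smtpd[31575]: NOQUEUE: filter: RCPT from fw.mydomain.xxx[172.10.1.1]: <info@mydomain.xxx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<info@mydomain.xxx> to=<a.consorti1@tin.it> proto=ESMTP helo=<WIN-4K804V6ADVQ>
Oct  2 21:18:07 mail saslauthd[3839]: do_auth         : auth failure: [user=demo02@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct  2 21:18:07 mail postfix/smtpd[6973]: warning: fw.mydomain.xxx[172.10.1.1]: SASL LOGIN authentication failed: authentication failure
Oct  2 21:18:12 mail saslauthd[3839]: do_auth         : auth failure: [user=demo03@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct  2 21:18:12 mail postfix/smtpd[6973]: warning: fw.mydomain.xxx[172.10.1.1]: SASL LOGIN authentication failed: authentication failure
"""

# Outbound submission accepted from MYNETS and handed to amavis (postfix/smtpd "filter" line).
FILTER_RE = re.compile(r"RCPT from \S+?\[(?P<ip>[^\]]+)\]: .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> .*?helo=<(?P<helo>[^>]*)>")
# Failed SMTP AUTH as seen by postfix (carries the client IP) and by saslauthd (carries the username).
SASL_RE = re.compile(r"warning: \S+?\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")
AUTH_RE = re.compile(r"auth failure: \[user=(?P<user>[^\]]+)\] \[service=(?P<service>[^\]]+)\]")

def summarize(log_text):
    """Count outbound messages per (client IP, HELO, sender) and SASL failures per client IP."""
    outbound, sasl_fail = Counter(), Counter()
    rcpt_domains, users_tried = defaultdict(set), set()
    for line in log_text.splitlines():
        if m := FILTER_RE.search(line):
            outbound[(m["ip"], m["helo"], m["sender"])] += 1
            rcpt_domains[m["sender"]].add(m["rcpt"].rsplit("@", 1)[-1])
        elif m := SASL_RE.search(line):
            sasl_fail[m["ip"]] += 1
        elif (m := AUTH_RE.search(line)) and m["service"] == "smtp":
            users_tried.add(m["user"])
    return {"outbound": outbound, "rcpt_domains": {k: sorted(v) for k, v in rcpt_domains.items()},
            "sasl_fail": sasl_fail, "users_tried": sorted(users_tried)}

def alerts(summary, max_msgs=2, max_fails=1):
    """Thresholds are deliberately tiny so the constructed sample trips both rules."""
    found = []
    for (ip, helo, sender), n in summary["outbound"].items():
        if n > max_msgs:
            found.append(f"outbound flood: {n} msgs from <{sender}> via {ip} helo={helo}")
    for ip, n in summary["sasl_fail"].items():
        if n > max_fails:
            found.append(f"SMTP AUTH brute force: {n} failures from {ip}, "
                         f"{len(summary['users_tried'])} distinct users tried")
    # Caveat: in this thread every event carries the firewall's address (172.10.1.1), so
    # per-IP counting and IP blocking only help once the real originating IP reaches the log.
    return found
```

Run `alerts(summarize(SAMPLE_LOG))` to see both alerts; on a real server feed it the output of `tail -f /var/log/zimbra.log` in batches and raise the thresholds to fit normal traffic.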