Spam problem

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
vijendra
Posts: 12
Joined: Tue Mar 13, 2018 10:07 pm

Spam problem

Postby vijendra » Wed Nov 07, 2018 1:43 pm

Hi All,
I am running on zimbra 8.6 and now many of our user facing spam email from their own id and subject is "Change your password immediately. Your account has been hacked."

email should like

Subject: Change your password immediately. Your account has been hacked.

I greet you!

I have bad news for you.
11/08/2018 - on this day I hacked your operating system and got full access to your account xyz@example.com

It is useless to change the password, my malware intercepts it every time.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.

I want to say - you are a big pervert. You have unbridled fantasy!

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $811 is a very small amount for my silence.
Besides, I spent a lot of time on you!

I accept money only in Bitcoins.
My BTC wallet: 1B1Vov1LTLGLcVG3ycPQhQLe81V67FZpMZ

You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".

I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don't be mad at me, everyone has their own work.
Farewell.


Can anyone help me on this.

Thanks,
Vijendra


User avatar
DualBoot
Outstanding Member
Outstanding Member
Posts: 803
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Mutli servers

Re: Spam problem

Postby DualBoot » Fri Nov 09, 2018 1:40 pm

vijendra
Posts: 12
Joined: Tue Mar 13, 2018 10:07 pm

Re: Spam problem

Postby vijendra » Mon Nov 12, 2018 6:17 pm

IS there any way to scan ?
phoenix
Ambassador
Ambassador
Posts: 25772
Joined: Fri Sep 12, 2014 9:56 pm

Re: Spam problem

Postby phoenix » Mon Nov 12, 2018 6:50 pm

vijendra wrote:IS there any way to scan ?
Follow the instructions in the wiki articles that you've been given.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 301
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P7
Contact:

Re: Spam problem

Postby JDunphy » Mon Nov 12, 2018 7:35 pm

vijendra wrote:IS there any way to scan ?

Postfix is the simplest given you stated these are forged and dualcore has provided the links to stop this type of spam.

Another way at a little higher level is creating local SA rules which would provide you more options for future variations and a few examples to show you what is possible.
If you have SPF and DKIM enabled and want to stop incoming email where they are spoofing your domains.

Code: Select all

#spoofed from
header __SPFSENDER_FROM From =~ /\@example\.com|\@example\.net/i
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score  SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed

Add the above to /opt/zimbra/data/spamassassin/localrules/sauser.cf then do the following as the zimbra user after you have made any changes.

Code: Select all

% /opt/zimbra/common/bin/spamassassin --lint

if it's clean without errors.. then do this

Code: Select all

% zmantispamctl restart

Likewise, you could do your own custom rule

Code: Select all

body VIJENDRA_BITCOIN /I accept money only in Bitcoins|I have bad news for you/i
score VIJENDRA_BITCOIN 5.0
describe VIJENDRA_BITCOIN example of a custom rule

or

Code: Select all

header VIJENDRA_ChangePSSWD Subject =~ /Change your password immediately|Your account has been hacked/i
score  VIJENDRA_ChangePSSWD  5.0
describe VIJENDRA_ChangePSSWD rule to change password

Note: Highly recommended you learn about running spamassassin with the -D option so you can test and verify your rules instead of testing them live with zimbra. If your rules fire, you will see VIJENDRA_BITCOIN, VIJENDRA_ChangePSSWD, etc in the header X-Spam-Status line in the email message. Adjust the score of each rule depending on your environment. If you score past 15 (default), it will not be delivered to the user's junk folder so be careful with too high of scores.
You could add this bitcoin rule to your local SA rules from this recent thread in the SA mailing list discussing your type of ransomware. http://spamassassin.1065346.n5.nabble.com/Bitcoin-update-td153164.html

Ref: https://wiki.apache.org/spamassassin/WritingRules

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 26 guests