compromised account sending SPAM

dparker
Posts: 7
Joined: Wed Dec 06, 2017 4:34 pm
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU16.64

Post by dparker »

Recently I found a couple of accounts with really easy passwords that were compromised and sending out SPAM. I looked through the firewall rules for my Zimbra server and found that the following ports are open: 25, 80, 443, 465, 587, 993. I'm pretty sure 465, 587, and 993 are open so that people can use email clients on their phones, because if I turn that rule off I can't set up email on a smartphone anymore. I found the wiki page that lists out ports (https://wiki.zimbra.com/wiki/Ports) and noticed that 465 shouldn't even be used. 993 is what gets used for incoming mail, so I took out 465.

Also, I just performed the Outgoing spamming solution documented here: https://wiki.zimbra.com/wiki/Spamming_troubleshooting

Is there anything else I can do that will stop the hacks?
Last edited by dparker on Wed Mar 20, 2019 3:09 pm, edited 1 time in total.
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: compromised account sending SPAM

Post by axslingr »

akcurate-pbl
Posts: 12
Joined: Fri Nov 09, 2018 10:23 am

Re: compromised account sending SPAM

Post by akcurate-pbl »

Hi dparker,
> a couple of accounts with really easy passwords that were compromised

First, I'd recommend that you set up password policies to avoid this: Configure > Class of Service > default > Advanced > Password:
- Minimum password length: 8
- Minimum upper case characters: 1
- Minimum lower case characters: 1
- Minimum punctuation characters: 1
- Minimum numeric characters: 1

Second, in order to avoid brute force attacks, AFAIK Zimbra bans login attempts by default for a few minutes after a number of failed attempts. My experience is that it does not monitor all attempts. For that you can try Fail2Ban, which will ban specific IP addresses after a number of failed login attempts. The bad news is that it's not so easy to set up.

HTH,

Pedro.
ALP_88
Posts: 6
Joined: Thu Aug 25, 2016 1:48 am

Re: compromised account sending SPAM

Post by ALP_88 »

Hello, there is some way to limit the number of shipments per user per day and thus mitigate this type of problem. I have tried to use Cbpolicyd but without good results.

Thank you