Spam problem

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
vijendra
Posts: 14
Joined: Tue Mar 13, 2018 10:07 pm

Spam problem

Post by vijendra »

Hi All,
I am running Zimbra 8.6, and now many of our users are receiving spam email from their own IDs, with the subject "Change your password immediately. Your account has been hacked."

The email looks like this:
Subject: Change your password immediately. Your account has been hacked.

I greet you!

I have bad news for you.
11/08/2018 - on this day I hacked your operating system and got full access to your account xyz@example.com

It is useless to change the password, my malware intercepts it every time.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I'm talking about sites for adults.

I want to say - you are a big pervert. You have unbridled fantasy!

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.
I think $811 is a very small amount for my silence.
Besides, I spent a lot of time on you!

I accept money only in Bitcoins.
My BTC wallet: 1B1Vov1LTLGLcVG3ycPQhQLe81V67FZpMZ

You do not know how to replenish a Bitcoin wallet?
In any search engine write "how to send money to btc wallet".
It's easier than send money to a credit card!

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys".

I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don't be mad at me, everyone has their own work.
Farewell.
Can anyone help me with this?

Thanks,
Vijendra
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: Spam problem

Post by DualBoot »

Hello,

Here are some good practices to secure your mail service:
https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

Regards,
vijendra
Posts: 14
Joined: Tue Mar 13, 2018 10:07 pm

Re: Spam problem

Post by vijendra »

Is there any way to scan?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Spam problem

Post by phoenix »

vijendra wrote: Is there any way to scan?
Follow the instructions in the wiki articles that you've been given.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Spam problem

Post by JDunphy »

vijendra wrote: Is there any way to scan?
Postfix is the simplest, given that you stated these are forged, and dualcore has provided the links to stop this type of spam.

Another way, at a slightly higher level, is creating local SA rules, which would give you more options for future variations. Here are a few examples to show you what is possible.
If you have SPF and DKIM enabled and want to stop incoming email where they are spoofing your domains:

Code:

#spoofed from
header __SPFSENDER_FROM From =~ /\@example\.com|\@example\.net/i
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score  SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed
Add the above to /opt/zimbra/data/spamassassin/localrules/sauser.cf, then do the following as the zimbra user after you have made any changes.

Code:

% /opt/zimbra/common/bin/spamassassin --lint
If it's clean, without errors, then do this:

Code:

% zmantispamctl restart
Likewise, you could write your own custom rule:

Code:

body VIJENDRA_BITCOIN /I accept money only in Bitcoins|I have bad news for you/i
score VIJENDRA_BITCOIN 5.0
describe VIJENDRA_BITCOIN example of a custom rule
or:

Code:

header VIJENDRA_ChangePSSWD Subject =~ /Change your password immediately|Your account has been hacked/i
score  VIJENDRA_ChangePSSWD  5.0
describe VIJENDRA_ChangePSSWD rule to change password
Note: It is highly recommended that you learn about running spamassassin with the -D option so you can test and verify your rules instead of testing them live with Zimbra. If your rules fire, you will see VIJENDRA_BITCOIN, VIJENDRA_ChangePSSWD, etc. in the X-Spam-Status header line of the email message. Adjust the score of each rule depending on your environment. If you score past 15 (the default), it will not be delivered to the user's junk folder, so be careful with scores that are too high.
You could add this bitcoin rule to your local SA rules from this recent thread on the SA mailing list discussing your type of ransomware: http://spamassassin.1065346.n5.nabble.c ... 53164.html

Ref: https://wiki.apache.org/spamassassin/WritingRules
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: Spam problem

Post by davidkillingsworth »

#spoofed from
header __SPFSENDER_FROM From =~ /\@example\.com|\@example\.net/i
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed
Interesting.

We are getting a ton of email pretending to be admin@ouractualdomain.com, which shows the "name" of the From address as "admin@ourdomain.com", but if you click on the name in Zimbra webmail to see the actual email address, it shows, for example, asdlksasdf@somemaliciousdomain.co.in.

If I add the above code to my /opt/zimbra/data/spamassassin/localrules/sauser.cf without any other lines, will that be sufficient?

Also, am I correct in assuming that I need to change it from example.com and example.net to my actual domains?

Code:

#spoofed from
header __SPFSENDER_FROM From =~ /\@mydomain1\.com|\@mydomain2\.com|\@mydomain3\.com/i
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score  SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed
Would the above be correct if I had the actual domains mydomain1.com, mydomain2.com, and mydomain3.com configured as domains on my zimbra server?

Thanks,
David
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Spam problem

Post by JDunphy »

Not any more, but it does handle most cases... There is a variation of spoofing that is signed by the spammer, so my initial rule failed that case.
I do something extra now and use the Return-Path, which is the envelope-from address. You are correct that you add a string of domains. I keep it as 2 rules so I can track what they are trying.

Code:

header __SPFSENDER_FROM From =~ /example\.com|example2\.com/i
#meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID && !DKIM_VALID_AU)
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score  SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed

header __RETURNPATH_FROM Return-Path =~ /\@example\.com|\@example2\.com/i
meta SPOOFED_FROM_1 (!__RETURNPATH_FROM && __SPFSENDER_FROM && !DKIM_VALID_AU)
score  SPOOFED_FROM_1 7
describe SPOOFED_FROM_1 Spoofed Return-Path and From
I would recommend that you name these rules with your own prepended character, i.e. J_SPOOFED_FROM and J_SPOOFED_FROM1, so you know home-grown rules vs. SA rules. It helps in debugging later, especially when users build filters looking for these. Mine start with J so we all know who to blame for FPs. :-)

Ref:
# Note:
# DKIM_VALID - DKIM correctly signed
# DKIM_VALID_AU - signed by author's domain
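As an added example that is not from this thread or from SpamAssassin itself, here is a small Python dry-run of the header, body, meta and score lines JDunphy posted: it parses them and reports which rule names would show up in X-Spam-Status for a given message. It assumes DKIM_VALID_AU is supplied as a flag (real DKIM verification needs DNS), uses the thread's example.com/example2.com domains, and the sample message is constructed.

```python
# Constructed dry-run of the thread's SA rules, not SA's own engine: parses header/body/
# meta/score lines and reports which names would fire. DKIM_VALID_AU is passed in as a flag.
import re
from email import message_from_string
RULES = r"""
header __SPFSENDER_FROM From =~ /\@example\.com|\@example2\.com/i
header __RETURNPATH_FROM Return-Path =~ /\@example\.com|\@example2\.com/i
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score SPOOFED_FROM 7
meta SPOOFED_FROM_1 (!__RETURNPATH_FROM && __SPFSENDER_FROM && !DKIM_VALID_AU)
score SPOOFED_FROM_1 7
header VIJENDRA_ChangePSSWD Subject =~ /Change your password immediately|Your account has been hacked/i
score VIJENDRA_ChangePSSWD 5.0
body VIJENDRA_BITCOIN /I accept money only in Bitcoins|I have bad news for you/i
score VIJENDRA_BITCOIN 5.0
"""
LINE = re.compile(r"^\s*(header|body|meta|score)\s+(\S+)\s+(.*)$")
TEST = re.compile(r"^(?:(\S+)\s+=~\s+)?/(.*)/(i?)$")  # [Header =~] /regex/[i]

def parse_rules(text):
    rules = {}
    for m in filter(None, map(LINE.match, text.splitlines())):  # skips blanks and # comments
        kind, name, rest = m.groups()
        r = rules.setdefault(name, {"score": 1.0})  # SA's default score when none is given
        if kind == "score":
            r["score"] = float(rest)
        elif kind == "meta":
            r["meta"] = rest
        else:
            hdr, pat, flags = TEST.match(rest).groups()  # hdr is None for body rules
            r["test"] = (hdr, re.compile(pat, re.I if flags else 0))
    return rules

def evaluate(rules, raw_msg, dkim_valid_au=False):
    msg = message_from_string(raw_msg)
    hits = {"DKIM_VALID_AU": dkim_valid_au}
    for name, r in rules.items():  # header/body tests first, so metas can refer to them
        if "test" in r:
            hdr, pat = r["test"]
            hits[name] = bool(pat.search(msg.get_payload() if hdr is None else msg.get(hdr, "")))
    for name, r in rules.items():  # metas: SA's && || ! rewritten as Python booleans
        if "meta" in r:
            expr = r["meta"].replace("&&", " and ").replace("||", " or ").replace("!", " not ")
            hits[name] = bool(eval(expr, {"__builtins__": {}}, hits))  # admin-authored rules only
    fired = sorted(n for n in rules if hits.get(n) and not n.startswith("__"))
    return fired, sum(rules[n]["score"] for n in fired)
SAMPLE = """From: xyz@example.com
Return-Path: <bounce@somemaliciousdomain.invalid>
Subject: Change your password immediately. Your account has been hacked.

I have bad news for you. I accept money only in Bitcoins.
"""  # constructed sample shaped like the reported message: our domain in From, foreign Return-Path
```

Running `evaluate(parse_rules(RULES), SAMPLE)` fires both spoof rules plus the two VIJENDRA rules for a total of 24, while the same message with a valid author-domain DKIM signature only hits the content rules; for real verification, still run `spamassassin -D` as JDunphy recommends.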