Compromised account

ibraSitel
Posts: 1
Joined: Sun Apr 23, 2017 1:29 pm

Post by ibraSitel »

Hello,

We have an account that has been compromised and used for sending a lot of spam to random addresses, and sometimes especially to Yahoo addresses.
We're on a bunch of blacklists (senderbase.org).

Any idea how to prevent this?

Thanks.

Code:

[zimbra@mail]$ zmcontrol -v
Release 8.7.1_GA_1670.RHEL7_64_20161025045328 RHEL7_64 NETWORK edition.

The compromised account and from where (there are other IP addresses):

Code:

more /var/log/zimbra.log | grep sasl_method
Apr 23 08:25:31 mail postfix/smtps/smtpd[9225]: 6BAE3302E2C32: client=unknown[205.196.185.238], sasl_method=LOGIN, sasl_username=xxxx
Apr 23 08:25:32 mail postfix/smtps/smtpd[4130]: 5B020302E2C26: client=unknown[66.85.8.55], sasl_method=LOGIN, sasl_username=xxxxx
Apr 23 08:25:32 mail postfix/smtps/smtpd[3555]: 6DCA1302E2C34: client=host-72-175-37-115.kls-mt.client.bresnan.net[72.175.37.115], sasl_method=LOGIN, sasl_username=xxxx
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Compromised account

Post by DualBoot »

Hello,

Teach your users about phishing. But first, you must set the account in maintenance mode and change the password. And last but not least, tell your user whose account has been compromised not to set the old password again.

Regards,
Klug
Ambassador
Posts: 2767
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: Compromised account

Post by Klug »

You need to restart postfix once the password is changed (or the cached credentials and open sessions will still work).

I'm sorry the blog post is in French, but you'll get the idea by reading the script and modifying it for your needs.
https://blog.network-studio.fr/2014/07/ ... ui-spamme/
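
The grep in the first post lists every authenticated sender; the added example below (not code from this thread or from the linked blog post) turns the same zimbra.log line format into a check that flags any account authenticating over SASL from several distinct client IPs within a short window. The sample lines, user names, the threshold of 3 IPs and the 10-minute window are constructed assumptions to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd line written after a successful SASL login (zimbra.log format).
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)")

# Constructed sample: documentation IP ranges and invented users, not real data.
SAMPLE_LOG = """\
Apr 23 08:25:31 mail postfix/smtps/smtpd[9225]: 6BAE3302E2C32: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Apr 23 08:25:32 mail postfix/smtps/smtpd[4130]: 5B020302E2C26: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Apr 23 08:25:32 mail postfix/smtps/smtpd[3555]: 6DCA1302E2C34: client=host.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Apr 23 08:26:01 mail postfix/smtps/smtpd[3555]: 7A001302E2C40: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob
Apr 23 08:27:00 mail postfix/smtpd[3700]: connect from unknown[192.0.2.99]
Apr 23 09:40:10 mail postfix/smtps/smtpd[3601]: 7A001302E2C41: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob
"""

def flag_accounts(lines, min_ips=3, window=timedelta(minutes=10), year=None):
    """Return {user: sorted IPs} for accounts seen from at least min_ips
    distinct client IPs inside any `window`. Lines must be in time order."""
    year = year or datetime.now().year  # syslog timestamps carry no year
    recent = defaultdict(deque)         # user -> (timestamp, ip) still in window
    flagged = defaultdict(set)
    for line in lines:
        m = SASL_RE.match(line)
        if not m:
            continue                    # not a successful SASL login line
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}",
                               "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:    # drop logins older than the window
            q.popleft()
        ips = {ip for _, ip in q}
        if len(ips) >= min_ips:
            flagged[m["user"]] |= ips
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in flag_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {len(ips)} client IPs in 10 min: {', '.join(ips)}")
```

On a server, pass the open log file instead of the sample, for example `flag_accounts(open("/var/log/zimbra.log"))`.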