Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 10:08 am
by cesko446
Hi there,
I have a strange problem with my zimbra server:

zimbra@mail:~$ zmcontrol -v
Release 8.8.9.GA.3019.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.

Installed on Ubuntu Linux 16.04 updated and upgraded

zimbra@mail:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
NAME="Ubuntu"
VERSION="16.04.5 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.5 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Now the problem: I use a gateway server as a smarthost for all email, inbound and outbound.
I've noticed unusual activity regarding my account (I'm Francesco :O). I see a lot of spam mail from my account. Thinking it was a compromised password, I changed the status of my account from active to maintenance and changed the password.
For a while everything was fine, but suddenly spam activity from my address restarted. To stop it I had to block outgoing mail on the gateway's side with a filter.
It's impossible that a client is infected, because I've set up a new password (64 chars) from ssh, restarted, and never logged in, but the spam keeps going.
It's only on my account, francesco@446.it. I've tried deleting my account and creating cesko@446.it, and when I added francesco@446.it as an alias the spam kept going!!!

This is the evidence:
grep sasl_username /var/log/mail.log

Sep 19 09:32:52 mail postfix/smtps/smtpd[14967]: 63F0860379: client=unknown[191.53.201.152], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: 42B916037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: D101860379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: 562676037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:29 mail postfix/smtps/smtpd[20122]: BC35560379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:30 mail postfix/smtps/smtpd[20122]: 485A36037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:30 mail postfix/smtps/smtpd[20122]: EE2B360379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:31 mail postfix/smtps/smtpd[20122]: 896886037A: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:32 mail postfix/smtps/smtpd[20122]: 2FC6860379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:32 mail postfix/smtps/smtpd[20122]: CCB0E60379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:01 mail postfix/smtps/smtpd[21979]: 56D7B60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:04 mail postfix/smtps/smtpd[21979]: 3CD4060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:06 mail postfix/smtps/smtpd[21979]: 934EF60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:09 mail postfix/smtps/smtpd[21979]: 1F81D60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:11 mail postfix/smtps/smtpd[21979]: 7BFB960379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:13 mail postfix/smtps/smtpd[21979]: E0CB060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:16 mail postfix/smtps/smtpd[21979]: 3672E60379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:19 mail postfix/smtps/smtpd[21979]: 8063060379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:22 mail postfix/smtps/smtpd[21979]: 4191660379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:24 mail postfix/smtps/smtpd[21979]: B48F860379: client=162.37.235.186.geniosite.com.br[186.235.37.162], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:40 mail postfix/smtps/smtpd[24194]: 3A17A60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:42 mail postfix/smtps/smtpd[24194]: 8E08360379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:44 mail postfix/smtps/smtpd[24194]: E466160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:47 mail postfix/smtps/smtpd[24194]: 5229360379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:49 mail postfix/smtps/smtpd[24194]: 9607960379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:51 mail postfix/smtps/smtpd[24194]: D5D6160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:54 mail postfix/smtps/smtpd[24194]: 38F9760379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:56 mail postfix/smtps/smtpd[24194]: 8ADBB60379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:58 mail postfix/smtps/smtpd[24194]: E030160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:51:01 mail postfix/smtps/smtpd[24194]: 472E160379: client=unknown[191.53.206.223], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:06 mail postfix/smtps/smtpd[24194]: DD04D6037B: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:09 mail postfix/smtps/smtpd[24194]: CFFF460379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:12 mail postfix/smtps/smtpd[24194]: 29B9860379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:14 mail postfix/smtps/smtpd[24194]: 5E9AF60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:16 mail postfix/smtps/smtpd[24194]: BF76B60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:19 mail postfix/smtps/smtpd[24194]: 1D2C360379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:21 mail postfix/smtps/smtpd[24194]: 4EF9A60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:23 mail postfix/smtps/smtpd[24194]: 9B5A360379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:26 mail postfix/smtps/smtpd[24194]: 07AAB60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:52:28 mail postfix/smtps/smtpd[24194]: 3A7FB60379: client=unknown[191.53.18.225], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:41 mail postfix/smtps/smtpd[26569]: 78D7960379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:43 mail postfix/smtps/smtpd[26569]: 8D8DA60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:45 mail postfix/smtps/smtpd[26569]: A6B7260379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:47 mail postfix/smtps/smtpd[26569]: C02EC60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:49 mail postfix/smtps/smtpd[26569]: DB7A460379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:52 mail postfix/smtps/smtpd[26569]: 02A6B60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:54 mail postfix/smtps/smtpd[26569]: 1A82560379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:56 mail postfix/smtps/smtpd[26569]: 3215E60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:55:58 mail postfix/smtps/smtpd[26569]: 0D45E60379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:56:00 mail postfix/smtps/smtpd[26569]: 2571460379: client=unknown[187.85.207.247], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:07 mail postfix/smtps/smtpd[26569]: 2D84960379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:09 mail postfix/smtps/smtpd[26569]: CB25460379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:11 mail postfix/smtps/smtpd[26569]: F2FB160379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:14 mail postfix/smtps/smtpd[26569]: 27D7660379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:16 mail postfix/smtps/smtpd[26569]: 4ED6160379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:18 mail postfix/smtps/smtpd[26569]: 75DAA60379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:20 mail postfix/smtps/smtpd[26569]: 9DD8260379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:22 mail postfix/smtps/smtpd[26569]: C843260379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:24 mail postfix/smtps/smtpd[26569]: EFF8C60379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:57:27 mail postfix/smtps/smtpd[26569]: 26AC060379: client=unknown[177.10.241.78], sasl_method=LOGIN, sasl_username=francesco

Those are obviously fraudulent.
How is it possible? On the Ubuntu box I have already run rkhunter without any findings. The admin port (7071) is firewalled.

Can you help me guys?
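A small triage script over lines in the same format as the mail.log excerpt above, as an added example (not from the thread or from Zimbra): it groups accepted SASL submissions by sasl_username and flags accounts that authenticate from many distinct client IPs, which is the pattern in the evidence. The log lines embedded in it are constructed, not the poster's.

```python
import re
from collections import defaultdict

# Matches the postfix/smtps/smtpd lines quoted in the thread, e.g.
# Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[178.219.118.250], sasl_method=LOGIN, sasl_username=francesco
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>\S*)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)

# Constructed sample in the shape of the thread's excerpt (documentation IPs, not the poster's data)
SAMPLE_LOG = """\
Sep 19 09:32:52 mail postfix/smtps/smtpd[14967]: 63F0860379: client=unknown[198.51.100.10], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:27 mail postfix/smtps/smtpd[20122]: 8D5D960379: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:43:28 mail postfix/smtps/smtpd[20122]: 42B916037A: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:47:01 mail postfix/smtps/smtpd[21979]: 56D7B60379: client=host.example.net[192.0.2.44], sasl_method=LOGIN, sasl_username=francesco
Sep 19 09:50:40 mail postfix/submission/smtpd[24194]: 3A17A60379: client=unknown[192.168.5.20], sasl_method=LOGIN, sasl_username=cesko
Sep 19 09:51:12 mail postfix/smtpd[24200]: 9A17A60380: client=relay.example.org[192.0.2.9]
"""

def parse_sasl_events(text):
    """Yield (user, ip, queue_id) for each authenticated submission; unauthenticated lines are skipped."""
    for line in text.splitlines():
        m = SASL_RE.match(line)
        if m:
            yield m["user"], m["ip"], m["qid"]

def summarize(text):
    """Per SASL user: number of accepted messages and the set of distinct client IPs."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for user, ip, _qid in parse_sasl_events(text):
        stats[user]["messages"] += 1
        stats[user]["ips"].add(ip)
    return stats

def flag_suspicious(stats, max_distinct_ips=2):
    """A mailbox normally authenticates from a few devices; many distinct source IPs in one
    excerpt is the credential-abuse pattern shown in the thread. Threshold is a tunable guess."""
    return sorted(u for u, s in stats.items() if len(s["ips"]) > max_distinct_ips)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user, info in sorted(s.items()):
        print(f"{user}: {info['messages']} messages from {len(info['ips'])} IPs: {sorted(info['ips'])}")
    print("suspicious:", flag_suspicious(s))
```

Run it against the real file with `summarize(open("/var/log/mail.log").read())`; a user that stays flagged after a password change points at something other than the password (a session, token, or relay path that survived the reset).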

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 12:44 pm
by gabrieles
cesko446 wrote:... i've setup a new password (64 chars) from ssh and restart ...
What exactly did you restart?

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 1:23 pm
by cesko446
Hi and thanks for the reply:

My tests:
Changed password, zmcontrol restart, set active -> spam
Changed password, set active, zmcontrol restart -> spam
Changed password, zmcontrol stop, shutdown VM, set active -> spam

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 1:47 pm
by phoenix
Have you checked that your server is not an open relay?

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 1:56 pm
by cesko446
Hello there and thanks for the reply.
It's not an open relay.
My mail server is mail.veloce.ovh and my gateway is gateway.veloce.ovh.

I have a virtual configuration, so mail.veloce.ovh is 192.168.5.2 and gateway.veloce.ovh is 192.168.5.2.

192.168.5.2 has 993, 995, 465, 587 open (and sends everything to 192.168.5.4 port 26 on the intranet)
192.168.5.4 has 25 open

All ports are port-forwarded.

Attached: test from mxtoolbox.

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 1:58 pm
by L. Mark Stone
cesko446 wrote: Hi and thanks for the reply:

My tests:
Changed password, zmcontrol restart, set active -> spam
Changed password, set active, zmcontrol restart -> spam
Changed password, zmcontrol stop, shutdown VM, set active -> spam
Sounds like it could be the Mailsploit bug....
https://bugzilla.zimbra.com/show_bug.cgi?id=108709

If fixed, you should see for example:

Code:

zimbra@zimbra:~$ zmprov ga john.doe@missioncriticalemail.com zimbraPrefShortEmailAddress
# name john.doe@missioncriticalemail.com
zimbraPrefShortEmailAddress: FALSE
If set to TRUE, then you are exposed; change it to FALSE for all of your mailboxes.

Other things to check:
Are you the only Admin account on your Zimbra server?

Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?

Are you enforcing a match between the SASL Authenticated user and the From address when sending emails? https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 . <<== For older versions

For later versions of Zimbra this is fixed; when fixed you should see, for example on 8.8.8:

Code:

zimbra@zimbra:~$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | grep mismatch
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
zimbra@zimbra:~$ 
Hope that helps,
Mark

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 3:22 pm
by gabrieles
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
Or a malicious WordPress plugin installed on your 446.it website?
Have you explicitly set the website IP address in zimbraMtaMynetworks?

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 10:34 pm
by cesko446
L. Mark Stone wrote:
Sounds like it could be the Mailsploit bug....
https://bugzilla.zimbra.com/show_bug.cgi?id=108709

If fixed, you should see for example:

Code:

zimbra@zimbra:~$ zmprov ga john.doe@missioncriticalemail.com zimbraPrefShortEmailAddress
# name john.doe@missioncriticalemail.com
zimbraPrefShortEmailAddress: FALSE
If set to TRUE, then you are exposed; change it to FALSE for all of your mailboxes.
It was TRUE and now it's FALSE. No spam for a while, then it started again.
L. Mark Stone wrote: Other things to check:
Are you the only Admin account on your Zimbra server?
Yes I am the only one but francesco@446.it is not an administrator.
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
It's quite strange, but I deleted that account from all my devices and I have also changed the password from this laptop (brand new).
L. Mark Stone wrote: Are you enforcing a match between the SASL Authenticated user and the From address when sending emails? https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 . <<== For older versions

For later versions of Zimbra this is fixed; when fixed you should see, for example on 8.8.8:

Code:

zimbra@zimbra:~$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | grep mismatch
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
zimbra@zimbra:~$ 
This is my file smtpd_sender_restrictions.cf:
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%

Is it right?
Many thanks for the help!

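The ordering point behind Mark's check and the template cesko446 posted, as an added example (not from the thread or from Zimbra): Postfix walks smtpd_sender_restrictions top to bottom and stops at the first permit, so reject_authenticated_sender_login_mismatch only protects if it renders before permit_sasl_authenticated. The handling of the %%exact/%%contains markers is my reading of the zmconfigd template syntax, and the sample template is constructed.

```python
import re

# Constructed sample in the shape of /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
# as quoted in the thread (not the poster's exact file).
TEMPLATE = """\
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
"""

MISMATCH = "reject_authenticated_sender_login_mismatch"
PERMIT_AUTH = "permit_sasl_authenticated"
COND_RE = re.compile(r"^%%(exact|contains) VAR:(\S+) (.*)%%$")

def render(template, enabled=True):
    """Approximate zmconfigd rendering: plain lines are kept; a %%exact/%%contains line is
    emitted only if its LDAP condition holds (simulated here by `enabled`). My reading of the
    syntax: 'pattern^ text' emits text; otherwise the matched value itself is emitted."""
    out = []
    for line in (l.strip() for l in template.splitlines() if l.strip()):
        m = COND_RE.match(line)
        if not m:
            out.append(line)
        elif enabled:
            rest = m.group(3)
            out.append(rest.split("^ ", 1)[1] if "^ " in rest else rest)
    return out

def check_sender_restrictions(rendered):
    """Postfix evaluates the list in order and stops at the first permit_*, so the login-mismatch
    check is effective only if it is present and precedes permit_sasl_authenticated."""
    findings = []
    if MISMATCH not in rendered:
        findings.append(f"{MISMATCH} missing: authenticated users may use any From address")
    elif PERMIT_AUTH in rendered and rendered.index(MISMATCH) > rendered.index(PERMIT_AUTH):
        findings.append(f"{MISMATCH} listed after {PERMIT_AUTH}: never reached for SASL clients")
    return findings

if __name__ == "__main__":
    for enabled in (True, False):
        rendered = render(TEMPLATE, enabled)
        print(rendered, check_sender_restrictions(rendered) or "OK")
```

The template being right is not the whole story: the %%exact line is only rendered when zimbraMtaSmtpdSenderRestrictions actually carries that value, so also confirm the attribute with `zmprov gs` and the rendered Postfix setting with `postconf smtpd_sender_restrictions`.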

Re: Account compromised impossible to stop spam

Posted: Wed Sep 19, 2018 10:39 pm
by cesko446
gabrieles wrote:
L. Mark Stone wrote: Any chance that your workstation/laptop from which you ssh'd in to Zimbra to make your password change has a keystroke logger compromise installed?
Or a malicious WordPress plugin installed on your 446.it website?
Have you explicitly set the website IP address in zimbraMtaMynetworks?
Many thanks for your contribution:
I have just deleted the 446.it and veloce.ovh WordPress sites.

Code:

zmprov gs mail.veloce.ovh zimbraMtaMyNetworks
# name mail.veloce.ovh
zimbraMtaMyNetworks: 127.0.0.0/8 [::1]/128 192.168.5.0/24

192.168.5.1 mail
192.168.5.2 web
192.168.5.3 gateway

Re: Account compromised impossible to stop spam

Posted: Thu Sep 20, 2018 2:58 am
by zimico
I think you should not allow the whole subnet; change it to, for example:

Code:

zmprov ms `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 192.168.5.1/32 192.168.5.3/32'
postfix reload
Use the firewall to block the SMTP port on the web server. In my experience, do not allow a web server to have mail server functions.
Regards.