Recently I found a couple of accounts with really easy passwords that were compromised and sending out SPAM. I looked through the firewall rules for my Zimbra server and found that the following ports are open: 25, 80, 443, 465, 587, 993. I'm pretty sure 465, 587, and 993 are open so that people can use email clients on their phones, because if I turn that rule off I can't set up email on a smartphone anymore. I found the wiki page that lists out ports (https://wiki.zimbra.com/wiki/Ports) and noticed that 465 shouldn't even be used. 993 is what gets used for incoming mail, so I took out 465.
Also, I just performed the Outgoing spamming solution documented here: https://wiki.zimbra.com/wiki/Spamming_troubleshooting
Is there anything else I can do that will stop the hacks?
compromised account sending SPAM
Last edited by dparker on Wed Mar 20, 2019 3:09 pm, edited 1 time in total.
- akcurate-pbl
Re: compromised account sending SPAM
Hi dparker,
"a couple of accounts with really easy passwords that were compromised"
First, I'd recommend you to set up password policies to avoid this: Configure > Class of Service > default > Advanced > Password:
- Minimum password length: 8
- Minimum upper case characters: 1
- Minimum lower case characters: 1
- Minimum punctuation characters: 1
- Minimum numeric characters: 1
Second, in order to avoid brute force attacks, AFAIK Zimbra bans login attempts by default for a few minutes after a number of failed attempts. My experience is that it does not monitor all attempts. For that you can try Fail2Ban, which will ban specific IP addresses after a number of failed login attempts. The bad news is that it's not so easy to set up.
HTH,
Pedro.
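The idea behind the Fail2Ban suggestion in the reply above (flag an IP once it reaches a number of failed logins inside a time window), as an added Python example that is not part of the original posts and is not Fail2Ban's own code. The log lines are constructed and their layout (`oip=`, `account=`, `authentication failed`) is an assumption; `find_offenders`, `max_retry` and `find_time` are names chosen here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The field layout is an assumption modelled on an
# audit-style mail server log; adjust LINE_RE to match your real log format.
SAMPLE_LOG = """\
2019-03-20 10:00:01,120 WARN [oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; error=authentication failed;
2019-03-20 10:00:05,000 WARN [oip=198.51.100.9;] security - cmd=Auth; account=dave@example.com; error=authentication failed;
2019-03-20 10:00:40,310 WARN [oip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; error=authentication failed;
2019-03-20 10:01:55,002 WARN [oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; error=authentication failed;
2019-03-20 10:05:00,000 INFO [oip=192.0.2.4;] security - cmd=Auth; account=carol@example.com; protocol=imap;
2019-03-20 10:30:05,000 WARN [oip=198.51.100.9;] security - cmd=Auth; account=dave@example.com; error=authentication failed;
2019-03-20 11:00:05,000 WARN [oip=198.51.100.9;] security - cmd=Auth; account=dave@example.com; error=authentication failed;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"oip=(?P<ip>[0-9a-fA-F.:]+);.*?account=(?P<acct>[^;]+);.*authentication failed"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: accounts it tried} for every IP that reached max_retry
    failed logins within find_time. Assumes lines are in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)     # ip -> every account it failed against (whole log)
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        tried[m["ip"]].add(m["acct"])
        # Drop failures that have aged out of the sliding window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            offenders[m["ip"]] = tried[m["ip"]]
    return offenders

if __name__ == "__main__":
    for ip, accounts in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: failed logins for {sorted(accounts)}")
```

The slow source (three failures spread over an hour) stays under the default window, which is the trade-off to keep in mind when choosing the window and retry count.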
Re: compromised account sending SPAM
Hello, there is some way to limit the number of shipments per user per day and thus mitigate this type of problem. I have tried to use Cbpolicyd but without good results.
Thank you