Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

bvillers · Post by **bvillers** » Tue Jun 08, 2021 1:42 pm

Newbie, here.

Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Successfully performed in-place upgrade from community (v.8.8) to Enterprise ZCS (v.9.0) two months ago.

I have had constant DDOS and SPAM attacks on the ZCS server.

Gotten blacklisted by several organizations, several times.

Help! Please.

phoenix · Post by **phoenix** » Tue Jun 08, 2021 1:50 pm

Two things to start with: have you checked if your server is an open relay; have you checked if your server (or LAN) has been hacked? Have you also checked the log files to see any suspicious activity on your server? What research have you done to find the 'culprit' on your server or internal network?

bvillers · Post by **bvillers** » Tue Jun 08, 2021 1:58 pm

Via https://mxtoolbox.com, I checked whether server is open relay:

Test results state "Not an open relay"

Test Result
SMTP Banner Check Reverse DNS does not match SMTP Banner More Info
SMTP Reverse DNS Mismatch OK - 123.123.123.125 resolves to myemaildomain.net
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP TLS OK - Supports TLS.
SMTP Connection Time 0.281 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 0.826 seconds - Good on Transaction Time

Server does not appear to be hacked.

I will check logs now.

bvillers · Post by **bvillers** » Tue Jun 08, 2021 2:04 pm

As newbie....

What are some telltale signs in logs?

bvillers · Post by **bvillers** » Tue Jun 08, 2021 5:42 pm

Located culprit in /var/log/zimbra.log file:

There are 100k entries like these.

I'm not yet sure what to do besides changing the password for our user, email-user@myemaildomain.net.

I changed pwd. Need to protect against recurrence.

Let me know if you have additional suggestions.

Thanks for your help.

Jun 7 03:41:04 emailserver amavis[23502]: (23502-10) Checking: BzMdnRnP-50a ORIGINATING [92.38.149.172] <support@myemaildomain.net> -> <romania@ksp.com>

Jun 7 03:41:04 emailserver postfix/smtps/smtpd[37439]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<dolgov@pinro.ru> proto=ESMTP helo=<us75.seed4.me>

Jun 7 03:41:04 emailserver postfix/smtps/smtpd[37439]: C64B720D798CB: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net

Jun 7 03:41:04 emailserver amavis[23502]: (23502-10) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [92.38.149.172]:55000 [92.38.149.172] <support@myemaildomain.net> -> <romania@ksp.com>, Queue-ID: 4A36B20DB1DF3, Message-ID: <20210607070838.D201D693D8D5AB78@myemaildomain.net>, mail_id: BzMdnRnP-50a, Hits: -, size: 9111, queued_as: C195720A76C13, 453 ms

Jun 7 03:41:04 emailserver amavis[23502]: (23502-11) Checking: 9kuxxXeLCKYW ORIGINATING [92.38.149.172] <support@myemaildomain.net> -> <saudiarabia@ksp.com>

Jun 7 03:41:05 emailserver amavis[23502]: (23502-11) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [92.38.149.172]:54958 [92.38.149.172] <support@myemaildomain.net> -> <saudiarabia@ksp.com>, Queue-ID: 4CF1820C387E8, Message-ID: <20210607070847.D0536A4932DED9B1@myemaildomain.net>, mail_id: 9kuxxXeLCKYW, Hits: -, size: 9139, queued_as: 0958E20A15580, 244 ms

Jun 7 03:41:05 emailserver amavis[23502]: (23502-11-2) Checking: sZhI6cdYJdrt ORIGINATING [92.38.149.172] <support@myemaildomain.net> -> <southkorea@ksp.com>

Jun 7 03:41:05 emailserver amavis[23502]: (23502-11-2) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [92.38.149.172]:55075 [92.38.149.172] <support@myemaildomain.net> -> <southkorea@ksp.com>, Queue-ID: 4D69A20DB1DF7, Message-ID: <20210607070847.D13C8494EA7ED524@myemaildomain.net>, mail_id: sZhI6cdYJdrt, Hits: -, size: 9141, queued_as: 4786B20C387E8, 250 ms

Jun 7 03:41:05 emailserver postfix/smtps/smtpd[923]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<kalastyle@kalastyle.com> proto=ESMTP helo=<us75.seed4.me>

Jun 7 03:41:05 emailserver postfix/smtps/smtpd[923]: 66E4220DA8427: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net

Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2622]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<jessica@titouhospitality.com> proto=ESMTP helo=<us75.seed4.me>

Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2622]: CB07120DB1DC0: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net

Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2654]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<hbo@niva.no> proto=ESMTP helo=<us75.seed4.me>

Jun 7 03:41:05 emailserver postfix/smtps/smtpd[2654]: EE17E20DB1DC4: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net

Jun 7 03:41:06 emailserver amavis[24204]: (24204-04) Passed CLEAN {RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:38798 [92.38.149.172] <support@myemaildomain.net> -> <pharmameet@memeetings.com>, Queue-ID: F404A20DB1DEF, Message-ID: <20210607053826.6E13D708CC8FD469@myemaildomain.net>, mail_id: I5vWQPHYz7Em, Hits: -97.74, size: 9772, queued_as: 0524120DB1DC5, 3978 ms

Jun 7 03:41:06 emailserver postfix/smtps/smtpd[37439]: NOQUEUE: filter: RCPT from us75.seed4.me[92.38.149.172]: <support@myemaildomain.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<support@myemaildomain.net> to=<dmagas@deloitte.com> proto=ESMTP helo=<us75.seed4.me>

Jun 7 03:41:06 emailserver postfix/smtps/smtpd[37439]: 7F44A20DB1DCC: client=us75.seed4.me[92.38.149.172], sasl_method=LOGIN, sasl_username=email-user@myemaildomain.net

axslingr · Post by **axslingr** » Thu Jun 10, 2021 1:38 am

Definitely change the account password, then implement Zimbra's DoSFilter, Fail2ban, and cbpolicyd for rate limiting.

https://www.missioncriticalemail.com/20 ... -together/

https://www.missioncriticalemail.com/20 ... sion-only/

https://wiki.zimbra.com/wiki/Cluebringer_Policy_Daemon

bvillers · Post by **bvillers** » Thu Jun 10, 2021 5:55 pm

After reviewing zimbra.log, I provided some log excerpts to tech support.

They provided following wiki articles:

https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

[the next one essentially repeats above article]
http://wiki.zimbra.com/wiki/Rejecting_f ... _addresses

These steps resolved our issue.

Thanks for suggestions. They were essential to tracking down and resolving problem.

bvillers · Post by **bvillers** » Thu Jun 10, 2021 6:02 pm

Resolved.

Thanks.

Zimbra Forums

Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails

Re: Can you help determine how an account, support@mymaildomain.net, is SPAMMING 300,000 emails