SPAM relay help, SASL auth'ing

Postby wdingus » Wed Sep 26, 2012 6:36 pm

It's happening right now, to my account, and so far we've not been able to stop it. We've restarted Zimbra, changed passwords, etc...
/var/log/zimbra.log:
Sep 26 18:53:20 mail postfix/smtpd[20893]: connect from unknown[116.193.158.138]
Sep 26 18:53:21 mail postfix/smtpd[11197]: 18E3E40BE420: client=60-249-165-131.HINET-IP.hinet.net[60.249.165.131], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 18:53:21 mail postfix/cleanup[11201]: 18E3E40BE420: message-id=

Active Directory authentication, Zimbra zcs-NETWORK-7.1.1_GA_3196.RHEL5_64.20110527001604, CentOS 5.8 x86_64.
Suggestions? What should we look for? They're connecting in and apparently auth'ing as me and then sending out tons of SPAM. I'm getting tons of bounce messages back. We've not been blacklisted anywhere yet but I figure that's next. We've confirmed from some of the headers in the bounced emails that the spam is originating here, not some other open relay with my address as the from:
Thanks.
PS. OS was not fully updated, "yum update" is upgrading cyrus-sasl from 2.1.22-5 to 2.1.22-7 now. Not sure if related or not...


Postby wdingus » Thu Sep 27, 2012 6:27 am

CentOS is fully updated now and the server rebooted for good measure. My password has been changed to a complex one I've never used a variant of anywhere. I don't log in from any Windows PCs, so I'm moderately confident I'm not being keylogged or anything of that sort... When I do log in to the Zimbra webmail interface, this type of sasl_username message does not appear in the logs, nor when I send an email. So I'm not sure what is even causing these log entries, what type of access to the server. Other than something to relay SPAMs, that is...
Overnight last night:
Sep 26 19:59:36 mail postfix/smtpd[18505]: B64B040BE420: client=host162-160-static.89-94-b.business.telecomitalia.it[94.89.160.162], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 20:04:26 mail postfix/smtpd[21688]: 05BEC40BE420: client=host162-160-static.89-94-b.business.telecomitalia.it[94.89.160.162], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 20:23:05 mail postfix/smtpd[755]: 1838940BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 20:27:57 mail postfix/smtpd[3667]: 1293540BE422: client=unknown[94.74.143.151], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 20:41:23 mail postfix/smtpd[12386]: 36CD940BE423: client=net-93-67-62-69.cust.dsl.vodafone.it[93.67.62.69], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 21:05:50 mail postfix/smtpd[27459]: 7D77840BE422: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 21:41:01 mail postfix/smtpd[17331]: 1FBEE40BE422: client=196.Red-79-148-114.staticIP.rima-tde.net[79.148.114.196], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 21:46:55 mail postfix/smtpd[20821]: 947F740BE424: client=196.Red-79-148-114.staticIP.rima-tde.net[79.148.114.196], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 22:31:22 mail postfix/smtpd[16253]: 09B9040BE422: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 26 22:34:02 mail postfix/smtpd[17857]: CCE4340BE424: client=unknown[188.20.125.194], sasl_method=LOGIN, sasl_username=myusername@mydomain.com
Sep 27 03:30:11 mail postfix/smtpd[10492]: F0F6340BE422: client=203-59-129-176.perm.iinet.net.au[203.59.129.176], sasl_method=LOGIN, sasl_username=myusername@mydomain.com

Firewall is configured to allow only the following access to the mail server:

PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps

Postby wdingus » Thu Sep 27, 2012 8:05 am

Well after some checking we at least now know that log entries like this result from "auth before smtp". Employees using Apple mail.app and/or Thunderbird are producing the same types of entries. Outlook/ZCO and/or webmail users do not.
With a fair amount of confidence, these connections are not supplying my current active directory password. So what is happening? It would seem that they've discovered a way to bypass and/or spoof that authentication. Thoughts? Has nobody dealt with anything like this before?

Postby n.bochev » Fri Sep 28, 2012 2:17 am

[quote user="wdingus"]Well after some checking we at least now know that log entries like this result from "auth before smtp". Employees using Apple mail.app and/or Thunderbird are producing the same types of entries. Outlook/ZCO and/or webmail users do not.
With a fair amount of confidence, these connections are not supplying my current active directory password. So what is happening? It would seem that they've discovered a way to bypass and/or spoof that authentication. Thoughts? Has nobody dealt with anything like this before?[/QUOTE]
I have had 3 cases in 1 week where people got their accounts compromised, all on Zimbra servers (3 different ones), thus producing a lot of spam. Clients seemed to authenticate also.

Postby gbos » Wed Oct 17, 2012 11:33 am

We're seeing something which MAY be the same symptoms. Was there ever a resolution or a fix/workaround? Thanks!

Postby edelvall » Thu Oct 18, 2012 10:31 am

Hi,

We had this issue too with our NETWORK-7.1.4_GA_2555.UBUNTU10_64 (cs-patch-7.1.4_GA_2568) installation.

Before calling support we decided to update to NETWORK-7.2.1_GA_2790.UBUNTU10_64 because of the security updates, updated java/tomcat, etc...

Spammers were still able to INJECT email and send it through our system (200,000 messages). This pushed us to make an UPGRADE to NETWORK-8.0.0_GA_5434.UBUNTU10_64 because it was a recommended update due to security updates (BTW, I was not able to find a list of those updates anywhere). We also decided to close (temporarily) any kind of access to our server other than the webmail interface.
After this, the problem stopped. We had no need to open a ticket with support, and we have been monitoring our system closely to see if the issue appears again.
About v8, we got a lot of complaints about the new interface and some missing features, but that's something else. I expected that version NETWORK-7.2.1_GA_2790.UBUNTU10_64 would solve these issues, but it seems that it did not.
I only found two issues that may have caused this: one is an XSS and the other is a Java security issue.
We are expecting 8.1 or something to fix other issues.
Hope this helps.
Eduardo

Postby wdingus » Fri May 03, 2013 4:23 pm

[root@mail log]# grep -i MYNAME mailbox.log | grep ip= | grep -Ev '204.My.Net|127.0.0.1' | grep authenticated
2013-05-03 17:00:44,848 INFO [ImapSSLServer-1223] [name=MYNAME@MYDOMAIN.com;ip=206.74.82.86;] imap - user MYNAME@MYDOMAIN.com authenticated, mechanism=LOGIN [TLS]

That IP is somewhere in South Carolina. It's not me; I have no connection with anything or anyone on that network.
Three minutes later I received the first of a dozen or so bounced emails, which were to addresses in my address book that are no longer valid but which I just hadn't removed yet. This is on Zimbra NE 7.2.3 with AD integration. They don't have my password; it's not used anywhere else. My computer doesn't run a Windows OS; nobody keylogged it. This looks very much like some form of security flaw in Zimbra IMO. Suggestions? :(
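An added detection example, not code from this thread: it parses the two log formats quoted above (the postfix smtpd sasl_username lines from zimbra.log and the mailbox.log IMAP "authenticated" lines) and lists accounts that logged in from several distinct non-trusted IPs, the one-account-many-networks pattern both posts show. The trusted ranges and the sample log lines are constructed placeholders.

```python
"""Added example: flag accounts that authenticated from many distinct external IPs,
parsing the postfix 'sasl_username=' lines and mailbox.log 'imap ... authenticated'
lines quoted in this thread. Trusted nets and sample lines are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict
# postfix/smtpd: "...: QUEUEID: client=host[1.2.3.4], sasl_method=LOGIN, sasl_username=user@dom"
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: \w+: client=[^\s\[]+\[([\d.]+)\], "
                      r"sasl_method=\w+, sasl_username=(\S+)")
# mailbox.log: "[name=user@dom;ip=1.2.3.4;] imap - user user@dom authenticated, ..."
IMAP_RE = re.compile(r"\[name=([^;]+);ip=([\d.]+);\] imap - user \S+ authenticated")
# Placeholder for the LAN ranges the thread greps out ('204.My.Net', 127.0.0.1).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "203.0.113.0/24")]

def parse_line(line):
    """Return (user, client_ip) for a successful SMTP-AUTH or IMAP login, else None."""
    m = SMTPD_RE.search(line)
    if m:
        return m.group(2).lower(), m.group(1)
    m = IMAP_RE.search(line)
    if m:
        return m.group(1).lower(), m.group(2)
    return None

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def external_ips_per_user(lines):
    """Map each user to the set of distinct non-trusted IPs that logged in as them."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and not is_trusted(parsed[1]):
            seen[parsed[0]].add(parsed[1])
    return seen

def suspicious_users(lines, threshold=3):
    """Users seen from at least `threshold` distinct external IPs: one account, many networks."""
    return sorted(u for u, ips in external_ips_per_user(lines).items() if len(ips) >= threshold)

# Constructed sample lines in the thread's format, using RFC 5737 test addresses.
SAMPLE_LOG = [
    "Sep 26 18:53:20 mail postfix/smtpd[20893]: connect from unknown[198.51.100.7]",
    "Sep 26 18:53:21 mail postfix/smtpd[11197]: 18E3E40BE420: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com",
    "Sep 26 19:59:36 mail postfix/smtpd[18505]: B64B040BE420: client=host.example.net[198.51.100.9], sasl_method=LOGIN, sasl_username=alice@example.com",
    "Sep 26 20:23:05 mail postfix/smtpd[755]: 1838940BE422: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.com",
    "Sep 26 20:30:00 mail postfix/smtpd[760]: 2B1C040BE423: client=pc12.office[203.0.113.20], sasl_method=LOGIN, sasl_username=bob@example.com",
    "2013-05-03 17:00:44,848 INFO [ImapSSLServer-1223] [name=bob@example.com;ip=127.0.0.1;] imap - user bob@example.com authenticated, mechanism=LOGIN [TLS]",
]
```

Point it at the real zimbra.log and mailbox.log with your own LAN ranges in TRUSTED_NETS; a flagged user is a candidate for a forced password reset and a review of that account's recent IMAP and SMTP-AUTH sessions.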

Postby edelvall » Tue Jun 04, 2013 1:08 pm

[quote user="wdingus"][root@mail log]# grep -i MYNAME mailbox.log | grep ip= | grep -Ev '204.My.Net|127.0.0.1' | grep authenticated
2013-05-03 17:00:44,848 INFO [ImapSSLServer-1223] [name=MYNAME@MYDOMAIN.com;ip=206.74.82.86;] imap - user MYNAME@MYDOMAIN.com authenticated, mechanism=LOGIN [TLS]

That IP is somewhere in South Carolina. It's not me; I have no connection with anything or anyone on that network.
Three minutes later I received the first of a dozen or so bounced emails, which were to addresses in my address book that are no longer valid but which I just hadn't removed yet. This is on Zimbra NE 7.2.3 with AD integration. They don't have my password; it's not used anywhere else. My computer doesn't run a Windows OS; nobody keylogged it. This looks very much like some form of security flaw in Zimbra IMO. Suggestions? :([/QUOTE]
We have the same scenario here, Zimbra + AD. The only solution we found to stop this was to close external IMAP access. I opened a ticket but got absurd responses from the person assigned to the case. I believe it is wrong. Everything points to the IMAP proxy, probably related to the NGINX issues that have been active lately. We have no problems using the Exchange connections.

Postby quanah » Tue Jun 04, 2013 6:02 pm

Your comment makes no sense. IMAP is used to check mail. There is no way to send mail via IMAP.
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/

Postby wdingus » Thu Jun 06, 2013 10:22 am

[quote user="quanah"]Your comment makes no sense. IMAP is used to check mail. There is no way to send mail via IMAP.[/QUOTE]
My initial complaint was about someone logging into my account and reading my email. They harvested addresses they could spam, pretending to be me. I can't do much about people sending fake mail as me... What is most concerning is their apparent ability to login to our mail accounts, bypassing passwords and security mechanisms.
If they got in via IMAP, via some security hole specifically in it, and other connection methods are safe, we'll block that externally as well. Thanks.