many spam email from same account

fferraro87
Advanced member
Posts: 99
Joined: Thu Apr 28, 2016 8:58 am

many spam email from same account

Post by fferraro87 »

Hi,

For a week now, many accounts on my Zimbra servers (all 8.8.9 patch 4) have been receiving spam email from their own address.

For example, test@example.org receives a spam email from test@example.org (but from a different IP address).
Here is the source of the email:


Return-Path: <test@example.org>
Received: from mail.example.org (LHLO mail.example.org)
 (192.168.3.190) by mail.example.org with LMTP; Tue, 25 Sep 2018
 14:35:28 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail.example.org (Postfix) with ESMTP id 1D6196C6DC7
	for <test@example.org>; Tue, 25 Sep 2018 14:35:28 +0200 (CEST)
X-Virus-Scanned: amavisd-new at example.org
X-Spam-Flag: NO
X-Spam-Score: 5.949
X-Spam-Level: *****
X-Spam-Status: No, score=5.949 required=6.6 tests=[BAYES_00=-1.9,
	DATE_IN_FUTURE_06_12=1.947, HTML_MESSAGE=0.001,
	RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_RP_RNBL=1.31,
	RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793, SPF_NEUTRAL=0.779,
	URIBL_BLOCKED=0.001, XPRIO=1.568] autolearn=no autolearn_force=no
Received: from mail.example.org ([127.0.0.1])
	by localhost (mail.example.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id xpXi16HYCyrx for <test@example.org>;
	Tue, 25 Sep 2018 14:35:27 +0200 (CEST)
Received: from [123.21.101.9] (unknown [123.21.101.9])
	by mail.example.org (Postfix) with ESMTP id 214B76C6DC6
	for <test@example.org>; Tue, 25 Sep 2018 14:35:27 +0200 (CEST)

Here is mynetworks:


[zimbra@mail ~]$ postconf mynetworks
mynetworks = 127.0.0.0/8 [::1]/128 192.168.3.0/24 185.95.212.73/32

123.21.101.9 isn't my Zimbra server but the attacker's IP. How can I block that?

Thanks
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: many spam email from same account

Post by DualBoot »

Hello,

If the From field is always the same, you can use iptables to block when a pattern matches this From address.
Or you can block the original source IP too.

See you
fferraro87
Advanced member
Posts: 99
Joined: Thu Apr 28, 2016 8:58 am

Re: many spam email from same account

Post by fferraro87 »

DualBoot wrote: Hello,

If the From field is always the same, you can use iptables to block when a pattern matches this From address.
Or you can block the original source IP too.

See you

Thanks for your answer, but if I block this From address, I block all mail from that address, and this address is legitimate: it's a normal user of my Zimbra server.
Also, blocking the IP does not solve my problem because it changes for every mail.


Thanks
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: many spam email from same account

Post by DualBoot »

Hello,

Is the sender from the domain you own?

Regards,
fferraro87
Advanced member
Posts: 99
Joined: Thu Apr 28, 2016 8:58 am

Re: many spam email from same account

Post by fferraro87 »

DualBoot wrote: Hello,

Is the sender from the domain you own?

Regards,

Yes, the sender and recipient are the same, but the sender is sending from another IP.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: many spam email from same account

Post by DualBoot »

Well, it seems the account has been compromised.
You should block it by putting it in locked-out status and changing the password.
Then you should restart all Zimbra MTAs to disconnect the user who is spamming.
Last but not least: get hold of the account owner and teach him not to use his old password any more.
fferraro87
Advanced member
Posts: 99
Joined: Thu Apr 28, 2016 8:58 am

Re: many spam email from same account

Post by fferraro87 »

DualBoot wrote: Well, it seems the account has been compromised.
You should block it by putting it in locked-out status and changing the password.
Then you should restart all Zimbra MTAs to disconnect the user who is spamming.
Last but not least: get hold of the account owner and teach him not to use his old password any more.

It's strange because many accounts have the same problem; it isn't possible that all accounts are hacked.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: many spam email from same account

Post by DualBoot »

Everything is possible ;p
Well, just grep sasl_username in your MTA log to check this.
fferraro87
Advanced member
Posts: 99
Joined: Thu Apr 28, 2016 8:58 am

Re: many spam email from same account

Post by fferraro87 »

DualBoot wrote: Everything is possible ;p
Well, just grep sasl_username in your MTA log to check this.

OK, I've done that and I've seen that many emails are sent and I have no trace of authentication by the user. How can I force every user to authenticate before sending an email?

Also, here is a grep of the attacker IP in zimbra.log:


Sep 25 14:35:20 mail postfix/postscreen[8815]: CONNECT from [123.21.101.9]:12484 to [192.168.3.190]:25
Sep 25 14:35:26 mail postfix/postscreen[8815]: PASS NEW [123.21.101.9]:12484
Sep 25 14:35:26 mail postfix/smtpd[10341]: connect from unknown[123.21.101.9]
Sep 25 14:35:27 mail postfix/smtpd[10341]: NOQUEUE: filter: RCPT from unknown[123.21.101.9]: <test@example.org>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@example.org> to=<test@example.org> proto=ESMTP helo=<[123.21.101.9]>
Sep 25 14:35:27 mail postfix/smtpd[10341]: NOQUEUE: filter: RCPT from unknown[123.21.101.9]: <test@example.org>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@example.org> to=<test@example.org> proto=ESMTP helo=<[123.21.101.9]>
Sep 25 14:35:27 mail postfix/smtpd[10341]: 214B76C6DC6: client=unknown[123.21.101.9]
Sep 25 14:35:27 mail amavis[500]: (00500-16) Checking: xpXi16HYCyrx [123.21.101.9] <test@example.org> -> <test@example.org>
Sep 25 14:35:27 mail postfix/smtpd[10341]: disconnect from unknown[123.21.101.9] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 25 14:35:28 mail amavis[500]: (00500-16) Passed CLEAN {RelayedInbound}, [123.21.101.9]:12484 [123.21.101.9] <test@example.org> -> <test@example.org>, Queue-ID: 214B76C6DC6, Message-ID: <039657231.201809252535@example.org>, mail_id: xpXi16HYCyrx, Hits: 5.949, size: 4908, queued_as: 1D6196C6DC7, 380 ms
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: many spam email from same account

Post by DualBoot »

Just grep sasl_username, not the account name.
Then sort and count. Maybe the sasl_username is different from the sender.
Another explanation is the use of the webmail by the attacker.
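As an added example (editor's code, not from the thread or from Zimbra/Postfix), this Python script applies the two checks discussed above to Postfix log lines like the ones fferraro87 posted: it counts sasl_username values, and it flags sessions in which a client outside mynetworks used an envelope sender in our own domain without ever authenticating, which is exactly the pattern the 123.21.101.9 session shows. MY_DOMAIN and the sample lines for 203.0.113.7 and 192.168.3.5 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

MY_DOMAIN = "example.org"                                     # assumed: the thread's domain
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.3.0/24", "185.95.212.73/32")]
SMTPD_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")        # (pid, message)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")                   # first [ip] on the line
FROM_RE = re.compile(r"from=<([^>]*)>")                        # envelope sender on NOQUEUE lines
SASL_RE = re.compile(r"sasl_username=([^\s,]+)")

# Constructed lines modelled on the thread: attacker unauthenticated, roaming user authenticated, internal relay.
SAMPLE_LOG = """\
Sep 25 14:35:26 mail postfix/smtpd[10341]: connect from unknown[123.21.101.9]
Sep 25 14:35:27 mail postfix/smtpd[10341]: NOQUEUE: filter: RCPT from unknown[123.21.101.9]: <test@example.org>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@example.org> to=<test@example.org> proto=ESMTP helo=<[123.21.101.9]>
Sep 25 14:35:27 mail postfix/smtpd[10341]: 214B76C6DC6: client=unknown[123.21.101.9]
Sep 25 14:35:27 mail postfix/smtpd[10341]: disconnect from unknown[123.21.101.9] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 25 14:40:01 mail postfix/smtpd[10342]: connect from unknown[203.0.113.7]
Sep 25 14:40:02 mail postfix/smtpd[10342]: NOQUEUE: filter: RCPT from unknown[203.0.113.7]: <bob@example.org>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<alice@example.org> to=<bob@example.org> proto=ESMTP helo=<laptop>
Sep 25 14:40:02 mail postfix/smtpd[10342]: 3AB45C6DD10: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.org
Sep 25 14:40:03 mail postfix/smtpd[10342]: disconnect from unknown[203.0.113.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep 25 14:41:10 mail postfix/smtpd[10341]: connect from app01.example.org[192.168.3.5]
Sep 25 14:41:10 mail postfix/smtpd[10341]: NOQUEUE: filter: RCPT from app01.example.org[192.168.3.5]: <test@example.org>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<noreply@example.org> to=<test@example.org> proto=ESMTP helo=<app01>
Sep 25 14:41:11 mail postfix/smtpd[10341]: disconnect from app01.example.org[192.168.3.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
""".splitlines()


def in_mynetworks(ip):
    return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)


def count_sasl_users(lines):
    """DualBoot's 'grep sasl_username, then sort and count', as a Counter."""
    return Counter(m.group(1) for m in map(SASL_RE.search, lines) if m)


def find_spoofed_unauth(lines):
    """{(client_ip, sender)} for sessions sending as MY_DOMAIN from outside mynetworks with no SASL login."""
    sessions, findings = {}, set()                   # smtpd pid -> state of its live session
    for pid, msg in (m.groups() for m in map(SMTPD_RE.search, lines) if m):
        if msg.startswith("connect from"):           # smtpd pids are reused: reset per session
            sessions[pid] = {"ip": IP_RE.search(msg).group(1), "auth": False, "senders": set()}
        elif pid in sessions:                        # otherwise the log started mid-session
            s = sessions[pid]
            s["senders"].update(FROM_RE.findall(msg))
            s["auth"] = s["auth"] or bool(SASL_RE.search(msg))
            if msg.startswith("disconnect from"):
                if not s["auth"] and not in_mynetworks(s["ip"]):
                    findings.update((s["ip"], a) for a in s["senders"]
                                    if a.lower().endswith("@" + MY_DOMAIN))
                del sessions[pid]
    return findings
```

On a real server, read the lines from /var/log/zimbra.log instead of SAMPLE_LOG; the corresponding Postfix countermeasure is to make your own domain an authorized sender only for authenticated or mynetworks clients (reject_sender_login_mismatch with smtpd_sender_login_maps, after permit_mynetworks).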