Hacking, spamming

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
bond1211
Posts: 6
Joined: Wed Aug 23, 2017 4:41 pm

Hacking, spamming

Postby bond1211 » Wed Aug 22, 2018 6:55 am

Hello!
zimbra 8.8.9
Through the server send spam, a lot of spam.

Code: Select all

Aug 22 09:49:58 mail saslauthd[11355]: zmauth: authenticating against elected url 'https://mail.strexp.com:7073/service/admin/soap/' ...
Aug 22 09:49:58 mail saslauthd[11355]: zmpost: url='https://mail.strexp.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/><$
Aug 22 09:49:58 mail saslauthd[11355]: auth_zimbra: nikolaeva.y.v auth failed: authentication failed for [nikolaeva.y.v]
Aug 22 09:49:58 mail saslauthd[11355]: do_auth         : auth failure: [user=nikolaeva.y.v] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Aug 22 09:49:58 mail postfix/submission/smtpd[22676]: warning: unknown[177.52.76.161]:59885: SASL LOGIN authentication failed: authentication failure
Aug 22 09:49:59 mail postfix/submission/smtpd[14196]: NOQUEUE: filter: RCPT from unknown[177.21.45.58]:35726: <dziuba.i.s@strexp.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dziuba.i.s@strexp.com> to=<tabrey$
Aug 22 09:49:59 mail postfix/submission/smtpd[14196]: 12AEEE19A9: client=unknown[177.21.45.58]:35726, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 09:49:59 mail postfix/submission/smtpd[22676]: disconnect from unknown[177.52.76.161]:59885 ehlo=2 starttls=1 auth=0/2 quit=1 commands=4/6
Aug 22 09:49:59 mail postfix/smtp[27334]: B8B3DE19AC: to=<coryjbradford@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.222.26]:25, delay=1.6, delays=0.03/0.02/0.02/1.5, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[17$
Aug 22 09:49:59 mail postfix/smtp[27334]: B8B3DE19AC: to=<ladychoad@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.222.26]:25, delay=1.6, delays=0.03/0.02/0.02/1.5, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.19$
Aug 22 09:49:59 mail postfix/smtp[27334]: B8B3DE19AC: to=<outterwayyz@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.222.26]:25, delay=1.6, delays=0.03/0.02/0.02/1.5, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.$
Aug 22 09:49:59 mail postfix/smtp[27334]: B8B3DE19AC: to=<wesjobs0608@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.222.26]:25, delay=1.6, delays=0.03/0.02/0.02/1.5, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.$
Aug 22 09:49:59 mail postfix/cleanup[27399]: 58429E19AD: message-id=<20180822064959.58429E19AD@mail.strexp.com>
Aug 22 09:49:59 mail postfix/bounce[28476]: B8B3DE19AC: sender non-delivery notification: 58429E19AD
Aug 22 09:49:59 mail postfix/qmgr[13097]: B8B3DE19AC: removed
Aug 22 09:49:59 mail postfix/qmgr[13097]: 58429E19AD: from=<>, size=7862, nrcpt=1 (queue active)
Aug 22 09:49:59 mail postfix/lmtp[23497]: connect to mail.strexp.com[192.168.10.7]:7025: Connection refused
Aug 22 09:49:59 mail postfix/lmtp[23497]: 58429E19AD: to=<dziuba.i.s@strexp.com>, relay=mail.strexp.com[127.0.0.1]:7025, delay=0.14, delays=0.02/0.01/0.06/0.05, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Aug 22 09:49:59 mail postfix/qmgr[13097]: 58429E19AD: removed
Aug 22 09:49:59 mail postfix/submission/smtpd[14196]: 12AEEE19A9: filter: RCPT from unknown[177.21.45.58]:35726: <dziuba.i.s@strexp.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dziuba.i.s@strexp.com> to=<ric$
Aug 22 09:50:00 mail zimbramon[42729]: 42729:crit: Disk warning: mail.strexp.com: /mail3 on device /dev/sdd1 at 98%
Aug 22 09:50:00 mail postfix/submission/smtpd[14196]: 12AEEE19A9: filter: RCPT from unknown[177.21.45.58]:35726: <dziuba.i.s@strexp.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dziuba.i.s@strexp.com> to=<bro$
Aug 22 09:50:00 mail postfix/postscreen[29295]: CONNECT from [192.168.10.7]:34465 to [192.168.10.7]:25
Aug 22 09:50:00 mail postfix/postscreen[29295]: WHITELISTED [192.168.10.7]:34465
Aug 22 09:50:00 mail postfix/smtpd[29296]: connect from mail.strexp.com[192.168.10.7]:34465
Aug 22 09:50:00 mail postfix/smtpd[29296]: NOQUEUE: filter: RCPT from mail.strexp.com[192.168.10.7]:34465: <admin@strexp.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<admin@strexp.com> to=<admin@strexp.com> p$
Aug 22 09:50:00 mail postfix/smtpd[29296]: 7082CE19AB: client=mail.strexp.com[192.168.10.7]:34465
Aug 22 09:50:00 mail postfix/cleanup[27066]: 7082CE19AB: message-id=<20180822065000.7082CE19AB@mail.strexp.com>
Aug 22 09:50:00 mail postfix/smtpd[29296]: disconnect from mail.strexp.com[192.168.10.7]:34465 ehlo=1 mail=1 rcpt=1 data=1 commands=4
Aug 22 09:50:00 mail postfix/qmgr[13097]: 7082CE19AB: from=<admin@strexp.com>, size=541, nrcpt=1 (queue active)
Aug 22 09:50:00 mail amavis[26988]: (26988-18) ESMTP [127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20180822T094638-26988-Q3gemChX: <admin@strexp.com> -> <admin@strexp.com> Received: from mail.strexp.com ([127.0.0.1]) by localhos$
Aug 22 09:50:00 mail amavis[26988]: (26988-18) Checking: 9l67bN60unDA ORIGINATING/MYNETS [192.168.10.7] <admin@strexp.com> -> <admin@strexp.com>
Aug 22 09:50:00 mail postfix/submission/smtpd[14196]: 12AEEE19A9: filter: RCPT from unknown[177.21.45.58]:35726: <dziuba.i.s@strexp.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dziuba.i.s@strexp.com> to=<the$
Aug 22 09:50:00 mail amavis[26988]: (26988-18) mangling by altermime (disclaimer) done, new size: 499, orig 507 bytes
Aug 22 09:50:00 mail postfix/dkimmilter/smtpd[20091]: connect from localhost.localdomain[127.0.0.1]:46123
Aug 22 09:50:00 mail postfix/dkimmilter/smtpd[20091]: 9E1DBE19AC: client=localhost.localdomain[127.0.0.1]:46123
Aug 22 09:50:00 mail postfix/cleanup[27399]: 9E1DBE19AC: message-id=<20180822065000.7082CE19AB@mail.strexp.com>


Code: Select all

Aug 22 10:25:39 mail postfix/submission/smtpd[14196]: 04BE1E2031: client=unknown[168.0.168.130]:58269, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:39 mail postfix/submission/smtpd[5754]: 16FFDE1FD0: client=unknown[186.209.134.137]:52084, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:39 mail postfix/submission/smtpd[33584]: A3CE6E2056: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:40 mail postfix/submission/smtpd[41222]: 29E1DE2054: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:40 mail postfix/submission/smtpd[25891]: E2F4EE205B: client=unknown[186.236.74.50]:37769, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:41 mail postfix/submission/smtpd[41213]: 99772E205E: client=unknown[177.101.132.46]:53528, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:41 mail postfix/submission/smtpd[33589]: B1454E2040: client=unknown[186.209.134.252]:59567, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:42 mail postfix/submission/smtpd[40387]: 334BDE2056: client=unknown[177.84.113.182]:51273, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:42 mail postfix/submission/smtpd[33584]: 6D838E2054: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:42 mail postfix/submission/smtpd[5754]: A5424E2031: client=unknown[186.209.134.137]:52084, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:43 mail postfix/submission/smtpd[5898]: 2A5CEE2033: client=unknown[187.120.241.134]:37156, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:43 mail postfix/submission/smtpd[41222]: 68965E2062: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:43 mail postfix/submission/smtpd[14196]: B2A74E2063: client=unknown[168.0.168.130]:58269, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:44 mail postfix/submission/smtpd[9988]: 3E0B1E205E: client=unknown[177.39.32.71]:47150, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:45 mail postfix/submission/smtpd[41213]: 6A273E2069: client=unknown[177.101.132.46]:53528, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:45 mail postfix/submission/smtpd[33589]: E7115E2031: client=unknown[186.209.134.252]:59567, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:46 mail postfix/submission/smtpd[5898]: 72907E205B: client=unknown[187.120.241.134]:37156, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:46 mail postfix/submission/smtpd[40387]: 8300BE2062: client=unknown[177.84.113.182]:51273, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:46 mail postfix/submission/smtpd[5754]: D1E6AE2056: client=unknown[186.209.134.137]:52084, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:46 mail postfix/submission/smtpd[25891]: D6278E2067: client=unknown[186.236.74.50]:37769, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:47 mail postfix/submission/smtpd[9988]: 12832E2068: client=unknown[177.39.32.71]:47150, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:47 mail postfix/submission/smtpd[41222]: A5168E2066: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:48 mail postfix/submission/smtpd[33584]: 50786E2040: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:49 mail postfix/submission/smtpd[33589]: 95C4EE2062: client=unknown[186.209.134.252]:59567, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:49 mail postfix/submission/smtpd[5754]: DBA02E206D: client=unknown[186.209.134.137]:52084, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:50 mail postfix/submission/smtpd[9988]: 6E7DCE2066: client=unknown[177.39.32.71]:47150, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:50 mail postfix/submission/smtpd[14196]: 7F79CE2056: client=unknown[168.0.168.130]:58269, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:50 mail postfix/submission/smtpd[41222]: 847ABE2069: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:50 mail postfix/submission/smtpd[40387]: AFFEAE205B: client=unknown[177.84.113.182]:51273, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:51 mail postfix/submission/smtpd[5898]: 423D9E2067: client=unknown[187.120.241.134]:37156, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:51 mail postfix/submission/smtpd[41213]: 4ECB4E206B: client=unknown[177.101.132.46]:53528, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:52 mail postfix/submission/smtpd[25891]: 9AD08E2040: client=unknown[186.236.74.50]:37769, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:53 mail postfix/submission/smtpd[33584]: AFE30E2069: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:53 mail postfix/submission/smtpd[40387]: D0F63E206C: client=unknown[177.84.113.182]:51273, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:54 mail postfix/submission/smtpd[9988]: 4C8CEE2072: client=unknown[177.39.32.71]:47150, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:54 mail postfix/submission/smtpd[41213]: 9790AE2063: client=unknown[177.101.132.46]:53528, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:54 mail postfix/submission/smtpd[41222]: BCA85E206B: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:55 mail postfix/submission/smtpd[33589]: 653DCE2062: client=unknown[186.209.134.252]:59567, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:56 mail postfix/submission/smtpd[5754]: 40C0AE206C: client=unknown[186.209.134.137]:52084, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:56 mail postfix/submission/smtpd[14196]: 4DCDAE206B: client=unknown[168.0.168.130]:58269, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:56 mail postfix/submission/smtpd[33584]: 7F7D0E206D: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:56 mail postfix/submission/smtpd[5898]: 883C0E2074: client=unknown[187.120.241.134]:37156, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:57 mail postfix/submission/smtpd[40387]: 896DEE2063: client=unknown[177.84.113.182]:51273, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:25:57 mail postfix/submission/smtpd[41222]: 8CF86E2079: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:58 mail postfix/submission/smtpd[9988]: 3658CE2075: client=unknown[177.39.32.71]:47150, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:58 mail postfix/submission/smtpd[41213]: 9A642E207D: client=unknown[177.101.132.46]:53528, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:58 mail postfix/submission/smtpd[25891]: C9899E2062: client=unknown[186.236.74.50]:37769, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:25:59 mail postfix/submission/smtpd[5898]: F2D57E207A: client=unknown[187.120.241.134]:37156, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:00 mail postfix/submission/smtpd[33589]: 0CA02E207B: client=unknown[186.209.134.252]:59567, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:01 mail postfix/submission/smtpd[33584]: 51B61E2084: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:02 mail postfix/submission/smtpd[14196]: A6981E2086: client=unknown[168.0.168.130]:58269, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:26:02 mail postfix/submission/smtpd[41222]: D3509E207D: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:02 mail postfix/submission/smtpd[5754]: E6D5DE2085: client=unknown[186.209.134.137]:52084, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:03 mail postfix/submission/smtpd[9988]: 23206E207B: client=unknown[177.39.32.71]:47150, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:03 mail postfix/submission/smtpd[41213]: EB1D6E2084: client=unknown[177.101.132.46]:53528, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:03 mail postfix/submission/smtpd[25891]: EB168E207A: client=unknown[186.236.74.50]:37769, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:04 mail postfix/submission/smtpd[33589]: 226A0E208F: client=unknown[186.209.134.252]:59567, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:04 mail postfix/submission/smtpd[33584]: 2461BE2090: client=unknown[191.37.66.90]:49954, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:04 mail postfix/submission/smtpd[5898]: 31C30E2091: client=unknown[187.120.241.134]:37156, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:04 mail postfix/submission/smtpd[40387]: A3CCAE2063: client=unknown[177.84.113.182]:51273, sasl_method=PLAIN, sasl_username=buhanova.i.s
Aug 22 10:26:06 mail postfix/submission/smtpd[41222]: 2FCD9E2072: client=unknown[143.0.233.210]:55618, sasl_method=PLAIN, sasl_username=dziuba.i.s
Aug 22 10:26:06 mail postfix/submission/smtpd[14196]: 33EBAE207D: client=unknown[168.0.168.130]:58269, sasl_method=PLAIN, sasl_username=buhanova.i.s

So on many boxes, changing passwords does not work.
Only the lock of the box helps.


phoenix
Ambassador
Ambassador
Posts: 25772
Joined: Fri Sep 12, 2014 9:56 pm

Re: Hacking, spamming

Postby phoenix » Wed Aug 22, 2018 8:00 am

First of all you need to provide the version of ZCS (every time you post) that your using. Post the full output of the following command:

Code: Select all

zmcontrol -v
Have you actually searched the forums or looked at the wiki articles for topics & solutions to this problem, if you have what have you tried to resolve this issue?
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
bond1211
Posts: 6
Joined: Wed Aug 23, 2017 4:41 pm

Re: Hacking, spamming

Postby bond1211 » Wed Aug 22, 2018 8:03 am

Code: Select all

[zimbra@mail conf]$ zmcontrol -v
Release 8.8.9_GA_3019.RHEL6_64_20180809160254 RHEL6_64 FOSS edition, Patch 8.8.9_P3.

Yes, I've been looking for information for a month and apply solutions to my server, nothing helps.

What server settings do I need to show?
User avatar
gabrieles
Advanced member
Advanced member
Posts: 51
Joined: Tue Feb 14, 2017 9:40 am

Re: Hacking, spamming

Postby gabrieles » Wed Aug 22, 2018 9:47 am

to see what account are compromised

Code: Select all

cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n

to change compromised account password

Code: Select all

zmprov sp user@domain.tld newpassword

on EVERY mta kill postfix sessions, or spammers authenticated with old passwords will keep sending

Code: Select all

zmmtactl restart

if you are lucky and your spammer is sending always with the same From (check it with postqueue -p) you can empty your queues with

Code: Select all

/opt/zimbra/common/sbin/postqueue -p | grep fakesender@fakedomain.tld | cut -c 1-11 | /opt/zimbra/common/sbin/postsuper -d -
bond1211
Posts: 6
Joined: Wed Aug 23, 2017 4:41 pm

Re: Hacking, spamming

Postby bond1211 » Wed Aug 22, 2018 9:53 am

gabrieles wrote:to see what account are compromised

Code: Select all

cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n

to change compromised account password

Code: Select all

zmprov sp user@domain.tld newpassword

on EVERY mta kill postfix sessions, or spammers authenticated with old passwords will keep sending

Code: Select all

zmmtactl restart

if you are lucky and your spammer is sending always with the same From (check it with postqueue -p) you can empty your queues with

Code: Select all

/opt/zimbra/common/sbin/postqueue -p | grep fakesender@fakedomain.tld | cut -c 1-11 | /opt/zimbra/common/sbin/postsuper -d -

Thanks for the answer, but it does not help.
This was done, immediately after changing the account password and restarting the postfix spam continues to go
cesko446
Posts: 10
Joined: Wed Sep 19, 2018 7:48 am

Re: Hacking, spamming

Postby cesko446 » Thu Sep 20, 2018 10:20 pm

What kind of spam ?? Always from the same address and always from 10 to 20 each time ??
bond1211
Posts: 6
Joined: Wed Aug 23, 2017 4:41 pm

Re: Hacking, spamming

Postby bond1211 » Fri Sep 21, 2018 5:11 am

Problem already solved. Spam was from different ip every 10-20 letters without stopping with different local mail addresses.

Return to “Administrators”

Who is online

Users browsing this forum: Google [Bot] and 40 guests