Mail from 127.0.0.1

[kolson3208]

I have a lot of "Spam" that is bing able to be delivered to local users on my Zimbra machine. The mail source in the headers are from either 127.0.0.1 or from mailer-deamon.

I have 'require authentication' enabled for users sending mail and it seems to work. It is almost like the system is sending mail itself but I haven't been able to determine where or how...

Kelly

[phoenix]

Welcome to the forums.

You'd need to post some headers for anyone to make a comment on where it's come from. Is there anything in the logs to indicate a problem?

[mmorse]

See here for a list of logfiles: /docs/ne/latest/administration_guide/9_Monitoring.12.1.html#1075561
We're specifically interested in /var/log/zimbra.log & /opt/zimbra/log/mailbox.log
They will be big, post relevant sections-or attach them in a txt or zip.

[kolson3208]

Received: from localhost (localhost.localdomain [127.0.0.1])
by webmail.asiserve.net (Postfix) with ESMTP id 773CAC28BAA
for <kolson@mtsweb.net>; Wed, 19 Sep 2007 12:50:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Score: 3.993
X-Spam-Level: ***
X-Spam-Status: No, score=3.993 tagged_above=-10 required=4
tests=[BAYES_50=0.001, RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046]
Received: from webmail.asiserve.net ([127.0.0.1])
by localhost (webmail.asiserve.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id uQV35R9JCwPv for <kolson@mtsweb.net>;
Wed, 19 Sep 2007 12:50:35 -0400 (EDT)
Received: from aus208.neoplus.adsl.tpnet.pl (aus208.neoplus.adsl.tpnet.pl [83.27.26.208])
by webmail.asiserve.net (Postfix) with ESMTP id 967C9C28B8F
for <sales@mtsweb.net>; Wed, 19 Sep 2007 12:50:27 -0400 (EDT)
Received: from [83.27.26.208] by bluebadgelabel.com; Wed, 19 Sep 2007 17:50:50 +0100
Date: Wed, 19 Sep 2007 17:50:50 +0100
From: "Tammi Jeffries" <yeux@bluebadgelabel.com>
X-Mailer: The Bat! (v2.00.0) Business
Reply-To: yeux@bluebadgelabel.com
X-Priority: 3 (Normal)
Message-ID: <854233889.40052149537585@bluebadgelabel.com>
To: sales@mtsweb.net
Subject: Re:MAIL MERGE
MIME-Version: 1.0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit



I guess the part that confuses me is that all of our mail first goes through a Barracuda Filter and has headers stating such. This one appears to have been accepted directly by the mail server without needing authentication.

Kelly

[phoenix]

I guess the part that confuses me is that all of our mail first goes through a Barracuda Filter and has headers stating such. This one appears to have been accepted directly by the mail server without needing authentication.

I guess the Barracuda is on the same subnet as the ZImbra server? If that's the case, it won't need authentication as it's in the same Trusted Network.

[phoenix]

BTW, that message you've posted isn't spam according to this:

Code:

X-Spam-Score: 3.993
X-Spam-Level: ***
X-Spam-Status: No, score=3.993 tagged_above=-10 required=4

as it doesn't meet the 'Required' score.

[mmorse]

Start with the usual collection of anti-spam stuff listed here: /forums/administrators/11142-i-dont-think-rbls-bayes-working-me.html#post58026

Then see some more ideas here: Improving Anti-spam system - ZimbraWiki

[kolson3208]

This may have been covered and I still haven't dug through the logs to fine the specific emails. But this would be great if it could be calrified.

In the Zimbra Message queue, I am seeing mail messages queued with a "Sender Address: of mailer-deamon. "Receiver address" aue usually not on our domain, "Sender Domain" is blank and "Origin IP" is blank.

I am wondering if this is "Normal" or a if many more messages may have been going out...

Kelly