#1
07-29-2009, 06:35 AM
Active Member, Posts: 31
Receiving spam email from myself

Users have been reporting this to me for a long time, and I see it with my own eyes:
I'm getting spam from myself. Other users have this issue too.
It isn't a worm/spyware/virus or threats like that.

Checking the logs I found:

Quote:
Jul 13 02:20:21 myserver postfix/smtpd[19853]: connect from unknown[219.64.128.217]
Jul 13 02:20:22 myserver postfix/smtpd[20836]: warning: 122.172.11.67: hostname ABTS-KK-dynamic-067.11.172.122.airtelbroadband.in verification failed: Name or service not known
Jul 13 02:20:22 myserver postfix/smtpd[20836]: connect from unknown[122.172.11.67]
Jul 13 02:20:22 myserver postfix/smtpd[19853]: NOQUEUE: reject: RCPT from unknown[219.64.128.217]: 550 5.1.1 <me@mydomain.com>: Recipient address rejected: mydomain.com; from=<me@mydomain.com> to=<me@mydomain.com> proto=SMTP helo=<219.64.128.217.hyd.dialup.vsnl.net.in>
Jul 13 02:20:23 myserver postfix/smtpd[19853]: lost connection after RCPT from unknown[219.64.128.217]
Jul 13 02:20:23 myserver postfix/smtpd[19853]: disconnect from unknown[219.64.128.217]

It looks like dropped email, but I GOT IT in my mailbox. The other users did too.
The "219.64.128.217" isn't alone; I found a lot of connections from other addresses.

I checked the forums, looking for open relay instructions, and that is not the case here.

It looks like a bug or vulnerability in SpamAssassin, something like that.
Is that plausible?

Is anyone having the same problem?
How could I solve this case?


Thanks for all,
and sorry for my poor English.
#2
07-29-2009, 06:57 AM
Active Member, Posts: 31

UPDATE:
telnet myserver 25
from an external network:
Quote:
helo anydomain.com
250 myserver.mydomain.com
mail from:myself@mydomain.com
250 2.1.0 Ok
rcpt to:myself@mydomain.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
lalalala
.
250 2.0.0 Ok: queued as C2E74616001
delivered.


again from internet:
Quote:
Connected to mail.mydomain.com (xx.xx.xx.xx).
Escape character is '^]'.
220 myserver.mydomain.com ESMTP Postfix
helo hotmail.com
250 myserver.mydomain.com
mail from:myself@mydomain.com
250 2.1.0 Ok
rcpt to:myself@mydomain.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject:nasty
dam dam dam dam
.
250 2.0.0 Ok: queued as 52287616001

Shouldn't SpamAssassin block things like that?

Last edited by dougz; 07-29-2009 at 07:02 AM..
#3
07-29-2009, 07:02 AM
Moderator, Posts: 1,554

This is why SPF records were invented. I'm not sure if Zimbra's antispam uses them or not; I don't use Zimbra's antispam. Basically, in your DNS you set up records that say "email from domain.com only comes from these IP addresses".

The test you did is the expected behavior. Until recently it wasn't uncommon for some of my users to be using their home ISP's SMTP server to send e-mail but with our domain, so if they were e-mailing someone here, it would appear that email from someone@domain.com was coming from external sources.
#4
07-29-2009, 07:27 AM
Active Member, Posts: 31

Quote:
Originally Posted by bdial
This is why SPF records were invented. I'm not sure if Zimbra's antispam uses them or not; I don't use Zimbra's antispam. Basically, in your DNS you set up records that say "email from domain.com only comes from these IP addresses".

The test you did is the expected behavior. Until recently it wasn't uncommon for some of my users to be using their home ISP's SMTP server to send e-mail but with our domain, so if they were e-mailing someone here, it would appear that email from someone@domain.com was coming from external sources.
Thanks for the quick reply.

Then, if I enable SPF to filter that behavior, won't all users be unable to send email from any remote location? Isn't authentication relevant for bypassing the SPF filter?

I'll read about SPF, thanks again.

If anyone has more knowledge about this issue, please comment.
Thanks.
#5
07-29-2009, 07:31 AM
Moderator, Posts: 1,554

Users can send emails from remote locations provided they're using one of your servers, either:

1. sending from the web client
2. sending via the Outlook connector
3. sending using your Zimbra server as SMTP server with SMTP-AUTH

or really any servers, as long as they're listed in the SPF record. If you have multiple SMTP servers for users at other offices you can add their IPs to the SPF records.

Last edited by bdial; 07-29-2009 at 07:34 AM..
#6
07-29-2009, 07:40 AM
Loyal Member, Posts: 76

Correct. If you add an SPF record specifying your IP, then mail servers that check SPF will only accept connections from your mail server's IP.

Here's a handy wizard for generating SPF DNS records: The SPF Setup Wizard

You could also look at adding an SPF filter to your Zimbra install to check incoming connections:
Improving Anti-spam system - Zimbra :: Wiki
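The SPF check that replies #3, #5 and #6 describe, worked through as an added example that is not part of the thread and not Zimbra or Postfix code: a small evaluator for the ip4, ip6 and all mechanisms of an SPF TXT record. The record for mydomain.com, the 203.0.113.x / 2001:db8:: addresses and the function names are assumptions made for the example; DNS-based mechanisms (a, mx, include, exists) are not modelled. It shows why the dial-up client from post #1 would fail and why a roaming user who submits through the listed server (post #5) is unaffected: SPF is evaluated against the connecting IP, not the user.

```python
import ipaddress

# Constructed SPF TXT record for the thread's placeholder domain (an assumption, not a real record):
# only the listed IPv4/IPv6 addresses may send mail claiming an @mydomain.com sender.
SPF_RECORDS = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/29 ip6:2001:db8::25 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # no prefix means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(sender, client_ip, records=SPF_RECORDS):
    """Evaluate the sender domain's SPF record against the connecting client IP.

    Only ip4, ip6 and all are modelled; mechanisms that need DNS (a, mx,
    include, exists) return "temperror" here, an assumption of this example.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"                         # domain publishes no SPF policy
    addr = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = addr.version == network.version and addr in network
        else:
            return "temperror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    # The dial-up client from post #1 fails; the server's own address passes.
    for ip in ("219.64.128.217", "203.0.113.10"):
        print(ip, "->", check_spf("me@mydomain.com", ip))
```

A receiving MTA that enforces this record would reject the post #2 telnet test (external IP, @mydomain.com sender) with "fail", while the same message submitted through the Zimbra server with SMTP-AUTH arrives from 203.0.113.10 and passes. Note that "-all" versus "~all" only changes the result label; whether anything is rejected is the receiver's policy.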
#7
10-15-2009, 10:37 PM
Starter Member, Posts: 1
Short Cut

I know SPF is correct and working. In my case I found it timed out when checking SPF records, and lots of my clients' mails were rejected. It was a problem with my slow leased line (I guess). So I disabled SPF and searched for another solution.

My situation:
I have around 100 email users inside the office. No one outside. We receive emails from outside displayed as being from myself. One day I found a spam message about *** had been mailed to all my staff members, showing it was from the system admin (me).

My solution:

In Postfix (/etc/postfix/main.cf):

mynetworks = 127.0.0.0/8,192.168.1.0/24
smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/maps/reject

I created a reject map and included my own domain to be rejected.
I permitted the LAN side (mynetworks) before the reject map.

Now no one can send mail to us using my domain name from outside.

Reject map:
A file with any name, one record per line. The syntax should be:

abc.com REJECT error_message
ubsdsoc.com REJECT Service unavailable
socsadomer.com REJECT Service unavailable


When my staff members go outside, they use the webmail system which is hosted on my LAN, so no problems.

Good luck.
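The Postfix restriction chain from post #7, modelled in Python as an added example that is not from the thread, Zimbra or Postfix itself. decide() walks permit_mynetworks and then check_sender_access with the same mynetworks and reject-map contents the post shows, and find_spoofed_senders() triages postfix/smtpd and postfix/qmgr log lines like those in post #1 to list mail that claimed a protected domain but arrived from outside mynetworks, whether Postfix rejected it at RCPT or accepted and queued it. The sample log lines, the queue IDs, the 192.168.1.20 and 198.51.100.7 clients and the function names are constructed for the example; the parent-domain lookup mirrors Postfix's default matching for smtpd access maps.

```python
import ipaddress
import re

# Mirrors post #7's main.cf: permit_mynetworks, then check_sender_access hash:/etc/postfix/maps/reject.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
# Contents of the reject map in the "domain REJECT message" form the post shows (constructed).
REJECT_MAP = {"mydomain.com": "Service unavailable"}


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in MYNETWORKS)


def sender_domain_lookup(domain, table):
    """Look up the domain, then each parent domain, as Postfix does for smtpd access maps by default."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return key
    return None


def decide(sender, client_ip):
    """Outcome of post #7's smtpd_sender_restrictions for one MAIL FROM / client pair."""
    if in_mynetworks(client_ip):
        return ("PERMIT", "permit_mynetworks")        # LAN clients are allowed before the map is consulted
    key = sender_domain_lookup(sender.rsplit("@", 1)[-1], REJECT_MAP)
    if key is not None:
        return ("REJECT", REJECT_MAP[key])
    return ("DUNNO", "no restriction matched")        # later restrictions decide


# Constructed log lines modelled on post #1 (rejected at RCPT) and post #2 (accepted, queued as
# 52287616001), plus one LAN submission and one ordinary external message that must not be flagged.
SAMPLE_LOG = """\
Jul 13 02:20:21 myserver postfix/smtpd[19853]: connect from unknown[219.64.128.217]
Jul 13 02:20:22 myserver postfix/smtpd[19853]: NOQUEUE: reject: RCPT from unknown[219.64.128.217]: 550 5.1.1 <me@mydomain.com>: Recipient address rejected: mydomain.com; from=<me@mydomain.com> to=<me@mydomain.com> proto=SMTP helo=<219.64.128.217.hyd.dialup.vsnl.net.in>
Jul 13 02:25:40 myserver postfix/smtpd[20836]: 52287616001: client=unknown[122.172.11.67]
Jul 13 02:25:41 myserver postfix/qmgr[2044]: 52287616001: from=<myself@mydomain.com>, size=312, nrcpt=1 (queue active)
Jul 13 02:30:02 myserver postfix/smtpd[20901]: A1B2C3D4E5: client=workstation.mydomain.com[192.168.1.20]
Jul 13 02:30:02 myserver postfix/qmgr[2044]: A1B2C3D4E5: from=<alice@mydomain.com>, size=2048, nrcpt=2 (queue active)
Jul 13 02:31:17 myserver postfix/smtpd[20905]: B6C7D8E9F0: client=mx.other.example[198.51.100.7]
Jul 13 02:31:18 myserver postfix/qmgr[2044]: B6C7D8E9F0: from=<bob@other.example>, size=980, nrcpt=1 (queue active)
"""

LOG_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
REJECT = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: .*? from=<(?P<from>[^>]*)>")
CLIENT = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=\S+\[(?P<ip>[^\]]+)\]")
QMGR_FROM = re.compile(r"^(?P<qid>[0-9A-Za-z]+): from=<(?P<from>[^>]*)>")


def find_spoofed_senders(log_text):
    """Return (client_ip, sender, status) for mail claiming a reject-map domain from outside mynetworks."""
    client_by_qid, events = {}, []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "smtpd":
            r = REJECT.search(msg)            # rejected at RCPT: client and sender are on one line
            if r:
                events.append((r.group("ip"), r.group("from"), "rejected"))
                continue
            c = CLIENT.match(msg)             # accepted: remember which client owns the queue id
            if c:
                client_by_qid[c.group("qid")] = c.group("ip")
        elif prog == "qmgr":
            q = QMGR_FROM.match(msg)          # qmgr logs the envelope sender per queue id
            if q and q.group("qid") in client_by_qid:
                events.append((client_by_qid[q.group("qid")], q.group("from"), "accepted"))
    return [
        (ip, sender, status)
        for ip, sender, status in events
        if sender_domain_lookup(sender.rsplit("@", 1)[-1], REJECT_MAP) and not in_mynetworks(ip)
    ]


if __name__ == "__main__":
    for hit in find_spoofed_senders(SAMPLE_LOG):
        print(hit, "->", decide(hit[1], hit[0]))
```

Running the triage before changing main.cf shows how much of the existing traffic the new restriction would turn away; the "accepted" entries are exactly the messages post #1 and #2 complain about. The same caveat as post #7 applies to the rule itself: any legitimate submission that does not come from mynetworks (a remote office relay, a hosted web front end) must be permitted before check_sender_access, or it will be rejected along with the forgeries.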