Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1  02-04-2010, 04:36 PM  (Junior Member, Posts: 5)
SPAM sourced from virtual domain user to same user

I'm running 6.0.4 OSE and I'm seeing SPAM from the world where the MAIL TO is a user on the system and the RCPT TO is the same user. Shouldn't Postfix block this before it gets to Spamassassin/SPAM checking? The SMTP client is not in my trusted networks and has not authenticated as a user of the system. What can be done to stop this commonly used SPAM loophole?

Below is what is happening.

Feb 4 16:14:48 zimbrahost postfix/smtpd[18837]: D33BC2F6049: client=unknown[204.14.36.5]
Feb 4 16:14:56 zimbrahost postfix/cleanup[19205]: D33BC2F6049: message-id=<>
Feb 4 16:14:56 zimbrahost postfix/qmgr[9572]: D33BC2F6049: from=<user@domain.com>, size=192, nrcpt=1 (queue active)
Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: connect from localhost[127.0.0.1]
Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: 301A52F6055: client=localhost[127.0.0.1]
Feb 4 16:14:57 zimbrahost postfix/cleanup[19205]: 301A52F6055: message-id=<20100205001457.301A52F6055@zimbrahost.domain.com>
Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: 301A52F6055: from=<user@domain.com>, size=1136, nrcpt=1 (queue active)
Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: disconnect from localhost[127.0.0.1]
Feb 4 16:14:57 zimbrahost postfix/smtp[19206]: D33BC2F6049: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=16, delays=15/0.02/0.01/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=07174-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 301A52F6055)
Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: D33BC2F6049: removed
Feb 4 16:14:57 zimbrahost postfix/lmtp[19210]: 301A52F6055: to=<user@domain.com>, relay=zimbrahost.domain.com[192.168.200.100]:7025, delay=0.15, delays=0/0.04/0.01/0.1, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: 301A52F6055: removed
Feb 4 16:14:59 zimbrahost postfix/smtpd[18837]: disconnect from unknown[204.14.36.5]
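Added example, not from the post above: a small Python check that does on the log what the poster did by eye. It correlates the smtpd `client=` line, the qmgr `from=<>` line and the `to=<>` line by Postfix queue ID, then flags any message whose client is outside the trusted networks but whose envelope sender is in a locally hosted domain. That generalises the post's case (sender identical to the recipient) to any spoofed local sender; the self-addressed case is marked separately. The log excerpt is constructed after the lines above, with a third, invented message from 198.51.100.7 (a legitimate external sender) for contrast; the trusted networks and local domain list are assumptions passed in by the caller.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Postfix log excerpt modelled on the post: the external delivery
# D33BC2F6049, its reinjection by amavisd from localhost (301A52F6055), and an
# invented legitimate external message (1A2B32F6060) that must not be flagged.
SAMPLE_LOG = """\
Feb 4 16:14:48 zimbrahost postfix/smtpd[18837]: D33BC2F6049: client=unknown[204.14.36.5]
Feb 4 16:14:56 zimbrahost postfix/qmgr[9572]: D33BC2F6049: from=<user@domain.com>, size=192, nrcpt=1 (queue active)
Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: 301A52F6055: client=localhost[127.0.0.1]
Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: 301A52F6055: from=<user@domain.com>, size=1136, nrcpt=1 (queue active)
Feb 4 16:14:57 zimbrahost postfix/smtp[19206]: D33BC2F6049: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=16, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 4 16:14:57 zimbrahost postfix/lmtp[19210]: 301A52F6055: to=<user@domain.com>, relay=zimbrahost.domain.com[192.168.200.100]:7025, delay=0.15, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Feb 4 16:15:03 zimbrahost postfix/smtpd[18837]: 1A2B32F6060: client=mail.example.net[198.51.100.7]
Feb 4 16:15:04 zimbrahost postfix/qmgr[9572]: 1A2B32F6060: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Feb 4 16:15:04 zimbrahost postfix/smtp[19206]: 1A2B32F6060: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Classic (short, upper-case hex) queue IDs only; long queue IDs are not handled here.
QUEUE_ID = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
CLIENT = re.compile(r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
TO = re.compile(r"to=<(?P<addr>[^>]*)>")


def parse_postfix_log(text):
    """Group the facts Postfix spreads over several lines by queue ID."""
    msgs = defaultdict(lambda: {"client_ip": None, "sender": None, "rcpts": []})
    for line in text.splitlines():
        m = QUEUE_ID.search(line)
        if not m:
            continue  # connect/disconnect, warnings, non-Postfix lines
        rec, rest = msgs[m.group("qid")], m.group("rest")
        if (c := CLIENT.search(rest)):
            rec["client_ip"] = c.group("ip")
        elif (f := FROM.search(rest)):
            rec["sender"] = f.group("addr").lower()
        elif (t := TO.search(rest)):
            rec["rcpts"].append(t.group("addr").lower())
    return dict(msgs)


def find_spoofed_local_senders(text, local_domains, trusted_networks):
    """Messages from outside trusted_networks claiming a local sender domain."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    local = {d.lower() for d in local_domains}
    hits = []
    for qid, rec in parse_postfix_log(text).items():
        if not rec["client_ip"] or not rec["sender"]:
            continue  # incomplete record (e.g. still in queue)
        ip = ipaddress.ip_address(rec["client_ip"])
        if any(ip in n for n in nets):
            continue  # internal relay or amavisd reinjection on 127.0.0.1
        if rec["sender"].rpartition("@")[2] not in local:
            continue  # foreign sender domain: not the pattern in question
        hits.append({
            "qid": qid,
            "client_ip": rec["client_ip"],
            "sender": rec["sender"],
            "rcpts": rec["rcpts"],
            "self_addressed": rec["sender"] in rec["rcpts"],
        })
    return hits


if __name__ == "__main__":
    for h in find_spoofed_local_senders(SAMPLE_LOG, ["domain.com"], ["127.0.0.0/8", "192.168.0.0/16"]):
        print(h)
```

Run against a real /var/log/zimbra.log (or mail.log) with the networks from `postconf mynetworks` and the domains the server hosts; anything this prints arrived from outside yet claimed an internal sender, which is exactly what an SPF record or a sender access map is meant to stop at the SMTP stage.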

#2  02-04-2010, 06:26 PM  (Moderator, Posts: 1,554)

Set up some sort of sender verification for your domain, like SPF records.

Basically you add a DNS record for your domain that says "mail from this domain is only going to come from the following IPs/networks:"

Then when your server, or any other server, receives mail from your domain, it queries for the SPF record, and if the originating IP is not listed in the SPF it will score it high or just plain drop the mail.
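Added example, not from the post and not SpamAssassin's or Mail::SPF's code: a minimal evaluator for the record the reply describes, so the "score it high or drop it" decision can be traced. DNS is replaced by a constructed stub zone (the IPs, host names and records in it are invented); mechanism names and qualifiers follow RFC 7208, and `a`/`mx` are simplified (no CIDR suffix, no macros, no `exists`/`ptr`). The `none` result is the one to watch: if the resolver the mail server actually uses cannot see the TXT record, as later in the thread with a split-horizon internal zone, there is no `fail` for SpamAssassin to score.

```python
import ipaddress

# Constructed stub zone standing in for DNS. "TXT" holds the SPF records the
# server would query; "A"/"MX" back the a: and mx: mechanisms.
ZONE = {
    ("domain.com", "TXT"): ["v=spf1 ip4:203.0.113.10 mx include:_spf.example.net -all"],
    ("domain.com", "MX"): ["mail.domain.com"],
    ("mail.domain.com", "A"): ["203.0.113.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    """Stub resolver: a name the zone does not know simply has no records."""
    return zone.get((name.lower(), rtype), [])


def check_host(zone, ip, domain, depth=0):
    """SPF check_host(): result for sender IP `ip` claiming MAIL FROM `domain`."""
    if depth > 10:
        return "permerror"  # RFC 7208 limits DNS-querying mechanisms per check
    records = [r for r in lookup(zone, domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"       # no SPF record visible to this resolver: nothing to score
    if len(records) > 1:
        return "permerror"  # multiple SPF records is a publishing error
    ip = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network of a bare address is a /32 or /128; version mismatch is a non-match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(zone, arg or domain, "A"))
        elif name == "mx":
            hosts = lookup(zone, arg or domain, "MX")
            matched = any(ip == ipaddress.ip_address(a) for h in hosts for a in lookup(zone, h, "A"))
        elif name == "include":
            sub = check_host(zone, str(ip), arg, depth + 1)
            if sub in ("permerror", "temperror"):
                return sub
            matched = sub == "pass"  # include: only matches when the included record passes
        else:
            return "permerror"       # unknown mechanism (exists/ptr/macros not implemented here)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # fell off the end of the record without a match


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "domain.com"), ("204.14.36.5", "domain.com"),
                    ("204.14.36.5", "nospf.example.org")]:
        print(ip, dom, "->", check_host(ZONE, ip, dom))
```

The third case in the usage loop is the gotcha: with no visible record the answer is `none`, not `fail`, so a `score SPF_FAIL 10.000` line never fires. Before blaming SpamAssassin, query the TXT record from the mail server itself (`dig +short TXT yourdomain` on that host) and make sure the answer matches what the public zone publishes.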

#3  02-04-2010, 08:04 PM  raj (Moderator, Posts: 768)

This is a very common kind of spam.
You can do tons of things on top of the default Zimbra install to improve anti-spam.
The list is in the link:
Improving Anti-spam system - Zimbra :: Wiki

Raj
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider

#4  02-10-2010, 03:56 PM  (Junior Member, Posts: 5)

I've set up SPF as recommended and sometimes see the SPF check in the headers; however, this same SPAM still gets through. The headers are as follows (no SPF check):

X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
X-Spam-Flag: NO
X-Spam-Score: 4.265
X-Spam-Level: ****
X-Spam-Status: No, score=4.265 tagged_above=-10 required=5
tests=[BAYES_05=-1.11, MISSING_DATE=0.001, MISSING_HEADERS=1.292,
MISSING_MID=0.001, MISSING_SUBJECT=1.762, RDNS_NONE=0.1,
TVD_SPACE_RATIO=2.219] autolearn=no

My zimbra installation does not seem to be logging spamassassin activities. How do I enable spamassassin logging so I can see what is going on and why SPF checking is not happening for these particular spams.

#5  02-10-2010, 05:12 PM  (Junior Member, Posts: 5)

I found how to increase the SA log level and now see the SA headers within the zimbra.log. Still having issues with SA and SPF however.

I followed the wiki instructions for SPF and installed the SPF library and set the scores but I'm seeing this when starting zimbra:

Feb 10 16:36:53 postal amavis[19703]: INFO: SA version: 3.2.5, 3.002005, no optional modules: Encode::Detect Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x

Are there additional steps needed to enable these optional modules?

# apt-get -s install libmail-spf-query-perl
Reading package lists... Done
Building dependency tree
Reading state information... Done
libmail-spf-query-perl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Excerpt from /opt/zimbra/conf/salocal.cf:

ok_languages en es
ok_locales en es
trusted_networks 127. 192.168.
use_bayes 1
dns_available yes
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score FH_DATE_PAST_20XX 0.0

#6  02-10-2010, 09:07 PM  (Junior Member, Posts: 5)

It appears the SPF module and others are loading despite the last post. I am seeing this upon startup so it appears SPF is loading just fine:

Code:
Feb 10 16:36:55 postal amavis[19708]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Feb 10 16:36:55 postal amavis[19708]: SpamControl: init_pre_fork on SpamAssassin done
Feb 10 16:36:55 postal amavis[19708]: extra modules loaded after daemonizing/chrooting: Mail/SPF/Query.pm
That said, the initial issue with SPAM (same valid user used as MAIL TO and RCPT TO) getting through continues and it does not appear SPF is checked by SA:

Code:
Feb 10 17:40:41 host postfix/smtpd[17972]: warning: 204.14.36.5: hostname las-204-14-36-5.commpartners.us verification failed: Name or service not known
Feb 10 17:40:41 host postfix/smtpd[17972]: connect from unknown[204.14.36.5]
Feb 10 17:40:44 host zmmailboxdmgr[18047]: status requested
Feb 10 17:40:44 host zmmailboxdmgr[18047]: status OK
Feb 10 17:40:45 host zmmailboxdmgr[18108]: status requested
Feb 10 17:40:45 host zmmailboxdmgr[18108]: status OK
Feb 10 17:40:59 host postfix/smtpd[17972]: D5D142F602F: client=unknown[204.14.36.5]
Feb 10 17:41:05 host postfix/cleanup[18143]: D5D142F602F: message-id=<>
Feb 10 17:41:05 host postfix/qmgr[6280]: D5D142F602F: from=<email@xyz.com>, size=181, nrcpt=1 (queue active)
Feb 10 17:41:05 host amavis[4137]: (04137-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20100210T174105-04137: <email@xyz.com> -> <email@xyz.com> SIZE=181 Received: from zimbra.server.com ([127.0.0.1]) by localhost (zimbra.server.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <email@xyz.com>; Wed, 10 Feb 2010 17:41:05 -0800 (PST)
Feb 10 17:41:05 host amavis[4137]: (04137-01) Checking: mDZetvP+aMsx [204.14.36.5] <email@xyz.com> -> <email@xyz.com>
Feb 10 17:41:05 host amavis[4137]: (04137-01) p001 1 Content-Type: text/plain, size: 9 B, name: 
Feb 10 17:41:05 host amavis[4137]: (04137-01) check_header: 7, Missing required header field: "Date"
Feb 10 17:41:05 host amavis[4137]: (04137-01) check_header: 7, Missing required header field: "From"
Feb 10 17:41:05 host clamd[4146]: No stats for Database check - forcing reload 
Feb 10 17:41:07 host clamd[4146]: Reading databases from /opt/zimbra/data/clamav/db 
Feb 10 17:41:08 host postfix/smtpd[17972]: disconnect from unknown[204.14.36.5]
Feb 10 17:41:11 host clamd[4146]: Database correctly reloaded (1257414 signatures) 
Feb 10 17:41:11 host amavis[4137]: (04137-01) local delivery: <> -> bad-header-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/badh-mDZetvP+aMsx
Feb 10 17:41:11 host amavis[4137]: (04137-01) SPAM-TAG, <email@xyz.com> -> <email@xyz.com>, No, score=4.265 tagged_above=-10 required=5 tests=[BAYES_05=-1.11, MISSING_DATE=0.001, MISSING_HEADERS=1.292, MISSING_MID=0.001, MISSING_SUBJECT=1.762, RDNS_NONE=0.1, TVD_SPACE_RATIO=2.219] autolearn=no
Feb 10 17:41:11 host postfix/smtpd[18155]: connect from localhost[127.0.0.1]
Feb 10 17:41:11 host postfix/smtpd[18155]: ABD722F605D: client=localhost[127.0.0.1]
Feb 10 17:41:11 host postfix/cleanup[18143]: ABD722F605D: message-id=<20100211014111.ABD722F605D@zimbra.server.com>
Feb 10 17:41:11 host postfix/qmgr[6280]: ABD722F605D: from=<email@xyz.com>, size=1152, nrcpt=1 (queue active)
Feb 10 17:41:11 host amavis[4137]: (04137-01) FWD via SMTP: <email@xyz.com> -> <email@xyz.com>,BODY=7BIT 250 2.0.0 Ok, id=04137-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as ABD722F605D
Feb 10 17:41:11 host amavis[4137]: (04137-01) Passed BAD-HEADER, [204.14.36.5] [204.14.36.5] <email@xyz.com> -> <email@xyz.com>, quarantine: badh-mDZetvP+aMsx, mail_id: mDZetvP+aMsx, Hits: 4.265, size: 181, queued_as: ABD722F605D, 6127 ms
Feb 10 17:41:11 host postfix/smtp[18151]: D5D142F602F: to=<email@xyz.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=19, delays=12/0.02/0.06/6.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04137-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as ABD722F605D)
Feb 10 17:41:11 host amavis[4137]: (04137-01) TIMING [total 6132 ms] - ldap-prepare: 21 (0%)0, SMTP greeting: 15 (0%)1, SMTP EHLO: 3 (0%)1, SMTP pre-MAIL: 1 (0%)1, mkdir tempdir: 2 (0%)1, create email.txt: 2 (0%)1, ldap-connect: 79 (1%)2, lookup_ldap: 8 (0%)2, SMTP pre-DATA-flush: 6 (0%)2, SMTP DATA: 1 (0%)2, check_init: 2 (0%)2, digest_hdr: 3 (0%)2, digest_body_dkim: 1 (0%)2, gen_mail_id: 2 (0%)2, mkdir parts: 2 (0%)2, mime_decode: 23 (0%)3, get-file-type1: 36 (1%)3, decompose_part: 5 (0%)3, parts_decode: 0 (0%)3, check_header: 5 (0%)4, AV-scan-1: 5554 (91%)94, spam-wb-list: 4 (0%)94, SA parse: 13 (0%)94, SA check: 210 (3%)98, update_cache: 9 (0%)98, decide_mail_destiny: 3 (0%)98, notif-quar: 6 (0%)98, stat-mbx: 5 (0%)98, open-mbx: 1 (0%)98, write-header: 1 (0%)98, save-to-local-mailbox: 0 (0%)98, fwd-connect: 39 (1%)99, fwd-mail-pip: 47 (1%)100, fwd-rcpt-pip: 0 (0%)100, fwd-data-chkpnt: 0 (0%)100, write-header: 0 (0%)100, fwd-data-contents: 0 (0%)100, fwd-end-chkpnt: 4 (0%)100, prepare-dsn: 2 (0...
Feb 10 17:41:11 host postfix/qmgr[6280]: D5D142F602F: removed
Feb 10 17:41:11 host amavis[4137]: (04137-01) ...%)100, main_log_entry: 13 (0%)100, SMTP pre-response: 1 (0%)100, SMTP response: 2 (0%)100, unlink-1-files: 1 (0%)100, rundown: 2 (0%)100
Feb 10 17:41:11 host amavis[4137]: (04137-01) extra modules loaded: /opt/zimbra/zimbramon/lib/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/zimbramon/lib/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, Net/LDAP/Extension.pm, Net/SSLeay.pm
Feb 10 17:41:11 host postfix/lmtp[18158]: ABD722F605D: to=<email@xyz.com>, relay=zimbra.server.com[192.168.200.100]:7025, delay=0.16, delays=0.01/0.05/0/0.1, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Feb 10 17:41:11 host postfix/qmgr[6280]: ABD722F605D: removed

#7  02-11-2010, 01:10 AM  (Moderator, Posts: 7,928)

Okay, here is an idea. I do it on my front-end MTA so not sure what will happen when configured directly on the ZCS server.
Code:
su - zimbra
Create a file under /opt/zimbra/conf called spoofprotection with the following content
Code:
yourdomain		REJECT we never email ourself from outside so go away!
We then need to convert it to a database
Code:
postmap spoofprotection
then Zimbra needs to know to look at it, so we need to change /opt/zimbra/conf/postfix_recipient_restrictions.cf and add
Code:
check_sender_access hash:/opt/zimbra/conf/spoofprotection
This needs to go after the permit_mynetworks so the file looks like
Code:
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
check_sender_access hash:/opt/zimbra/conf/spoofprotection
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
permit
Then restart Postfix
Code:
postfix reload
The result should be that people mailing each other internally will work fine as they will hit permit_mynetworks and match. If somebody from the outside attempts to spoof your domain in the from field they will be rejected.

Again this has been un-tested directly on the ZCS server.
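Added example, not from the post and not Postfix code: a Python model of how smtpd walks a restriction list, so the ordering rule in the post ("after permit_mynetworks") can be tested against concrete sessions before touching the real template. It parses the posted access map in postmap source form, reproduces the access(5) lookup order for an address key (full address, domain, parent domains, then `localpart@`), and evaluates a handful of the restrictions the post lists; the others are left out. The networks, domain and client IPs are assumptions chosen to mirror the thread; `BAD_ORDER` is the misconfiguration the post warns against, included to show it rejecting internal mail.

```python
import ipaddress

# Constructed inputs: the posted access map in postmap source form (comment
# added) and invented networks/domains. This is a model of smtpd restriction
# evaluation for illustration, not Postfix itself.
SPOOFPROTECTION = """\
# sender (domain or address)   action and reply text
domain.com                     REJECT we never email ourself from outside so go away!
"""

CONFIG = {
    "mynetworks": [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.200.0/24")],
    "local_domains": {"domain.com"},
}


def parse_access_map(text):
    """access(5) source: 'key action [text]' per line, '#' comments ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action
    return table


def access_lookup(table, address):
    """Search order for an address key: full address, its domain, each parent
    domain (parent_domain_matches_subdomains covers smtpd_access_maps by
    default), then the bare 'localpart@' form."""
    local, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [address.lower()] + [".".join(labels[i:]) for i in range(len(labels) - 1)] + [local + "@"]
    for k in keys:
        if k in table:
            return table[k]
    return None


# Each restriction returns PERMIT, REJECT or DUNNO (no opinion, try the next one).
def permit_mynetworks(s, cfg):
    ip = ipaddress.ip_address(s["client_ip"])
    return ("PERMIT", "mynetworks") if any(ip in n for n in cfg["mynetworks"]) else ("DUNNO", "")


def permit_sasl_authenticated(s, cfg):
    return ("PERMIT", "sasl " + s["sasl_user"]) if s.get("sasl_user") else ("DUNNO", "")


def reject_unauth_destination(s, cfg):
    rdomain = s["rcpt"].rpartition("@")[2].lower()
    return ("DUNNO", "") if rdomain in cfg["local_domains"] else ("REJECT", "Relay access denied")


def check_sender_access(s, cfg):
    action = access_lookup(cfg["sender_access"], s["sender"])  # envelope MAIL FROM
    if action is None:
        return ("DUNNO", "")
    verb, _, text = action.partition(" ")
    if verb.upper() == "REJECT":
        return ("REJECT", text or "Access denied")
    if verb.upper() == "OK":
        return ("PERMIT", "sender access OK")
    return ("DUNNO", "")


def permit(s, cfg):
    return ("PERMIT", "end of list")


RESTRICTIONS = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated,
                                        reject_unauth_destination, check_sender_access, permit)}


def evaluate(order, session, cfg):
    """Walk the list as smtpd does: the first PERMIT or REJECT decides."""
    for name in order:
        verdict = RESTRICTIONS[name](session, cfg)
        if verdict[0] != "DUNNO":
            return (name,) + verdict
    return ("implicit", "PERMIT", "end of list")


# Order from the post: trusted sources are permitted before the spoof check runs.
POSTED_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
                "reject_unauth_destination", "check_sender_access", "permit"]
# The misordering the post warns about: the access check ahead of permit_mynetworks.
BAD_ORDER = ["check_sender_access", "permit_sasl_authenticated", "permit_mynetworks",
             "reject_unauth_destination", "permit"]

CONFIG["sender_access"] = parse_access_map(SPOOFPROTECTION)


def classify(order, client_ip, sender, rcpt, sasl_user=None):
    session = {"client_ip": client_ip, "sender": sender, "rcpt": rcpt, "sasl_user": sasl_user}
    return evaluate(order, session, CONFIG)


if __name__ == "__main__":
    print(classify(POSTED_ORDER, "204.14.36.5", "user@domain.com", "user@domain.com"))
    print(classify(POSTED_ORDER, "192.168.200.50", "user@domain.com", "user@domain.com"))
    print(classify(BAD_ORDER, "192.168.200.50", "user@domain.com", "user@domain.com"))
```

Two things the model makes visible. First, the map keys the envelope sender, so a subdomain such as `user@mail.domain.com` is caught by the `domain.com` entry through parent-domain matching; list every hosted domain (one per line) if you want the same for each. Second, a roaming user on an outside IP still gets through only because `permit_sasl_authenticated` comes first; if your users submit mail without SMTP AUTH from outside `mynetworks`, this rule will reject them too.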

#8  02-11-2010, 10:00 AM  (Junior Member, Posts: 5)

Thanks Uxbod. I appreciate the response.

I ended up getting SPF working to block this spam. I think my issue with SPF was with running an internal DNS server. Since SA queries DNS I had to also add SPF records to my internal zone files for it to work. I'm not sure this is mentioned within the spam wiki or SPF configuration and could be a big gotcha for anyone running their own DNS.

That said, I still would prefer that postfix stop this sort of spam loophole before ever getting to AV/SA. I thought this was the intent of trusted networks and SMTP Auth but obviously not. I'm surprised this is not a bigger issue since this affects every Zimbra installation out there (and possibly postfix). So I'll likely try your possibly better solution to this issue.

#9  02-25-2010, 12:58 PM  (Active Member, Posts: 26)

I too have implemented SPF; though I see in the logs that it is working much of the time, I still receive some email for which there appears to be no SPF check done. Can anyone tell me why this happens?

Here is an example of the header of one of these spam emails:

Return-Path: harmfulh9@beautifuldom.ru
Received: from zimbra.MyDomain.com (LHLO zimbra.MyDomain.com)
(172.20.1.4) by zimbra.MyDomain.com with LMTP; Tue, 23 Feb 2010 07:34:20
-0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by zimbra.MyDomain.com (Postfix) with ESMTP id 0F1DA8D8004
for <goodtogo@MyDomain.com>; Tue, 23 Feb 2010 07:34:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at zimbra.MyDomain.com
X-Spam-Flag: YES
X-Spam-Score: 11.613
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.613 tagged_above=-10 required=6.6
tests=[BAYES_99=3.5, PYZOR_CHECK=2.5, RCVD_IN_BL_SPAMCOP_NET=1.96,
RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, STOX_REPLY_TYPE=0.001]
autolearn=no
Received: from zimbra.MyDomain.com ([127.0.0.1])
by localhost (zimbra.MyDomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id PyZ1a5tD9kBB for <goodtogo@MyDomain.com>;
Tue, 23 Feb 2010 07:34:16 -0800 (PST)
Received: from 69.209.broadband13.iol.cz (69.209.broadband13.iol.cz [90.180.209.69])
by zimbra.MyDomain.com (Postfix) with ESMTP id 4CA778D8003
for <goodtogo@MyDomain.com>; Tue, 23 Feb 2010 07:34:15 -0800 (PST)
Received: from 90.180.209.69 by aspmx5.googlemail.com; Tue, 23 Feb 2010 16:34:52 +0100
Date: Tue, 23 Feb 2010 16:34:52 +0100
From: goodtogo@MyDomain.com
Subject: Complete your wardrobe today with a brand new Vertu, the ultimate fashion accessory for the high powered personality that you are
To: <goodtogo@MyDomain.com>
Message-ID: <000d01cab49d$be0a1f40$6400a8c0@harmfulh9>
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Content-type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal

Feel the luxurious gem in your hand. Be the envy with just a click of your mobile. http://inroad87.spaces.live.com

#10  02-25-2010, 12:59 PM  (Active Member, Posts: 26)

uxbod, does the spoofprotection file support multiple lines? Say, for instance, I host multiple domains.