Thread: Local Mail Marked as spam, SPOOF_COM2COM

  1. #1
    jlearmonth is offline Junior Member

    ## EDIT ##
    Running Release 5.0.20_GA_3127.UBUNTU8 UBUNTU8 NETWORK edition
    ## EDIT ##

    For the last few weeks a large number of normal mails, from local and remote sources, are being marked as spam, even though these same sources have been working fine for years.

    I have not changed any settings, or upgraded, etc...
    I notice that it shows both SPOOF_COM2COM=2.272 and SPOOF_COM2OTH=2.044, which is strange because there is no COM anywhere in our domain name.

    Here is an example email header from the Zimbra server itself that is now marked as spam:

    Return-Path: zimbra@zimbra.mydomain.cc
    Received: from zimbra.mydomain.cc (LHLO zimbra.mydomain.cc) (10.1.1.13) by
    zimbra.mydomain.cc with LMTP; Tue, 13 Apr 2010 01:10:42 -0600 (MDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.mydomain.cc (Postfix) with ESMTP id CEBB1ACA453;
    Tue, 13 Apr 2010 01:10:42 -0600 (MDT)
    X-Virus-Scanned: amavisd-new at zimbra.mydomain.cc
    X-Spam-Flag: YES
    X-Spam-Score: 2.789
    X-Spam-Level: **
    X-Spam-Status: Yes, score=2.789 tagged_above=-10 required=1
    tests=[ALL_TRUSTED=-1.8, AWL=-4.357, BAYES_99=3.5,
    DNS_FROM_OPENWHOIS=1.13, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044]
    Received: from zimbra.mydomain.cc ([127.0.0.1])
    by localhost (zimbra.mydomain.cc [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id t7m6z52jeSih; Tue, 13 Apr 2010 01:10:40 -0600 (MDT)
    Received: from localhost.localdomain (zimbra.mydomain.cc [10.1.1.13])
    by zimbra.mydomain.cc (Postfix) with ESMTP id 25EEEACA2EB
    for <admin@zimbra.mydomain.cc>; Tue, 13 Apr 2010 01:10:40 -0600 (MDT)
    Subject: *** SPAM ***Daily mail report from 2010-04-12 00:00:00 to 2010-04-13
    00:00:00
    X-Mailer: Mail::Mailer[v2.04] Net::SMTP[v2.31]
    To: admin@zimbra.mydomain.cc
    From: admin@zimbra.mydomain.cc
    Message-Id: <20100413071040.25EEEACA2EB@zimbra.mydomain.cc>
    Date: Tue, 13 Apr 2010 01:10:40 -0600 (MDT)

    zmdailyreport from 2010-04-12 00:00:00 to 2010-04-13 00:00:00

    ...


    The same daily report from a few days ago does not show SPOOF_COM2COM or SPOOF_COM2OTH

    Any ideas?

    Thanks in advance.

    Jordan

    ## EDIT ##
    Happened again today with the Zimbra Daily Log:
    Return-Path: zimbra@zimbra.mydomain.cc
    Received: from zimbra.mydomain.cc (LHLO zimbra.mydomain.cc) (10.1.1.13) by
    zimbra.mydomain.cc with LMTP; Wed, 14 Apr 2010 01:10:53 -0600 (MDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.mydomain.cc (Postfix) with ESMTP id E29BAACA37F;
    Wed, 14 Apr 2010 01:10:52 -0600 (MDT)
    X-Virus-Scanned: amavisd-new at zimbra.mydomain.cc
    X-Spam-Flag: YES
    X-Spam-Score: 1.056
    X-Spam-Level: *
    X-Spam-Status: Yes, score=1.056 tagged_above=-10 required=1
    tests=[ALL_TRUSTED=-1.8, AWL=-2.599, BAYES_99=3.5, URIBL_BLACK=1.955]
    Received: from zimbra.mydomain.cc ([127.0.0.1])
    by localhost (zimbra.mydomain.cc [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id WnTzSPU8u3AN; Wed, 14 Apr 2010 01:10:51 -0600 (MDT)
    Received: from localhost.localdomain (zimbra.mydomain.cc [10.1.1.13])
    by zimbra.mydomain.cc (Postfix) with ESMTP id B90F4ACA35C
    for <admin@zimbra.mydomain.cc>; Wed, 14 Apr 2010 01:10:51 -0600 (MDT)
    Subject: *** SPAM ***Daily mail report from 2010-04-13 00:00:00 to 2010-04-14
    00:00:00
    X-Mailer: Mail::Mailer[v2.04] Net::SMTP[v2.31]
    To: admin@zimbra.mydomain.cc
    From: admin@zimbra.mydomain.cc
    Message-Id: <20100414071051.B90F4ACA35C@zimbra.mydomain.cc>
    Date: Wed, 14 Apr 2010 01:10:51 -0600 (MDT)

    zmdailyreport from 2010-04-13 00:00:00 to 2010-04-14 00:00:00
    Last edited by jlearmonth; 04-14-2010 at 12:36 PM. Reason: New Example

  2. #2
    uxbod is offline Moderator

    Well I can answer one of those straight away :- [SOLVED] spamassassin: false positives from openwhois

    Which version of ZCS are you running? The current ones, 5.0.23 and 6.0.6, address a couple of SA issues, and Zimbra now bundles the SA update tools.

    Would be grateful if you were to post
    Code:
    su - zimbra
    zmcontrol -v

  3. #3
    uxbod is offline Moderator

    Just looked at the rule on 6.0.6 and it contains
    Code:
    # a.com.b.com
    uri SPOOF_COM2COM       m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
    describe SPOOF_COM2COM  URI contains ".com" in middle and end
    Did the recipient receive some sort of strange URI link?

  4. #4
    jlearmonth is offline Junior Member

    Not sure what you mean by URI link; messages coming from sources that don't even have COM in their name are being marked with that COM2COM rule.
    I am also seeing DNS_FROM_OPENWHOIS=1.13 in almost all incoming mail now.

  5. #5
    uxbod is offline Moderator

    The OPENWHOIS one is referenced in my previous post. The COM2COM is a http link embedded within the body of the email.
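
To make the thread's two points concrete, the sketch below (an added example, not code from any poster or from Zimbra/SpamAssassin) breaks down the X-Spam-Status value from post #1 and runs a Python port of the SPOOF_COM2COM rule from post #3 over the URIs in a message body. The body text, its hostnames and the function names are constructed for illustration.

```python
import re

# Python port of the SPOOF_COM2COM uri rule quoted in post #3 (m{...}i -> re.I).
SPOOF_COM2COM = re.compile(r"^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com", re.I | re.A)

# X-Spam-Status value copied from the first header in post #1.
STATUS = """Yes, score=2.789 tagged_above=-10 required=1
 tests=[ALL_TRUSTED=-1.8, AWL=-4.357, BAYES_99=3.5,
 DNS_FROM_OPENWHOIS=1.13, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044]"""

# Constructed message body (not from the thread); hostnames are placeholders.
BODY = """Top hosts: http://zimbra.mydomain.cc/stats
Seen in a relayed message: http://www.example.com.login.example.com/index.html
Vendor page: https://www.example.com/support"""


def parse_spam_status(value):
    """Return (score, required, {test: points}) from an X-Spam-Status value."""
    flat = " ".join(value.split())  # unfold the continuation lines
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    listed = re.search(r"tests=\[(.*?)\]", flat).group(1)
    tests = {n: float(p) for n, p in re.findall(r"(\w+)=(-?[\d.]+)", listed)}
    return score, required, tests


def score_without(tests, *names):
    """Arithmetic only: total with the named tests dropped (AWL is history
    dependent, so a real rescan could give a different AWL value)."""
    return round(sum(p for n, p in tests.items() if n not in names), 3)


def uris_hitting_rule(body):
    """The rule is a 'uri' rule: it is evaluated against links found in the
    message, not against the sender's domain."""
    uris = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in uris if SPOOF_COM2COM.search(u)]


if __name__ == "__main__":
    score, required, tests = parse_spam_status(STATUS)
    print("total", score, "required", required)
    for name, pts in sorted(tests.items(), key=lambda kv: -kv[1]):
        print(f"  {name:20s} {pts:+.3f}")
    print("without SPOOF_*:", score_without(tests, "SPOOF_COM2COM", "SPOOF_COM2OTH"))
    print("URIs matching SPOOF_COM2COM:", uris_hitting_rule(BODY))
```

The per-test points sum to the reported 2.789, and only the link whose hostname has ".com" both in the middle and at the end matches, regardless of the domain the mail came from.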
