  #1 (permalink)  
Old 04-13-2010, 08:59 AM
Junior Member
 
Posts: 6
Local Mail Marked as spam, SPOOF_COM2COM

## EDIT ##
Running Release 5.0.20_GA_3127.UBUNTU8 UBUNTU8 NETWORK edition
## EDIT ##

For the last few weeks a large number of normal mails, from local and remote sources, have been marked as spam, even though these same sources have been working fine for years.

I have not changed any settings, or upgraded, etc...
I notice that it shows both SPOOF_COM2COM=2.272 and SPOOF_COM2OTH=2.044, which is strange because there is no COM anywhere in our domain name.

Here is an example email header from the Zimbra server itself that is now marked as spam:

Return-Path: zimbra@zimbra.mydomain.cc
Received: from zimbra.mydomain.cc (LHLO zimbra.mydomain.cc) (10.1.1.13) by
    zimbra.mydomain.cc with LMTP; Tue, 13 Apr 2010 01:10:42 -0600 (MDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.mydomain.cc (Postfix) with ESMTP id CEBB1ACA453;
    Tue, 13 Apr 2010 01:10:42 -0600 (MDT)
X-Virus-Scanned: amavisd-new at zimbra.mydomain.cc
X-Spam-Flag: YES
X-Spam-Score: 2.789
X-Spam-Level: **
X-Spam-Status: Yes, score=2.789 tagged_above=-10 required=1
    tests=[ALL_TRUSTED=-1.8, AWL=-4.357, BAYES_99=3.5,
    DNS_FROM_OPENWHOIS=1.13, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044]
Received: from zimbra.mydomain.cc ([127.0.0.1])
    by localhost (zimbra.mydomain.cc [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id t7m6z52jeSih; Tue, 13 Apr 2010 01:10:40 -0600 (MDT)
Received: from localhost.localdomain (zimbra.mydomain.cc [10.1.1.13])
    by zimbra.mydomain.cc (Postfix) with ESMTP id 25EEEACA2EB
    for <admin@zimbra.mydomain.cc>; Tue, 13 Apr 2010 01:10:40 -0600 (MDT)
Subject: *** SPAM ***Daily mail report from 2010-04-12 00:00:00 to 2010-04-13
    00:00:00
X-Mailer: Mail::Mailer[v2.04] Net::SMTP[v2.31]
To: admin@zimbra.mydomain.cc
From: admin@zimbra.mydomain.cc
Message-Id: <20100413071040.25EEEACA2EB@zimbra.mydomain.cc>
Date: Tue, 13 Apr 2010 01:10:40 -0600 (MDT)

zmdailyreport from 2010-04-12 00:00:00 to 2010-04-13 00:00:00

...


The same daily report from a few days ago does not show SPOOF_COM2COM or SPOOF_COM2OTH

Any ideas?

Thanks in advance.

Jordan

## EDIT ##
Happened again today with the Zimbra Daily Log:
Return-Path: zimbra@zimbra.mydomain.cc
Received: from zimbra.mydomain.cc (LHLO zimbra.mydomain.cc) (10.1.1.13) by
    zimbra.mydomain.cc with LMTP; Wed, 14 Apr 2010 01:10:53 -0600 (MDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.mydomain.cc (Postfix) with ESMTP id E29BAACA37F;
    Wed, 14 Apr 2010 01:10:52 -0600 (MDT)
X-Virus-Scanned: amavisd-new at zimbra.mydomain.cc
X-Spam-Flag: YES
X-Spam-Score: 1.056
X-Spam-Level: *
X-Spam-Status: Yes, score=1.056 tagged_above=-10 required=1
    tests=[ALL_TRUSTED=-1.8, AWL=-2.599, BAYES_99=3.5, URIBL_BLACK=1.955]
Received: from zimbra.mydomain.cc ([127.0.0.1])
    by localhost (zimbra.mydomain.cc [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id WnTzSPU8u3AN; Wed, 14 Apr 2010 01:10:51 -0600 (MDT)
Received: from localhost.localdomain (zimbra.mydomain.cc [10.1.1.13])
    by zimbra.mydomain.cc (Postfix) with ESMTP id B90F4ACA35C
    for <admin@zimbra.mydomain.cc>; Wed, 14 Apr 2010 01:10:51 -0600 (MDT)
Subject: *** SPAM ***Daily mail report from 2010-04-13 00:00:00 to 2010-04-14
    00:00:00
X-Mailer: Mail::Mailer[v2.04] Net::SMTP[v2.31]
To: admin@zimbra.mydomain.cc
From: admin@zimbra.mydomain.cc
Message-Id: <20100414071051.B90F4ACA35C@zimbra.mydomain.cc>
Date: Wed, 14 Apr 2010 01:10:51 -0600 (MDT)

zmdailyreport from 2010-04-13 00:00:00 to 2010-04-14 00:00:00

Last edited by jlearmonth; 04-14-2010 at 12:36 PM.. Reason: New Example
Reply With Quote
  #2 (permalink)  
Old 04-13-2010, 10:04 AM
Moderator
 
Posts: 7,928

Well I can answer one of those straight away :- [SOLVED] spamassassin: false positives from openwhois

Which version of ZCS are you running? The current ones, 5.0.23 and 6.0.6, address a couple of SA issues, and Zimbra now bundles the SA update tools.

Would be grateful if you were to post
Code:
su - zimbra
zmcontrol -v
__________________
Reply With Quote
  #3 (permalink)  
Old 04-13-2010, 10:08 AM
Moderator
 
Posts: 7,928

Just looked at the rule on 6.0.6 and it contains
Code:
# a.com.b.com
uri SPOOF_COM2COM       m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
describe SPOOF_COM2COM  URI contains ".com" in middle and end
Did the recipient receive some sort of strange URI link?
__________________
Reply With Quote
  #4 (permalink)  
Old 04-13-2010, 10:17 AM
Junior Member
 
Posts: 6

Not sure what you mean by URI link, messages coming from sources that don't even have COM in their name are being marked with that COM2COM rule.
I am also seeing DNS_FROM_OPENWHOIS=1.13 in almost all incoming mail now.
Reply With Quote
  #5 (permalink)  
Old 04-13-2010, 10:32 AM
Moderator
 
Posts: 7,928

The OPENWHOIS one is referenced in my previous post. The COM2COM is an http link embedded within the body of the email.
__________________
Reply With Quote
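
Added example, not part of the original thread and not Zimbra or SpamAssassin code: it splits the first X-Spam-Status header above into per-rule points and runs the SPOOF_COM2COM pattern quoted in post #3 (ported from Perl to Python's re) over body URIs, showing that the rule fires on links in the body rather than on the sender's domain. The function names, the simplified URI extractor and the sample body are assumptions constructed for illustration; the real report body is not shown in the thread.

```python
import re

# SPOOF_COM2COM as quoted in post #3 (Perl m{...}i), ported to Python's re syntax.
SPOOF_COM2COM = re.compile(r"^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com", re.I)
URI = re.compile(r"https?://[^\s<>\"']+", re.I)  # simplified URI extractor (assumption)

def com2com_hits(body):
    """Return the URIs in a message body that the quoted rule pattern matches."""
    return [u for u in URI.findall(body) if SPOOF_COM2COM.search(u)]

def parse_spam_status(value):
    """Split a (possibly folded) X-Spam-Status value into score, threshold, tests."""
    flat = " ".join(value.split())
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    listed = re.search(r"tests=\[([^\]]*)\]", flat).group(1)
    tests = {n: float(p) for n, p in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", listed)}
    return score, required, tests

def score_without(tests, *rules):
    """Total score if the named rules had not fired."""
    return round(sum(p for n, p in tests.items() if n not in rules), 3)

# X-Spam-Status value copied from the first header dump in the thread.
STATUS = """Yes, score=2.789 tagged_above=-10 required=1
tests=[ALL_TRUSTED=-1.8, AWL=-4.357, BAYES_99=3.5,
DNS_FROM_OPENWHOIS=1.13, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044]"""

# Constructed body for illustration only.
BODY = """Top senders: admin@zimbra.mydomain.cc
see http://zimbra.mydomain.cc/report and http://example.com/a
nested: http://www.example.com.example.com/login
also: http://cdn.com.files.community.example.org/x
"""

if __name__ == "__main__":
    score, required, tests = parse_spam_status(STATUS)
    for name, pts in sorted(tests.items(), key=lambda t: -t[1]):
        print(f"{name:20s} {pts:+.3f}")
    print("reported", score, "required", required)
    print("without SPOOF_*:", score_without(tests, "SPOOF_COM2COM", "SPOOF_COM2OTH"))
    print("URIs matching SPOOF_COM2COM:", com2com_hits(BODY))
```

The last constructed URI matches even though it does not end in ".com": the quoted pattern has no boundary after the final "com", so a label such as "community" satisfies it.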