#1 (05-04-2010, 06:15 AM) Senior Member, Posts: 67
[SOLVED] We are getting spam for our distribution list

We have been having this issue for a while now...
I have looked at other posts, but a lot of them seem to be getting email from invalid accounts; for me all the email addresses are valid.

I think because it's coming in as our domain it's not picked up by the antispam.

Here are two examples of email that went straight into the inbox.

Return-Path: support@redballinternet.com
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 3 May 2010
17:37:41 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id 953A02DC005
for <tpoirier@redballinternet.com>; Mon, 3 May 2010 17:37:41 -0300 (ADT)
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id WfzQAiBn7V3w for <tpoirier@redballinternet.com>;
Mon, 3 May 2010 17:37:32 -0300 (ADT)
Received: from [89.45.37.144] (unknown [89.45.37.144])
by mail.redballinternet.com (Postfix) with ESMTP id 3F8752DC004
for <support@redballinternet.com>; Mon, 3 May 2010 17:37:32 -0300 (ADT)
From: "Real ****** extremely cheap" <support@redballinternet.com>
To: support@redballinternet.com
Subject: Discounts for you, support! Save at least 70% Kingdom standard between philosophy
Date: Mon, 3 May 2010 23:37:49 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20100503203741.953A02DC005@mail.redballinternet.com>
here is another one

Return-Path: leaflettednduw@r-u-on.com
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 3 May 2010
18:24:13 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id CD2C12DC005
for <tpoirier@redballinternet.com>; Mon, 3 May 2010 18:24:13 -0300 (ADT)
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id g8pFNnwhSIAL for <tpoirier@redballinternet.com>;
Mon, 3 May 2010 18:24:13 -0300 (ADT)
Received: from 18714178078.user.veloxzone.com.br (unknown [187.14.178.78])
by mail.redballinternet.com (Postfix) with ESMTP id B7FDA2DC004
for <support@redballinternet.com>; Mon, 3 May 2010 18:24:12 -0300 (ADT)
Received: from 187.14.178.78 by mx01.1and1.com; Mon, 3 May 2010 18:24:15 -0300
Date: Mon, 3 May 2010 18:24:15 -0300
From: "123greetings.com" <support@redballinternet.com>
X-Mailer: The Bat! (v2.10.01) Personal
Reply-To: leaflettednduw@r-u-on.com
X-Priority: 3 (Normal)
Message-ID: <105055609.47828718095637@r-u-on.com>
To: support@redballinternet.com
Subject: You Received Online Greeting Card
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1252
Content-Transfer-Encoding: 7bit

Last edited by Plurnay; 05-18-2010 at 09:45 AM..

#2 (05-11-2010, 11:14 AM) Senior Member, Posts: 67

I usually get help pretty quickly but I have got no reply yet on this issue...
Please ask me if you guys need extra information.

#3 (05-11-2010, 11:21 AM) Moderator, Posts: 1,554

You should be setting up SPF records for your domain so that people can't spoof it, and setting up Zimbra to check SPF.

#4 (05-11-2010, 11:22 AM) Moderator, Posts: 1,209

I see the headers OK, yes, but I'm not sure what your question is exactly?

Are you looking to block emails just from this sender? Are you wanting to improve your system's anti-spam accuracy?

All the best,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting

#5 (05-11-2010, 11:55 AM) Senior Member, Posts: 67

Well, I think those emails are not being picked up by the anti-spam because I have whitelisted our domain name, which is @redballinternet.com, because when we send email from employee to employee sometimes they get picked up as spam.

But now the majority of our spam that gets into the inbox is almost all coming in with a distribution list email as the sender.

Basically what I want to know is how those emails are being sent in the first place...
Is it a virus, or someone using our mail server to send spam???

I am reading the SPF stuff; that could be one of the problems. Thanks.

I don't know if I explained myself correctly.
I am very new at this.

Let me know if you need more info...

Last edited by Plurnay; 05-11-2010 at 12:08 PM..

#6 (05-11-2010, 07:41 PM) Elite Member, Posts: 338

Can you post some information in zimbra.log (/var/log/zimbra.log) about that mail when it is sent to your server?

#7 (05-12-2010, 12:00 AM) Moderator, Posts: 7,928

Quote:
Originally Posted by Plurnay
Well, I think those emails are not being picked up by the anti-spam because I have whitelisted our domain name, which is @redballinternet.com, because when we send email from employee to employee sometimes they get picked up as spam.
There should be no need to white list your domain and you would be better attempting to resolve that issue first.

#8 (05-12-2010, 12:10 AM) Moderator, Posts: 7,928

You could also check that the return address matches the From address by dropping the attached SpamAssassin script into /opt/zimbra/conf/spamassassin (please rename it from .txt to .pm, as that is the only way I could upload it) and then adding the following rule to salocal.cf.in
Code:
################################################################################
# Check for Spoofed From
################################################################################
header      __FROM_REDBALL  From =~ /\@redballinternet\.com/i
meta        FAKE_REDBALL    (__FROM_REDBALL && FROM_NOT_RETURN_PATH)
describe    FAKE_REDBALL    Fake mail from REDBALL
score       FAKE_REDBALL    3
You will need to tell SpamAssassin to load the new code, for which one would create a redball.pre file under the same directory with the contents
Code:
loadplugin FromNotReturnPath FromNotReturnPath.pm
header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
describe FROM_NOT_RETURN_PATH From: does not match Return-path:
You may wish to adjust the score of 3 down a bit, to say 0.1, while you perform testing.
Attached Files
File Type: txt FromNotReturnPath.txt (896 Bytes, 31 views)

#9 (05-14-2010, 11:28 AM) Senior Member, Posts: 67

I am just wondering... if you look at this header


Return-Path: support@redballinternet.com
Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
(142.166.48.148) by mail.redballinternet.com with LMTP; Fri, 14 May 2010
05:52:25 -0300 (ADT)
Received: from localhost (localhost [127.0.0.1])
by mail.redballinternet.com (Postfix) with ESMTP id 9D8A82DC005
for <tpoirier@redballinternet.com>; Fri, 14 May 2010 05:52:25 -0300 (ADT)
X-Quarantine-ID: <QYUE3apfXDAH>
X-Virus-Scanned: amavisd-new at mail.redballinternet.com
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
Received: from mail.redballinternet.com ([127.0.0.1])
by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id QYUE3apfXDAH for <tpoirier@redballinternet.com>;
Fri, 14 May 2010 05:52:20 -0300 (ADT)
Received: from [41.207.162.1] (unknown [41.207.162.1])
by mail.redballinternet.com (Postfix) with ESMTP id 4D2ED2DC004
for <support@redballinternet.com>; Fri, 14 May 2010 05:52:03 -0300 (ADT)
From: *PfizerBrandViagra* <support@redballinternet.com>
To: support@redballinternet.com
Subject: Special offer for support, prices are lowered to 1/4 value. a disuse There
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Message-Id: <20100514085225.9D8A82DC005@mail.redballinternet.com>
Date: Fri, 14 May 2010 05:52:25 -0300 (ADT)

The From address is
From: *PfizerBrandViagra* <support@redballinternet.com>
and the Return-Path is
Return-Path: support@redballinternet.com

It's the same email... would that get picked up by the script?
Because I have a lot of those.
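As an added illustration (not the attached FromNotReturnPath.pm and not code from this thread), here is a Python mock of the rule logic from post #8, run against header sets constructed from the messages quoted in this thread. It shows the answer to the question above: a message whose From and Return-Path both read support@redballinternet.com scores nothing, because FROM_NOT_RETURN_PATH only fires on a mismatch, while the greeting-card message with Return-Path leaflettednduw@r-u-on.com does pick up the FAKE_REDBALL score.

```python
import email
import re
from email.utils import parseaddr

LOCAL_DOMAIN_RE = re.compile(r"@redballinternet\.com", re.I)  # __FROM_REDBALL
FAKE_SCORE = 3.0                                               # score FAKE_REDBALL

# Constructed header sets, trimmed from the messages quoted in this thread.
SAME_FROM_AND_RETURN_PATH = (
    "Return-Path: support@redballinternet.com\n"
    "From: *PfizerBrandViagra* <support@redballinternet.com>\n"
    "To: support@redballinternet.com\n\n")
MISMATCHED_RETURN_PATH = (
    "Return-Path: leaflettednduw@r-u-on.com\n"
    'From: "123greetings.com" <support@redballinternet.com>\n'
    "Reply-To: leaflettednduw@r-u-on.com\n"
    "To: support@redballinternet.com\n\n")
OUTSIDE_SENDER = (  # constructed: From is not the local domain at all
    "Return-Path: bounces@example.net\n"
    "From: Newsletter <news@example.net>\n"
    "To: support@redballinternet.com\n\n")


def from_not_return_path(msg):
    """Stand-in for the FROM_NOT_RETURN_PATH eval test: compare the address
    part of From: with the envelope sender recorded in Return-Path:."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return bool(from_addr and rp_addr) and from_addr != rp_addr


def fake_local_score(raw_headers):
    """Meta rule FAKE_REDBALL = __FROM_REDBALL && FROM_NOT_RETURN_PATH.
    Returns the score contribution (3 or 0) for one message."""
    msg = email.message_from_string(raw_headers)
    from_local = bool(LOCAL_DOMAIN_RE.search(msg.get("From", "")))
    return FAKE_SCORE if from_local and from_not_return_path(msg) else 0.0


if __name__ == "__main__":
    for name, hdrs in [("same", SAME_FROM_AND_RETURN_PATH),
                       ("mismatch", MISMATCHED_RETURN_PATH),
                       ("outside", OUTSIDE_SENDER)]:
        print(name, fake_local_score(hdrs))
```

Messages where the forged From and the Return-Path agree need a different control, such as the SPF check from post #3, since this rule cannot distinguish them from genuine local mail.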

#10 (05-14-2010, 11:45 AM) Moderator, Posts: 1,209

You will get more clarity on why your system is blocking these (and other) emails if you increase Amavis' default logging level from 1 to 2.

Look for the following line in /opt/zimbra/conf/amavis.conf.in and make sure the log level is set to a 2.

Code:
mail2:~ # cat /opt/zimbra/conf/amavisd.conf.in | grep "log_level ="
$log_level = 2;              # verbosity 0..5 - 1 is the minimum for msg tracing
mail2:~ #
Next, as the zimbra user restart amavis:

Code:
zmamavisdctl stop; zmamavisdctl start
Note that this change does not survive Zimbra upgrades.

Now when spam is blocked, you can see why in /var/log/zimbra.log:

Code:
May 13 17:29:40 mail2 amavis[16549]: (16549-13) SPAM, <HighSpeedInternet=12625@accuprofit-specials.com> -> <(recipient_address_removed)>, Yes, score=16.288 tag=-10 tag2=4 kill=14 tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_32=1.778, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, SARE_FROM_SPAM_WORD2=0.555, SARE_HEAD_HDR_XCLIHST=2.999, URIBL_BLACK=1.955, URIBL_OB_SURBL=1.5] autolearn=spam
Hope that helps,
Mark
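As an added example (not from the post above and not part of Zimbra or amavis), a small Python parser for verdict lines in the format quoted above, so the total score, the kill threshold and the individual tests can be pulled out and cross-checked; the sample line is the one quoted in this post, recipient already redacted.

```python
import re

# The amavis line quoted in this post (recipient redacted as in the post).
SAMPLE = ("May 13 17:29:40 mail2 amavis[16549]: (16549-13) SPAM, "
          "<HighSpeedInternet=12625@accuprofit-specials.com> -> "
          "<(recipient_address_removed)>, Yes, score=16.288 tag=-10 tag2=4 "
          "kill=14 tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_32=1.778, "
          "HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, "
          "RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, "
          "RAZOR2_CHECK=0.5, SARE_FROM_SPAM_WORD2=0.555, "
          "SARE_HEAD_HDR_XCLIHST=2.999, URIBL_BLACK=1.955, "
          "URIBL_OB_SURBL=1.5] autolearn=spam")

# Matches the layout of the line above; other amavis versions vary slightly.
LINE_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>[A-Za-z -]+?), "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, (?P<is_spam>Yes|No), "
    r"score=(?P<score>-?[\d.]+) tag=(?P<tag>-?[\d.]+) tag2=(?P<tag2>-?[\d.]+) "
    r"kill=(?P<kill>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\]")


def parse_amavis(line):
    """Return a dict with the verdict, envelope addresses, thresholds and the
    per-test scores, or None for lines that are not amavis verdict lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tests = {}
    for item in m.group("tests").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return {
        "task": m.group("task"), "verdict": m.group("verdict"),
        "sender": m.group("sender"), "rcpt": m.group("rcpt"),
        "is_spam": m.group("is_spam") == "Yes",
        "score": float(m.group("score")), "tag2": float(m.group("tag2")),
        "kill": float(m.group("kill")), "tests": tests,
    }


def score_is_sum_of_tests(rec, tol=0.001):
    """Sanity check: the total should equal the sum of the listed test scores."""
    return abs(rec["score"] - sum(rec["tests"].values())) < tol


def top_tests(rec, n=3):
    """The tests that contributed most, useful when tuning a rule's score."""
    return sorted(rec["tests"].items(), key=lambda kv: kv[1], reverse=True)[:n]
```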