
Thread: [SOLVED] We are getting spam for our distribution list

  1. #1
    Plurnay (Senior Member)

    We have been having this issue for a while now...
    I have looked at other posts, but a lot of them seem to be getting email from invalid accounts, but for me all email addresses are valid.

    I think that because it is coming in as our domain, it is not picked up by the antispam.

    Here are two examples of emails that went straight into the inbox:

    Return-Path: support@redballinternet.com
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 3 May 2010
    17:37:41 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id 953A02DC005
    for <tpoirier@redballinternet.com>; Mon, 3 May 2010 17:37:41 -0300 (ADT)
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id WfzQAiBn7V3w for <tpoirier@redballinternet.com>;
    Mon, 3 May 2010 17:37:32 -0300 (ADT)
    Received: from [89.45.37.144] (unknown [89.45.37.144])
    by mail.redballinternet.com (Postfix) with ESMTP id 3F8752DC004
    for <support@redballinternet.com>; Mon, 3 May 2010 17:37:32 -0300 (ADT)
    From: "Real ****** extremely cheap" <support@redballinternet.com>
    To: support@redballinternet.com
    Subject: Discounts for you, support! Save at least 70% Kingdom standard between philosophy
    Date: Mon, 3 May 2010 23:37:49 +0300
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 8bit
    Message-Id: <20100503203741.953A02DC005@mail.redballinternet.com>





    Here is another one:

    Return-Path: leaflettednduw@r-u-on.com
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Mon, 3 May 2010
    18:24:13 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id CD2C12DC005
    for <tpoirier@redballinternet.com>; Mon, 3 May 2010 18:24:13 -0300 (ADT)
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id g8pFNnwhSIAL for <tpoirier@redballinternet.com>;
    Mon, 3 May 2010 18:24:13 -0300 (ADT)
    Received: from 18714178078.user.veloxzone.com.br (unknown [187.14.178.78])
    by mail.redballinternet.com (Postfix) with ESMTP id B7FDA2DC004
    for <support@redballinternet.com>; Mon, 3 May 2010 18:24:12 -0300 (ADT)
    Received: from 187.14.178.78 by mx01.1and1.com; Mon, 3 May 2010 18:24:15 -0300
    Date: Mon, 3 May 2010 18:24:15 -0300
    From: "123greetings.com" <support@redballinternet.com>
    X-Mailer: The Bat! (v2.10.01) Personal
    Reply-To: leaflettednduw@r-u-on.com
    X-Priority: 3 (Normal)
    Message-ID: <105055609.47828718095637@r-u-on.com>
    To: support@redballinternet.com
    Subject: You Received Online Greeting Card
    MIME-Version: 1.0
    Content-Type: text/html;
    charset=Windows-1252
    Content-Transfer-Encoding: 7bit
    Last edited by Plurnay; 05-18-2010 at 09:45 AM.

  2. #2
    Plurnay (Senior Member)

    I usually get help pretty quickly, but I have had no reply yet on this issue...
    Please ask me if you guys need extra information.

  3. #3
    bdial (Moderator)

    You should be setting up SPF records for your domain so that people can't spoof it, and setting up Zimbra to check SPF.

  4. #4
    LMStone (Moderator)

    I see the headers OK, yes, but I'm not sure what your question is exactly?

    Are you looking to block emails just from this sender? Are you wanting to improve your system's anti-spam accuracy?

    All the best,
    Mark

  5. #5
    Plurnay (Senior Member)

    Well, I think those emails are not being picked up by the antispam because I have whitelisted our domain name, which is @redballinternet.com, because when we send email from employee to employee, sometimes they get picked up as spam.

    But now the majority of the spam that gets into the inbox is almost all coming in with a distribution list email as the sender.

    Basically, what I want to know is how those emails are being sent in the first place...
    Is it a virus, or someone using our mail server to send spam???

    I am reading the SPF stuff; that could be one of the problems, thanks.

    I don't know if I explained myself correctly.
    I am very new at this.

    Let me know if you need more info...
    Last edited by Plurnay; 05-11-2010 at 12:08 PM.

  6. #6
    dalmate (Elite Member)

    Can you post some information in zimbra.log (/var/log/zimbra.log) about that mail when it is sent to your server?

  7. #7
    uxbod (Moderator)

    Quote: Originally Posted by Plurnay
    Well, I think those emails are not being picked up by the antispam because I have whitelisted our domain name, which is @redballinternet.com, because when we send email from employee to employee, sometimes they get picked up as spam.
    There should be no need to white list your domain and you would be better attempting to resolve that issue first.

  8. #8
    uxbod (Moderator)

    You could also check that the return address matches the from address by dropping the attached SpamAssassin script into /opt/zimbra/conf/spamassassin (please rename it from .txt to .pm as that is the only way I could upload it) and then adding the following rule into salocal.cf.in
    Code:
    ################################################################################
    # Check for Spoofed From
    ################################################################################
    header      __FROM_REDBALL  From =~ /\@redballinternet\.com/i
    meta        FAKE_REDBALL    (__FROM_REDBALL && FROM_NOT_RETURN_PATH)
    describe    FAKE_REDBALL    Fake mail from REDBALL
    score       FAKE_REDBALL    3
    You will need to tell SpamAssassin to load the new code for which one would create a redball.pre file under the same directory with the contents
    Code:
    loadplugin FromNotReturnPath FromNotReturnPath.pm
    header FROM_NOT_RETURN_PATH eval:check_for_from_not_return_path()
    describe FROM_NOT_RETURN_PATH From: does not match Return-path:
    You may wish to adjust the score of 3 down a bit, to say 0.1, while you perform testing.

  9. #9
    Plurnay (Senior Member)

    I am just wondering... like, if you look at this header:


    Return-Path: support@redballinternet.com
    Received: from mail.redballinternet.com (LHLO mail.redballinternet.com)
    (142.166.48.148) by mail.redballinternet.com with LMTP; Fri, 14 May 2010
    05:52:25 -0300 (ADT)
    Received: from localhost (localhost [127.0.0.1])
    by mail.redballinternet.com (Postfix) with ESMTP id 9D8A82DC005
    for <tpoirier@redballinternet.com>; Fri, 14 May 2010 05:52:25 -0300 (ADT)
    X-Quarantine-ID: <QYUE3apfXDAH>
    X-Virus-Scanned: amavisd-new at mail.redballinternet.com
    X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
    Received: from mail.redballinternet.com ([127.0.0.1])
    by localhost (mail.redballinternet.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id QYUE3apfXDAH for <tpoirier@redballinternet.com>;
    Fri, 14 May 2010 05:52:20 -0300 (ADT)
    Received: from [41.207.162.1] (unknown [41.207.162.1])
    by mail.redballinternet.com (Postfix) with ESMTP id 4D2ED2DC004
    for <support@redballinternet.com>; Fri, 14 May 2010 05:52:03 -0300 (ADT)
    From: *PfizerBrandViagra* <support@redballinternet.com>
    To: support@redballinternet.com
    Subject: Special offer for support, prices are lowered to 1/4 value. a disuse There
    MIME-Version: 1.0
    Content-Type: text/html; charset="utf-8"
    Message-Id: <20100514085225.9D8A82DC005@mail.redballinternet.com>
    Date: Fri, 14 May 2010 05:52:25 -0300 (ADT)



    The From address is
    From: *PfizerBrandViagra* <support@redballinternet.com>
    and the Return-Path is
    Return-Path: support@redballinternet.com

    It's the same email... would that get picked up with the script?
    Because I have a lot of those.
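
Added example, not part of any post in this thread and not the attached plugin's code: it runs the From/Return-Path comparison and an SPF-style envelope check over trimmed copies of the two header patterns quoted above. `AUTHORIZED` is an assumed stand-in for an SPF record listing only the mail server's own address, and the address comparison is an assumption about what `FROM_NOT_RETURN_PATH` tests.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "redballinternet.com"
# Assumption: stands in for an SPF record that authorizes only the server's own address.
AUTHORIZED = [ipaddress.ip_network("142.166.48.148/32")]

# Constructed samples, trimmed from the headers quoted in the thread.
SAME_SENDER = """\
Return-Path: support@redballinternet.com
Received: from localhost (localhost [127.0.0.1])
 by mail.redballinternet.com (Postfix) with ESMTP id 953A02DC005
Received: from [89.45.37.144] (unknown [89.45.37.144])
 by mail.redballinternet.com (Postfix) with ESMTP id 3F8752DC004
From: "Real ****** extremely cheap" <support@redballinternet.com>
"""
OTHER_SENDER = """\
Return-Path: leaflettednduw@r-u-on.com
Received: from 18714178078.user.veloxzone.com.br (unknown [187.14.178.78])
 by mail.redballinternet.com (Postfix) with ESMTP id B7FDA2DC004
Received: from 187.14.178.78 by mx01.1and1.com; Mon, 3 May 2010 18:24:15 -0300
From: "123greetings.com" <support@redballinternet.com>
"""

def client_ip(msg):
    """Newest non-loopback peer recorded by our own server; other hops are untrusted."""
    pattern = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\) by mail\." + re.escape(OWN_DOMAIN)
    for hop in msg.get_all("Received", []):
        peer = re.search(pattern, " ".join(hop.split()))  # unfold the header first
        if peer and not ipaddress.ip_address(peer.group(1)).is_loopback:
            return ipaddress.ip_address(peer.group(1))
    return None

def check(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    envelope = parseaddr(msg["Return-Path"])[1].lower()
    ip = client_ip(msg)
    own_from = sender.endswith("@" + OWN_DOMAIN)
    own_envelope = envelope.endswith("@" + OWN_DOMAIN)
    unauthorized = ip is not None and not any(ip in net for net in AUTHORIZED)
    return {
        "client_ip": str(ip),
        "fake_redball": own_from and sender != envelope,  # FAKE_REDBALL meta rule
        "spf_would_fail": own_envelope and unauthorized,  # envelope domain vs. sending IP
    }
```

SPF is evaluated against the envelope sender (Return-Path) domain, so it covers the message whose Return-Path is forged as the local domain, while the From/Return-Path rule covers the one with a foreign Return-Path.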

  10. #10
    LMStone (Moderator)

    You will get more clarity on why your system is blocking these (and other) emails if you increase Amavis' default logging level from 1 to 2.

    Look for the following line in /opt/zimbra/conf/amavis.conf.in and make sure the log level is set to a 2.

    Code:
    mail2:~ # cat /opt/zimbra/conf/amavisd.conf.in | grep "log_level ="
    $log_level = 2;              # verbosity 0..5 - 1 is the minimum for msg tracing
    mail2:~ #
    Next, as the zimbra user restart amavis:

    Code:
    zmamavisdctl stop; zmamavisdctl start
    Note that this change does not survive Zimbra upgrades.

    Now when spam is blocked, you can see why in /var/log/zimbra.log:

    Code:
    May 13 17:29:40 mail2 amavis[16549]: (16549-13) SPAM, <HighSpeedInternet=12625@accuprofit-specials.com> -> <(recipient_address_removed)>, Yes, score=16.288 tag=-10 tag2=4 kill=14 tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_32=1.778, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, SARE_FROM_SPAM_WORD2=0.555, SARE_HEAD_HDR_XCLIHST=2.999, URIBL_BLACK=1.955, URIBL_OB_SURBL=1.5] autolearn=spam
    Hope that helps,
    Mark
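
Added example, not part of the post above: a small parser for the amavis SPAM line quoted there, which pulls out the score, the tag/tag2/kill levels and the per-test contributions so the largest contributors are easy to see. The function name and the returned keys are hypothetical.

```python
import re

# Constructed sample: the log line quoted in the post, with its recipient placeholder.
LINE = (
    "May 13 17:29:40 mail2 amavis[16549]: (16549-13) SPAM, "
    "<HighSpeedInternet=12625@accuprofit-specials.com> -> <(recipient_address_removed)>, "
    "Yes, score=16.288 tag=-10 tag2=4 kill=14 tests=[BAYES_99=3.5, "
    "HTML_IMAGE_ONLY_32=1.778, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, "
    "RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, "
    "SARE_FROM_SPAM_WORD2=0.555, SARE_HEAD_HDR_XCLIHST=2.999, URIBL_BLACK=1.955, "
    "URIBL_OB_SURBL=1.5] autolearn=spam"
)

NUM = r"(-?\d+(?:\.\d+)?)"
PATTERN = re.compile(
    rf"score={NUM} tag={NUM} tag2={NUM} kill={NUM} tests=\[([^\]]*)\]"
)

def parse_amavis_spam_line(line):
    """Return score, levels and per-test scores from one amavis line, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    score, tag, tag2, kill = (float(v) for v in m.group(1, 2, 3, 4))
    tests = {}
    for item in m.group(5).split(","):
        name, _, value = item.strip().partition("=")
        if name and value:
            tests[name] = float(value)
    # Highest level the score reached: kill (blocked), tag2 (marked spam), tag, or none.
    level = "none"
    for label, threshold in (("kill", kill), ("tag2", tag2), ("tag", tag)):
        if score >= threshold:
            level = label
            break
    ranked = sorted(tests.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "score": score,
        "level": level,
        "tests": tests,
        "top": ranked[:3],
        # The listed test scores should add up to the reported total.
        "sum_matches": abs(sum(tests.values()) - score) < 1e-6,
    }
```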
