06-18-2010, 09:15 PM
Spam That's Pretending To Be Admins!

I have my email passing through an external SMTP gateway that does Anti-Spam (Sophos ES4000). However, I am still getting spam! I do not get the same spam on my other server (Microsoft Exchange) but users on Zimbra Collaboration Suite 6.0.7 GA are receiving these messages:

Quote:
Return-Path: helpdesk@eagles.cui.edu
Received: from eagles.cui.edu (LHLO zcs-mta.cui.edu) (172.16.1.146) by
zcs-ms.cui.edu with LMTP; Tue, 15 Jun 2010 07:41:55 -0700 (PDT)
Received: from cerberus.cui.edu (es4000.cui.edu [172.16.0.252])
by zcs-mta.cui.edu (Postfix) with ESMTP id 943D6501C2
for <david.peterson@eagles.cui.edu>; Tue, 15 Jun 2010 07:40:36 -0700 (PDT)
Received: from cerberus.cui.edu (localhost.localdomain [127.0.0.1])
by localhost (Email Security Appliance) with SMTP id 0B67E101E3D4_C17914CB
for <david.peterson@eagles.cui.edu>; Tue, 15 Jun 2010 14:42:20 +0000 (GMT)
Received: from winter.teisprint.net (winter.teisprint.net [209.183.176.75])
by cerberus.cui.edu (Sophos Email Appliance) with ESMTP id CF47A101B369_C17914BF
for <david.peterson@eagles.cui.edu>; Tue, 15 Jun 2010 14:42:19 +0000 (GMT)
Received: from localhost ([::1] helo=webmail.ezaccess.net)
by winter.teisprint.net with esmtp (Exim 4.69)
(envelope-from <helpdesk@eagles.cui.edu>)
id 1OOXLH-00029W-89
for david.peterson@eagles.cui.edu; Tue, 15 Jun 2010 09:42:19 -0500
Received: from 115.240.89.196
(SquirrelMail authenticated user davidslater)
by webmail.ezaccess.net with HTTP;
Tue, 15 Jun 2010 15:42:19 +0100
Message-ID: <c0b3bf1ca9db8848857cced03db78e6b.squirrel@webmail.ezaccess.net>
Date: Tue, 15 Jun 2010 15:42:19 +0100
Subject: REACTIVATE YOUR MAIL ACCOUNT!!!
From: "Eagles Help Desk" <helpdesk@eagles.cui.edu>
To: david.peterson@eagles.cui.edu
Reply-To: web.upgrade@workmail.com
User-Agent: SquirrelMail/1.4.19
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Sophos-ESA: [cerberus.cui.edu] 3.6.0.1, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.6.15.142414
REACTIVATE YOUR MAIL ACCOUNT.
Your email account will soon be suspended (Reason: Yearly quota
maintenance). To reactivate your email account, please reply to this
mail
immediately for reactivation of your mail account with your
Email Address:
Email Username:
Password:
Confirm Password:
Information Technology Services
E-mail: helpdesk@eagles.cui.edu
These mail is sent to you from our secured ITS service Center. Please
respond to this message for the reactivation of your account with your
current mail account user name and password.
We sincerely apologise for these unusual problem.
WEBMAIL REACTIVATION SERVICE
For ITS Service.
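The header chain quoted in the post above shows a From address in the local domain on a message that the appliance received from an outside host, with a Reply-To pointing elsewhere. The following is an added example, not part of the original thread, of checking for that pattern; it assumes 172.16.0.0/16 and loopback are the only trusted relay networks, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed for this sketch: the protected domain and the trusted relay networks.
LOCAL_DOMAIN = "eagles.cui.edu"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("172.16.0.0/16", "127.0.0.0/8")]

# Constructed sample: headers abridged from the message quoted in the first post.
SAMPLE = """\
Received: from cerberus.cui.edu (es4000.cui.edu [172.16.0.252])
\tby zcs-mta.cui.edu (Postfix) with ESMTP; Tue, 15 Jun 2010 07:40:36 -0700 (PDT)
Received: from cerberus.cui.edu (localhost.localdomain [127.0.0.1])
\tby localhost (Email Security Appliance) with SMTP; Tue, 15 Jun 2010 14:42:20 +0000 (GMT)
Received: from winter.teisprint.net (winter.teisprint.net [209.183.176.75])
\tby cerberus.cui.edu (Sophos Email Appliance) with ESMTP; Tue, 15 Jun 2010 14:42:19 +0000 (GMT)
From: "Eagles Help Desk" <helpdesk@eagles.cui.edu>
Reply-To: web.upgrade@workmail.com
Subject: REACTIVATE YOUR MAIL ACCOUNT!!!

"""

def domain_of(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def first_untrusted_hop(msg):
    """Walk Received headers newest-first; return the first client IP outside TRUSTED_NETS."""
    for line in msg.get_all("Received", []):
        for text in re.findall(r"\[([0-9A-Fa-f.:]+)\]", line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed token that is not an address
            if not any(ip in net for net in TRUSTED_NETS):
                return ip
    return None

def findings(raw):
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    hop = first_untrusted_hop(msg)
    out = []
    if from_dom == LOCAL_DOMAIN and hop is not None:
        out.append(f"local From domain but handed over by external host {hop}")
    if reply_dom and reply_dom != from_dom:
        out.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return out
```

Legitimate third-party services that send with the local domain would also trip the first check, so it suits scoring or quarantine rather than outright rejection.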
06-21-2010, 06:09 AM
I'm currently wondering if there are any settings inside of Zimbra to prevent self-tagged emails (spoofing non-existent @domain.com emails, for example, helpdesk@eagles.cui.edu doesn't exist).
06-21-2010, 06:14 AM
Zimbra Consultant & Moderator

Quote:
Originally Posted by axtran: I'm currently wondering if there are any settings inside of Zimbra to prevent self-tagged emails (spoofing non-existent @domain.com emails, for example, helpdesk@eagles.cui.edu doesn't exist).

Yes, there are if you search the forums and wiki for the words 'anti-spam' and check "Discarding Emails Sent to Invalid Addresses" amongst all the other techniques listed.
__________________
Regards
Bill
06-21-2010, 06:14 AM
I figured using Anti-Spam inside of Zimbra might be a bad idea, given I use the Email Appliance--would two levels of anti-spam make it difficult to detect and release false-positives?
06-21-2010, 06:29 AM
Zimbra Consultant & Moderator

Quote:
Originally Posted by axtran: I figured using Anti-Spam inside of Zimbra might be a bad idea, given I use the Email Appliance--would two levels of anti-spam make it difficult to detect and release false-positives?

The problem seems to be that your anti-spam system in front of your Zimbra server isn't actually recognising that message as spam. It's also forwarding it to a non-existent email address, doesn't it have the facility to verify if the account exists on your Zimbra server? It also seems to be cleaning up the email headers (assuming you posted all the headers?), if either of my comments are true then I think you'd best address your concerns/questions to the appliance vendor.
__________________
Regards
Bill
06-21-2010, 06:30 AM
It has the option--however I co-run Microsoft Exchange which houses user email information in the "proxyAddresses" location. My Zimbra is also set for LDAP lookup for logins, but those users have their email addresses stored in the "mail" location. I am running a lookup called "SMTP look-ahead" for sensing whether or not an email address is "real" or not--I'm assuming that I should simply activate just the Discarding Emails Sent to Invalid Addresses feature... Will that work given I disabled some of the Zimbra Anti-Spam features?
06-21-2010, 06:44 AM
Zimbra Consultant & Moderator

Quote:
Originally Posted by axtran: It has the option--however I co-run Microsoft Exchange which houses user email information in the "proxyAddresses" location. My Zimbra is also set for LDAP lookup for logins, but those users have their email addresses stored in the "mail" location. I am running a lookup called "SMTP look-ahead" for sensing whether or not an email address is "real" or not--

I'm afraid I don't know enough about your anti-spam appliance to comment on its set-up.

Quote:
Originally Posted by axtran: I'm assuming that I should simply activate just the Discarding Emails Sent to Invalid Addresses feature... Will that work given I disabled some of the Zimbra Anti-Spam features?

Yes, that should still work as it's a Postfix option and not part of the anti-spam system.
__________________
Regards
Bill
06-21-2010, 07:03 AM
Thanks for the help! Sophos ES4000 just has an option where it tries to do an SMTP look-ahead to sense whether an email account is real or not--because it catches false-positives and lets you LDAP-login to release or permanently mark certain messages as spam. I think I am able to set everything to look at the AD "mail" attribute so Zimbra users can take advantage of the system.
And I'll set the postfix option for sure. I want to kill NDR/Backscatter, and I'm sure this helps a bunch with that.