
Thread: Spam That's Pretending To Be Admins!

  1. #1
    axtran is offline Member
    Join Date
    Sep 2009
    Posts
    13
    Rep Power
    5


    I have my email passing through an external SMTP gateway that does Anti-Spam (Sophos ES4000). However, I am still getting spam! I do not get the same spam on my other server (Microsoft Exchange) but users on Zimbra Collaboration Suite 6.0.7 GA are receiving these messages:


    Return-Path: helpdesk@eagles.cui.edu
    Received: from eagles.cui.edu (LHLO zcs-mta.cui.edu) (172.16.1.146) by
    zcs-ms.cui.edu with LMTP; Tue, 15 Jun 2010 07:41:55 -0700 (PDT)
    Received: from cerberus.cui.edu (es4000.cui.edu [172.16.0.252])
    by zcs-mta.cui.edu (Postfix) with ESMTP id 943D6501C2
    for <david.peterson@eagles.cui.edu>; Tue, 15 Jun 2010 07:40:36 -0700 (PDT)
    Received: from cerberus.cui.edu (localhost.localdomain [127.0.0.1])
    by localhost (Email Security Appliance) with SMTP id 0B67E101E3D4_C17914CB
    for <david.peterson@eagles.cui.edu>; Tue, 15 Jun 2010 14:42:20 +0000 (GMT)
    Received: from winter.teisprint.net (winter.teisprint.net [209.183.176.75])
    by cerberus.cui.edu (Sophos Email Appliance) with ESMTP id CF47A101B369_C17914BF
    for <david.peterson@eagles.cui.edu>; Tue, 15 Jun 2010 14:42:19 +0000 (GMT)
    Received: from localhost ([::1] helo=webmail.ezaccess.net)
    by winter.teisprint.net with esmtp (Exim 4.69)
    (envelope-from <helpdesk@eagles.cui.edu>)
    id 1OOXLH-00029W-89
    for david.peterson@eagles.cui.edu; Tue, 15 Jun 2010 09:42:19 -0500
    Received: from 115.240.89.196
    (SquirrelMail authenticated user davidslater)
    by webmail.ezaccess.net with HTTP;
    Tue, 15 Jun 2010 15:42:19 +0100
    Message-ID: <c0b3bf1ca9db8848857cced03db78e6b.squirrel@webmail.ezaccess.net>
    Date: Tue, 15 Jun 2010 15:42:19 +0100
    Subject: REACTIVATE YOUR MAIL ACCOUNT!!!
    From: "Eagles Help Desk" <helpdesk@eagles.cui.edu>
    To: david.peterson@eagles.cui.edu
    Reply-To: web.upgrade@workmail.com
    User-Agent: SquirrelMail/1.4.19
    MIME-Version: 1.0
    Content-Type: text/plain;charset=iso-8859-1
    Content-Transfer-Encoding: 8bit
    X-Priority: 3 (Normal)
    Importance: Normal
    X-Sophos-ESA: [cerberus.cui.edu] 3.6.0.1, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.6.15.142414




    REACTIVATE YOUR MAIL ACCOUNT.
    Your email account will soon be suspended (Reason: Yearly quota
    maintenance). To reactivate your email account, please reply to this
    mail
    immediately for reactivation of your mail account with your

    Email Address:
    Email Username:
    Password:
    Confirm Password:



    Information Technology Services
    E-mail: helpdesk@eagles.cui.edu

    These mail is sent to you from our secured ITS service Center. Please
    respond to this message for the reactivation of your account with your
    current mail account user name and password.
    We sincerely apologise for these unusual problem.
    WEBMAIL REACTIVATION SERVICE
    For ITS Service.
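
The headers above show the two signs of this spoof: a From address in the site's own domain on a message that the gateway accepted from an outside host, and a Reply-To that points at a different domain. The following sketch checks for both; it is an added example, not part of the original post, and `INTERNAL_DOMAIN`, the function names and the abridged `SAMPLE` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "cui.edu"  # assumption: suffix shared by the site's own hosts
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

# Abridged from the headers posted above; folding re-created for this example.
SAMPLE = (
    "Received: from cerberus.cui.edu (es4000.cui.edu [172.16.0.252])\n"
    "\tby zcs-mta.cui.edu (Postfix) with ESMTP id 943D6501C2\n"
    "Received: from winter.teisprint.net (winter.teisprint.net [209.183.176.75])\n"
    "\tby cerberus.cui.edu (Sophos Email Appliance) with ESMTP\n"
    "Received: from localhost ([::1] helo=webmail.ezaccess.net)\n"
    "\tby winter.teisprint.net with esmtp (Exim 4.69)\n"
    'From: "Eagles Help Desk" <helpdesk@eagles.cui.edu>\n'
    "Reply-To: web.upgrade@workmail.com\n"
    "Subject: REACTIVATE YOUR MAIL ACCOUNT!!!\n\nbody\n"
)

def is_internal(host):
    host = host.lower().rstrip(".")
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def addr_domain(value):
    """Domain part of an address header, or '' when the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def border_hop(msg):
    """Newest Received line in which one of our hosts accepted mail from outside.
    Only lines written by our own servers are trusted; older ones can be forged."""
    for received in msg.get_all("Received", []):
        m = HOP.search(received)
        if m and is_internal(m.group(2)) and not is_internal(m.group(1)):
            return m.group(1).lower()
    return None

def spoof_findings(raw):
    msg = message_from_string(raw)
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    outside, findings = border_hop(msg), []
    if is_internal(from_dom) and outside:
        findings.append(f"internal From ({from_dom}) accepted from external host {outside}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(spoof_findings(SAMPLE)))
```

The first finding is only meaningful where legitimate internal senders never submit mail through the external gateway; roaming users or hosted services that send as the domain need an allow-list.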



  2. #2
    axtran is offline Member

    I'm currently wondering if there are any settings inside of Zimbra to prevent self-tagged emails (spoofing non-existent @domain.com emails, for example, helpdesk@eagles.cui.edu doesn't exist).

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56


    Originally posted by axtran:
    I'm currently wondering if there are any settings inside of Zimbra to prevent self-tagged emails (spoofing non-existent @domain.com emails, for example, helpdesk@eagles.cui.edu doesn't exist).

    Yes, there are if you search the forums and wiki for the words 'anti-spam' and check "Discarding Emails Sent to Invalid Addresses" amongst all the other techniques listed.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    axtran is offline Member

    I figured using Anti-Spam inside of Zimbra might be a bad idea, given I use the Email Appliance--would two levels of anti-spam make it difficult to detect and release false-positives?

  5. #5
    phoenix is offline Zimbra Consultant & Moderator

    Originally posted by axtran:
    I figured using Anti-Spam inside of Zimbra might be a bad idea, given I use the Email Appliance--would two levels of anti-spam make it difficult to detect and release false-positives?

    The problem seems to be that your anti-spam system in front of your Zimbra server isn't actually recognising that message as spam. It's also forwarding it to a non-existent email address; doesn't it have the facility to verify if the account exists on your Zimbra server? It also seems to be cleaning up the email headers (assuming you posted all the headers?). If either of my comments is true then I think you'd best address your concerns/questions to the appliance vendor.
    Regards


    Bill



  6. #6
    axtran is offline Member

    It has the option--however I co-run Microsoft Exchange which houses user email information in the "proxyAddresses" location. My Zimbra is also set for LDAP lookup for logins, but those users have their email addresses stored in the "mail" location. I am running a lookup called "SMTP look-ahead" for sensing whether or not an email address is "real" or not--I'm assuming that I should simply activate just the Discarding Emails Sent to Invalid Addresses feature... Will that work given I disabled some of the Zimbra Anti-Spam features?

  7. #7
    phoenix is offline Zimbra Consultant & Moderator

    Originally posted by axtran:
    It has the option--however I co-run Microsoft Exchange which houses user email information in the "proxyAddresses" location. My Zimbra is also set for LDAP lookup for logins, but those users have their email addresses stored in the "mail" location. I am running a lookup called "SMTP look-ahead" for sensing whether or not an email address is "real" or not--

    I'm afraid I don't know enough about your anti-spam appliance to comment on its set-up.

    Originally posted by axtran:
    I'm assuming that I should simply activate just the Discarding Emails Sent to Invalid Addresses feature... Will that work given I disabled some of the Zimbra Anti-Spam features?
    Yes, that should still work as it's a Postfix option and not part of the anti-spam system.
    Regards


    Bill



  8. #8
    axtran is offline Member

    Thanks for the help! Sophos ES4000 just has an option where it tries to do an SMTP look-ahead to sense whether an email account is real or not--because it catches false-positives and lets you LDAP-login to release or permanently mark certain messages as spam. I think I am able to set everything to look at the AD "mail" attribute so Zimbra users can take advantage of the system.

    And I'll set the Postfix option for sure. I want to kill NDR/Backscatter, and I'm sure this helps a bunch with that.
