Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1
08-10-2010, 02:32 AM
Elite Member
Posts: 440
SPAM issue

Hi Guys,

Today a few users informed me of a similar issue: they are getting spam mails from their own email ID...

For example:
abc@example.com is getting mail from abc@example.com which contains abuse statements... and the user informed me that they haven't sent any such mail...

Even the CEO's email ID is also getting similar stuff...

Please have a look at the header information:

################################################## ##

Return-Path: abc@example.com
Received: from mail.example.com(LHLO tcs-itontap.com) (10.10.28.1) by
example.comwith LMTP; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by example.com(Postfix) with ESMTP id 1D500D419A
for <abc@example.com>; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
X-Quarantine-ID: <Tg2P3nG+9KmA>
X-Virus-Scanned: amavisd-new at mail.rebi.in
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
X-Spam-Flag: NO
X-Spam-Score: 5.038
X-Spam-Level: *****
X-Spam-Status: No, score=5.038 tagged_above=-10 required=6.6
tests=[AWL=-3.120, BAYES_99=3.5, MISSING_DATE=0.001,
RCVD_IN_PBL=0.905, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033,
RDNS_NONE=0.1] autolearn=no
Received: from example.com([127.0.0.1])
by localhost (example.com[127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Tg2P3nG+9KmA; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
Received: from ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in (unknown [122.173.230.74])
by example.com(Postfix) with SMTP id 720DDD4195
for <abc@example.com>; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Message-Id: <20100810122100.2905.qmail@ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in>
To: <abc@example.com>
Subject: Best Sales 2010!
From: abc@example.com
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Tue, 10 Aug 2010 12:22:07 +0530 (IST)

################################################## ##


Please suggest ....

One more thing.....

I keep getting the below error message in zimbra.log:

Aug 10 04:06:42 mail amavis[6412]: (06412-13) Open relay? Nonlocal recips but not originating: xyz@test.com

I referred to the below mentioned solution... but no luck..

http://www.zimbra.com/forums/adminis...imbra-log.html

Is this interrelated???


Please help...

Thanks

Last edited by chandu; 08-10-2010 at 02:38 AM..
#2
08-10-2010, 04:21 AM
Elite Member
Posts: 440

I observed that for such mail communication, I am getting the below logs:

Aug 10 12:22:07 mail amavis[12050]: (12050-03) Passed BAD-HEADER, [122.173.230.74] [122.173.230.74] <abc@example.com> ->
abc@example.com>, quarantine: badh-Tg2P3nG+9KmA, Message-ID: <20100810122100.2905.qmail@ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in>, mail_id: Tg2P3nG+9KmA, Hits: 5.038, size: 618, queued_as: 1AE58D4199/1D500D419A, 8386 ms


For all fake mails it's showing the label BAD-HEADER but it's getting delivered... how to restrict this?

I didn't understand how the spammer got authentication for the REAL email ID?? These email IDs exist on the server and that's why it's not getting restricted...

Please help...
#3
08-10-2010, 04:56 AM
Member
Posts: 12

I could solve this issue by installing postgrey...

You can install:
Improving Anti-spam system - Zimbra :: Wiki
#4
08-10-2010, 05:21 AM
Elite Member
Posts: 440

hatake_pablo, thanks for your inputs.

But I think I need sender base verification and the below link will be useful:

ZIMBRA SMTP AUTH problem

But I don't understand how this happened?
#5
08-11-2010, 11:58 AM
Moderator
Posts: 1,432

This has nothing to do with open relays as far as I can tell. It also doesn't have to do with authentication or anything like that. Your users are simply receiving spam that has a forged From: address and SMTP envelope sender. It's very easy for this to happen--the spammer just harvested the addresses from a website, or tricked users into entering the addresses into web forms, or received the addresses from the contact list on a computer that was infected. That computer could be the personal computer of someone in your organization, or their work computer, or it could be the computer of an external colleague.

This is your key line:

Code:
Received: from ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in (unknown [122.173.230.74])
by example.com(Postfix) with SMTP id 720DDD4195
for <abc@example.com>; Tue, 10 Aug 2010 12:21:58 +0530 (IST)

Reading forward through the Received lines shows it's genuine.

There are two relatively easy things you can do. One is to make use of more RBLs, either for scoring or for blocking at the MTA. For example, if you'd used b.barracudacentral.org, the spam would have been caught:

Code:
% host 74.230.173.122.b.barracudacentral.org
74.230.173.122.b.barracudacentral.org has address 127.0.0.2

barracudacentral is so reliable that I'm comfortable using it to block at the MTA. For other RBLs, you might want to create custom rules in salocal.conf.in. Just search the forums--I'm pretty sure you'll find examples, by me and Uxbod, among others.

The other thing is to just reduce your "Required" spam score. You've got it at the default of 6.6 (33%). I would reduce it somewhat based on your observation of the scores of some legitimate mail coming from outside and some spams that got through. Personally, I use 4.4 (22%).
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
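The checks Elliot describes above (and that the header dump in post #1 calls for), as an added example that is not part of the thread and is not Zimbra, Postfix or amavisd code: walk the Received chain from your own hops downward until the first untrusted IP, which is the host that actually handed you the message; build the reversed-octet DNSBL query name used in the host lookup above and interpret a 127.0.0.x answer as "listed"; and compare the message's X-Spam-Score with the 6.6 default and the 4.4 Elliot uses. The header block is a constructed sample modelled on the one in post #1 with the folding restored; the trusted networks (loopback and 10.0.0.0/8 for the LMTP hop), the local domain and the DNSBL zone are assumptions.

```python
"""Trace where a message entered the MTA and check it against an RBL name and
a required-score threshold.  Added example, not code from the thread."""
import email
import email.utils
import ipaddress
import re
from typing import List, Optional

# Constructed sample modelled on the headers posted in the thread (folding
# restored so the stdlib parser can read the continuation lines).
SAMPLE_HEADERS = """\
Return-Path: abc@example.com
Received: from mail.example.com (LHLO mail.example.com) (10.10.28.1) by
 example.com with LMTP; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by example.com (Postfix) with ESMTP id 1D500D419A
 for <abc@example.com>; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
X-Spam-Score: 5.038
X-Spam-Status: No, score=5.038 tagged_above=-10 required=6.6
Received: from example.com ([127.0.0.1])
 by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Tg2P3nG+9KmA; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
Received: from ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in (unknown [122.173.230.74])
 by example.com (Postfix) with SMTP id 720DDD4195
 for <abc@example.com>; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
To: <abc@example.com>
From: abc@example.com
Subject: Best Sales 2010!

"""

# Hops added by our own infrastructure.  Assumption: loopback plus the
# 10.0.0.0/8 network the LMTP hop (10.10.28.1) sits on.  Every Received line
# below the first untrusted hop was written by the sender and may be forged,
# so only the chain down to that hop is evidence.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("10.0.0.0/8")]

# First IPv4 literal in a Received header, in [brackets] or (parentheses).
_IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def _is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def originating_ip(raw_headers: str) -> Optional[str]:
    """Walk Received headers newest-first (top of the message) and return the
    first 'from' address that is not one of our own hops."""
    msg = email.message_from_string(raw_headers)
    for received in msg.get_all("Received", []):
        m = _IP_RE.search(received)
        if m and not _is_trusted(m.group(1)):
            return m.group(1)
    return None


def dnsbl_query_name(ip: str, zone: str = "b.barracudacentral.org") -> str:
    """Reverse the octets and append the zone, exactly as in the host lookup
    in the thread.  Zone is an assumption; any DNSBL works the same way."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(answers: List[str]) -> bool:
    """A DNSBL answers a listed IP with an address in 127.0.0.0/8 (the thread
    shows 127.0.0.2); NXDOMAIN, i.e. no answer, means not listed."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def spam_score(raw_headers: str) -> float:
    return float(email.message_from_string(raw_headers)["X-Spam-Score"])


def would_be_tagged(score: float, required: float) -> bool:
    """SpamAssassin tags when the score reaches the 'required' threshold."""
    return score >= required


def spoofed_local_sender(raw_headers: str, local_domain: str) -> bool:
    """From: claims our own domain but the message came in from an untrusted
    hop.  Caveat: roaming users submitting via SMTP AUTH look identical here,
    so exempt authenticated submission before acting on this signal."""
    msg = email.message_from_string(raw_headers)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    return sender.endswith("@" + local_domain) and originating_ip(raw_headers) is not None


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_HEADERS)
    print("originating IP:", origin)
    print("DNSBL query name:", dnsbl_query_name(origin))
    score = spam_score(SAMPLE_HEADERS)
    for required in (6.6, 4.4):
        print(f"required={required}: tagged={would_be_tagged(score, required)}")
    print("local From: via untrusted hop:", spoofed_local_sender(SAMPLE_HEADERS, "example.com"))
```

On the sample the originating hop is 122.173.230.74, the query name is 74.230.173.122.b.barracudacentral.org, and the 5.038 score clears the 4.4 threshold but not the 6.6 default, which is exactly why the message was delivered untagged.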