Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1 | 09-23-2010, 10:28 PM | Elite Member (Posts: 377)
Spam issues again

We have been receiving over 20k spam messages from .it domains almost daily! What can we do to drop emails from these domains besides marking them as junk, which failed to even move most of them to the junk folder?

We also suspect that some of them are from our internal users who have infected computers. Unfortunately the Origin IP of every email simply shows up as 127.0.0.1. The Zimbra log also shows 127.0.0.1 for most email senders instead of their actual IPs.

I posted this a few weeks ago but did not receive any satisfactory reply. We have no choice but to repost, as this is getting more serious without any solution or even a workaround in sight. Anyone with experience with spam issues, please share your expertise. Thanks!
Attached image: zimbra-spam.jpg (60.1 KB, 89 views)
#2 | 09-24-2010, 01:13 AM | Zimbra Consultant & Moderator (Posts: 20,313)

Posting an image of your Zimbra queues is not much help: it's a) not legible and b) gives no useful information.

You need to provide headers from the emails and full details of what changes you've made to the anti-spam system and what you've done to improve it.

If you're getting spam from an internal user then you need to scan your LAN users' PCs for bots or malware; that should be done routinely. You can also search the log files to see which users are the most active senders. Really, these subjects have been covered ad infinitum in the forums if you search for them - there are tips, help, advice, changes you can make to your system, where to look for the problem etc. etc.
__________________
Regards
Bill
#3 | 09-24-2010, 11:53 AM | Moderator (Posts: 1,432)

I realize that you weren't able to identify the source of spam by scanning zimbra.log. However, if you grep on the ID, you should be able to locate the message-id (a completely separate pattern), and then you may be able to grep on that in /opt/zimbra/log/mailbox.log to find the IP address and userid of the sender.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
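The correlation described in this answer, written out as a small Python script. This is an added example, not code from the thread or from Zimbra: it follows a Postfix queue id through zimbra.log to the Message-ID that the cleanup daemon logs, then to the mailbox.log entry that names the account and client IP for mail submitted through the web client, and it also counts submissions per SASL account (the "most active senders" check from post #2). The log lines are constructed: the Postfix syslog format is the real one, the mailbox.log line format is an assumption, and every user, address and id except the queue id E996E5405D and its Message-ID from the posted headers is invented.

```python
import re
from collections import Counter

# Constructed sample log lines for illustration; they are not from the thread.
# zimbra.log carries Postfix's syslog output (format as Postfix writes it); the
# mailbox.log line is an approximation of Zimbra's format and is an assumption.
# Queue id E996E5405D and its Message-ID come from the headers posted in the
# thread; every other value (users, IPs, other ids) is invented.
ZIMBRA_LOG = """\
Sep 24 01:55:03 mail postfix/smtpd[2211]: E996E5405D: client=unknown[208.93.150.136], sasl_method=LOGIN, sasl_username=alice@mydomain.com
Sep 24 01:55:03 mail postfix/cleanup[2215]: E996E5405D: message-id=<20100923125256.F0BF418597DAD7AF@relaxbanking.it>
Sep 24 01:55:03 mail postfix/qmgr[1999]: E996E5405D: from=<sicurezza@relaxbanking.it>, size=8312, nrcpt=1 (queue active)
Sep 24 01:55:10 mail postfix/smtpd[2211]: F1A2B54060: client=unknown[208.93.150.136], sasl_method=LOGIN, sasl_username=alice@mydomain.com
Sep 24 01:55:10 mail postfix/cleanup[2215]: F1A2B54060: message-id=<20100923125257.0000000000000001@relaxbanking.it>
Sep 24 01:56:02 mail postfix/smtpd[2240]: 0C3D454071: client=localhost.localdomain[127.0.0.1]
Sep 24 01:56:02 mail postfix/cleanup[2241]: 0C3D454071: message-id=<7781.1285264562.JavaMail.root@mail.mydomain.com>
"""
MAILBOX_LOG = """\
2010-09-24 01:56:02,117 INFO  [btpool0-7://mail.mydomain.com/service/soap/SendMsgRequest] [name=bob@mydomain.com;mid=42;ip=192.168.100.57;] smtp - Sending Message-ID=<7781.1285264562.JavaMail.root@mail.mydomain.com>
"""

# daemon name, queue id, and the rest of a Postfix syslog line
POSTFIX_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")


def postfix_events(log):
    """Yield (daemon, queue_id, detail) for each Postfix line in zimbra.log."""
    for line in log.splitlines():
        m = POSTFIX_RE.search(line)
        if m:
            yield m.groups()


def trace_queue_id(queue_id, zimbra_log=ZIMBRA_LOG, mailbox_log=MAILBOX_LOG):
    """Queue id -> Message-ID -> mailbox.log entry, the path post #3 describes."""
    info = {"queue_id": queue_id, "client": None, "sasl_username": None,
            "message_id": None, "webmail_user": None, "webmail_ip": None}
    for daemon, qid, detail in postfix_events(zimbra_log):
        if qid != queue_id:
            continue
        if daemon == "smtpd":  # who connected, and whether they authenticated
            m = re.search(r"client=([^,\s]+)", detail)
            info["client"] = m.group(1) if m else None
            m = re.search(r"sasl_username=(\S+)", detail)
            info["sasl_username"] = m.group(1) if m else None
        elif daemon == "cleanup":  # cleanup is the daemon that logs the Message-ID
            m = re.search(r"message-id=(<[^>]+>)", detail)
            info["message_id"] = m.group(1) if m else None
    if info["message_id"]:
        # A 127.0.0.1 client means the mail was injected locally, typically by
        # the web client; mailbox.log then names the account and the browser IP.
        for line in mailbox_log.splitlines():
            if info["message_id"] in line:
                m = re.search(r"\[name=([^;\]]+);.*?ip=([^;\]]+);", line)
                if m:
                    info["webmail_user"], info["webmail_ip"] = m.groups()
    return info


def authenticated_sender_counts(zimbra_log=ZIMBRA_LOG):
    """Submissions per SASL account: the 'most active senders' check of post #2."""
    counts = Counter()
    for daemon, _qid, detail in postfix_events(zimbra_log):
        m = re.search(r"sasl_username=(\S+)", detail) if daemon == "smtpd" else None
        if m:
            counts[m.group(1)] += 1
    return counts.most_common()
```

If the smtpd line for a queue id carries sasl_username=, the message arrived over authenticated SMTP and the account named there, rather than the connecting IP, is what to look at; a 127.0.0.1 client with a matching mailbox.log line points at a webmail session instead.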
#4 | 09-26-2010, 07:24 PM | Elite Member (Posts: 377)

Hi Ewilen, thanks for your suggestion. The IP addresses I found in the log file all point to our router gateway instead of the individual PCs, so I won't be able to pinpoint which PC it is. But at least it's an improvement over Zimbra Admin's 127.0.0.1 local loop, which doesn't make sense at all.

Will it be helpful if I post the spam message header? (Note that I have replaced our domain for security reasons.)

Received: from 192.168.100.99 (LHLO mail.mydomain.com) (192.168.100.99) by
mail.mydomain.com with LMTP; Fri, 24 Sep 2010 01:56:30 +0800 (SGT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id 2789E54061
for <user@mydomain.com>; Fri, 24 Sep 2010 01:56:21 +0800 (SGT)
X-Virus-Scanned: amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 6.525
X-Spam-Level: ******
X-Spam-Status: No, score=6.525 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1.8, AWL=-3.997, BASE64_LENGTH_79_INF=1.496,
BAYES_50=0.001, FH_FROMEML_NOTLD=2.696, HTML_IMAGE_ONLY_24=1.552,
HTML_MESSAGE=0.001, HTML_TAG_BALANCE_HEAD=1.334,
NORMAL_HTTP_TO_IP=0.001, URIBL_BLACK=1.955, URIBL_PH_SURBL=1.787,
URIBL_SBL=1.499] autolearn=spam
Received: from mail.mydomain.com ([127.0.0.1])
by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id rK3zfTTQb0j9; Fri, 24 Sep 2010 01:56:19 +0800 (SGT)
Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id 1854F5405D
for <spam._napzjmlc@mail.mydomain.com>; Fri, 24 Sep 2010 01:56:19 +0800 (SGT)
To: spam._napzjmlc@mail.mydomain.com
Message-ID: <5162268.14.1285264579097.JavaMail.root@mail.mydomain.com>
Subject: zimbra-spam-report: user@mydomain.com: spam
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_13_23348857.1285264579096"
X-Zimbra-Spam-Report-Sender: user@mydomain.com
X-Zimbra-Spam-Report-Type: spam
X-Originating-IP: [192.168.100.99]
Date: Fri, 24 Sep 2010 01:56:19 +0800 (SGT)
From: MAILER-DAEMON@mail.mydomain.com

------=_Part_13_23348857.1285264579096
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Description: Zimbra spam classification report

Classified-By: user@mydomain.com
Classified-As: spam

------=_Part_13_23348857.1285264579096
Content-Type: message/rfc822
Content-Disposition: attachment

Return-Path: sicurezza@relaxbanking.it
Received: from 192.168.100.99 (LHLO mail.mydomain.com) (192.168.100.99) by
mail.mydomain.com with LMTP; Fri, 24 Sep 2010 01:55:14 +0800 (SGT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id 5D60E54053
for <user@mydomain.com>; Fri, 24 Sep 2010 01:55:09 +0800 (SGT)
X-Quarantine-ID: <5Opk53+4pvz2>
X-Virus-Scanned: amavisd-new at mail.mydomain.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char E8 hex):
Subject: ...Per ragioni di sicurezza \350 necessario con[...]
X-Spam-Flag: NO
X-Spam-Score: 4.922
X-Spam-Level: ****
X-Spam-Status: No, score=4.922 tagged_above=-10 required=6.6
tests=[ALL_TRUSTED=-1.8, AWL=-2.904, BASE64_LENGTH_79_INF=1.496,
BAYES_50=0.001, HTML_IMAGE_ONLY_24=1.552, HTML_MESSAGE=0.001,
HTML_TAG_BALANCE_HEAD=1.334, NORMAL_HTTP_TO_IP=0.001,
URIBL_BLACK=1.955, URIBL_PH_SURBL=1.787, URIBL_SBL=1.499] autolearn=no
Received: from mail.mydomain.com ([127.0.0.1])
by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 5Opk53+4pvz2; Fri, 24 Sep 2010 01:55:08 +0800 (SGT)
Received: from relaxbanking.it (unknown [208.93.150.136])
by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D
for <anaminsantiago@hotmail.com>; Fri, 24 Sep 2010 01:55:03 +0800 (SGT)
From: Relax Banking <sicurezza@relaxbanking.it>
To: anaminsantiago@hotmail.com
Subject: =?utf-8?Q?Spam?=
Per ragioni di sicurezza è necessario confermare il tuo account.
Date: 23 Sep 2010 12:52:56 -0500
Message-ID: <20100923125256.F0BF418597DAD7AF@relaxbanking.it>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_EAA65E99.2DE55BDB"
X-SpamInfo: FortiGuard - AntiSpam ip, connection black ip 208.93.150.136
#5 | 09-27-2010, 12:13 AM | Advanced Member (Posts: 222)

Sorry, but this seems not to be SPAM, but rather a spam REPORT sent back to your user.

Do you have port 25 open on your company's firewall/router for EVERYONE to any destination? If yes, then no wonder your users can spam around and also put your IP on blacklists.
But as Phoenix already said, such problems are discussed all over the internet a godzillion times, which gives you a great chance to find instructions on how to protect yourself.
#6 | 09-27-2010, 12:21 AM | Elite Member (Posts: 377)

Hi Labsy,

1. The reason why I posted the spam report instead of the spam itself is that none of our users receive any spam from relaxbanking.it at all.

2. All our ports are protected and filtered by Fortigate. According to Fortigate, all these emails are already dropped before getting out.

Thus, we concluded that the spam is likely to originate from one or more of our 100++ internal users. Unfortunately, Zimbra does not reveal the IP of the sender.
#7 | 09-27-2010, 11:08 AM | Moderator (Posts: 1,432)

Labsy, this is the spam report sent to the Zimbra spam account.

While the Admin GUI isn't a great deal of help in identifying the source of mail in the queue, the headers do have the information you need. It might help to understand that Zimbra relays mail internally through amavis using 127.0.0.1. This causes a few extra headers to appear, but if you dig down you'll see:
Quote:
Received: from relaxbanking.it (unknown [208.93.150.136])
by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D
This is the IP address of the sender. Block that IP address at your firewall, or create a manual blacklisting in postfix.

Another option (not as powerful): Improving antispam
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
#8 | 09-27-2010, 01:34 PM | Loyal Member (Posts: 81)

This is what I do to combat this:

As the zimbra user,
1) go to the conf directory and edit salocal.cf.in
2) Add these rules (they are for addresses that in the Received and From headers have text matching a .br, .it, .ru, .pl, etc. address. Note that there is a whitespace after the country code in order to help reduce false positives):

header BLKCO_RCVD Received =~ /\.br |\.it |\.ru |\.pl |\.es |\.au /
describe BLKCO_RCVD BLKRC
score BLKCO_RCVD 10.0

header BLKCO_FROM From =~ /\.br |\.it |\.ru |\.pl |\.es |\.au /
describe BLKCO_FROM BLKFM
score BLKCO_FROM 10.0

3) Save and close
4) zmmtactl restart && zmamavisdctl restart

This has been quite effective at making sure this SPAM goes to Junk. I also have my junk threshold set to 1 now (and we whitelist to keep clients from going to Junk).

Good luck!
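To make the advice in #7 and #8 concrete, here is an added Python example (not code from the thread, from Zimbra or from SpamAssassin). It takes the inner message headers posted in #4, walks the Received: chain past the 127.0.0.1 amavis hops to the first non-private client address, and then applies the two BLKCO header rules from #8 the way SpamAssassin evaluates header rules, adding their scores to the X-Spam-Score that amavisd reported. The headers are the thread's own, with the folding whitespace the forum paste lost restored and mydomain.com kept as the poster's placeholder; the CIDR access-map line and the score arithmetic are my additions.

```python
import re
from ipaddress import ip_address

# The inner message headers posted in #4 (mydomain.com is the poster's
# placeholder). Folding whitespace lost in the forum paste is restored, and the
# mis-encoded Subject character is written as the 'è' (char E8 hex) that the
# X-Amavis-Alert line identified.
SAMPLE_HEADERS = """\
Return-Path: sicurezza@relaxbanking.it
Received: from 192.168.100.99 (LHLO mail.mydomain.com) (192.168.100.99) by
 mail.mydomain.com with LMTP; Fri, 24 Sep 2010 01:55:14 +0800 (SGT)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mail.mydomain.com (Postfix) with ESMTP id 5D60E54053
 for <user@mydomain.com>; Fri, 24 Sep 2010 01:55:09 +0800 (SGT)
Received: from mail.mydomain.com ([127.0.0.1])
 by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 5Opk53+4pvz2; Fri, 24 Sep 2010 01:55:08 +0800 (SGT)
Received: from relaxbanking.it (unknown [208.93.150.136])
 by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D
 for <anaminsantiago@hotmail.com>; Fri, 24 Sep 2010 01:55:03 +0800 (SGT)
From: Relax Banking <sicurezza@relaxbanking.it>
To: anaminsantiago@hotmail.com
Subject: =?utf-8?Q?Spam?=
 Per ragioni di sicurezza è necessario confermare il tuo account.
Date: 23 Sep 2010 12:52:56 -0500
Message-ID: <20100923125256.F0BF418597DAD7AF@relaxbanking.it>
"""

FIELD_RE = re.compile(r"^([!-9;-~]+):[ \t]?(.*)$")  # RFC 5322 field-name chars


def parse_headers(raw):
    """Unfold the header block into an ordered list of (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields:  # a line that starts no field continues the previous one
            fields[-1][1] += " " + line.strip()
    return [tuple(f) for f in fields]


def parse_received(value):
    """Pull the fields an investigator needs out of one Received: header."""
    def grab(pattern):
        m = re.search(pattern, value)
        return m.group(1) if m else None
    return {"from": grab(r"^from (\S+)"),
            "ip": grab(r"[\[(]((?:\d{1,3}\.){3}\d{1,3})[\])]"),
            "by": grab(r"\bby (\S+)"),
            "with": grab(r"\bwith ([A-Za-z0-9]+)"),
            "id": grab(r"\bid ([^\s;]+)")}


def received_chain(headers):
    """Hops in header order; the top Received: is the most recent one."""
    return [parse_received(v) for n, v in headers if n.lower() == "received"]


def originating_hop(hops):
    """First hop whose client is neither loopback nor RFC 1918: the host that
    handed the message to the MTA. The 127.0.0.1 hops are amavisd-new."""
    for hop in hops:
        if hop["ip"] and not (ip_address(hop["ip"]).is_loopback
                              or ip_address(hop["ip"]).is_private):
            return hop
    return None


def access_map_line(hop):
    """Entry for a Postfix check_client_access CIDR map (the map path is the admin's choice)."""
    return f"{hop['ip']}\tREJECT"


CC_PATTERN = re.compile(r"\.br |\.it |\.ru |\.pl |\.es |\.au ")
SA_RULES = {  # name: (header field, pattern, score), copied from post #8
    "BLKCO_RCVD": ("Received", CC_PATTERN, 10.0),
    "BLKCO_FROM": ("From", CC_PATTERN, 10.0),
}


def evaluate_rules(headers, rules=SA_RULES):
    """Apply header rules as SpamAssassin does: all instances of the named
    header are joined with newlines and the pattern is searched once."""
    hits = {}
    for name, (field, pattern, score) in rules.items():
        text = "\n".join(v for n, v in headers if n.lower() == field.lower())
        if pattern.search(text):
            hits[name] = score
    return hits


def investigate(raw, base_score):
    headers = parse_headers(raw)
    hop = originating_hop(received_chain(headers))
    hits = evaluate_rules(headers)
    return {"origin_ip": hop["ip"] if hop else None,
            "queue_id": hop["id"] if hop else None,
            # Postfix writes ESMTPA/ESMTPSA when the client passed SMTP AUTH
            "smtp_auth": bool(hop) and hop["with"] in ("ESMTPA", "ESMTPSA"),
            "access_map": access_map_line(hop) if hop else None,
            "rule_hits": hits,
            "score": round(base_score + sum(hits.values()), 3)}
```

Calling investigate(SAMPLE_HEADERS, 4.922), with 4.922 being the X-Spam-Score amavisd assigned in the posted headers, brings out two things the thread does not spell out. The originating hop reads "with ESMTPA", which Postfix writes when the client passed SMTP AUTH: the message was relayed to an external recipient using one of the server's own accounts, so the sasl_username logged for queue id E996E5405D in zimbra.log identifies the account to lock down, whichever PC was involved. And the trailing space in the BLKCO pattern, there to reduce false positives, means BLKCO_FROM does not fire on this message (the From header ends in ".it>"); only BLKCO_RCVD does, which is still enough to push 4.922 past the 6.6 threshold. The same Received rule would fire on any legitimate .it correspondent too, so it is a blunt instrument rather than a fix for the underlying account problem.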