Thread: Spam issues again

  1. #1
    bhwong is offline Outstanding Member
    Join Date
    Feb 2009
    Location
    Singapore
    Posts
    500
    Rep Power
    7

    Spam issues again

    We have been receiving over 20k spam messages from .it domains almost daily! What can we do to drop emails from these domains besides marking them as junk, which fails to even move most of them to the junk folder?

    We also suspect that some of them are from our internal users who have infected computers. Unfortunately the Origin IP of every email simply shows up as 127.0.0.1. The Zimbra log also shows 127.0.0.1 for most email senders instead of their actual IPs.

    I posted this a few weeks ago but was unable to receive any satisfactory reply. We have no choice but to repost, as this is getting more serious without any solution or even workaround in sight. Anyone with experience with spam issues, please share your expertise. Thanks!

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,583
    Rep Power
    57


    Posting an image of your Zimbra queues is not much help: it's a) not legible and b) gives no useful information.

    You need to provide headers from the emails and full details of what changes you've made to the anti-spam system and what you've done to improve it.

    If you're getting spam from an internal user then you need to scan your LAN users' PCs for bots or malware; that should be done routinely. You can also search the log files to see which users are the most active senders. Really, these subjects have been covered ad infinitum in the forums if you search for them - there are tips, help, advice, changes you can make to your system, where to look for the problem etc. etc.
    Regards

    Bill

  3. #3
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    I realize that you weren't able to identify the source of spam by scanning zimbra.log. However, if you grep on the ID, you should be able to locate the message-id (a completely separate pattern), and then you may be able to grep on that in /opt/zimbra/log/mailbox.log to find the IP address and userid of the sender.

  4. #4
    bhwong is offline Outstanding Member
    Join Date
    Feb 2009
    Location
    Singapore
    Posts
    500
    Rep Power
    7


    Hi Ewilen, thanks for your suggestion. The IP addresses I found in the log file all point to our router gateway instead of the individual PCs. So I won't be able to pinpoint which PC it is. But at least it's an improvement over Zimbra Admin's 127.0.0.1 local loop, which doesn't make sense at all.

    Will it be helpful if I post the spam message header? (Note that I have replaced our domain for security reasons.)

    Received: from 192.168.100.99 (LHLO mail.mydomain.com) (192.168.100.99) by
    mail.mydomain.com with LMTP; Fri, 24 Sep 2010 01:56:30 +0800 (SGT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 2789E54061
    for <user@mydomain.com>; Fri, 24 Sep 2010 01:56:21 +0800 (SGT)
    X-Virus-Scanned: amavisd-new at mail.mydomain.com
    X-Spam-Flag: NO
    X-Spam-Score: 6.525
    X-Spam-Level: ******
    X-Spam-Status: No, score=6.525 tagged_above=-10 required=6.6
    tests=[ALL_TRUSTED=-1.8, AWL=-3.997, BASE64_LENGTH_79_INF=1.496,
    BAYES_50=0.001, FH_FROMEML_NOTLD=2.696, HTML_IMAGE_ONLY_24=1.552,
    HTML_MESSAGE=0.001, HTML_TAG_BALANCE_HEAD=1.334,
    NORMAL_HTTP_TO_IP=0.001, URIBL_BLACK=1.955, URIBL_PH_SURBL=1.787,
    URIBL_SBL=1.499] autolearn=spam
    Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id rK3zfTTQb0j9; Fri, 24 Sep 2010 01:56:19 +0800 (SGT)
    Received: from mail.mydomain.com (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 1854F5405D
    for <spam._napzjmlc@mail.mydomain.com>; Fri, 24 Sep 2010 01:56:19 +0800 (SGT)
    To: spam._napzjmlc@mail.mydomain.com
    Message-ID: <5162268.14.1285264579097.JavaMail.root@mail.mydomain.com>
    Subject: zimbra-spam-report: user@mydomain.com: spam
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_Part_13_23348857.1285264579096"
    X-Zimbra-Spam-Report-Sender: user@mydomain.com
    X-Zimbra-Spam-Report-Type: spam
    X-Originating-IP: [192.168.100.99]
    Date: Fri, 24 Sep 2010 01:56:19 +0800 (SGT)
    From: MAILER-DAEMON@mail.mydomain.com

    ------=_Part_13_23348857.1285264579096
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Content-Description: Zimbra spam classification report

    Classified-By: user@mydomain.com
    Classified-As: spam

    ------=_Part_13_23348857.1285264579096
    Content-Type: message/rfc822
    Content-Disposition: attachment

    Return-Path: sicurezza@relaxbanking.it
    Received: from 192.168.100.99 (LHLO mail.mydomain.com) (192.168.100.99) by
    mail.mydomain.com with LMTP; Fri, 24 Sep 2010 01:55:14 +0800 (SGT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 5D60E54053
    for <user@mydomain.com>; Fri, 24 Sep 2010 01:55:09 +0800 (SGT)
    X-Quarantine-ID: <5Opk53+4pvz2>
    X-Virus-Scanned: amavisd-new at mail.mydomain.com
    X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char E8 hex):
    Subject: ...Per ragioni di sicurezza \350 necessario con[...]
    X-Spam-Flag: NO
    X-Spam-Score: 4.922
    X-Spam-Level: ****
    X-Spam-Status: No, score=4.922 tagged_above=-10 required=6.6
    tests=[ALL_TRUSTED=-1.8, AWL=-2.904, BASE64_LENGTH_79_INF=1.496,
    BAYES_50=0.001, HTML_IMAGE_ONLY_24=1.552, HTML_MESSAGE=0.001,
    HTML_TAG_BALANCE_HEAD=1.334, NORMAL_HTTP_TO_IP=0.001,
    URIBL_BLACK=1.955, URIBL_PH_SURBL=1.787, URIBL_SBL=1.499] autolearn=no
    Received: from mail.mydomain.com ([127.0.0.1])
    by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5Opk53+4pvz2; Fri, 24 Sep 2010 01:55:08 +0800 (SGT)
    Received: from relaxbanking.it (unknown [208.93.150.136])
    by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D
    for <anaminsantiago@hotmail.com>; Fri, 24 Sep 2010 01:55:03 +0800 (SGT)
    From: Relax Banking <sicurezza@relaxbanking.it>
    To: anaminsantiago@hotmail.com
    Subject: =?utf-8?Q?Spam?=
    Per ragioni di sicurezza è necessario confermare il tuo account.
    Date: 23 Sep 2010 12:52:56 -0500
    Message-ID: <20100923125256.F0BF418597DAD7AF@relaxbanking.it>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0012_EAA65E99.2DE55BDB"
    X-SpamInfo: FortiGuard - AntiSpam ip, connection black ip 208.93.150.136

  5. #5
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5


    Sorry, but this seems not to be SPAM, but rather a spam REPORT, sent back to your user.

    Do you have port 25 open on your company's firewall/router for EVERYONE to any destination? If yes, then no wonder your users can spam around & also put your IP on blacklists.
    But as Phoenix already said, such problems are discussed all over the internet a godzillion times, which gives you a great chance to find instructions on how to protect yourself.

  6. #6
    bhwong is offline Outstanding Member
    Join Date
    Feb 2009
    Location
    Singapore
    Posts
    500
    Rep Power
    7


    Hi Labsy,

    1. The reason why I posted the spam report instead of the spam itself is that none of our users receive any spam from relaxbanking.it at all.

    2. All our ports are protected and filtered by Fortigate. According to Fortigate, all these emails are already dropped before getting out.

    Thus, we concluded that the spam is likely to originate from one or more of our 100+ internal users. Unfortunately, Zimbra does not reveal the IP of the sender.

  7. #7
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9


    Labsy, this is the spam report sent to the Zimbra spam account.

    While the Admin GUI isn't a great deal of help identifying the source of mail in the queue, the headers do have the information you need. It might help to understand that Zimbra relays mail internally with amavis using 127.0.0.1. This causes a few extra headers to appear, but if you dig down you'll see:

    Received: from relaxbanking.it (unknown [208.93.150.136])
    by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D

    This is the IP address of the sender. Block that IP address at your firewall, or create a manual blacklisting in Postfix.

    Another option (not as powerful): Improving antispam
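
As an added example (not from the thread), here is a small Python script that does the header walk ewilen describes: it unfolds the Received headers, skips Zimbra's own loopback and LAN hops, and reports the first external hop, including the Postfix queue id to grep for and whether that hop was an authenticated (ESMTPA) submission, which means the client logged in with one of the server's own accounts. The sample headers are copied from the report posted above.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: three hops of the attached spam's Received chain from
# the report above, continuation lines indented so the parser unfolds them.
SAMPLE = """\
Received: from 192.168.100.99 (LHLO mail.mydomain.com) (192.168.100.99) by
 mail.mydomain.com with LMTP; Fri, 24 Sep 2010 01:55:14 +0800 (SGT)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mail.mydomain.com (Postfix) with ESMTP id 5D60E54053
 for <user@mydomain.com>; Fri, 24 Sep 2010 01:55:09 +0800 (SGT)
Received: from relaxbanking.it (unknown [208.93.150.136])
 by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D
 for <anaminsantiago@hotmail.com>; Fri, 24 Sep 2010 01:55:03 +0800 (SGT)
"""
# "from <helo> (<comment>) by <host> ... with <proto> [id <queue-id>]"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+\S+.*?"
    r"with\s+(?P<proto>[^\s;]+)(?:\s+id\s+(?P<qid>[^;\s]+))?"
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw):
    # Header order is newest hop first; unfold continuation lines.
    return [" ".join(h.split())
            for h in message_from_string(raw).get_all("Received", [])]

def parse_hop(hop):
    m = HOP_RE.search(hop)
    if not m:
        return None
    ips = IP_RE.findall(m.group("helo") + m.group("rest"))
    proto = m.group("proto")
    return {
        "helo": m.group("helo"),            # name the client claimed
        "ip": ips[-1] if ips else None,     # address Postfix actually saw
        # RFC 3848: ESMTPA / ESMTPSA means the client passed SMTP AUTH,
        # i.e. it logged in with one of your own accounts.
        "authenticated": proto.upper().endswith("A"),
        "queue_id": m.group("qid"),         # the id to grep for in zimbra.log
    }

def origin(raw):
    # Newest to oldest; first hop from a non-loopback, non-RFC1918 address.
    for hop in received_hops(raw):
        info = parse_hop(hop)
        if info and info["ip"] and not ip_address(info["ip"]).is_private:
            return info  # the address to block at the firewall / in Postfix
    return None
```

When the external hop is authenticated, the queue id is the value to grep for in zimbra.log and mailbox.log (as described earlier in the thread) to see which account submitted the message.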

  8. #8
    the_griz is offline Loyal Member
    Join Date
    Sep 2008
    Location
    Princeton, NJ
    Posts
    81
    Rep Power
    6


    This is what I do to combat this:

    As the zimbra user,
    1) go to the conf directory and edit salocal.cf.in
    2) Add rules (these are for addresses in the Received and From headers that match .br, .it, .ru, .pl, etc. Note that there is a whitespace after the country code in order to help reduce false positives):

    header BLKCO_RCVD Received =~ /\.br |\.it |\.ru |\.pl |\.es |\.au /
    describe BLKCO_RCVD BLKRC
    score BLKCO_RCVD 10.0

    header BLKCO_FROM From =~ /\.br |\.it |\.ru |\.pl |\.es |\.au /
    describe BLKCO_FROM BLKFM
    score BLKCO_FROM 10.0

    3) Save and close
    4) zmmtactl restart && zmamavisdctl restart

    This has been quite effective at making sure this SPAM goes to Junk. I also have my junk threshold set to 1 now (and we whitelist to keep clients from going to Junk).

    Good luck!
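
As an added example (not part of the post), the following Python snippet is a toy evaluator for the header/score rule lines above: it applies them to the From and Received headers of the spam sample posted earlier in the thread and reports which rules fire. It also adds a third rule using SpamAssassin's From:addr selector, which matches the bare address, because the original From rule needs a space after the country code and the sample's address is followed by ">".

```python
import re

# Constructed rule set: the two rules from the post above, plus a variant
# using SpamAssassin's From:addr selector, which tests only the address.
RULES = r"""
header BLKCO_RCVD Received =~ /\.br |\.it |\.ru |\.pl |\.es |\.au /
describe BLKCO_RCVD BLKRC
score BLKCO_RCVD 10.0
header BLKCO_FROM From =~ /\.br |\.it |\.ru |\.pl |\.es |\.au /
describe BLKCO_FROM BLKFM
score BLKCO_FROM 10.0
header BLKCO_FROM_ADDR From:addr =~ /\.(br|it|ru|pl|es|au)$/
score BLKCO_FROM_ADDR 10.0
"""
# Constructed from the spam headers posted earlier in the thread.
HEADERS = {
    "Received": ["from relaxbanking.it (unknown [208.93.150.136]) "
                 "by mail.mydomain.com (Postfix) with ESMTPA id E996E5405D"],
    "From": ["Relax Banking <sicurezza@relaxbanking.it>"],
}

RULE_RE = re.compile(r"^header\s+(\w+)\s+(\S+)\s+=~\s+/(.*)/(\w*)$")

def load_rules(text):
    # Toy reader for 'header' and 'score' lines, a small subset of SA syntax.
    rules, scores = {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        m = RULE_RE.match(line)
        if m:
            name, selector, pattern, flags = m.groups()
            rules[name] = (selector,
                           re.compile(pattern, re.I if "i" in flags else 0))
        elif line.startswith("score "):
            _, name, value = line.split()
            scores[name] = float(value)
    return [(n, sel, pat, scores.get(n, 1.0)) for n, (sel, pat) in rules.items()]

def header_values(headers, selector):
    # 'From' -> raw header values; 'From:addr' -> just the address in <...>.
    name, _, modifier = selector.partition(":")
    values = headers.get(name, [])
    if modifier == "addr":
        values = [m.group(1) if (m := re.search(r"<([^>]+)>", v)) else v.strip()
                  for v in values]
    return values

def evaluate(headers, rules):
    # Return {rule: score} for every rule that fires, and the total score.
    hits = {name: score for name, sel, pat, score in rules
            if any(pat.search(v) for v in header_values(headers, sel))}
    return hits, sum(hits.values())
```

On this sample the Received rule fires but the From rule does not, while the From:addr variant does; a single 10.0 hit already exceeds the required=6.6 threshold shown in the headers above. This is only a Python approximation of SpamAssassin's regex handling, so check real rules with spamassassin --lint and spamassassin -t before deploying.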
