Please help - my zimbra sends backscatter spam.

[rokka]

Hi forum,

I'm having this annoying problem how zimbra handles backscatter spam.
Seems like my server gonna be in all blacklists soon, if I don't correct this behaviour.

When spammer sends me a message with banned attachment (exe, src etc), zimbra sends ndr back to the spammer's victim.

I think this is what's configured by default in zimbra, which is pretty thoughtless.

grep 144AAD7601E /var/log/mail.log.1

Feb 15 10:47:26 mail01 postfix/smtpd[15870]: 144AAD7601E: client=cpe-174-097-180-223.nc.res.rr.com[174.97.180.223]
Feb 15 10:47:37 mail01 postfix/cleanup[15874]: 144AAD7601E: message-id=<01cbccfd$bb384390$dfb461ae@info56250>
Feb 15 10:49:10 mail01 postfix/qmgr[17602]: 144AAD7601E: from=<info56250@remote_domain.com>, size=85288, nrcpt=1 (queue active)
Feb 15 10:49:10 mail01 postfix/smtp[15907]: 144AAD7601E: to=<roman@mysuperdomain.com>, orig_to=<roman.second@mysuperdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=105, delays=105/0/0.01/0.27, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=16299-01, BOUNCE)
Feb 15 10:49:10 mail01 postfix/qmgr[17602]: 144AAD7601E: removed


grep C30F6D7602C /var/log/mail.log.1
Feb 15 10:49:10 mail01 postfix/smtpd[15909]: C30F6D7602C: client=localhost.localdomain[127.0.0.1]
Feb 15 10:49:10 mail01 postfix/cleanup[15874]: C30F6D7602C: message-id=<VSHO60gsHQwAKd@mail01.mysuperdomain.com>
Feb 15 10:49:10 mail01 postfix/qmgr[17602]: C30F6D7602C: from=<>, size=4967, nrcpt=1 (queue active)
Feb 15 10:49:12 mail01 postfix/smtp[16306]: C30F6D7602C: to=<info56250@remote_domain.com>, relay=email-vip.remote_domain.com[153.2.xxx.xxx]:25, delay=2.1, delays=0.03/0.01/0.38/1.7, dsn=2.0.0, status=sent (250 +OK message queued for delivery.)
Feb 15 10:49:12 mail01 postfix/qmgr[17602]: C30F6D7602C: removed

How can I disable these NDRs?

Regards,
--Roman

[phoenix]

How can I disable these NDRs?

Search the forums for the word 'backscatter' and try some of the other techniques in the forums and wiki for improving the anti-spam system.

[rokka]

Sigh....

Thanks, I thought there is an option to disables ndr-s somewhere in zimbra management interface.

Otherwise the zimbra has a quite big security breach with default settings.

--Roman

[phoenix]

Otherwise the zimbra has a quite big security breach with default settings.

No, it doesn't. If your server is relaying emails then it's something you would have changed in the server settings - Zimbra by default is not an open relay. Backscatter spam is not a security risk and an NDR is normal for any mail server. As I've said, read the forum threads and wiki articles on what to do about backscatter spam plus other techniques for improving the anti-spam system.