Okay, some strange email activity since yesterday. It seems we are getting some spoofed messages and the server is not blocking them.
As you will see below, the outside server is spoofing the HELO request, but apparently the Zimbra server is not checking reverse DNS to verify it?
I am also assuming this got passed because it was from internal addresses to internal addresses?
Version 6.0.10_GA_2692.FOSS
Just something to understand the protected areas:
mail.domain.com is OUR email server domain
user@domain.com is the domain OUR users use
All unchanged IP addresses are the real addresses which the outside entity used.
Return-Path: 1571@public.qd.sd.cn
Received: from mail.domain.com (LHLO mail.domain.com) (our.mail.ip.address) by
    mail.domain.com with LMTP; Mon, 11 Apr 2011 13:18:04 -0600 (MDT)
Received: from localhost (localhost [127.0.0.1])
    by mail.domain.com (Postfix) with ESMTP id 5218922CC01B;
    Mon, 11 Apr 2011 13:18:04 -0600 (MDT)
X-Virus-Scanned: amavisd-new at mail.domain.com
X-Spam-Flag: NO
X-Spam-Score: 1.393
X-Spam-Level: *
X-Spam-Status: No, score=1.393 tagged_above=-10 required=4
    tests=[BAYES_00=-1.9, DNS_FROM_RFC_DSN=0.001, RDNS_NONE=0.793,
    SORTED_RECIPS=2.499] autolearn=no
Received: from mail.domain.com ([127.0.0.1])
    by localhost (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id pJbTzPbywflH; Mon, 11 Apr 2011 13:18:03 -0600 (MDT)
Received: from [189.16.132.172] (unknown [189.16.132.172])
    by mail.domain.com (Postfix) with ESMTP id 48BD622CC018;
    Mon, 11 Apr 2011 13:17:58 -0600 (MDT)
Received: from 189.16.132.172(helo=domain.com)
    by domain.com with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMA6X-9494ot-5X
    for <AUSERNAME1@domain.com>; Mon, 11 Apr 2011 16:17:43 -0300
From: <AUSERNAME1@domain.com>,
    <AUSERNAME2@domain.com>,
    <AUSERNAME3@domain.com>,
    <AUSERNAME4@domain.com>,
    <AUSERNAME5@domain.com>,
    <AUSERNAME6@domain.com>,
    <AUSERNAME7@domain.com>,
    <AUSERNAME8@domain.com>,
    <AUSERNAME9@domain.com>,
    <AUSERNAME10@domain.com>,
    <AUSERNAME11@domain.com>,
    <AUSERNAME12@domain.com>,
    <AUSERNAME13@domain.com>
To: <AUSERNAME1@domain.com>,
    <AUSERNAME2@domain.com>,
    <AUSERNAME3@domain.com>,
    <AUSERNAME4@domain.com>,
    <AUSERNAME5@domain.com>,
    <AUSERNAME6@domain.com>,
    <AUSERNAME7@domain.com>,
    <AUSERNAME8@domain.com>,
    <AUSERNAME9@domain.com>,
    <AUSERNAME10@domain.com>,
    <AUSERNAME11@domain.com>,
    <AUSERNAME12@domain.com>,
    <AUSERNAME13@domain.com>
Subject: Newsletter Mon, 11 Apr 2011 16:17:43 -0300
Date: Mon, 11 Apr 2011 16:17:43 -0300
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Message-ID: <4369943970.JY0P52TG600419@vxhfrgdoqp.qlumcorn.u a>
Any help would be greatly appreciated.
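Added example, not from the thread or from Zimbra: a small Python script that reads the Received: chain the way Zimbra's Postfix and amavisd write it, stops at the hop where the message arrived from outside, and reports the three things visible in the headers above: no reverse DNS for the connecting address (the RDNS_NONE hit), a HELO name using our own domain, and a From: header using our domain while the message came in from an outside IP. The domain and the network ranges are assumptions, and the sample message is constructed from the post's headers.

```python
# Walk the Received: chain as Zimbra's Postfix stack writes it and flag messages
# that claim our own domain on the hop where they entered from outside.
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

OUR_DOMAIN = "domain.com"                                  # the poster's domain
OUR_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),       # assumed stand-ins for
                ipaddress.ip_network("192.0.2.0/24")]      # our.mail.ip.address
# Postfix writes "from HELO (rdns [ip]) by host"; rdns is literally "unknown" with no PTR
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
                    r"\s+by\s+(?P<by>\S+)")
def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETWORKS)
def first_external_hop(received):
    # Newest header first: stop at the first hop one of our hosts accepted from an
    # address we do not own; everything below it was written by the remote side.
    for hdr in received:
        m = HOP_RE.search(" ".join(hdr.split()))
        if m and m["by"].endswith(OUR_DOMAIN) and not is_ours(m["ip"]):
            return m.groupdict()
    return None
def analyze(raw):
    msg = message_from_string(raw)
    hop = first_external_hop(msg.get_all("Received", []))
    findings = []
    if hop is None:                                        # purely internal mail
        return findings
    if hop["rdns"] == "unknown":
        findings.append(f"no reverse DNS for {hop['ip']}")
    helo = hop["helo"].strip("[]").lower()
    if helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN):
        findings.append(f"HELO {hop['helo']} claims our domain from outside ip {hop['ip']}")
    from_domains = {a.rsplit("@", 1)[-1].lower()
                    for _, a in getaddresses(msg.get_all("From", [])) if "@" in a}
    if OUR_DOMAIN in from_domains:
        findings.append(f"From: uses {OUR_DOMAIN} but message entered from {hop['ip']}")
    return findings

# Constructed sample, cut down from the headers in the post
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
    by mail.domain.com (Postfix) with ESMTP id 5218922CC01B
Received: from [189.16.132.172] (unknown [189.16.132.172])
    by mail.domain.com (Postfix) with ESMTP id 48BD622CC018
Received: from 189.16.132.172(helo=domain.com) by domain.com with esmtpa (Exim 4.69)
From: <AUSERNAME1@domain.com>, <AUSERNAME2@domain.com>

body
"""
```

Note that the forged Exim line with helo=domain.com sits below the hop our server wrote, so the script never trusts it; the HELO check only looks at what Postfix itself recorded for the outside connection.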