| Welcome to the Zimbra :: Forums! | |
08-09-2011, 09:09 PM
Blocking blank sender 'From=<>'

Lately in the daily mail report, the top 50 senders by message count shows the highest sender as from=<>. What type of sender is this, and can I block this type of sender?
Getting worried as this type of sender is growing.
08-11-2011, 03:55 AM
I have the same problem.
Top senders from=<>
Any help
08-11-2011, 04:04 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by sameone
I have the same problem.
Top senders from=<>
Any help

Not really with the lack of information. Are they from your server or to your server? If they're from your server have you checked if there are any infected machines on your LAN or compromised accounts on the server? If they are to your server which of the techniques have you tried to stop this problem? Have you made any modifications to the anti-spam system? Are there any headers for these emails? What have you found in the forums relating to this problem? Have you tried some of the techniques in the wiki article on improving the anti-spam system? Which version & release of Zimbra?
__________________
Regards
Bill
08-11-2011, 04:21 AM
Zimbra 7.1.1 OCS
After I received the log to adminLotus@mydomain.com, I saw there under Top 50 senders by message count
19 from=<>
If I understand that, this means that someone (virus, ...) has sent 19 mails from my domain???
08-11-2011, 05:41 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by sameone
Zimbra 7.1.1 OCS
After I received log to adminLotus@mydomain.com, there I saw Top 50 senders by message count
19 from=<>
If I understand that, this mean that someone (virus,...) has send 19 mail from my domain. ???

It doesn't necessarily mean that at all, ...... and the answers to my other questions are...?
__________________
Regards
Bill
08-11-2011, 05:51 AM
How can I make a custom rule to block from <>?
Is it possible in salocal.cf.ini? How do I write this rule:
blacklist_from <>
or
from LOCAL_RULE /<>/
score LOCAL_RULE 7
Can I do it that way, or what is the right way?
------------------------------------------------------
Quote:
Are they from your server or to your server?

If I look at the log - Top 50 senders by message count - then that means that this is from my server.
Where can I see and find this <>, so that I will know where they are from?

Quote:
If they're from your server have you checked if there's any infected machines on your LAN or compromised accounts on the server? If they are to your server which of the techniques have you tried to stop this problem? Have you made any modifications to the anti-spam system? Are there any headers for these emails?

Quote:
What have you found in the forums relating to this problem?

Nothing

Quote:
Have you tried some of the techniques in the wiki article on improving the anti-spam system?

I didn't find how to block special words in salocal.cf.ini
08-11-2011, 06:08 PM
I have no idea what to look for in the mail.log. I have checked through the mail.log but can’t find any ‘<>’ or blank sender. I have also tried the spam control recommended in the wiki but it is still the same, the ‘from=<>’ came up on top. I am using ZCS 7.1.2
08-12-2011, 09:32 AM
Advanced Member
A check on my system
Code:
grep "from=<>" /var/log/zimbra.log

returns a group of messageIDs.
A similar grep but for 1 of the messageIDs
Code:
grep "B321536B15B5" /var/log/zimbra.log

returns
Code:
Aug 12 04:25:21 email postfix/smtpd[14699]: B321536B15B5: client=unknown[203.217.173.15]
Aug 12 04:25:22 email postfix/cleanup[15263]: B321536B15B5: message-id=<20110809083716.6F0BB11E6778@mail.fxmail.ru>
Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: from=<>, size=1067, nrcpt=2 (queue active)
Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, orig_to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: removed

Looks like an incoming message to me; IP 203.217.173.15 is not one of our public addresses.
Also the inbound message ID "20110809083716.6F0BB11E6778@mail.fxmail.ru" does not look like a friendly mail server.
You might try something like (note: untested by me)
Code:
header LOCAL_BadFrom From =~ /^$/
describe LOCAL_BadFrom Empty From Address
score LOCAL_BadFrom 1.0

in salocal.cf.in and then stop and start Zimbra.
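
The grep-by-queue-ID trace in the post above, done in one pass over the whole log; this is an added example, not part of the original thread. The log lines and addresses are constructed, and the function name `null_sender_sources`, the skipping of 127.0.0.1 (content-filter re-injection on port 10025) and the label `local` for messages with no `client=` line (for example bounces generated by this server) are assumptions.

```shell
#!/bin/sh
# Constructed sample in Postfix log format (documentation addresses only).
sample_log() {
  cat <<'EOF'
Aug 12 04:25:21 mail postfix/smtpd[1001]: A1B2C3D4E5: client=unknown[192.0.2.10]
Aug 12 04:25:22 mail postfix/qmgr[900]: A1B2C3D4E5: from=<>, size=1067, nrcpt=1 (queue active)
Aug 12 04:25:22 mail postfix/smtpd[1004]: E5F6071829: client=localhost[127.0.0.1]
Aug 12 04:25:22 mail postfix/qmgr[900]: E5F6071829: from=<>, size=1500, nrcpt=1 (queue active)
Aug 12 04:26:01 mail postfix/smtpd[1002]: B2C3D4E5F6: client=unknown[192.0.2.10]
Aug 12 04:26:02 mail postfix/qmgr[900]: B2C3D4E5F6: from=<>, size=2048, nrcpt=1 (queue active)
Aug 12 04:27:10 mail postfix/smtpd[1003]: C3D4E5F607: client=mx.example.net[198.51.100.7]
Aug 12 04:27:11 mail postfix/qmgr[900]: C3D4E5F607: from=<user@example.net>, size=900, nrcpt=1 (queue active)
Aug 12 04:28:00 mail postfix/bounce[1100]: C3D4E5F607: sender non-delivery notification: D4E5F60718
Aug 12 04:28:00 mail postfix/qmgr[900]: D4E5F60718: from=<>, size=3000, nrcpt=1 (queue active)
Aug 12 04:58:00 mail postfix/qmgr[900]: D4E5F60718: from=<>, size=3000, nrcpt=1 (queue active)
EOF
}

# Read a Postfix log on stdin; print "<count> <source>" for every source of
# null-sender (from=<>) mail, highest count first.
null_sender_sources() {
  awk '
    # smtpd records which client handed over each queue ID.
    $5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ {
      id = $6; sub(/:$/, "", id)
      ip = $7; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
      client[id] = ip
    }
    # qmgr records the envelope sender; from=<> is the null sender.
    $5 ~ /^postfix\/qmgr\[/ && $7 == "from=<>," {
      id = $6; sub(/:$/, "", id)
      if (seen[id]++) next              # deferred mail is re-logged on each retry
      src = (id in client) ? client[id] : "local"
      if (src == "127.0.0.1") next      # assumed: copy re-injected by the content filter
      count[src]++
    }
    END { for (s in count) print count[s], s }
  ' | sort -k1,1nr -k2,2
}

sample_log | null_sender_sources
```

On a live server, feed it the real log instead of the sample, e.g. `null_sender_sources < /var/log/zimbra.log`. A remote address at the top of the list means inbound bounces or spam with a null sender; a high `local` count means this server is generating the notifications itself.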
08-22-2011, 02:56 AM
Quote:
Originally Posted by jrefl5
A check on my system
Code:
grep "from=<>" /var/log/zimbra.log

returns a group of messageIDs
A similar grep but for 1 of the messageIDs
Code:
grep "B321536B15B5" /var/log/zimbra.log

returns
Code:
Aug 12 04:25:21 email postfix/smtpd[14699]: B321536B15B5: client=unknown[203.217.173.15]
Aug 12 04:25:22 email postfix/cleanup[15263]: B321536B15B5: message-id=<20110809083716.6F0BB11E6778@mail.fxmail.ru>
Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: from=<>, size=1067, nrcpt=2 (queue active)
Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, orig_to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: removed

looks like incoming message to me ip 203.217.173.15 is not one of our public, addresses.
Also the inbound message ID "20110809083716.6F0BB11E6778@mail.fxmail.ru" does not look like a friendly mail server.
you might try something like (note untested by me)
Code:
header LOCAL_BadFrom From =~ /^$/
describe LOCAL_BadFrom Empty From Address
score LOCAL_BadFrom 1.0

in salocal.cf.in and then stop start zimbra.

I'm sorry this has become longer. Truly, we are holding the IP 203.217.173.15 that is attached in the code above, but we have a problem locating where the problem comes from. This has been occurring for the last 3 weeks and we can't do anything because of the lack of a username there...
This has got us blocked by several spam blocker sites. Can anyone resolve this problem? Please?
08-22-2011, 05:52 AM
Quote:
Originally Posted by acemy
Lately in the daily mail report - top 50 senders by message count show highest sender from=<>, what type of sender is this? and can block this type of sender?
Getting worry as this type of sender is growing.

from=<> usually means an NDR (non delivery report) or mailer-daemon. The best way to stop these NDRs is to find the root of the problem. Blocking this kind of problem doesn't solve your problem.
Look at your Zimbra Admin | Mail Queue and check your deferred queue to see whether there is any deferred email. If yes, look at the deferred error tab to see why it happened.
You could also use the mailq command to find out whether there is any reason why an NDR report has been generated. Sometimes, an NDR would be generated because one or more accounts have been compromised and are sending mass email to unknown addresses.