Mysterious e-mail

[devicegrip]

3 of my users received e-mails that made it past the AV scan and spamassassin scoring on my Zimbra server. 2 of the users showed up in the AV NOD32 console as being viruses. The header shows no score for spamassassin. Also, the e-mails appear to be coming from our own domain.

I'm in the process of migrating and have another server that handles the mail and forwards it to an alias on the Zimbra server. The original server was able to mark it as spam through spamassassin (note the [***SPAM***] tag in the subject). Is there a setting that I may be missing to stop this kind of e-mail? Atleast one of the users clicked on the attachment.

PHP Code:

Return-Path: LukeGordy@covad.net
Received: from webmail.domain.com (LHLO webmail.domain.com) (Zimbra IP)
 by webmail.domain.com with LMTP; Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by webmail.domain.com (Postfix) with ESMTP id BC1563988E31;
    Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
X-DSPAM-Result: Spam
X-DSPAM-Class: Spam
X-DSPAM-Confidence: 1.00
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: N/A
X-Virus-Scanned: amavisd-new at domain.com
Received: from webmail.domain.com ([127.0.0.1])
    by localhost (webmail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id EopfavABVhBi; Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
Received: from domain.com (mail.domain.com [Legacy mail server IP])
    by webmail.domain.com (Postfix) with ESMTPS id 60FDE3988E30;
    Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
Received: from dsl95.9-19672.static.ttnet.net.tr (dsl95.9-19672.ttnet.net.tr [95.9.76.216] (may be forged))
    by domain.com (8.13.8/8.13.8) with ESMTP id p8LD7b5j002004;
    Wed, 21 Sep 2011 09:07:45 -0400
X-DKIM: Sendmail DKIM Filter v2.8.3 domain.com p8LD7b5j002004
Authentication-Results: domain.com; dkim=none (no signature)
    header.i=unknown; x-dkim-adsp=none
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.96.3 at domain.com
Received: from dsl95.9-19672.static.ttnet.net.tr by mx3c8.carrierinternetsolutions.com; Wed, 21 Sep 2011 06:07:44 +0200
From: <scan@domain.com>
To: <user@domain.com>
Subject: [***SPAM***] Re: Scan from a Hewlett-Packard Officejet  #7974665
Date: Wed, 21 Sep 2011 06:07:44 +0200
Message-ID: <64bc01cc7870$36ee02e0$d84c095f@MARYLIN_Boyer>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0675_01CC7870.37267800"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6838
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.2001
Importance: Normal
X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
Received-SPF: None (domain.com: domain of lukegordy@covad.net
    does not designate permitted sender hosts)
    receiver=domain.com; client-ip=95.9.76.216;
    envelope-from=<LukeGordy@covad.net>; helo=dsl95.9-19672.static.ttnet.net.tr; 


[devicegrip]

here is the header from another user that got the almost identical e-mail. This one, the legacy server did not recognize as spam. It is sent from hp@mydomain.com (which doesn't exist).

PHP Code:

Return-Path: EdgarCuriel@innovativemgmt.net
Received: from webmail.domain.com (LHLO webmail.domain.com) (Zimbra IP)
 by webmail.domain.com with LMTP; Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by webmail.domain.com (Postfix) with ESMTP id CCF163988D35
    for <userc@domain.com>; Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
X-DSPAM-Result: Spam
X-DSPAM-Class: Spam
X-DSPAM-Confidence: 0.57
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: N/A
X-Virus-Scanned: amavisd-new at domain.com
Received: from webmail.domain.com ([127.0.0.1])
    by localhost (webmail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id kuQBjl8HbcEG for <userc@domain.com>;
    Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
Received: from domain.com (mail.domain.com [Legacy mail server ip])
    by webmail.domain.com (Postfix) with ESMTPS id 8404A39882EE
    for <userc@webmail.domain.com>; Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
Received: from [125.178.91.139] ([125.178.91.139])
    by domain.com (8.13.8/8.13.8) with ESMTP id p8LAxsvI020811;
    Wed, 21 Sep 2011 07:00:01 -0400
X-DKIM: Sendmail DKIM Filter v2.8.3 domain.com p8LAxsvI020811
Authentication-Results: domain.com; dkim=none (no signature)
    header.i=unknown; x-dkim-adsp=none
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.96.3 at domain.com
Received: from [125.178.91.139] (account user@domain.com HELO domain.com) by domain.com (CommuniGate Pro SMTP 5.3.10) with ESMTPA id 449776720 for <user@domain.com>; Wed, 21 Sep 2011 06:00:01 +0900
Message-ID: <E0576E05.4050804@domain.com>
Date: Wed, 21 Sep 2011 06:00:01 +0900
From: <hp@domain.com>
User-Agent: Mozilla/5.0 (Macintosh; PPC Mac OS X 10.5; it; rv:1.9.0.5pre) Gecko/2008120105 Lightning/1.0b3 Thunderbird/2.0.0.0 ThunderBrowse/3.2.6.5
MIME-Version: 1.0
To: user@domain.com
Subject: Fwd: Scan from a HP Officejet  #295524
Content-Type: multipart/mixed;
 boundary="------------040301000307000108090707"
X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
Received-SPF: None (domain.com: domain of edgarcuriel@innovativemgmt.net
    does not designate permitted sender hosts)
    receiver=domain.com; client-ip=125.178.91.139;
    envelope-from=<EdgarCuriel@innovativemgmt.net>; helo=[125.178.91.139]; 


[devicegrip]

I don't have the "show original" from the third user. However, she got the same e-mail that the first example got. Somehow she got that users e-mail in her inbox as well. She(user3) thought he(user1) sent it since his(user1) name was in the "to:" field. User3 ended up forwarding this e-mail back to user1 in confusion.

I have some of the headers from the forward.

PHP Code:

Date: Wed, 21 Sep 2011 10:18:41 -0400 (EDT)
From: <user3@domain.com>
To: user1@domain.com
Subject: Fwd: [***SPAM***] Re: Scan from a Hewlett-Packard Officejet  #7974665
Message-ID: <0b9e89a5-7722-4b8e-ab0f-5fcafadccde1@webmail.domain.com>
In-Reply-To: <64bc01cc7870$36ee02e0$d84c095f@MARYLIN_Boyer>
Content-Type: multipart/mixed;
 boundary="=_65a9c893-cdc2-4c01-be04-e12d85a9d52d"
MIME-Version: 1.0
X-Originating-IP: [Local Gateway]
X-Mailer: Zimbra 7.1.1_GA_3213 (ZimbraWebClient - [unknown] (Win)/7.1.1_GA_3196)



BELOW was a message sent to user3 even though it shows user1 in the to: field. User3 thought it was sent from user1 by mistake.

----- Forwarded Message -----

From: scan@domain.com 
To: user1@domain.com 
Sent: Wednesday, September 21, 2011 12:07:44 AM 
Subject: [***SPAM***] Re: Scan from a Hewlett-Packard Officejet =C2=A0#7974=
665 

Attached document was scanned and sent 
to you using a Hewlett-Packard HP Officejet 5203A. 
Sent by: MARYLIN 
Images : 4 
Attachment Type: ZIP [DOC] 

Hewlett-Packard Officejet Location: machine location not set 
Device: OFC336AA0BSX92735847 


Hopefully this isn't too confusing and someone can shed light on a setting I may be missing.

Thanks

[devicegrip]

Anyone have any thoughts? I tried to include everything I have as accurate as possible.

This seems like a huge issue and I would rather not have this happen again.

Thanks