Thread: A lot of emails with FROM and TO addresses being one of ZCS user

  1. #1
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5

    A lot of emails with FROM and TO addresses being one of ZCS user

    Hi,

    Lately many of the users of our ZCS 7.14 have reported receiving SPAM which has their own e-mail address in the FROM and TO fields.
    How can this happen? Doesn't Zimbra recognize that the e-mail is coming from another server, claiming it is FROM a user which Zimbra is the only one responsible to send from?
    Zimbra on SGH dedicated hosting farm, Slovenia.
    In 2013 we announce new program of low cost SSL server certificates.

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,491
    Rep Power
    56


    Quote Originally Posted by Labsy View Post
    Hi,

    Lately many of the users of our ZCS 7.14 have reported receiving SPAM which has their own e-mail address in the FROM and TO fields.
    How can this happen? Doesn't Zimbra recognize that the e-mail is coming from another server, claiming it is FROM a user which Zimbra is the only one responsible to send from?
    It's likely to be NDR spam but without any headers it's impossible to say what exactly the problem is.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5


    You are right, Phoenix... here is one of those mail headers.
    I only replaced my original server's name with "myserver.com" and original user's address with "zimbra.user".

    There are 1-5 of such each day, which is a lot - there were none few years.
    I also instructed the user to change his password and to make it complex. He did this twice this week, but the mails still keep coming.
    Code:
    Received: from zimbra.myserver.com ([127.0.0.1])
    	by localhost (zimbra.myserver.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id sOrL2mrGc2gp for <zimbra.user@myserver.com>;
    	Thu,  7 Jun 2012 21:15:13 +0200 (CEST)
    Received: from localhost (localhost [127.0.0.1])
    	by zimbra.myserver.com (Postfix) with ESMTP id 4730320C060
    	for <zimbra.user@myserver.com>; Thu,  7 Jun 2012 21:15:14 +0200 (CEST)
    Received: from  190.101.9.135 (account <zimbra.user@myserver.com> HELO myserver.com)
    	by myserver.com (CommuniGate Pro SMTP 5.2.3)
    	with ESMTPA id 057001075 for <zimbra.user@myserver.com>; Thu, 7 Jun 2012 15:15:12 -0400
    Received: from pc-135-9-101-190.cm.vtr.net (pc-135-9-101-190.cm.vtr.net [190.101.9.135])
    	by zimbra.myserver.com (Postfix) with ESMTP id EECB020C05B
    	for <zimbra.user@myserver.com>; Thu,  7 Jun 2012 21:15:11 +0200 (CEST)
    Received: from zimbra.myserver.com (LHLO zimbra.myserver.com)
     (195.246.15.126) by zimbra.myserver.com with LMTP; Thu, 7 Jun 2012
     21:15:14 +0200 (CEST)
    Return-Path: <amalgamated7271@cbthomebank.com>
    From: <zimbra.user@myserver.com>
    To: <zimbra.user@myserver.com>
    Subject: financial consulting company
    Date: Thu, 7 Jun 2012 21:15:12 +0200
    Message-ID: <3443995173.3YKNNAKZ359305@mpumeibsuzbmahi.qtvcitlvx.su>
    MIME-Version: 1.0
    Content-Type: text/plain;
    	charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    X-Mailer: Microsoft Outlook 14.0
    Thread-Index: AQGxr/blfB92PSYukkqXp70G47KInA==

  4. #4
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5


    One more thing: also SPF is strict with -all at the end.
    I don't understand how Zimbra let it pass thru...
    Zimbra on SGH dedicated hosting farm, Slovenia.
    In 2013 we announce new program of low cost SSL server certificates.
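
Added example (not part of the original posts): SPF is evaluated against the envelope sender (the MAIL FROM address, recorded in Return-Path) and the HELO name, not against the From: header the user sees. Run over a subset of the headers from post #3, this sketch shows that the SPF record consulted is the one for cbthomebank.com, so the -all policy on myserver.com is never tested; the function names are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers posted in #3 (already anonymised by the poster).
RAW = """\
Received: from localhost (localhost [127.0.0.1])
 by zimbra.myserver.com (Postfix) with ESMTP id 4730320C060
 for <zimbra.user@myserver.com>; Thu,  7 Jun 2012 21:15:14 +0200 (CEST)
Received: from pc-135-9-101-190.cm.vtr.net (pc-135-9-101-190.cm.vtr.net [190.101.9.135])
 by zimbra.myserver.com (Postfix) with ESMTP id EECB020C05B
 for <zimbra.user@myserver.com>; Thu,  7 Jun 2012 21:15:11 +0200 (CEST)
Return-Path: <amalgamated7271@cbthomebank.com>
From: <zimbra.user@myserver.com>
To: <zimbra.user@myserver.com>
Subject: financial consulting company

"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def first_public_client(msg):
    """First bracketed peer IP in the Received chain that is not loopback/private."""
    for received in msg.get_all("Received", []):
        for candidate in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looked like an IP but is not one
            if not (ip.is_loopback or ip.is_private):
                return str(ip)
    return None

def analyse(raw, local_domain):
    """Compare the identity SPF evaluates with the identity the user sees."""
    msg = message_from_string(raw)
    header_from = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    return {
        "header_from_domain": header_from,   # shown in the mail client
        "spf_checked_domain": envelope,      # MAIL FROM domain, what SPF looks up
        "client_ip": first_public_client(msg),
        "local_from_spoofed": header_from == local_domain and envelope != local_domain,
    }

if __name__ == "__main__":
    for key, value in analyse(RAW, "myserver.com").items():
        print(f"{key}: {value}")
```

A message flagged `local_from_spoofed` can pass SPF whenever the envelope domain's own record permits the connecting IP or publishes no record at all.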

  5. #5
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5


    One thing leads to another - how could I overlook SPF Check, which is NOT enabled by default in Zimbra install?

    We can enable checking the INCOMING mail for valid SPF records via Amavis, SpamAssassin, or Postfix. This is also the recommended order to apply SPF check (one of them, not all). Let's see how to...

    ...Enable SPF Check using Amavis:

    If this returns ERROR:
    Code:
    su - zimbra
    perl -e 'require Mail::SPF::Query'
    you must install the needed Perl module. In my case on Ubuntu 8.04LTS it is libmail-spf-query-perl, but it might be some other SPF module on another system:
    Code:
    sudo su root
    apt-get install libmail-spf-query-perl
    Then you need to add SCORING to the SpamAssassin config files. You can use the vim editor to add the following scoring:
    score SPF_FAIL 10.000
    score SPF_HELO_FAIL 10.000
    ...to both config files (one is the current config, and the other is the bootup config):
    Code:
    sudo su zimbra
    vim /opt/zimbra/conf/salocal.cf
    vim /opt/zimbra/conf/salocal.cf.in
    Finally, restart Amavis service:
    Code:
    sudo su zimbra
    zmamavisdctl restart
    Now SPF Check is implemented on all incoming messages.
    WARNING: be sure that all domains on Zimbra have properly configured SPF!!!

  6. #6
    Labsy is offline Elite Member
    Join Date
    Nov 2009
    Location
    Ljubljana, Slovenia
    Posts
    268
    Rep Power
    5


    Unfortunately, I had to remove the above settings, because they generated a lot of FALSE POSITIVES.
    Many regular e-mails, which had different FROM and TO, and where the sending mail server had SPF properly set, and the mail was sent PROPERLY, were placed into the Junk folder, marked as possible spam. When I looked at those mails' headers, I found the SPF_FAIL score to be 10, which was incorrect.
    Seems like a bug in the SPF module.
