
Thread: Spoofed Mail Not Being Spam Checked

  1. #1
    thunder04 (Special Member)

    We've started to receive some targeted phishing messages, and most recently they have been spoofing email accounts that are "@ourdomain.com". This is causing these messages to NOT be spam checked. We are running Zimbra 8.0.2.

    I thought I configured amavisd to not spam check mail that was sent from the receiving MTA, but it seems that this is not the case. It looks like if the message contains a from address @ourdomain (spoofed or real), regardless of the sending MTA, it is not spam checked.

    How do I resolve this? Is there a way to have my cake and eat it too? Any help would be MUCH appreciated.
    Last edited by thunder04; 02-01-2013 at 12:32 PM.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    You're going to have to post the headers from one of these messages so someone can check it and see what the problem is.
    Regards


    Bill

  3. #3
    thunder04 (Special Member)

    Here are the headers:

    Code:
    Return-Path: webmail@mpcsd.org
    Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)
     by cottontail.mpcsd.org with LMTP; Fri, 1 Feb 2013 10:04:28 -0800 (PST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id 479D31300611;
    	Fri,  1 Feb 2013 10:04:28 -0800 (PST)
    X-Virus-Scanned: amavisd-new at mpcsd.org
    Received: from cottontail.mpcsd.org ([127.0.0.1])
    	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id AdD-2MEju-ip; Fri,  1 Feb 2013 10:04:26 -0800 (PST)
    Received: from services-01.ionline.co.za (smtprelay-01.ionline.co.za [41.181.89.137])
    	by cottontail.mpcsd.org (Postfix) with ESMTPS id 3804213001A6;
    	Fri,  1 Feb 2013 10:04:25 -0800 (PST)
    Received: from mx01.ionline.co.za ([41.181.89.138] helo=webmail.ionline.co.za)
    	by services-01.ionline.co.za with esmtp (Exim 4.71)
    	(envelope-from <webmail@mpcsd.org>)
    	id 1U1Kzn-000333-3Q; Fri, 01 Feb 2013 20:05:51 +0200
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="=_a72296471320d3f362d6e455f571a6d6"
    Date: Fri, 01 Feb 2013 18:55:10 +0100
    From: Menlo Park City School District <webmail@mpcsd.org>
    To: undisclosed-recipients:;
    Subject: Confirm Email Update
    Reply-To: <help-desks@ml.lt>
    Mail-Reply-To: <help-desks@ml.lt>
    Message-ID: <8dfc11f8c68f105f07b53029e54b1365@ionline.co.za>
    X-Sender: webmail@mpcsd.org
    User-Agent: Roundcube Webmail/0.7.2

    As you can see, it was not passed through any spam checks.

  4. #4
    thunder04 (Special Member)

    Here are the headers of another spoofed message not spam checked:

    Code:
    Return-Path: fearfullerj70@gmail.com
    Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)
     by cottontail.mpcsd.org with LMTP; Wed, 20 Feb 2013 16:46:29 -0800 (PST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id AEF7613001D9
    	for <lipsum@mpcsd.org>; Wed, 20 Feb 2013 16:46:29 -0800 (PST)
    X-Virus-Scanned: amavisd-new at mpcsd.org
    Received: from cottontail.mpcsd.org ([127.0.0.1])
    	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id Rc9Pt06vzRTA for <lipsum@mpcsd.org>;
    	Wed, 20 Feb 2013 16:46:24 -0800 (PST)
    Received: from [149.61.112.84] (unknown [149.61.112.84])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id C02CE13001E3
    	for <lipsum@mpcsd.org>; Wed, 20 Feb 2013 16:46:23 -0800 (PST)
    Received: from 149.61.112.84(helo=mpcsd.org)
    	by mpcsd.org with esmtpa (Exim 4.69)
    	(envelope-from )
    	id 1MMXXZ-1909ba-LP
    	for <lipsum@mpcsd.org>; Wed, 20 Feb 2013 14:46:14 -0500
    From: <lipsum@mpcsd.org>
    To: <lipsum@mpcsd.org>
    Subject: elevate yourself
    Date: Wed, 20 Feb 2013 14:46:14 -0500
    MIME-Version: 1.0
    Content-Type: text/plain;
    	charset="windows-1250"
    Content-Transfer-Encoding: 7bit
    X-Mailer: tvbjpjqmfz.39
    Message-ID: <7995647300.8YM8GFMS503777@xecoeuhcijeryow.wfxyppg.com>
    
    How does making $70 EVERY 60 Seconds
    sound to you?
    
    To thousnds before you, it's a reality
    as seen on CNN, NBC, Fox, and USA Today
    
    I've reserved a special Access Link For You:
    http://archemakersmone.com/
    
    But you only have 4.5 hours to access it
    
    I'll see you on the other side.
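
A triage check for the pattern shown in the headers of posts #3 and #4, as an added example that is not part of the original thread: it flags a message whose From domain is local, whose newest non-loopback, non-private Received hop is an outside IP, and which carries no X-Spam-* headers. Treating missing X-Spam-* headers as "scan skipped" follows the poster's reading and is an assumption about this amavisd setup; the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Trimmed copy of the headers posted in #3 of this thread.
SAMPLE = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby cottontail.mpcsd.org (Postfix) with ESMTP id 479D31300611;
X-Virus-Scanned: amavisd-new at mpcsd.org
Received: from cottontail.mpcsd.org ([127.0.0.1])
\tby localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id AdD-2MEju-ip; Fri,  1 Feb 2013 10:04:26 -0800 (PST)
Received: from services-01.ionline.co.za (smtprelay-01.ionline.co.za [41.181.89.137])
\tby cottontail.mpcsd.org (Postfix) with ESMTPS id 3804213001A6;
\tFri,  1 Feb 2013 10:04:25 -0800 (PST)
From: Menlo Park City School District <webmail@mpcsd.org>
Subject: Confirm Email Update
"""

def first_external_hop(msg):
    """Source IP of the newest Received hop that came from outside, or None."""
    for value in msg.get_all("Received", []):
        # Only the "from ..." clause names the sending side of the hop.
        from_part = re.split(r"\s+by\s+", value, maxsplit=1)[0]
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed literal such as [999.1.1.1]
        if not (ip.is_loopback or ip.is_private):
            return str(ip)
    return None

def triage(raw, local_domain):
    """Summarise the three signals; unscanned_spoof is True when all line up."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spam_headers = sorted(k for k in msg.keys() if k.lower().startswith("x-spam-"))
    ext = first_external_hop(msg)
    return {
        "from_domain": from_domain,
        "external_ip": ext,
        "spam_headers": spam_headers,
        "unscanned_spoof": from_domain == local_domain.lower()
                           and ext is not None and not spam_headers,
    }
```

Mail a real user sends through an outside service can match the same three signals, so a hit is a reason to inspect the message, not a verdict.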
