
Thread: Backscatter NDR spam messages received with clear original spam message attachment

  1. #1
    arnisraido (Intermediate Member; Riga; joined Dec 2010)

    Backscatter NDR spam messages received with clear original spam message attachment

    I am running ZCS version: Release 8.0.1.GA.5438.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    Last week I started to receive a lot of NDRs (~1 per minute) from different XYZ servers. The original message always comes from one ZZZ spamming host, but of course I cannot control it.

    Almost all messages have the "original" spam message attached, often already marked as SPAM by the receiving XYZ server. But Zimbra antispam does not check/mark them as spam!

    I know there is little one can do to fight backscatter spam, but I need to at least understand why Zimbra does or does not check the attachments, and why it cannot mark them as spam.

    A few examples are attached:
    message2.txt
    message1.txt
    message1.txt
    Release 8.0.1.GA.5438.UBUNTU12.64 UBUNTU12_64 FOSS edition.

  2. #2
    arnisraido

    Anyone? Can someone give an advice?

  3. #3
    phoenix (Zimbra Consultant & Moderator; Vannes, France; joined Sep 2005)

    What have you tried to actually combat NDR spam? There are several things you can do: check the wiki article on improving the anti-spam system and implement cbpolicyd to reject SPF failures (for example), and there are several threads in the forums on the subject. Have you read them?
    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    arnisraido

    The problem is: server A sends mail with a forged "From" of our address to server B, server B bounces an NDR back to the "From" address, and the NDR arrives at our server C.

    I have
    • added SPF to our domain
    • upgraded ClamAV to the latest version (manually!)
    • enabled cbpolicyd
    • contacted the ISP who hosts the "spamming" server A, but they have done nothing except contact the server owner.

    Maybe I have an incorrect configuration somewhere, but this problem hits only one e-mail account. Nothing seems to help much.
    If the receiving server B does not check SPF, then it's helpless, right?
    And I think cbpolicyd will not help much if server B has a correct host/IP, right?

    1) Why does antispam not check an attachment, or give it a low hit value, even if it's complete spam?
    2) How can I check the original message's source server with antispam in any way? (There is only one original source server that is sending this spam.)
    3) I have enabled cbpolicyd; the log files look like:
    Code:
    [2013/09/17-12:44:25 - 27677] [CORE] INFO: Killing "1" children
    [2013/09/17-12:44:44 - 4542] [CBPOLICYD] INFO: Got request #35 (pipelined)
    [2013/09/17-12:45:31 - 30045] [CBPOLICYD] INFO: Got request #6 (pipelined)
    [2013/09/17-12:45:35 - 11592] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:38211, Local: 127.0.0.1:10031
    [2013/09/17-12:45:35 - 27677] [CORE] INFO: Killing "1" children
    [2013/09/17-12:45:38 - 4542] [CBPOLICYD] INFO: Got request #36 (pipelined)
    [2013/09/17-12:45:40 - 4542] [CBPOLICYD] INFO: Got request #37 (pipelined)
    [2013/09/17-12:45:41 - 30045] [CBPOLICYD] INFO: Got request #7 (pipelined)
    Last edited by arnisraido; 09-17-2013 at 02:59 AM.

  5. #5
    phoenix

    Quote Originally Posted by arnisraido:
    The problem is: server A sends mail with a forged "From" of our address to server B, server B bounces an NDR back to the "From" address, and the NDR arrives at our server C.
    I do actually understand what NDR spam is.

    Quote Originally Posted by arnisraido:
    I have
    • added SPF to our domain
    • upgraded ClamAV to the latest version (manually!)
    • enabled cbpolicyd
    • contacted the ISP who hosts the "spamming" server A, but they have done nothing except contact the server owner.
    Yes, but have you actually configured cbpolicyd to reject SPF failures? One of the headers you posted had that problem even though it came from Google.

    I asked if you'd read any of the other threads or wiki articles on this topic, have you? There's also details on the Postfix site about NDR Spam, have you read that?

    BTW, you really should move from your installed version of ZCS: it has the possibility of corruption in the LDAP DB. I expect 8.0.5 to be out shortly and I'd suggest you wait for that, as it also has changes to the anti-spam system that may help your problem. Meanwhile, make sure you have adequate backups of your ZCS installation.
    Regards
    Bill
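    The following is an added example, not code from the thread, from Zimbra or from Postfix. It addresses question 2 in post #4 (which server actually injected the original) and the Postfix backscatter write-up post #5 points to, by applying the same kind of check to an NDR after the fact: parse the multipart/report bounce, pull out the attached original, and require that the topmost Received: header of that original (the one the bouncing MTA wrote when it accepted the mail) names one of our own MTA IPs, and that its Message-ID is from our own domain. The domain example.net, the MTA IP 198.51.100.10, the host zzz-spam.invalid and both sample bounces are constructed placeholders, not the poster's message1.txt/message2.txt.

```python
"""Classify a bounce (NDR) as genuine or backscatter.  Added example for this
thread, not code from Zimbra, Postfix or the poster; example.net, the MTA IP
198.51.100.10 and both sample bounces below are constructed placeholders."""
import email
import re
from email import policy

OUR_MTA_IPS = {"198.51.100.10"}                          # assumed: IPs we really send from
OUR_MSGID_DOMAINS = {"example.net", "mail.example.net"}  # assumed: domains in our Message-IDs

# "from <helo> (<rdns> [<ip>])" as written by the MTA that accepted the message
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[]+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]", re.I)
MSGID_DOMAIN_RE = re.compile(r"@([^>\s]+)>?\s*$")

def extract_original(ndr):
    """Original message attached to the NDR (message/rfc822, or headers only
    as text/rfc822-headers, which suffices for these checks), else None."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()
            return payload[0] if isinstance(payload, list) and payload else None
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def border_hop(original):
    """(helo, ip) from the topmost Received: of the attached original.  The bouncing
    MTA wrote that header when it accepted the message, so its client IP is whoever
    really sent it; Received: lines further down came from the sender, trust none."""
    received = original.get_all("Received") or []
    m = RECEIVED_RE.search(str(received[0])) if received else None
    return (m.group("helo"), m.group("ip")) if m else None

def classify_ndr(raw: str) -> dict:
    """Verdict plus reasons, the injecting host, and whether the remote side had
    already flagged the attached original as spam."""
    ndr = email.message_from_string(raw, policy=policy.default)
    result = {"verdict": "genuine", "reasons": [], "origin": None,
              "original_flagged_spam": False}
    original = extract_original(ndr)
    if original is None:
        result["verdict"] = "unknown"
        result["reasons"].append("no original message attached")
        return result
    # 1. A bounce for mail we sent carries a Message-ID from our own domain.
    msgid = str(original.get("Message-ID", ""))
    m = MSGID_DOMAIN_RE.search(msgid)
    if not m or m.group(1).lower() not in OUR_MSGID_DOMAINS:
        result["verdict"] = "backscatter"
        result["reasons"].append(f"Message-ID not ours: {msgid or '(missing)'}")
    # 2. The bouncing MTA must have received the message from one of our IPs.
    hop = border_hop(original)
    result["origin"] = hop
    if hop is None:
        result["verdict"] = "backscatter"
        result["reasons"].append("no parseable Received: header in original")
    elif hop[1] not in OUR_MTA_IPS:
        result["verdict"] = "backscatter"
        result["reasons"].append(f"original was injected by {hop[0]} [{hop[1]}]")
    # 3. The receiving side's own spam verdict rides along in the attachment.
    result["original_flagged_spam"] = str(original.get("X-Spam-Flag", "")).strip().upper() == "YES"
    return result

def _ndr(original_received, msgid, spam_flag):
    # Constructed multipart/report bounce wrapped around one original message.
    return f"""\
From: Mail Delivery System <MAILER-DAEMON@example.org>
To: victim@example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

Received: {original_received}
From: victim@example.net
Message-ID: {msgid}
X-Spam-Flag: {spam_flag}

Buy now.
--b1--
"""

# Constructed: a spam host hands mx.example.org mail forged from victim@example.net,
# and mx.example.org bounces it to us (the situation in this thread).
NDR_BACKSCATTER = _ndr(
    "from zzz-spam.invalid (unknown [203.0.113.77]) by mx.example.org with ESMTP id 2ABC",
    "<20130917.1@zzz-spam.invalid>", "YES")
# Constructed: a real bounce for mail our own MTA sent to a non-existent mailbox.
NDR_GENUINE = _ndr(
    "from mail.example.net (mail.example.net [198.51.100.10]) by mx.example.org with ESMTP id 3DEF",
    "<20130917.2@mail.example.net>", "NO")
```

    Running classify_ndr over a saved bounce such as the posted message1.txt gives the injecting host and IP in "origin" (the answer to question 2) and a verdict. The IP check is the one to rely on: the Message-ID and any lower Received: lines are written by the sender and can be forged to look like ours, whereas the topmost Received: of the attached original was written by the bouncing MTA itself. Both rules only work on bounces that actually attach the original; an NDR that carries no message/rfc822 or text/rfc822-headers part comes back as "unknown" rather than being guessed at.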
