Zimbra :: Forums > Zimbra Collaboration Suite > Installation
#1  04-25-2008, 02:31 AM  Junior Member, Posts: 8
[SOLVED] Mail addresses get spoofed

Hi everybody!

I am pretty new to Zimbra and have a strange problem. We are running Zimbra 5.0.4 on a Suse ES 10.1 server in our company, and for a few days we have been receiving mails like this one:

Code:
Received: from zimbra.mailserver.com (LHLO zimbra.mailserver.com )
 (196.*.*.*) by zimbra.mailserver.com with LMTP; Thu, 24 Apr 2008 06:46:43
 +0200 (SAST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by zimbra.mailserver.com  (Postfix) with ESMTP id B155D9B0A8A
	for info@company.co.za; Thu, 24 Apr 2008 06:46:43 +0200 (SAST)
X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: NO
X-Spam-Score: -0.642
X-Spam-Level: 
X-Spam-Status: No, score=-0.642 tagged_above=-10 required=4
	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
	URIBL_BLACK=1.955]
Received: from zimbra.mailserver.com ([127.0.0.1])
	by localhost (zimbra.mailserver.com  [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 13rpIb38YlIB for info@company.co.za;
	Thu, 24 Apr 2008 06:46:42 +0200 (SAST)
Received: from PulseOld.CyberPulse.ru (mail3.cyberpulse.ru [194.67.144.42])
	by zimbra.mailserver.com (Postfix) with ESMTP id EDE169B0AC2
	for info@company.co.za; Thu, 24 Apr 2008 06:46:40 +0200 (SAST)
Received: from localhost (localhost)
	by PulseOld.CyberPulse.ru (8.12.9/8.12.9) id m3O4N3vf027424;
	Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
	(envelope-from MAILER-DAEMON)
Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
From: Mail Delivery Subsystem MAILER-DAEMON@PulseOld.CyberPulse.ru
Message-Id: 200804240442.m3O4N3vf027424@PulseOld.CyberPulse.ru
To: info@company.co.za
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru

The original message was received at Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
from 121.148.57.59.board.xm.fj.dynamic.163data.com.cn [59.57.148.121] (may be forged)

   ----- The following addresses had permanent fatal errors -----
eam@jamstation.ru

   ----- Transcript of session follows -----
eam@jamstation.ru... Deferred
Message could not be delivered for 2 days
Message will be deleted from queue

--m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru
Content-Type: message/delivery-status

Reporting-MTA: dns; PulseOld.CyberPulse.ru
Arrival-Date: Tue, 22 Apr 2008 08:21:12 +0400 (MSD)

Final-Recipient: RFC822; eam@jam-station.ru
Action: failed
Status: 4.4.7
Last-Attempt-Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)

--m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru
Content-Type: message/rfc822

Return-Path: info@company.co.za
Received: from 121.148.57.59.board.xm.fj.dynamic.163data.com.cn (121.148.57.59.board.xm.fj.dynamic.163data.com.cn [59.57.148.121] (may be forged))
	by PulseOld.CyberPulse.ru (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
	for eam@jamstation.ru; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
	(envelope-from info@company.co.za)
Message-ID: <000501c8a430$04238eaa$d54c7b99@tkpewh>
From: info@company.co.za
To: eam@jamstation.ru
Subject: =?koi8-r?B?7sEg68nQ0iDOwSDLwc7Jy9XM2Q==?=
Date: Tue, 22 Apr 2008 02:36:46 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0002_01C8A430.042258FC"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

To me it looks like someone spoofs our client's mail address (info@company.co.za) and sends something to eam@jamstation.ru, which obviously doesn't exist. That's why our client gets a reply from MAILER-DAEMON@PulseOld.CyberPulse.ru saying that the mail could not be delivered.

In this case just one client receives such a reply, but most of the time some of our distribution lists get spoofed and a lot of our people in the company get such replies. And most of the time this happens nearly twice a minute, so we really receive a lot of them.

Our idea to prevent this was to set up a Sender Policy Framework. Therefore we added a TXT record to our nameserver and entered "v=spf1 +a zimbra.mailserver.com -all", but it didn't work either.

At this point we are completely stuck and don't really know what else we could do. It would be great if one of you had an idea how we can fix that. Thanks very much.

Cheers,
Stefan
#2  04-25-2008, 06:31 AM  pwd, Intermediate Member, Posts: 22
There is not much you can do

We get some of the same thing here (it is in fact not a Zimbra issue, it is a general mail and spam issue).

I have to answer questions from my users every so often about something like this.

SPF won't fix the problem, as many sites don't bother to use SPF on their inbound mail (we don't; we use can-it to keep the spam to a manageable level).
#3  04-25-2008, 08:10 AM  phoenix, Zimbra Consultant & Moderator, Posts: 20,316

It's commonly known as backscatter spam. Someone sends an email to a mail server with a forged header of the intended target (you), and when the mail finally gets bounced as undeliverable it gets returned to the original sender (the spoofed header address, i.e. you).

There was a thread recently that has some tips for catching backscatter spam with spamassassin, search the forums for the thread.
__________________
Regards
Bill
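A check in the spirit of the SpamAssassin tip above, added here as an example (it is not from the thread or from Zimbra): it opens a bounce, pulls out the attached original and flags it as backscatter when the original claims our domain but its Received trace never passes through one of our own MTAs. That is also why SPF did not help in the first post: the remote relay would have had to check SPF before accepting the forged message, and the bounce it sends afterwards arrives with an empty envelope sender. The sample DSN, its hostnames and ids, and the our_domain / our_mtas parameters are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed DSN in the shape of the bounce quoted above; every hostname and id is made up.
# {trace} receives the Received: headers of the embedded original message.
DSN = """\
Return-Path: <>
From: MAILER-DAEMON@relay.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: message/rfc822

Return-Path: <info@victim.example>
{trace}
From: info@victim.example

body
--BND--
"""
# Forged original: some random host handed it straight to the remote relay, never to us.
FORGED = ("Received: from pc.isp.example (pc.isp.example [203.0.113.9] (may be forged))\n"
          "\tby relay.example.net (8.12.9/8.12.9) with ESMTP id AAA111 for <eam@dead.example>")
# Genuine original: our own MTA (zimbra.example.com) shows up as a "by" host in the trace.
GENUINE = ("Received: from zimbra.example.com (zimbra.example.com [198.51.100.5])\n"
           "\tby relay.example.net (8.12.9/8.12.9) with ESMTP id BBB222 for <eam@dead.example>\n"
           "Received: from ws12 (ws12.victim.example [192.0.2.12])\n"
           "\tby zimbra.example.com (Postfix) with ESMTP id CCC333 for <eam@dead.example>")

def is_backscatter(raw, our_domain, our_mtas):
    # True if the bounced original claims our domain but never passed through one of our MTAs.
    msg = message_from_string(raw, policy=policy.default)
    original = next((p.get_payload(0) for p in msg.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    if original is None:
        return False  # no copy of the original attached: nothing to judge, leave it to the filter
    sender = parseaddr(str(original.get("Return-Path") or original.get("From", "")))[1]
    if not sender.lower().endswith("@" + our_domain):
        return False  # the bounce concerns somebody else's mail
    # Mail we really sent carries a "by <one of our MTAs>" hop in the original's Received trace.
    for hop in original.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", str(hop))
        if m and m.group(1).lower() in our_mtas:
            return False  # genuine bounce of our own outbound mail
    return True  # our address was forged by a third party: backscatter

if __name__ == "__main__":
    for name, trace in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, is_backscatter(DSN.format(trace=trace), "victim.example", {"zimbra.example.com"}))
```

In a real deployment the list of our_mtas must contain every host that relays outbound mail for the domain, or legitimate bounces of your own users' mail will be flagged too.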
#4  04-25-2008, 08:21 AM  Junior Member, Posts: 8

Quote:
Originally Posted by phoenix
There was a thread recently that has some tips for catching backscatter spam with spamassassin, search the forums for the thread.
Thank you! I found the thread and will give it a try.

Cheers,
Stefan