
Thread: [SOLVED] Mail addresses get spoofed

  1. #1 stefan (Junior Member)

    [SOLVED] Mail addresses get spoofed

    Hi everybody!

    I am pretty new to Zimbra and have a strange problem. We are running Zimbra 5.0.4 on a Suse ES 10.1 server in our company and since a few days we receive mails like this one:

    Code:
    Received: from zimbra.mailserver.com (LHLO zimbra.mailserver.com )
     (196.*.*.*) by zimbra.mailserver.com with LMTP; Thu, 24 Apr 2008 06:46:43
     +0200 (SAST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by zimbra.mailserver.com  (Postfix) with ESMTP id B155D9B0A8A
    	for info@company.co.za; Thu, 24 Apr 2008 06:46:43 +0200 (SAST)
    X-Virus-Scanned: amavisd-new at 
    X-Spam-Flag: NO
    X-Spam-Score: -0.642
    X-Spam-Level: 
    X-Spam-Status: No, score=-0.642 tagged_above=-10 required=4
    	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
    	URIBL_BLACK=1.955]
    Received: from zimbra.mailserver.com ([127.0.0.1])
    	by localhost (zimbra.mailserver.com  [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id 13rpIb38YlIB for info@company.co.za;
    	Thu, 24 Apr 2008 06:46:42 +0200 (SAST)
    Received: from PulseOld.CyberPulse.ru (mail3.cyberpulse.ru [194.67.144.42])
    	by zimbra.mailserver.com (Postfix) with ESMTP id EDE169B0AC2
    	for info@company.co.za; Thu, 24 Apr 2008 06:46:40 +0200 (SAST)
    Received: from localhost (localhost)
    	by PulseOld.CyberPulse.ru (8.12.9/8.12.9) id m3O4N3vf027424;
    	Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
    	(envelope-from MAILER-DAEMON)
    Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
    From: Mail Delivery Subsystem MAILER-DAEMON@PulseOld.CyberPulse.ru
    Message-Id: 200804240442.m3O4N3vf027424@PulseOld.CyberPulse.ru
    To: info@company.co.za
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru"
    Subject: Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)
    
    This is a MIME-encapsulated message
    
    --m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru
    
    The original message was received at Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
    from 121.148.57.59.board.xm.fj.dynamic.163data.com.cn [59.57.148.121] (may be forged)
    
       ----- The following addresses had permanent fatal errors -----
    eam@jamstation.ru
    
       ----- Transcript of session follows -----
    eam@jamstation.ru... Deferred
    Message could not be delivered for 2 days
    Message will be deleted from queue
    
    --m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; PulseOld.CyberPulse.ru
    Arrival-Date: Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
    
    Final-Recipient: RFC822; eam@jam-station.ru
    Action: failed
    Status: 4.4.7
    Last-Attempt-Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
    
    --m3O4N3vf027424.1209012127/PulseOld.CyberPulse.ru
    Content-Type: message/rfc822
    
    Return-Path: info@company.co.za
    Received: from 121.148.57.59.board.xm.fj.dynamic.163data.com.cn (121.148.57.59.board.xm.fj.dynamic.163data.com.cn [59.57.148.121] (may be forged))
    	by PulseOld.CyberPulse.ru (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
    	for eam@jamstation.ru; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
    	(envelope-from info@company.co.za)
    Message-ID: <000501c8a430$04238eaa$d54c7b99@tkpewh>
    From: info@company.co.za
    To: eam@jamstation.ru
    Subject: =?koi8-r?B?7sEg68nQ0iDOwSDLwc7Jy9XM2Q==?=
    Date: Tue, 22 Apr 2008 02:36:46 +0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_000_0002_01C8A430.042258FC"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
    
    This is a multi-part message in MIME format.

    For me it looks like someone spoofs our client's mail address (info@company.co.za) and sends anything to eam@jamstation.ru, which obviously doesn't exist. That's why our client gets a reply from MAILER-DAEMON@PulseOld.CyberPulse.ru which tells that the mail could not be delivered.

    In this case, just one client receives such a reply, but most of the time some of our distribution lists get spoofed and a lot of our people in the company get such replies. And most of the time this happens nearly twice a minute, so we really receive a lot of them.

    Our idea to prevent this was to set up a Sender Policy Framework. Therefore, we added a TXT record to our nameserver and entered "v=spf1 +a zimbra.mailserver.com -all" but it didn't work either.

    At this point we are completely stuck and don't really know what else we could do. It would be great if someone of you has an idea how we can fix that. Thanks very much.

    Cheers,
    Stefan

  2. #2 pwd (Intermediate Member)

    There is not much you can do

    We get some of the same thing here (it is in fact not a Zimbra issue, it is a general mail and spam issue).

    I have to answer questions from my users every so often about something like this.

    SPF won't fix the problem as many sites don't bother to use SPF on their inbound mail (we don't, we use can-it to keep the spam to a manageable level).

  3. #3 phoenix (Zimbra Consultant & Moderator)


    It's commonly known as backscatter spam. Someone sends an email to a mail server with a forged header of the intended target (you) and when the mail finally gets bounced as undeliverable it gets returned to the original (spoofed header address i.e. you) sender.

    There was a thread recently that has some tips for catching backscatter spam with SpamAssassin; search the forums for the thread.

    Regards,
    Bill


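    A defender-side check for the backscatter pattern Bill describes, as an added example that is not from this thread or from Zimbra: parse an inbound DSN, take the first-hop IP from the oldest Received header of the bounced "original", and compare it with the hosts our SPF record authorizes to send our mail. OUR_MAIL_HOSTS (a 192.0.2.x placeholder), sender.example and the sample DSN are constructed; the DSN is modelled on the headers quoted in the first post.

```python
"""Classify inbound bounces: backscatter vs. a bounce of mail we really sent."""
import re
from email import message_from_string, policy

# Assumption: the addresses our SPF "+a zimbra.mailserver.com" resolves to,
# i.e. the only hosts that legitimately originate our mail (placeholder IP).
OUR_MAIL_HOSTS = {"192.0.2.10"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_dsn(msg):
    """True for a delivery-status report as Sendmail/Postfix generate them."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")

def origin_ip(original):
    """First-hop IP from the oldest (bottom-most) Received header of the
    bounced original; mail we really sent would show one of OUR_MAIL_HOSTS."""
    received = original.get_all("Received") or []
    m = IP_RE.search(received[-1]) if received else None
    return m.group(1) if m else None

def classify_bounce(raw):
    """'backscatter', 'genuine-bounce', 'unverifiable' or 'not-a-dsn'."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_dsn(msg):
        return "not-a-dsn"
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            ip = origin_ip(part.get_payload(0))
            return "genuine-bounce" if ip in OUR_MAIL_HOSTS else "backscatter"
    return "unverifiable"  # DSN with no original attached: nothing to check

def sample_dsn(first_hop_ip):
    """Constructed DSN modelled on the bounce quoted in the thread."""
    return f"""From: Mail Delivery Subsystem <MAILER-DAEMON@PulseOld.CyberPulse.ru>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Return-Path: info@company.co.za
Received: from sender.example (sender.example [{first_hop_ip}] (may be forged))
\tby PulseOld.CyberPulse.ru (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
\tfor eam@jamstation.ru; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
From: info@company.co.za

(spam body)
--b1--
"""
```

    A SpamAssassin or amavisd rule built on the same idea would score a DSN higher only when the returned original did not originate from one of our own hosts, which is what distinguishes backscatter from a bounce of mail that really was ours.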

  4. #4 stefan (Junior Member)


    Quote Originally Posted by phoenix:
    There was a thread recently that has some tips for catching backscatter spam with spamassassin, search the forums for the thread.

    Thank you! I found the thread and will give it a try.

    Cheers,
    Stefan
