Thread: Spam from spoofed local accounts

  1. #1
    Join Date
    Mar 2007
    Posts
    26
    Rep Power
    8

    Spam from spoofed local accounts

    In general, I'm pretty happy with Zimbra's default SPAM settings. However, I've got one curious issue that I wonder whether there's actually a solution for (assuming Zimbra itself doesn't use SPF, which we've configured on our DNS).

    Basically, I've noticed that although all SMTP connections are set to be authenticated, Zimbra will receive emails on port 25 for local accounts where the sender is also being spoofed as the intended recipient. So if my domain is 'puzzleduser.org' then Zimbra will receive unauthenticated SMTP connections (as I guess it must, to receive incoming emails) from 'me@puzzleduser.org' for 'me@puzzleduser.org'.

    Aside from implementing SPF using the info on the wiki here (Improving Anti-spam system - Zimbra :: Wiki), is there anything else I need to do?

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    I would certainly look at implementing Greylisting. You could also implement a SA rule to increase the score if the sender/recipient combination are the same and the IP is not that of your local ZCS server.

    Also, http://www.zimbra.com/forums/announc...r-profile.html please
    Last edited by uxbod; 05-14-2008 at 02:19 AM.
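
    The scoring rule suggested above, worked through as an added example (not from the thread or from Zimbra/SpamAssassin): bump the score only when sender and recipient are the same address in a domain we host and the connecting IP is outside our own mail servers. Domain, trusted network, score value and the sample messages are all constructed.

    ```python
    """Re-implementation of the 'same sender/recipient, foreign IP' idea as a
    scoring function. Constructed values throughout; not a real SA plugin."""
    import ipaddress
    import re
    from email import message_from_string
    from email.utils import parseaddr

    LOCAL_DOMAINS = {"puzzleduser.org"}                    # domains this server hosts
    TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: our own ZCS/relay range
    SELF_SPOOF_SCORE = 3.0                                 # hypothetical score increase

    # Client IP as Postfix writes it in a Received header: "(host [203.0.113.7])"
    RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


    def connecting_ip(msg):
        """IP from the topmost Received header, i.e. the host that handed the
        message to our MTA (our MTA adds its Received line at the top)."""
        for hdr in msg.get_all("Received") or []:
            m = RECEIVED_IP.search(hdr)
            if m:
                return ipaddress.ip_address(m.group(1))
        return None


    def is_trusted(ip):
        return ip is not None and any(ip in net for net in TRUSTED_NETS)


    def self_spoof_score(raw):
        """Return the extra score for a raw RFC 5322 message (0.0 if the rule does not fire)."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        if not sender or sender != rcpt:
            return 0.0                       # rule only targets self-addressed mail
        if sender.rpartition("@")[2] not in LOCAL_DOMAINS:
            return 0.0                       # not one of our own addresses
        if is_trusted(connecting_ip(msg)):
            return 0.0                       # genuine note-to-self via our own server
        return SELF_SPOOF_SCORE


    # Constructed samples: spoofed self-addressed mail from outside, and a
    # legitimate self-addressed mail handed over by our own server.
    SPOOFED = ("Received: from mx.example.net (unknown [203.0.113.7]) by zimbra.puzzleduser.org\n"
               "From: me@puzzleduser.org\nTo: me@puzzleduser.org\nSubject: hi\n\nbody\n")
    LEGIT = ("Received: from zimbra.puzzleduser.org (zimbra [192.0.2.10]) by zimbra.puzzleduser.org\n"
             "From: me@puzzleduser.org\nTo: me@puzzleduser.org\nSubject: note\n\nbody\n")
    ```

    In a real deployment the envelope sender (MAIL FROM) is the better field to compare, since spammers often leave the From header and envelope inconsistent.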

  3. #3
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9

    Authentication is used when a client tries to send mail through Zimbra to the outside world, but not when the outside world sends to a Zimbra user. The spoofed sender is just a ploy and doesn't mean that person is actually logging into (authenticating to) Zimbra. SMTP authentication is to stop relaying, but not necessarily receiving e-mail.

  4. #4
    Join Date
    Mar 2007
    Posts
    26
    Rep Power
    8

    Thanks for replying Bill. I'm fairly comfortable with SMTP AUTH and how it works. But would appreciate any feedback on my thoughts below.

    After some more thinking, I think the only way for me to avoid this issue is to obfuscate the Zimbra server, i.e. set up a separate SMTP relay which will be listed as the MX server for this domain, and then have it relay mail to our Zimbra server.

    This way, incoming emails should still get through, but spoofers trying to connect to our relay to send mail to the local accounts as the published MX server (the relay) will not have any local accounts which can be used by spoofers to connect.

  5. #5
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    What difference will that make, as they can still forge the sender/recipient combination?

  6. #6
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9

    Spoofers are not connecting to your local account as I was trying to explain earlier.

    The sender's e-mail address has no effect on this issue. In other words, the mail isn't being accepted based on the spoofed sender's address.
    Last edited by Bill Brock; 05-14-2008 at 01:33 PM.