
Thread: SPAM getting through check_recipient_access after upgrading 5.0.7->5.0.13

  1. #1

    Zimbra has rejected tons of spam whose To: email address is in the blacklist 100% of the time, but after upgrading from 5.0.7 to 5.0.13, *some* spam mails to those specified non-existent addresses are getting through daily.

    I've set up postfix to block spam to specific addresses, because I have a catchall account and 99% of spam is sent to the same ~60 non-existent addresses. This was working without fail until after the upgrade.

    The /var/log/zimbra.log shows the spam was rejected (my domain is replaced with "example.com"):
    Code:
    Apr 27 08:58:32 power postfix/smtpd[8938]: NOQUEUE: reject: RCPT from 9-89-223-201.adsl.terra.cl[201.223.89.9]: 554 5.7.1 <001930512.17852335868475@example.com>: Recipient address rejected: Access denied; from=<personagesz@perfectgarden.es> to=<001930512.17852335868475@example.com> proto=ESMTP helo=<DMNNSUNZ>
    But the spam is in my inbox.

    What can I do to find out why Zimbra is sometimes allowing REJECTED emails through?

  2. #2

    We would need to see the headers of such an email and the extract from zimbra.log. If it has been rejected at the MTA level then it will not hit your Inbox! Perhaps a second one came through with the same details.

  3. #3

    Thanks for the reply!

    Here are the headers from the spam that got through. I specifically reject emails sent to "001930512.17852335868475@example.com", note the leading "00":
    (note: replaced hostname with "zimbra.example.com", IP to 10.1.2.3, my domain with "example.com", and catchall to "catchall@example.com".)

    Code:
    Return-Path: personagesz@perfectgarden.es
    Received: from zimbra.example.com (LHLO zimbra.example.com) (10.1.2.3)
     by zimbra.example.com with LMTP; Mon, 27 Apr 2009 08:58:38 +0900 (JST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by zimbra.example.com (Postfix) with ESMTP id C9F08118000F
    	for <catchall@example.com>; Mon, 27 Apr 2009 08:58:38 +0900 (JST)
    X-Virus-Scanned: amavisd-new at zimbra.example.com
    X-Spam-Flag: NO
    X-Spam-Score: 4.517
    X-Spam-Level: ****
    X-Spam-Status: No, score=4.517 tagged_above=-10 required=6.6
    	tests=[BAYES_50=0.001, DYN_RDNS_AND_INLINE_IMAGE=0.001,
    	DYN_RDNS_SHORT_HELO_HTML=0.499, DYN_RDNS_SHORT_HELO_IMAGE=0.001,
    	HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877,
    	RDNS_DYNAMIC=0.1, SHORT_HELO_AND_INLINE_IMAGE=0.781,
    	TVD_RCVD_SINGLE=1.351]
    Received: from zimbra.example.com ([127.0.0.1])
    	by localhost (zimbra.example.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id fVLfb8IZV1f1 for <catchall@example.com>;
    	Mon, 27 Apr 2009 08:58:34 +0900 (JST)
    Received: from DMNNSUNZ (9-89-223-201.adsl.terra.cl [201.223.89.9])
    	by zimbra.example.com (Postfix) with ESMTP id 638AA1170010
    	for <01930512.17852335868475@example.com>; Mon, 27 Apr 2009 08:58:32 +0900 (JST)
    Received: from 201.223.89.9 by mx01.dns-servicios.com; Sun, 26 Apr 2009 19:58:09 -0400
    Message-ID: <000d01c9c6ca$d968fe80$6400a8c0@personagesz>
    From: "Lolita Isaac" <personagesz@perfectgarden.es>
    To: <001930512.17852335868475@example.com>
    Subject: boost your sweet night event
    Date: Sun, 26 Apr 2009 19:58:09 -0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="----=_NextPart_000_0075_01C9C6CA.D968FE80"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Mail 6.0.6001.18000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_0075_01C9C6CA.D968FE80
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_001_0076_01C9C6CA.D968FE80"
    
    ------=_NextPart_001_0076_01C9C6CA.D968FE80
    Content-Type: text/plain;
    	charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    <...snipped out the spam body...>

    After examining those headers, I noticed that these 2 lines don't match!

    Code:
    	for <01930512.17852335868475@example.com>; Mon, 27 Apr 2009
    and
    Code:
    To: <001930512.17852335868475@example.com>
    The first one in the header is missing a leading "0"! I put in rejection for "001930512.17852335868475@example.com", not the first one "01930512.17852335868475@example.com".

    So I checked other spams that got through, and got the same result!
    I specifically rejected "alanrqh@example.com", but this spam got through:
    Code:
    Received: from cust-10-121.on5.ontelecoms.gr (unknown [79.107.67.137])
    	by zimbra.example.com (Postfix) with ESMTP id 37DF21170010
    	for <catchall@example.com>; Sun, 26 Apr 2009 21:31:32 +0900 (JST)
    Received: from 79.107.67.137 by mail5.frk.com; Sun, 26 Apr 2009 15:30:23 +0200
    ...
    To: <alanrqh@example.com>
    So I have 2 guesses at what might be happening:
    #1 Zimbra is somehow ignoring the To: field and looking at something else.

    #2 Wild guess: Is Zimbra (or Postfix) ignoring rejections because the email format in the "To:" field has angle brackets <>? All the spam that got through had the addresses in angle brackets:
    To: <alanrqh@example.com>
    To: <dimoj@example.com>
    To: <001930512.17852335868475@example.com>

    Spam without brackets gets rejected:
    To: alanrqh@example.com (gets rejected).
    To: dimoj@example.com (gets rejected).
    etc.

  4. #4

    How about regex'ing the pattern so it would match with or without angle brackets ?

  5. #5

    How do you regex the pattern? I only know how to do hash.

  6. #6

    You should only need to change from hash: to regexp: and then in the file use the same syntax of <what to match> REJECT.
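A point worth checking before switching table types: check_recipient_access is applied to the envelope recipient from the SMTP RCPT TO command, which is the address Postfix records in the "for <...>" clause of the Received: line its smtpd writes, not to the To: header. In both messages quoted in post #3 those two addresses differ (01930512... versus 001930512..., and catchall@ versus alanrqh@), so the access table never saw the address that was in the table, regardless of angle brackets. The script below is an added example, not code from the thread, Zimbra or Postfix: it unfolds a message's headers, recovers that envelope recipient, compares it with the To: header, and runs both through a constructed access table using the hash: lookup order and the regexp: form post #6 describes. The sample headers are trimmed from the messages quoted in post #3 (already anonymised there), the block list mirrors the addresses named in the thread, the hostname zimbra.example.com is the anonymised one from the post, and the 0* in the regexp pattern is an assumption about how one might cover the dropped leading zero.

```python
import re

# Constructed sample headers, trimmed from the two messages quoted in post #3
# (hostnames and domains are the anonymised ones used there, not live data).
SAMPLE_1 = (
    "Received: from localhost (localhost.localdomain [127.0.0.1])\n"
    "\tby zimbra.example.com (Postfix) with ESMTP id C9F08118000F\n"
    "\tfor <catchall@example.com>; Mon, 27 Apr 2009 08:58:38 +0900 (JST)\n"
    "Received: from DMNNSUNZ (9-89-223-201.adsl.terra.cl [201.223.89.9])\n"
    "\tby zimbra.example.com (Postfix) with ESMTP id 638AA1170010\n"
    "\tfor <01930512.17852335868475@example.com>; Mon, 27 Apr 2009 08:58:32 +0900 (JST)\n"
    'From: "Lolita Isaac" <personagesz@perfectgarden.es>\n'
    "To: <001930512.17852335868475@example.com>\n"
)
SAMPLE_2 = (
    "Received: from cust-10-121.on5.ontelecoms.gr (unknown [79.107.67.137])\n"
    "\tby zimbra.example.com (Postfix) with ESMTP id 37DF21170010\n"
    "\tfor <catchall@example.com>; Sun, 26 Apr 2009 21:31:32 +0900 (JST)\n"
    "To: <alanrqh@example.com>\n"
)
# The thread's block list as a hash: table and as the regexp: table post #6 suggests
# (both constructed; the 0* is an assumption about covering the dropped leading zero).
HASH_TABLE = """
001930512.17852335868475@example.com   REJECT
alanrqh@example.com                    REJECT
dimoj@example.com                      REJECT
"""
REGEXP_TABLE = r"""
/^0*1930512\.17852335868475@example\.com$/   REJECT
/^(alanrqh|dimoj)@example\.com$/             REJECT
"""
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>,;]+@[^\s<>,;]+)")
RX_KEY_RE = re.compile(r"^/(.*)/([A-Za-z]*)$")

def unfold_headers(raw):
    """[(name, value)] in message order, with RFC 5322 folded lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # end of header block
        if line[0] in " \t" and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def envelope_recipient(raw, mta_host="zimbra.example.com"):
    """RCPT TO address when mta_host accepted the message from outside: the oldest
    Received: written by 'mta_host (Postfix)' that is not the loopback re-injection
    after amavisd. Postfix writes 'for <addr>' only for single-recipient mail."""
    for name, value in reversed(unfold_headers(raw)):          # oldest first
        if name.lower() != "received" or f"by {mta_host} (Postfix)" not in value:
            continue
        if "127.0.0.1" in value.split(" by ", 1)[0]:            # content-filter hop
            continue
        match = FOR_RE.search(value)
        return match.group(1) if match else None
    return None

def header_address(raw, field="To"):
    """First address in FIELD, with or without angle brackets."""
    for name, value in unfold_headers(raw):
        match = ADDR_RE.search(value) if name.lower() == field.lower() else None
        if match:
            return (match.group(1) or match.group(2)).strip()
    return None

def parse_table(text):
    """access(5) rows as (key, action); blank and comment lines skipped."""
    rows = [line.strip().split(None, 1) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    return [(r[0], r[1].strip() if len(r) > 1 else "") for r in rows]

def hash_lookup(rows, address):
    """smtpd's key order for a recipient in a hash: table: user@domain, domain,
    user@ (parent-domain and +extension lookups omitted); keys are case-folded."""
    address = address.lower()
    user, _, domain = address.partition("@")
    table = {key.lower(): action for key, action in rows}
    return next((table[k] for k in (address, domain, user + "@") if k in table), None)

def regexp_lookup(rows, address):
    """regexp: table: first matching /pattern/ wins. Postfix matches unanchored and
    case-insensitively unless the I flag is given, hence the ^...$ in REGEXP_TABLE."""
    for key, action in rows:
        match = RX_KEY_RE.match(key)
        if match and re.search(match.group(1), address,
                               0 if "I" in match.group(2) else re.IGNORECASE):
            return action
    return None

def analyse(raw, rows, lookup=hash_lookup, mta_host="zimbra.example.com"):
    """What the access table saw (envelope) versus what the reader sees (To:)."""
    env, hdr = envelope_recipient(raw, mta_host), header_address(raw, "To")
    return {"envelope_rcpt": env, "header_to": hdr,
            "mismatch": (env or "").lower() != (hdr or "").lower(),
            "envelope_action": lookup(rows, env) if env else None,
            "header_action": lookup(rows, hdr) if hdr else None}
```

Run analyse() over a message saved from the catchall mailbox: when envelope_rcpt differs from header_to, the access table never saw the header address, and a regexp: table only helps if the envelope address itself matches one of the patterns (the 0* pattern catches the first sample, nothing catches a message whose RCPT TO was the catchall address itself). Matching on the To: header would need header_checks, which inspect content rather than the SMTP envelope.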
