
Thread: Receiving spam email from myself

  1. #1
     Join Date: Aug 2007 | Posts: 31

     Receiving spam email from myself

    Users have been reporting this to me for a long time, and I see it with my own eyes:
    I'm getting spam from myself. Other users have this issue too.
    It isn't a worm/spyware/virus or threats like that.

    Checking the logs I found:

    Jul 13 02:20:21 myserver postfix/smtpd[19853]: connect from unknown[219.64.128.217]
    Jul 13 02:20:22 myserver postfix/smtpd[20836]: warning: 122.172.11.67: hostname ABTS-KK-dynamic-067.11.172.122.airtelbroadband.in verification failed: Name or service not known
    Jul 13 02:20:22 myserver postfix/smtpd[20836]: connect from unknown[122.172.11.67]
    Jul 13 02:20:22 myserver postfix/smtpd[19853]: NOQUEUE: reject: RCPT from unknown[219.64.128.217]: 550 5.1.1 <me@mydomain.com>: Recipient address rejected: mydomain.com; from=<me@mydomain.com> to=<me@mydomain.com> proto=SMTP helo=<219.64.128.217.hyd.dialup.vsnl.net.in>
    Jul 13 02:20:23 myserver postfix/smtpd[19853]: lost connection after RCPT from unknown[219.64.128.217]
    Jul 13 02:20:23 myserver postfix/smtpd[19853]: disconnect from unknown[219.64.128.217]

    It looks like a dropped email, but I GOT IT in my mailbox. The other users too.
    The "219.64.128.217" isn't alone; I found a lot of connections from other addresses.

    I checked the forums, looking for open relay instructions, and that is not the case here.

    It looks like a bug or vulnerability in SpamAssassin, something like that.
    Does that sound right?

    Anyone having the same problem?
    How could I solve this case?


    Thanks for all,
    and sorry for my poor English.
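The log excerpt above already carries the signal a defender wants: a session from an Internet client whose envelope sender claims the server's own domain. The following is an added example (not part of the original post or of Zimbra/Postfix) that scans Postfix smtpd log lines for exactly that pattern. The domain `mydomain.com` and the trusted LAN ranges are assumptions; the sample log lines are constructed, with the first one taken from the post and the other two invented for contrast.

```python
"""Flag inbound Postfix smtpd sessions whose envelope sender claims our own
domain while the connecting client sits outside our trusted networks.
Added example; the domain and network ranges below are assumptions."""
import ipaddress
import re
from typing import Dict, List

OUR_DOMAIN = "mydomain.com"  # assumption: the anonymised domain in the thread
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]  # assumed LAN

# Constructed sample: line 1 is the post's own reject line, lines 2-3 are made up
# (a LAN client using the domain, and an external client using a foreign domain).
SAMPLE_LOG = """\
Jul 13 02:20:21 myserver postfix/smtpd[19853]: connect from unknown[219.64.128.217]
Jul 13 02:20:22 myserver postfix/smtpd[19853]: NOQUEUE: reject: RCPT from unknown[219.64.128.217]: 550 5.1.1 <me@mydomain.com>: Recipient address rejected: mydomain.com; from=<me@mydomain.com> to=<me@mydomain.com> proto=SMTP helo=<219.64.128.217.hyd.dialup.vsnl.net.in>
Jul 13 02:25:10 myserver postfix/smtpd[19900]: NOQUEUE: reject: RCPT from lanpc[192.168.1.20]: 450 4.1.1 <nobody@mydomain.com>: Recipient address rejected: User unknown; from=<boss@mydomain.com> to=<nobody@mydomain.com> proto=ESMTP helo=<lanpc>
Jul 13 02:30:44 myserver postfix/smtpd[19910]: NOQUEUE: reject: RCPT from unknown[122.172.11.67]: 554 5.7.1 Service unavailable; from=<friend@example.org> to=<me@mydomain.com> proto=SMTP helo=<example.org>
"""

# Only RCPT-stage lines carry client IP plus envelope sender and recipient.
RCPT_RE = re.compile(
    r"RCPT from (?P<host>\S+?)\[(?P<ip>[\d.]+)\]:.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
HELO_RE = re.compile(r"helo=<(?P<helo>[^>]*)>")


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def sender_domain(address: str) -> str:
    """Domain part of an envelope address, lower-cased ('' for the null sender)."""
    return address.rpartition("@")[2].lower()


def find_spoofed_sessions(log_text: str) -> List[Dict[str, str]]:
    """Return one record per RCPT line where an untrusted client used our domain."""
    hits = []
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue  # connect/disconnect/other lines carry no envelope data
        if sender_domain(m["sender"]) != OUR_DOMAIN or is_trusted(m["ip"]):
            continue
        h = HELO_RE.search(line)
        hits.append({
            "ip": m["ip"],
            "host": m["host"],
            "helo": h["helo"] if h else "",
            "sender": m["sender"],
            "rcpt": m["rcpt"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_sessions(SAMPLE_LOG):
        print(f"{hit['ip']:<16} helo={hit['helo']} from={hit['sender']} to={hit['rcpt']}")
```

Feeding the real mail log through this (for example `python3 flag.py < /var/log/zimbra.log` after switching `SAMPLE_LOG` for `sys.stdin.read()`) lists every external client that presented the server's own domain as sender, which is the population the later replies propose to block with SPF or a sender access map.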

  2. #2
     Join Date: Aug 2007 | Posts: 31

    UPDATE:
    telnet myserver 25
    from an external network:
    helo anydomain.com
    250 myserver.mydomain.com
    mail from:myself@mydomain.com
    250 2.1.0 Ok
    rcpt to:myself@mydomain.com
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    lalalala
    .
    250 2.0.0 Ok: queued as C2E74616001
    delivered.


    again from internet:
    Connected to mail.mydomain.com (xx.xx.xx.xx).
    Escape character is '^]'.
    220 myserver.mydomain.com ESMTP Postfix
    helo hotmail.com
    250 myserver.mydomain.com
    mail from:myself@mydomain.com
    250 2.1.0 Ok
    rcpt to:myself@mydomain.com
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Subject:nasty
    dam dam dam dam
    .
    250 2.0.0 Ok: queued as 52287616001

    Shouldn't SpamAssassin block things like that?
    Last edited by dougz; 07-29-2009 at 07:02 AM.

  3. #3
     Join Date: Jul 2007 | Location: Baltimore | Posts: 1,649

    This is why SPF records were invented. I'm not sure if Zimbra antispam uses them or not; I don't use Zimbra's antispam. Basically, in your DNS you set up records that say "email from domain.com only comes from these IP addresses".

    The test you did is the expected behavior. Until recently it wasn't uncommon for some of my users to be using their home ISP's SMTP server to send e-mail but with our domain. So if they were e-mailing someone here, it would appear that email from someone@domain.com was coming from external sources.

  4. #4
     Join Date: Aug 2007 | Posts: 31

    Quote Originally Posted by bdial:
        This is why SPF records were invented. I'm not sure if Zimbra antispam uses them or not; I don't use Zimbra's antispam. Basically, in your DNS you set up records that say "email from domain.com only comes from these IP addresses".

        The test you did is the expected behavior. Until recently it wasn't uncommon for some of my users to be using their home ISP's SMTP server to send e-mail but with our domain. So if they were e-mailing someone here, it would appear that email from someone@domain.com was coming from external sources.
    Thanks for the quick reply.

    Then, if I enable SPF to filter that behavior, can't all users send email from any remote location? Isn't authentication relevant to bypass the SPF filter?

    I'll read about SPF, thanks again.

    If anyone has more KB about this issue, please comment.
    Thanks.

  5. #5
     Join Date: Jul 2007 | Location: Baltimore | Posts: 1,649

    Users can send emails from remote locations provided they're using one of your servers, either:

    1. sending from the web client
    2. sending via Outlook connector
    3. sending using your Zimbra server as SMTP server with SMTP-AUTH

    or really any servers, as long as they're listed in the SPF record. If you have multiple SMTP servers for users at other offices, you can add their IPs to the SPF records.
    Last edited by bdial; 07-29-2009 at 07:34 AM.

  6. #6
     Join Date: Jul 2008 | Posts: 78

    Correct. If you add an SPF record specifying your IP, then mail servers that check SPF will only accept connections from your mail server's IP.

    Here's a handy wizard for generating SPF DNS records: The SPF Setup Wizard

    You could also look at adding an SPF filter to your Zimbra install to check incoming connections:
    Improving Anti-spam system - Zimbra :: Wiki
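Replies #3, #5 and #6 all turn on the same mechanism: the receiving server looks up the sender domain's SPF TXT record and compares the connecting IP against the addresses it lists, so a message relayed through a listed server (webmail, SMTP-AUTH submission) passes while a direct connection from a home ISP address does not. The following is an added example, not Zimbra's or Postfix's code, that evaluates a constructed SPF record offline. The domains, addresses and the in-memory DNS table are all invented; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled, because `a`, `mx`, `ptr` and `exists` need live DNS.

```python
"""Minimal offline SPF evaluator covering ip4/ip6/include/all (added example).
All domains, addresses and the fake DNS table are constructed for the demo."""
import ipaddress
from typing import Dict

# Constructed stand-in for DNS TXT lookups so the example runs without network.
# mydomain.com lists its own mail server and pulls in a branch office's record.
FAKE_DNS_TXT: Dict[str, str] = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 include:_spf.branch.example -all",
    "_spf.branch.example": "v=spf1 ip4:198.51.100.0/28 ip6:2001:db8:1::/48 ~all",
}

# RFC 7208 qualifier prefixes; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10


def check_spf(client_ip: str, sender_domain: str,
              dns: Dict[str, str] = FAKE_DNS_TXT, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for a client IP."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns.get(sender_domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    addr = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qual]  # catch-all: decides everything not matched above
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced domain's policy yields "pass"
            if check_spf(client_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"  # a/mx/ptr/exists not supported in this offline demo
    return "neutral"  # record exhausted without an "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5", "2001:db8:1::25", "219.64.128.217"):
        print(f"{ip:<16} mydomain.com -> {check_spf(ip, 'mydomain.com')}")
```

The last case is the thread's scenario: a dial-up address presenting `mydomain.com` as sender ends at `-all` and fails, while a roaming user who submits through the listed server still passes because the receiving side only ever sees that server's IP. A production deployment would use a full implementation such as the pyspf library behind a Postfix policy daemon rather than this subset.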

  7. #7
     Join Date: Oct 2009 | Posts: 1

     Short Cut

    I know SPF is correct and working. In my case I found it timed out when checking SPF records, and lots of my clients' mails were rejected. It was a problem with my slow leased line (I guess). So I disabled SPF and searched for another solution.

    My situation:
    I have around 100 email users inside the office. No one outside. We receive emails from outside, displayed as from myself. One day I found a spam message about *** had been mailed to all my staff members showing it was from the system admin (me).

    My solution:

    In Postfix (/etc/postfix/main.cf):

    mynetworks = 127.0.0.0/8,192.168.1.0/24
    smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/maps/reject

    I created a reject map and included my own domain to be rejected.
    I permitted the LAN side (mynetworks) before the reject map.

    Now no one can send mail to us using my domain name from outside.

    Reject map:
    a file with any name, one record per line. The syntax should be as follows:

    abc.com REJECT error_message
    ubsdsoc.com REJECT Service unavailable
    socsadomer.com REJECT Service unavailable


    When my staff members go outside, they use the webmail system, which is hosted in my LAN, so no problems.

    Good luck.
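The restriction list in this reply works because Postfix evaluates `smtpd_sender_restrictions` left to right: `permit_mynetworks` accepts LAN clients outright, and only the remaining clients reach `check_sender_access`, whose lookup tries the full address, then the domain and its parent domains. The following is an added example, not Postfix's own code, that models that evaluation over the reply's `mynetworks` value and a reject map written in the same syntax, so you can see which (client, sender) pairs get through before touching the real config. The map contents, the `554 5.7.1` reply text and the parent-domain lookup order are approximations of Postfix behaviour, labelled as such in the comments.

```python
"""Model of 'permit_mynetworks check_sender_access hash:...' evaluation.
Added example; it approximates Postfix access-map lookup order and is not
the Postfix implementation."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed reject map in the reply's syntax: key, action, optional message.
REJECT_MAP_TEXT = """\
# our own domain: legitimate mail for it never arrives from the Internet
mydomain.com REJECT Service unavailable
abc.com REJECT error_message
"""

MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]  # the reply's mynetworks value


def parse_access_map(text: str) -> Dict[str, Tuple[str, str]]:
    """Turn 'key ACTION [message]' lines into a lookup table (comments/blank skipped)."""
    table: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        key = parts[0].lower()
        action = parts[1].upper() if len(parts) > 1 else "OK"
        message = parts[2] if len(parts) > 2 else ""
        table[key] = (action, message)
    return table


def lookup_keys(sender: str) -> List[str]:
    """Keys Postfix would try for a sender address, most specific first
    (approximation: full address, domain, parent domains above the TLD, then
    'localpart@'). An empty sender only yields the special '<>' key."""
    if not sender:
        return ["<>"]
    local, _, domain = sender.lower().rpartition("@")
    keys = [sender.lower()]
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        keys.append(".".join(labels[i:]))
    keys.append(local + "@")
    return keys


def smtpd_sender_restrictions(client_ip: str, sender: str,
                              mynetworks: List[str],
                              access_map: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
    """Evaluate 'permit_mynetworks check_sender_access' for one envelope sender."""
    addr = ipaddress.ip_address(client_ip)
    # permit_mynetworks is listed first, so LAN clients may use the domain freely.
    if any(addr in ipaddress.ip_network(net) for net in mynetworks):
        return ("OK", "permit_mynetworks")
    # check_sender_access: the first key that exists in the map decides.
    for key in lookup_keys(sender):
        if key in access_map:
            action, message = access_map[key]
            if action == "REJECT":
                # 554 5.7.1 is Postfix's usual reply for an access-map REJECT (approximation)
                return ("REJECT", f"554 5.7.1 <{sender}>: Sender address rejected: "
                                  f"{message or 'Access denied'}")
            if action in ("OK", "PERMIT"):
                return ("OK", f"check_sender_access {key}")
            return ("DUNNO", f"unmodelled action {action}")
    return ("DUNNO", "no access-map match")  # later restrictions would decide


if __name__ == "__main__":
    access = parse_access_map(REJECT_MAP_TEXT)
    cases = [("219.64.128.217", "me@mydomain.com"),   # the thread's spoof case
             ("192.168.1.20", "me@mydomain.com"),     # LAN user, same sender
             ("219.64.128.217", "x@sub.mydomain.com"),  # subdomain hits parent key
             ("219.64.128.217", "friend@example.org")]  # ordinary external mail
    for ip, sender in cases:
        verdict, why = smtpd_sender_restrictions(ip, sender, MYNETWORKS, access)
        print(f"{ip:<16} {sender:<22} {verdict:<7} {why}")
```

The caveat the earlier replies raise still applies: a staff member on a home ISP connection who submits mail directly with a `@mydomain.com` sender is rejected exactly like the spammer, so this approach only fits a site whose roaming users go through webmail or an authenticated submission path that is permitted (for instance by a `permit_sasl_authenticated` entry) before the access map.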
