
Thread: SPAM sourced from virtual domain user to same user

  #1 SPAM sourced from virtual domain user to same user

    I'm running 6.0.4 OSE and I'm seeing SPAM from the world where the MAIL TO is a user on the system and the RCPT TO is the same user. Shouldn't Postfix block this before it gets to Spamassassin/SPAM checking? The SMTP client is not in my trusted networks and has not authenticated as a user of the system. What can be done to stop this commonly used SPAM loophole?

    Below is what is happening.

    Feb 4 16:14:48 zimbrahost postfix/smtpd[18837]: D33BC2F6049: client=unknown[204.14.36.5]
    Feb 4 16:14:56 zimbrahost postfix/cleanup[19205]: D33BC2F6049: message-id=<>
    Feb 4 16:14:56 zimbrahost postfix/qmgr[9572]: D33BC2F6049: from=<user@domain.com>, size=192, nrcpt=1 (queue active)
    Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: connect from localhost[127.0.0.1]
    Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: 301A52F6055: client=localhost[127.0.0.1]
    Feb 4 16:14:57 zimbrahost postfix/cleanup[19205]: 301A52F6055: message-id=<20100205001457.301A52F6055@zimbrahost.domain.c om>
    Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: 301A52F6055: from=<user@domain.com>, size=1136, nrcpt=1 (queue active)
    Feb 4 16:14:57 zimbrahost postfix/smtpd[19209]: disconnect from localhost[127.0.0.1]
    Feb 4 16:14:57 zimbrahost postfix/smtp[19206]: D33BC2F6049: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=16, delays=15/0.02/0.01/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=07174-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 301A52F6055)
    Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: D33BC2F6049: removed
    Feb 4 16:14:57 zimbrahost postfix/lmtp[19210]: 301A52F6055: to=<user@domain.com>, relay=zimbrahost.domain.com[192.168.200.100]:7025, delay=0.15, delays=0/0.04/0.01/0.1, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Feb 4 16:14:57 zimbrahost postfix/qmgr[9572]: 301A52F6055: removed
    Feb 4 16:14:59 zimbrahost postfix/smtpd[18837]: disconnect from unknown[204.14.36.5]

  #2

    Set up some sort of sender verification for your domain, like SPF records.

    Basically you add a DNS record for your domain that says "mail from this domain is only going to come from the following IPs/networks:"

    Then when your server, or any other server, receives mail from your domain, it queries for the SPF record, and if the originating IP is not listed in the SPF then it will score it high or just plain drop the mail.

  #3

    This is a very common kind of spam.
    You can do tons of things on top of the default Zimbra install to improve anti-spam.
    The list is in the link:
    Improving Anti-spam system - Zimbra :: Wiki

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  #4

    I've set up SPF as recommended and sometimes see the SPF check in the headers; however, this same SPAM still gets through. The headers are as follows (no SPF check):

    X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
    X-Spam-Flag: NO
    X-Spam-Score: 4.265
    X-Spam-Level: ****
    X-Spam-Status: No, score=4.265 tagged_above=-10 required=5
    tests=[BAYES_05=-1.11, MISSING_DATE=0.001, MISSING_HEADERS=1.292,
    MISSING_MID=0.001, MISSING_SUBJECT=1.762, RDNS_NONE=0.1,
    TVD_SPACE_RATIO=2.219] autolearn=no

    My zimbra installation does not seem to be logging spamassassin activities. How do I enable spamassassin logging so I can see what is going on and why SPF checking is not happening for these particular spams.

  #5

    I found how to increase the SA log level and now see the SA headers within the zimbra.log. Still having issues with SA and SPF however.

    I followed the wiki instructions for SPF and installed the SPF library and set the scores but I'm seeing this when starting zimbra:

    Feb 10 16:36:53 postal amavis[19703]: INFO: SA version: 3.2.5, 3.002005, no optional modules: Encode::Detect Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x

    Are there additional steps needed to enable these optional modules?

    # apt-get -s install libmail-spf-query-perl
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libmail-spf-query-perl is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

    Excerpt from /opt/zimbra/conf/salocal.cf:

    ok_languages en es
    ok_locales en es
    trusted_networks 127. 192.168.
    use_bayes 1
    dns_available yes
    score SPF_FAIL 10.000
    score SPF_HELO_FAIL 10.000
    score FH_DATE_PAST_20XX 0.0

  #6

    It appears the SPF module and others are loading despite the last post. I am seeing this upon startup so it appears SPF is loading just fine:

    Code:
    Feb 10 16:36:55 postal amavis[19708]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
    Feb 10 16:36:55 postal amavis[19708]: SpamControl: init_pre_fork on SpamAssassin done
    Feb 10 16:36:55 postal amavis[19708]: extra modules loaded after daemonizing/chrooting: Mail/SPF/Query.pm
    That said, the initial issue with SPAM (same valid user used as MAIL TO and RCPT TO) getting through continues and it does not appear SPF is checked by SA:

    Code:
    Feb 10 17:40:41 host postfix/smtpd[17972]: warning: 204.14.36.5: hostname las-204-14-36-5.commpartners.us verification failed: Name or service not known
    Feb 10 17:40:41 host postfix/smtpd[17972]: connect from unknown[204.14.36.5]
    Feb 10 17:40:44 host zmmailboxdmgr[18047]: status requested
    Feb 10 17:40:44 host zmmailboxdmgr[18047]: status OK
    Feb 10 17:40:45 host zmmailboxdmgr[18108]: status requested
    Feb 10 17:40:45 host zmmailboxdmgr[18108]: status OK
    Feb 10 17:40:59 host postfix/smtpd[17972]: D5D142F602F: client=unknown[204.14.36.5]
    Feb 10 17:41:05 host postfix/cleanup[18143]: D5D142F602F: message-id=<>
    Feb 10 17:41:05 host postfix/qmgr[6280]: D5D142F602F: from=<email@xyz.com>, size=181, nrcpt=1 (queue active)
    Feb 10 17:41:05 host amavis[4137]: (04137-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20100210T174105-04137: <email@xyz.com> -> <email@xyz.com> SIZE=181 Received: from zimbra.server.com ([127.0.0.1]) by localhost (zimbra.server.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <email@xyz.com>; Wed, 10 Feb 2010 17:41:05 -0800 (PST)
    Feb 10 17:41:05 host amavis[4137]: (04137-01) Checking: mDZetvP+aMsx [204.14.36.5] <email@xyz.com> -> <email@xyz.com>
    Feb 10 17:41:05 host amavis[4137]: (04137-01) p001 1 Content-Type: text/plain, size: 9 B, name: 
    Feb 10 17:41:05 host amavis[4137]: (04137-01) check_header: 7, Missing required header field: "Date"
    Feb 10 17:41:05 host amavis[4137]: (04137-01) check_header: 7, Missing required header field: "From"
    Feb 10 17:41:05 host clamd[4146]: No stats for Database check - forcing reload 
    Feb 10 17:41:07 host clamd[4146]: Reading databases from /opt/zimbra/data/clamav/db 
    Feb 10 17:41:08 host postfix/smtpd[17972]: disconnect from unknown[204.14.36.5]
    Feb 10 17:41:11 host clamd[4146]: Database correctly reloaded (1257414 signatures) 
    Feb 10 17:41:11 host amavis[4137]: (04137-01) local delivery: <> -> bad-header-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/badh-mDZetvP+aMsx
    Feb 10 17:41:11 host amavis[4137]: (04137-01) SPAM-TAG, <email@xyz.com> -> <email@xyz.com>, No, score=4.265 tagged_above=-10 required=5 tests=[BAYES_05=-1.11, MISSING_DATE=0.001, MISSING_HEADERS=1.292, MISSING_MID=0.001, MISSING_SUBJECT=1.762, RDNS_NONE=0.1, TVD_SPACE_RATIO=2.219] autolearn=no
    Feb 10 17:41:11 host postfix/smtpd[18155]: connect from localhost[127.0.0.1]
    Feb 10 17:41:11 host postfix/smtpd[18155]: ABD722F605D: client=localhost[127.0.0.1]
    Feb 10 17:41:11 host postfix/cleanup[18143]: ABD722F605D: message-id=<20100211014111.ABD722F605D@zimbra.server.com>
    Feb 10 17:41:11 host postfix/qmgr[6280]: ABD722F605D: from=<email@xyz.com>, size=1152, nrcpt=1 (queue active)
    Feb 10 17:41:11 host amavis[4137]: (04137-01) FWD via SMTP: <email@xyz.com> -> <email@xyz.com>,BODY=7BIT 250 2.0.0 Ok, id=04137-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as ABD722F605D
    Feb 10 17:41:11 host amavis[4137]: (04137-01) Passed BAD-HEADER, [204.14.36.5] [204.14.36.5] <email@xyz.com> -> <email@xyz.com>, quarantine: badh-mDZetvP+aMsx, mail_id: mDZetvP+aMsx, Hits: 4.265, size: 181, queued_as: ABD722F605D, 6127 ms
    Feb 10 17:41:11 host postfix/smtp[18151]: D5D142F602F: to=<email@xyz.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=19, delays=12/0.02/0.06/6.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04137-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as ABD722F605D)
    Feb 10 17:41:11 host amavis[4137]: (04137-01) TIMING [total 6132 ms] - ldap-prepare: 21 (0%)0, SMTP greeting: 15 (0%)1, SMTP EHLO: 3 (0%)1, SMTP pre-MAIL: 1 (0%)1, mkdir tempdir: 2 (0%)1, create email.txt: 2 (0%)1, ldap-connect: 79 (1%)2, lookup_ldap: 8 (0%)2, SMTP pre-DATA-flush: 6 (0%)2, SMTP DATA: 1 (0%)2, check_init: 2 (0%)2, digest_hdr: 3 (0%)2, digest_body_dkim: 1 (0%)2, gen_mail_id: 2 (0%)2, mkdir parts: 2 (0%)2, mime_decode: 23 (0%)3, get-file-type1: 36 (1%)3, decompose_part: 5 (0%)3, parts_decode: 0 (0%)3, check_header: 5 (0%)4, AV-scan-1: 5554 (91%)94, spam-wb-list: 4 (0%)94, SA parse: 13 (0%)94, SA check: 210 (3%)98, update_cache: 9 (0%)98, decide_mail_destiny: 3 (0%)98, notif-quar: 6 (0%)98, stat-mbx: 5 (0%)98, open-mbx: 1 (0%)98, write-header: 1 (0%)98, save-to-local-mailbox: 0 (0%)98, fwd-connect: 39 (1%)99, fwd-mail-pip: 47 (1%)100, fwd-rcpt-pip: 0 (0%)100, fwd-data-chkpnt: 0 (0%)100, write-header: 0 (0%)100, fwd-data-contents: 0 (0%)100, fwd-end-chkpnt: 4 (0%)100, prepare-dsn: 2 (0...
    Feb 10 17:41:11 host postfix/qmgr[6280]: D5D142F602F: removed
    Feb 10 17:41:11 host amavis[4137]: (04137-01) ...%)100, main_log_entry: 13 (0%)100, SMTP pre-response: 1 (0%)100, SMTP response: 2 (0%)100, unlink-1-files: 1 (0%)100, rundown: 2 (0%)100
    Feb 10 17:41:11 host amavis[4137]: (04137-01) extra modules loaded: /opt/zimbra/zimbramon/lib/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/zimbramon/lib/x86_64-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, Net/LDAP/Extension.pm, Net/SSLeay.pm
    Feb 10 17:41:11 host postfix/lmtp[18158]: ABD722F605D: to=<email@xyz.com>, relay=zimbra.server.com[192.168.200.100]:7025, delay=0.16, delays=0.01/0.05/0/0.1, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Feb 10 17:41:11 host postfix/qmgr[6280]: ABD722F605D: removed

  #7

    Okay, here is an idea. I do it on my front-end MTA, so I'm not sure what will happen when configured directly on the ZCS server.
    Code:
    su - zimbra
    Create a file under /opt/zimbra/conf called spoofprotection with the following content
    Code:
    yourdomain		REJECT we never email ourself from outside so go away!
    We then need to convert it to a database
    Code:
    postmap spoofprotection
    then Zimbra needs to know to look at it so we need to change /opt/zimbra/conf/postfix_recipient_restrictions.cf and add
    Code:
    check_sender_access hash:/opt/zimbra/conf/spoofprotection
    this needs to go after the permit_mynetworks so the file looks like
    Code:
    reject_non_fqdn_recipient
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    check_sender_access hash:/opt/zimbra/conf/spoofprotection
    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
    permit
    Then restart Postfix
    Code:
    postfix reload
    The result should be that people mailing each other internally will work fine as they will hit permit_mynetworks and match. If somebody from the outside attempts to spoof your domain in the from field they will be rejected.

    Again this has been un-tested directly on the ZCS server.

  #8

    Thanks Uxbod. I appreciate the response.

    I ended up getting SPF working to block this spam. I think my issue with SPF was with running an internal DNS server. Since SA queries DNS, I had to also add SPF records to my internal zone files for it to work. I'm not sure this is mentioned within the spam wiki or SPF configuration and could be a big gotcha for anyone running their own DNS.

    That said, I still would prefer that postfix stop this sort of spam loophole before ever getting to AV/SA. I thought this was the intent of trusted networks and SMTP Auth but obviously not. I'm surprised this is not a bigger issue since this affects every Zimbra installation out there (and possibly postfix). So I'll likely try your possibly better solution to this issue.
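The behaviour posts #2, #4 and #8 describe can be reproduced offline. The block below is an added example, not code from this thread, from Zimbra or from the SpamAssassin SPF plugin: a toy SPF evaluator (ip4, ip6, include and all mechanisms only) run against two constructed DNS views of the same domain. The public view carries the published record; the internal (split-horizon) view, which is what the filter's resolver would answer on a LAN with its own DNS, never had the TXT record added, so the result is "none" and no SPF_FAIL score can ever be applied. The domains, networks and records are made up; 204.14.36.5 is the client address from the thread's logs.

```python
"""Toy SPF evaluator run against two constructed DNS views.

Added example (not from the thread, Zimbra or SpamAssassin). SPF is
evaluated for the domain of the envelope sender (MAIL FROM) against the
connecting client's IP, and the outcome depends entirely on what the
resolver the filter uses answers. Only ip4, ip6, include and all are
implemented; all names, addresses and records below are made up.
"""
import ipaddress

# Constructed public DNS view: the record the admin published.
PUBLIC_DNS = {
    "example.com": ["v=spf1 ip4:198.51.100.10 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
}
# Constructed internal view: same zone served to the LAN, SPF record never added.
INTERNAL_DNS = {
    "example.com": [],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the domain's single v=spf1 TXT record, or None when there is none."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    # RFC 7208: no record -> "none"; several records would be a permerror,
    # which this toy collapses into None as well.
    return records[0] if len(records) == 1 else None


def check_spf(client_ip, mail_from, dns, depth=0):
    """Evaluate SPF for mail_from's domain against client_ip.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                    # RFC 7208 limit on include recursion
        return "permerror"
    domain = mail_from.rpartition("@")[2].lower()
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                 # no record visible: nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:   # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first colon only, so ip6 args survive
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 client never matches an ip6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_spf(client_ip, "postmaster@" + arg, dns, depth + 1) == "pass"
        else:
            return "permerror"        # a, mx, exists, ptr, modifiers: not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and no "all" present


if __name__ == "__main__":
    for resolver, dns in (("public DNS", PUBLIC_DNS), ("internal DNS", INTERNAL_DNS)):
        print(resolver, "->", check_spf("204.14.36.5", "user@example.com", dns))
```

Two things the run makes visible: the record has to be served by whichever resolver amavisd/SpamAssassin actually asks, not just by the public authoritative servers, and the lookup key is the envelope sender's domain, so a message whose Return-Path is some other domain (as in the sample in post #9) is judged against that domain's record, not yours.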

  #9

    I too have implemented SPF. Though I see in the logs that it is working much of the time, I still receive some email for which there appears to be no SPF check done. Can anyone tell me why this happens?

    Here is an example of the header of one of these spam emails:

    Return-Path: harmfulh9@beautifuldom.ru
    Received: from zimbra.MyDomain.com (LHLO zimbra.MyDomain.com)
    (172.20.1.4) by zimbra.MyDomain.com with LMTP; Tue, 23 Feb 2010 07:34:20
    -0800 (PST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.MyDomain.com (Postfix) with ESMTP id 0F1DA8D8004
    for <goodtogo@MyDomain.com>; Tue, 23 Feb 2010 07:34:20 -0800 (PST)
    X-Virus-Scanned: amavisd-new at zimbra.MyDomain.com
    X-Spam-Flag: YES
    X-Spam-Score: 11.613
    X-Spam-Level: ***********
    X-Spam-Status: Yes, score=11.613 tagged_above=-10 required=6.6
    tests=[BAYES_99=3.5, PYZOR_CHECK=2.5, RCVD_IN_BL_SPAMCOP_NET=1.96,
    RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, STOX_REPLY_TYPE=0.001]
    autolearn=no
    Received: from zimbra.MyDomain.com ([127.0.0.1])
    by localhost (zimbra.MyDomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id PyZ1a5tD9kBB for <goodtogo@MyDomain.com>;
    Tue, 23 Feb 2010 07:34:16 -0800 (PST)
    Received: from 69.209.broadband13.iol.cz (69.209.broadband13.iol.cz [90.180.209.69])
    by zimbra.MyDomain.com (Postfix) with ESMTP id 4CA778D8003
    for <goodtogo@MyDomain.com>; Tue, 23 Feb 2010 07:34:15 -0800 (PST)
    Received: from 90.180.209.69 by aspmx5.googlemail.com; Tue, 23 Feb 2010 16:34:52 +0100
    Date: Tue, 23 Feb 2010 16:34:52 +0100
    From: goodtogo@MyDomain.com
    Subject: Complete your wardrobe today with a brand new Vertu, the ultimate fashion accessory for the high powered personality that you are
    To: <goodtogo@MyDomain.com>
    Message-ID: <000d01cab49d$be0a1f40$6400a8c0@harmfulh9>
    MIME-Version: 1.0
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    Content-type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
    Content-transfer-encoding: 7bit
    X-Priority: 3
    X-MSMail-priority: Normal

    Feel the luxurious gem in your hand. Be the envy with just a click of your mobile. http://inroad87.spaces.live.com

  #10

    uxbod, does the spoofprotection file support multiple lines? Say, for instance, I host multiple domains.
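The restriction order from post #7 and the multi-domain question in post #10 can both be checked without touching a live MTA. The block below is an added example, not code from this thread, from Zimbra or from Postfix: it re-implements in Python just enough of Postfix's behaviour to exercise the design, namely that restrictions are tried in order with the first PERMIT or REJECT winning, and that an access(5) lookup for an email address tries the full address, then the domain and each parent domain, then "localpart@". The hosted domains, mynetworks ranges and SMTP sessions are made up; the reject text is the one from the post and 204.14.36.5 is the external client from the thread's logs.

```python
"""Model of the smtpd restriction order from post #7 with a
check_sender_access map covering several hosted domains (post #10).

Added example, not code from the thread, Zimbra or Postfix. Domains,
networks and sessions are assumed for illustration.
"""
import ipaddress

# Constructed /opt/zimbra/conf/spoofprotection: one line per hosted domain.
SPOOFPROTECTION = """\
# key             action
example.com       REJECT we never email ourself from outside so go away!
example.org       REJECT we never email ourself from outside so go away!
"""
HOSTED_DOMAINS = {"example.com", "example.org"}                                   # assumed
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.200.0/24")]  # assumed


def parse_access_map(text):
    """Parse an access(5) source file (the input that postmap turns into a .db)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("access map line needs a key and an action: %r" % line)
        table[parts[0].lower()] = parts[1]
    return table


def access_lookup(table, address):
    """Look up an email address the way Postfix does for smtpd access maps."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address]
    # the domain, then each parent domain down to the top-level label
    # (smtpd_access_maps is in parent_domain_matches_subdomains by default)
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


# Each restriction returns ("PERMIT", why), ("REJECT", why) or None ("dunno").
def permit_sasl_authenticated(s, table):
    return ("PERMIT", "permit_sasl_authenticated") if s.get("sasl") else None

def permit_mynetworks(s, table):
    ip = ipaddress.ip_address(s["client_ip"])
    return ("PERMIT", "permit_mynetworks") if any(ip in n for n in MYNETWORKS) else None

def reject_unauth_destination(s, table):
    # protects against relaying only; it never looks at the sender
    rcpt_domain = s["rcpt_to"].rpartition("@")[2].lower()
    return None if rcpt_domain in HOSTED_DOMAINS else ("REJECT", "reject_unauth_destination")

def check_sender_access(s, table):
    action = access_lookup(table, s["mail_from"])
    if action is None:
        return None
    return (action.split(None, 1)[0].upper(), "check_sender_access: " + action)

# Order from the post (recipient-syntax checks omitted); the RBL lookups and the
# policy service that follow in the real file are outside this model.
POSTED_ORDER = [permit_sasl_authenticated, permit_mynetworks,
                reject_unauth_destination, check_sender_access]


def evaluate(session, table, order=POSTED_ORDER):
    """First decisive result wins; None means the remaining restrictions decide."""
    for restriction in order:
        result = restriction(session, table)
        if result is not None:
            return result
    return None


SESSIONS = {  # constructed; only the external IP comes from the thread's logs
    "internal user":     {"client_ip": "192.168.200.50", "mail_from": "user@example.com", "rcpt_to": "user@example.com"},
    "roaming user":      {"client_ip": "198.51.100.77", "sasl": True, "mail_from": "user@example.com", "rcpt_to": "user@example.com"},
    "spoofed sender":    {"client_ip": "204.14.36.5", "mail_from": "user@example.com", "rcpt_to": "user@example.com"},
    "spoofed subdomain": {"client_ip": "204.14.36.5", "mail_from": "user@mail.example.org", "rcpt_to": "user@example.com"},
    "foreign sender":    {"client_ip": "204.14.36.5", "mail_from": "harmfulh9@beautifuldom.ru", "rcpt_to": "user@example.com"},
}

if __name__ == "__main__":
    table = parse_access_map(SPOOFPROTECTION)
    for name, session in SESSIONS.items():
        print("%-18s %s" % (name, evaluate(session, table)))
    # Put the map before permit_mynetworks and internal mail is rejected as well:
    print("misordered:", evaluate(SESSIONS["internal user"], table,
                                  [check_sender_access, permit_mynetworks]))
```

The run shows why the map has to sit after permit_mynetworks and permit_sasl_authenticated (moved in front of them it rejects your own users), that one line per domain is all the multi-domain case needs, and that a parent-domain key also catches subdomains. It also shows the limit of the approach: the lookup is on the envelope sender, so the sample in post #9 (Return-Path harmfulh9@beautifuldom.ru, header From: goodtogo@MyDomain.com) would not be caught by it, while anything that legitimately sends with one of your domains as envelope sender from outside mynetworks without authenticating (a web application hosted elsewhere, a forwarding service) would be rejected, so check real traffic before enabling it.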
