Thread: SPAM issue

  1. #1

    SPAM issue

    Hi Guys,

    Today a few users informed me of a similar issue: they are getting spam mails from their own email ID...

    For example:
    abc@example.com is getting mail from abc@example.com which contains abusive statements... and the user informed me that they haven't sent any such mail...

    Even the CEO's email ID is also getting similar stuff...

    Please have a look at the header information:

    ####################################################

    Return-Path: abc@example.com
    Received: from mail.example.com (LHLO tcs-itontap.com) (10.10.28.1) by
        example.com with LMTP; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by example.com (Postfix) with ESMTP id 1D500D419A
        for <abc@example.com>; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
    X-Quarantine-ID: <Tg2P3nG+9KmA>
    X-Virus-Scanned: amavisd-new at mail.rebi.in
    X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
    X-Spam-Flag: NO
    X-Spam-Score: 5.038
    X-Spam-Level: *****
    X-Spam-Status: No, score=5.038 tagged_above=-10 required=6.6
        tests=[AWL=-3.120, BAYES_99=3.5, MISSING_DATE=0.001,
        RCVD_IN_PBL=0.905, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033,
        RDNS_NONE=0.1] autolearn=no
    Received: from example.com ([127.0.0.1])
        by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id Tg2P3nG+9KmA; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
    Received: from ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in (unknown [122.173.230.74])
        by example.com (Postfix) with SMTP id 720DDD4195
        for <abc@example.com>; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
    Content-Return: allowed
    X-Mailer: CME-V6.5.4.3; MSN
    Message-Id: <20100810122100.2905.qmail@ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in>
    To: <abc@example.com>
    Subject: Best Sales 2010!
    From: abc@example.com
    MIME-Version: 1.0
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
    Date: Tue, 10 Aug 2010 12:22:07 +0530 (IST)

    ####################################################


    Please suggest ....

    One more thing.....

    I keep getting the below error message in zimbra.log:

    Aug 10 04:06:42 mail amavis[6412]: (06412-13) Open relay? Nonlocal recips but not originating: xyz@test.com

    I referred to the below-mentioned solution... but no luck.

    http://www.zimbra.com/forums/adminis...imbra-log.html

    Is this interrelated???


    Please help...

    Thanks
    Last edited by chandu; 08-10-2010 at 03:38 AM.

  2. #2

    I observed that for such mail communication, I am getting the below logs:

    Aug 10 12:22:07 mail amavis[12050]: (12050-03) Passed BAD-HEADER, [122.173.230.74] [122.173.230.74] <abc@example.com> -> <abc@example.com>, quarantine: badh-Tg2P3nG+9KmA, Message-ID: <20100810122100.2905.qmail@ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in>, mail_id: Tg2P3nG+9KmA, Hits: 5.038, size: 618, queued_as: 1AE58D4199/1D500D419A, 8386 ms


    For all fake mails it's showing the label BAD-HEADER, but it's getting delivered... how to restrict this?

    I didn't understand how the spammer got authentication for a REAL email ID?? These email IDs exist on the server, and that's why it's not getting restricted...

    Please help...

  3. #3

    I could solve this issue by installing postgrey...

    You can install:
    Improving Anti-spam system - Zimbra :: Wiki

  4. #4

    hatake_pablo thanks for your inputs.

    But I think I need sender-based verification, and the link below will be useful:

    http://www.zimbra.com/forums/adminis...problem-7.html

    But I don't understand how this happened?

  5. #5

    This has nothing to do with open relays as far as I can tell. It also doesn't have to do with authentication or anything like that. Your users are simply receiving spam that has a forged From: address and SMTP envelope sender. It's very easy for this to happen--the spammer just harvested the addresses from a website, or tricked users into entering the addresses into web forms, or received the addresses from the contact list on a computer that was infected. That computer could be the personal computer of someone in your organization, or their work computer, or it could be the computer of an external colleague.

    This is your key line:

    Code:
    Received: from ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in (unknown [122.173.230.74])
    by example.com(Postfix) with SMTP id 720DDD4195
    for <abc@example.com>; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
    Reading forward through the Received lines shows it's genuine.

    There are two relatively easy things you can do. One is to make use of more RBLs, either for scoring or for blocking at the MTA. For example, if you'd used b.barracudacentral.org, the spam would have been caught:

    Code:
    % host 74.230.173.122.b.barracudacentral.org
    74.230.173.122.b.barracudacentral.org has address 127.0.0.2
    barracudacentral is so reliable that I'm comfortable using it to block at the MTA. Other RBLs, you might want to create custom rules in salocal.conf.in. Just search the forums--I'm pretty sure you'll find examples, by me and Uxbod, among others.

    The other thing is to just reduce your "Required" spam score. You've got it at the default of 6.6 (33%). I would reduce it somewhat based on your observation of the scores of some legitimate mail coming from outside and some spams that got through. Personally, I use 4.4 (22%).
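As an added example (not from any poster in this thread), the steps from the last reply in Python: walk the Received: chain of the headers quoted in the first post from the bottom up to find the IP that handed the mail to the Zimbra box, build the reversed-octet DNSBL query name for it, and interpret a DNSBL answer. The lookup itself is kept offline (the answer `127.0.0.2` is the one quoted above); the percent-to-score helper is derived from the thread's own figures (6.6 = 33%, 4.4 = 22%).

```python
import re
import ipaddress

# Headers as quoted in the first post (already anonymised by the poster).
RAW_HEADERS = """Received: from mail.example.com (LHLO tcs-itontap.com) (10.10.28.1) by
 example.com with LMTP; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by example.com (Postfix) with ESMTP id 1D500D419A
 for <abc@example.com>; Tue, 10 Aug 2010 12:22:07 +0530 (IST)
Received: from example.com ([127.0.0.1])
 by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Tg2P3nG+9KmA; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
Received: from ABTS-North-Dynamic-074.230.173.122.airtelbroadband.in (unknown [122.173.230.74])
 by example.com (Postfix) with SMTP id 720DDD4195
 for <abc@example.com>; Tue, 10 Aug 2010 12:21:58 +0530 (IST)
From: abc@example.com
To: <abc@example.com>
"""

def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(raw, trusted_nets=("127.0.0.0/8", "10.0.0.0/8")):
    """Bottom-most Received: is the first hop; return the first bracketed IP
    that is not one of our own hosts (assumed here: loopback and 10/8)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    received = [h for h in unfold(raw) if h.lower().startswith("received:")]
    for hdr in reversed(received):
        for ip in IP_RE.findall(hdr):
            if not any(ipaddress.ip_address(ip) in net for net in trusted):
                return ip
    return None

def dnsbl_query_name(ip, zone="b.barracudacentral.org"):
    """DNSBLs are queried with reversed octets: 122.173.230.74 -> 74.230.173.122.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(answers):
    """Listed IPs get an A record in 127.0.0.0/8; NXDOMAIN (no answers) means not listed."""
    return any(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8") for a in answers)

def zimbra_percent_to_score(percent):
    """Zimbra's tag/kill percentage maps onto the SpamAssassin score as percent / 5."""
    return percent / 5
```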
