You need to give some details of the headers from your 'spam', posting what text is in there doesn't tell us much. You should also post details of what modifications (if any) you've made to improve the anti-spam system (from the wiki articles and forum threads) and you really should upgrade to the most recent release of Zimbra and I mean immediately. ;)
Increase of SPAM volume
I see more and more users complaining about a typical SPAM activity that occurs since early December. I'm very surprised that these messages are successful at defeating numerous anti-SPAM techniques used on our Zimbra server. RBLs are enabled, SpamAssassin too as well as Greylisting. The SPAM comes from domains with good reputation.
My first question is: Is anyone else seeing this? Am I under a targeted attack?
My second question is: Does anyone have a suggestion for how we could tweak SpamAssassin to increase the spam score for these messages?
Thanks in advance!
Here is the typical SPAM message we receive:
I just earned $563 in five days doing simple things online! I went to - Business Week Journal You will thank me!
I just made $501 in 5 days browsing the internet! It came from - Business Week Journal Dont forget to thank me!
I just made $609 in a month doing simple things online! I used - Business Week Journal Keep this a secret!
I racked in $362 in a weekend being on the web! I went to - Business Week Journal friends help friends!
I just racked $72 in 5 days doing easy things! I went to - Channel 7 News friends help friends!
I just profited $118 in five days being online! All thanks to - Business Week Journal trust me, you will be happy
You'll find attached a copy of those spam messages.
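One way to prototype a SpamAssassin rule for the template in the samples quoted above, as an added example that is not part of the original thread. The rule names, the 3.0 score and the ham lines are assumptions made for illustration; the script checks the two patterns against the quoted samples and then prints them as a `local.cf` fragment.

```python
import re

# Template shared by the samples quoted in the post:
#   "I <verb> $<amount> in <period> <activity>! <attribution> - <outlet> ..."
# Neither pattern contains "/" or "#", so both can be pasted into a rule as-is.
EARNINGS = (r"\bI\s+(?:just\s+)?(?:earned|made|racked(?:\s+in)?|profited)\s+"
            r"\$\d{2,5}\s+in\s+(?:a|\d+|five)\s+(?:days?|weekend|month)\b")
ATTRIBUTION = r"\b(?:I\s+went\s+to|I\s+used|It\s+came\s+from|All\s+thanks\s+to)\s+-\s"

SPAM_SAMPLES = [  # copied from the post
    "I just earned $563 in five days doing simple things online! I went to - Business Week Journal You will thank me!",
    "I just made $501 in 5 days browsing the internet! It came from - Business Week Journal Dont forget to thank me!",
    "I just made $609 in a month doing simple things online! I used - Business Week Journal Keep this a secret!",
    "I racked in $362 in a weekend being on the web! I went to - Business Week Journal friends help friends!",
    "I just racked $72 in 5 days doing easy things! I went to - Channel 7 News friends help friends!",
    "I just profited $118 in five days being online! All thanks to - Business Week Journal trust me, you will be happy",
]
HAM_SAMPLES = [  # constructed legitimate mail, each trips only one pattern
    "I just made $120 in a weekend selling my old bike, thanks for the tip.",
    "The invoice for $563 is due in five days. I went to - and came back from - the bank.",
    "It came from - of all places - the finance team.",
]

def is_template_spam(text: str) -> bool:
    """True only when both halves of the template appear (mirrors the meta rule)."""
    return bool(re.search(EARNINGS, text, re.I) and re.search(ATTRIBUTION, text, re.I))

def render_rules(score: float = 3.0) -> str:
    """Emit a local.cf fragment; names and score are hypothetical."""
    return "\n".join([
        f"body     __LOCAL_EARNINGS    /{EARNINGS}/i",
        f"body     __LOCAL_ATTRIBUTION /{ATTRIBUTION}/i",
        "meta     LOCAL_EASY_MONEY    (__LOCAL_EARNINGS && __LOCAL_ATTRIBUTION)",
        "describe LOCAL_EASY_MONEY    Earnings claim plus 'source - outlet' pitch",
        f"score    LOCAL_EASY_MONEY    {score}",
    ])

if __name__ == "__main__":
    for line in SPAM_SAMPLES + HAM_SAMPLES:
        print(f"{is_template_spam(line)!s:5}  {line[:60]}")
    print(render_rules())
```

Requiring both sub-rules in the `meta` keeps ordinary mail that mentions an amount and a period from scoring; run `spamassassin --lint` after adding the fragment.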
I am seeing these emails slip through as well. I have been just blacklisting the sender's email address, which is usually always the same; it just does not match the name.
I've analyzed some of these SPAM messages. They seem to come from a large botnet. They are infecting machines, which in turn use Hotmail and Yahoo MTAs to distribute the SPAM.
SANS ISC also published an article about these particular SPAM messages.
From X-Originating-IP Country
firstname.lastname@example.org 18.104.22.168 Russia
email@example.com 22.214.171.124 Mexico
firstname.lastname@example.org 126.96.36.199 Poland
email@example.com 188.8.131.52 Hong Kong
firstname.lastname@example.org 184.108.40.206 Russia
email@example.com 220.127.116.11 USA
firstname.lastname@example.org 18.104.22.168 USA
email@example.com 22.214.171.124 Mexico
firstname.lastname@example.org 126.96.36.199 Australia
email@example.com 188.8.131.52 Russia
firstname.lastname@example.org 184.108.40.206 Portugal
email@example.com 220.127.116.11 Romania
firstname.lastname@example.org 18.104.22.168 Uruguay
'Tis the season to be SPAMMY, trallalalaa la la la laaa