Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Blocking blank sender 'From=<>'

  1. #1
    Join Date
    Aug 2010
    Posts
    5
    Rep Power
    5

    Default Blocking blank sender 'From=<>'

    Lately in the daily mail report - top 50 senders by message count show highest sender from=<>, what type of sender is this? and can block this type of sender?

    Getting worry as this type of sender is growing.

  2. #2
    Join Date
    May 2011
    Posts
    32
    Rep Power
    4

    Default

    I have the same problem.

    Top senders from=<>


    Any help

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by sameone View Post
    I have the same problem.

    Top senders from=<>

    Any help
    Not really with the lack of information. ARe they from your server or to your server? If they're from your server ahve you checked if there's any infected machines on your LAN or compromised accounts on the server? If they are to your server which of the techniques have you tried to stop this problem? Have you made any modifications to the anti-spam system? Are there any headers for these emails? What have you found in the forums relating to this problem? Have you tried some of the techniques in the wiki article on improving the anti-spam system? Which version & release of Zimbra?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    Join Date
    May 2011
    Posts
    32
    Rep Power
    4

    Default

    Zimbra 7.1.1 OCS

    After I received log to adminLotus@mydomain.com, there I saw Top 50 senders by message count
    19 from=<>


    If I understand that, this mean that someone (virus,...) has send 19 mail from my domain. ???

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by sameone View Post
    Zimbra 7.1.1 OCS

    After I received log to adminLotus@mydomain.com, there I saw Top 50 senders by message count
    19 from=<>


    If I understand that, this mean that someone (virus,...) has send 19 mail from my domain. ???
    It doesn't necessarily mean that at all, ...... and the answers to my other questions are...?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  6. #6
    Join Date
    May 2011
    Posts
    32
    Rep Power
    4

    Default

    how can i make custome rule, for from block <>

    Is posible in salocal.cf.ini

    how to wrote this rule

    blacklist_from <>

    or

    from LOCAL_RULE /<>/
    score LOCAL_RULE 7


    Can I do it that way, or what is the right way?


    ------------------------------------------------------
    Are they from your server or to your server?
    If i see the log - Top 50 senders by message count

    Then that mean that this is from my server

    Where can I see and find this <> and then I will now from where are there.




    If they're from your server ahve you checked if there's any infected machines on your LAN or compromised accounts on the server? If they are to your server which of the techniques have you tried to stop this problem? Have you made any modifications to the anti-spam system? Are there any headers for these emails?

    What have you found in the forums relating to this problem?
    Nothing

    Have you tried some of the techniques in the wiki article on mproving the anti-spam system?
    I did't find how to block special words in salocal.cf.ini

  7. #7
    Join Date
    Aug 2010
    Posts
    5
    Rep Power
    5

    Default

    I have no idea what to look for in the mail.log, I had check through the mail.log but can’t find any ‘<>’ or blank sender. I had also had try the spam control recommended in the wiki but still the same, the ‘from=<>’ came up on top. I using zcs 7.1.2

  8. #8
    Join Date
    Nov 2007
    Location
    AZ, USA
    Posts
    205
    Rep Power
    7

    Default

    A check on my system
    Code:
    grep "from=<>" /var/log/zimbra.log
    returns a group of messageIDs

    A similar grep but for 1 of the messageIDs
    Code:
    grep "B321536B15B5" /var/log/zimbra.log
    returns
    Code:
    Aug 12 04:25:21 email postfix/smtpd[14699]: B321536B15B5: client=unknown[203.217.173.15]
    Aug 12 04:25:22 email postfix/cleanup[15263]: B321536B15B5: message-id=<20110809083716.6F0BB11E6778@mail.fxmail.ru>
    Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: from=<>, size=1067, nrcpt=2 (queue active)
    Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, orig_to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
    Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
    Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: removed
    looks like incoming message to me ip 203.217.173.15 is not one of our public, addresses.
    Also the inbound message ID "20110809083716.6F0BB11E6778@mail.fxmail.ru" does not look like a friendly mail server.
    you might try something like (note untested by me)
    Code:
    header   LOCAL_BadFrom           From =~ /^$/
    describe LOCAL_BadFrom           Empty From Address
    score    LOCAL_BadFrom           1.0
    in salocal.cf.in and then stop start zimbra.

  9. #9
    Join Date
    Aug 2011
    Posts
    1
    Rep Power
    4

    Unhappy

    Quote Originally Posted by jrefl5 View Post
    A check on my system
    Code:
    grep "from=<>" /var/log/zimbra.log
    returns a group of messageIDs

    A similar grep but for 1 of the messageIDs
    Code:
    grep "B321536B15B5" /var/log/zimbra.log
    returns
    Code:
    Aug 12 04:25:21 email postfix/smtpd[14699]: B321536B15B5: client=unknown[203.217.173.15]
    Aug 12 04:25:22 email postfix/cleanup[15263]: B321536B15B5: message-id=<20110809083716.6F0BB11E6778@mail.fxmail.ru>
    Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: from=<>, size=1067, nrcpt=2 (queue active)
    Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, orig_to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
    Aug 12 04:25:22 email postfix/smtp[15264]: B321536B15B5: to=<UserAccount@My.Zimbra.server>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.4, delays=4.9/0/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04414-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A8EFA36B15CC)
    Aug 12 04:25:22 email postfix/qmgr[6326]: B321536B15B5: removed
    looks like incoming message to me ip 203.217.173.15 is not one of our public, addresses.
    Also the inbound message ID "20110809083716.6F0BB11E6778@mail.fxmail.ru" does not look like a friendly mail server.
    you might try something like (note untested by me)
    Code:
    header   LOCAL_BadFrom           From =~ /^$/
    describe LOCAL_BadFrom           Empty From Address
    score    LOCAL_BadFrom           1.0
    in salocal.cf.in and then stop start zimbra.

    I'm sorry this become longer, truly we are holding IP 203.217.173.15 that attached on code above, but we meet problem to locate where the problem come from , this occur from last 3 weeks and we can't do anything because its lack of username there...

    this make us blocked from several Spam blocker site, anyone can resolving this problrm? please?

  10. #10
    Join Date
    Nov 2007
    Location
    AZ, USA
    Posts
    205
    Rep Power
    7

    Default

    My References were meant for the OP ACEMY. as a possible salocal rule to filter/dump the blank from e-mails, also provides some log searching suggestions for him/her.
    In the case of the examples I used they were dumped into the SPAM folder, or dropped due to other issues in the e-mail (RBLs, key-words, ...).

Similar Threads

  1. Sent Emails are Blank
    By Sealevel in forum General Questions
    Replies: 24
    Last Post: 04-07-2014, 08:28 AM
  2. Blocking unknown sender mails for relaying on zimbra
    By prasadpimple in forum Administrators
    Replies: 1
    Last Post: 02-14-2011, 06:59 AM
  3. Replies: 4
    Last Post: 01-20-2011, 12:11 PM
  4. Replies: 0
    Last Post: 01-16-2011, 08:07 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •