
Thread: Mysterious e-mail

  1. #1

    Mysterious e-mail

    3 of my users received e-mails that made it past the AV scan and spamassassin scoring on my Zimbra server. 2 of the users showed up in the AV NOD32 console as being viruses. The header shows no score for spamassassin. Also, the e-mails appear to be coming from our own domain.

    I'm in the process of migrating and have another server that handles the mail and forwards it to an alias on the Zimbra server. The original server was able to mark it as spam through spamassassin (note the [***SPAM***] tag in the subject). Is there a setting that I may be missing to stop this kind of e-mail? At least one of the users clicked on the attachment.

    PHP Code:
    Return-Path: LukeGordy@covad.net
    Received: from webmail.domain.com (LHLO webmail.domain.com) (Zimbra IP)
        by webmail.domain.com with LMTP; Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by webmail.domain.com (Postfix) with ESMTP id BC1563988E31;
        Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
    X-DSPAM-Result: Spam
    X-DSPAM-Class: Spam
    X-DSPAM-Confidence: 1.00
    X-DSPAM-Probability: 1.0000
    X-DSPAM-Signature: N/A
    X-Virus-Scanned: amavisd-new at domain.com
    Received: from webmail.domain.com ([127.0.0.1])
        by localhost (webmail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id EopfavABVhBi; Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
    Received: from domain.com (mail.domain.com [Legacy mail server IP])
        by webmail.domain.com (Postfix) with ESMTPS id 60FDE3988E30;
        Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
    Received: from dsl95.9-19672.static.ttnet.net.tr (dsl95.9-19672.ttnet.net.tr [95.9.76.216] (may be forged))
        by domain.com (8.13.8/8.13.8) with ESMTP id p8LD7b5j002004;
        Wed, 21 Sep 2011 09:07:45 -0400
    X-DKIM: Sendmail DKIM Filter v2.8.3 domain.com p8LD7b5j002004
    Authentication-Results: domain.com; dkim=none (no signature)
        header.i=unknown; x-dkim-adsp=none
    X-Virus-Status: Clean
    X-Virus-Scanned: clamav-milter 0.96.3 at domain.com
    Received: from dsl95.9-19672.static.ttnet.net.tr by mx3c8.carrierinternetsolutions.com; Wed, 21 Sep 2011 06:07:44 +0200
    From: <scan@domain.com>
    To: <user@domain.com>
    Subject: [***SPAM***] Re: Scan from a Hewlett-Packard Officejet  #7974665
    Date: Wed, 21 Sep 2011 06:07:44 +0200
    Message-ID: <64bc01cc7870$36ee02e0$d84c095f@MARYLIN_Boyer>
    MIME-Version: 1.0
    Content-Type: multipart/related;
        boundary="----=_NextPart_000_0675_01CC7870.37267800"
    X-Priority: (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook, Build 10.0.6838
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.2001
    Importance: Normal
    X-SPF-Scan-By: smf-spf v2.0.2 http://smfs.sf.net/
    Received-SPF: None (domain.com: domain of lukegordy@covad.net
        does not designate permitted sender hosts)
        receiver=domain.com; client-ip=95.9.76.216;
        envelope-from=<LukeGordy@covad.net>; helo=dsl95.9-19672.static.ttnet.net.tr
    Last edited by devicegrip; 09-22-2011 at 09:02 AM.

  2. #2

    Here is the header from another user that got the almost identical e-mail. This one, the legacy server did not recognize as spam. It is sent from hp@mydomain.com (which doesn't exist).

    PHP Code:
    Return-Path: EdgarCuriel@innovativemgmt.net
    Received: from webmail.domain.com (LHLO webmail.domain.com) (Zimbra IP)
        by webmail.domain.com with LMTP; Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by webmail.domain.com (Postfix) with ESMTP id CCF163988D35
        for <userc@domain.com>; Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
    X-DSPAM-Result: Spam
    X-DSPAM-Class: Spam
    X-DSPAM-Confidence: 0.57
    X-DSPAM-Probability: 1.0000
    X-DSPAM-Signature: N/A
    X-Virus-Scanned: amavisd-new at domain.com
    Received: from webmail.domain.com ([127.0.0.1])
        by localhost (webmail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id kuQBjl8HbcEG for <userc@domain.com>;
        Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
    Received: from domain.com (mail.domain.com [Legacy mail server ip])
        by webmail.domain.com (Postfix) with ESMTPS id 8404A39882EE
        for <userc@webmail.domain.com>; Wed, 21 Sep 2011 07:00:27 -0400 (EDT)
    Received: from [125.178.91.139] ([125.178.91.139])
        by domain.com (8.13.8/8.13.8) with ESMTP id p8LAxsvI020811;
        Wed, 21 Sep 2011 07:00:01 -0400
    X-DKIM: Sendmail DKIM Filter v2.8.3 domain.com p8LAxsvI020811
    Authentication-Results: domain.com; dkim=none (no signature)
        header.i=unknown; x-dkim-adsp=none
    X-Virus-Status: Clean
    X-Virus-Scanned: clamav-milter 0.96.3 at domain.com
    Received: from [125.178.91.139] (account user@domain.com HELO domain.com)
        by domain.com (CommuniGate Pro SMTP 5.3.10) with ESMTPA id 449776720
        for <user@domain.com>; Wed, 21 Sep 2011 06:00:01 +0900
    Message-ID: <E0576E05.4050804@domain.com>
    Date: Wed, 21 Sep 2011 06:00:01 +0900
    From: <hp@domain.com>
    User-Agent: Mozilla/5.0 (Macintosh; PPC Mac OS X 10.5; it; rv:1.9.0.5pre) Gecko/2008120105 Lightning/1.0b3 Thunderbird/2.0.0.0 ThunderBrowse/3.2.6.5
    MIME-Version: 1.0
    To: user@domain.com
    Subject: Fwd: Scan from a HP Officejet  #295524
    Content-Type: multipart/mixed;
        boundary="------------040301000307000108090707"
    X-SPF-Scan-By: smf-spf v2.0.2 http://smfs.sf.net/
    Received-SPF: None (domain.com: domain of edgarcuriel@innovativemgmt.net
        does not designate permitted sender hosts)
        receiver=domain.com; client-ip=125.178.91.139;
        envelope-from=<EdgarCuriel@innovativemgmt.net>; helo=[125.178.91.139];
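
As an added example that is not part of this thread, the check below parses headers like the two dumps above and lists why a message whose From: claims the local domain should be treated as spoofed: it entered from an external client IP, SPF returned None, the envelope sender is a foreign domain, and there is no DKIM signature. The sample headers are constructed from the first dump; domain.com as LOCAL_DOMAIN, the 10.0.0.2 relay address and the INTERNAL_HOSTS set are assumptions standing in for the redacted server IPs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "domain.com"
INTERNAL_HOSTS = {"127.0.0.1", "10.0.0.2"}  # our relays; 10.0.0.2 is a placeholder

# Constructed sample modelled on the first header dump in the thread.
SAMPLE = """\
Received: from domain.com (mail.domain.com [10.0.0.2])
 by webmail.domain.com (Postfix) with ESMTPS id 60FDE3988E30;
 Wed, 21 Sep 2011 09:08:19 -0400 (EDT)
Received: from dsl95.9-19672.static.ttnet.net.tr ([95.9.76.216] (may be forged))
 by domain.com (8.13.8/8.13.8) with ESMTP id p8LD7b5j002004;
 Wed, 21 Sep 2011 09:07:45 -0400
Authentication-Results: domain.com; dkim=none (no signature) header.i=unknown
From: <scan@domain.com>
To: <user@domain.com>
Subject: Re: Scan from a Hewlett-Packard Officejet #7974665
Received-SPF: None (domain.com: domain of lukegordy@covad.net does not designate permitted sender hosts) receiver=domain.com; client-ip=95.9.76.216; envelope-from=<LukeGordy@covad.net>; helo=dsl95.9-19672.static.ttnet.net.tr

"""

def external_origin(msg):
    """Oldest Received first: first client IP that is not one of our relays."""
    for received in reversed(msg.get_all("Received", [])):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
        if m and m.group(1) not in INTERNAL_HOSTS:
            return m.group(1)
    return None

def spoof_indicators(raw, local_domain=LOCAL_DOMAIN):
    """Reasons a message whose From: claims our domain looks spoofed ([] = clean)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != local_domain:
        return []                      # only inspect mail claiming to be ours
    reasons = []
    origin = external_origin(msg)
    if origin:
        reasons.append(f"external origin {origin} for local From")
    spf = msg.get("Received-SPF", "")
    if spf and spf.split()[0].lower() != "pass":
        reasons.append(f"SPF {spf.split()[0]}")   # None: sender domain has no SPF record
    env = re.search(r"envelope-from=<([^>]+)>", spf)
    if env and env.group(1).rpartition("@")[2].lower() != from_domain:
        reasons.append(f"envelope-from {env.group(1)} differs from From")
    if "dkim=none" in msg.get("Authentication-Results", ""):
        reasons.append("no DKIM signature")
    return reasons
```

SPF is evaluated on the envelope sender (covad.net here), so it says nothing about the forged scan@domain.com in From:; the mismatch between the two is what the check flags.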

  3. #3

    I don't have the "show original" from the third user. However, she got the same e-mail that the first example got. Somehow she got that user's e-mail in her inbox as well. She (user3) thought he (user1) sent it since his (user1) name was in the "to:" field. User3 ended up forwarding this e-mail back to user1 in confusion.

    I have some of the headers from the forward.

    PHP Code:
    Date: Wed, 21 Sep 2011 10:18:41 -0400 (EDT)
    From: <user3@domain.com>
    To: user1@domain.com
    Subject: Fwd: [***SPAM***] Re: Scan from a Hewlett-Packard Officejet  #7974665
    Message-ID: <0b9e89a5-7722-4b8e-ab0f-5fcafadccde1@webmail.domain.com>
    In-Reply-To: <64bc01cc7870$36ee02e0$d84c095f@MARYLIN_Boyer>
    Content-Type: multipart/mixed;
        boundary="=_65a9c893-cdc2-4c01-be04-e12d85a9d52d"
    MIME-Version: 1.0
    X-Originating-IP: [Local Gateway]
    X-Mailer: Zimbra 7.1.1_GA_3213 (ZimbraWebClient - [unknown] (Win)/7.1.1_GA_3196)



    BELOW was a message sent to user3 even though it shows user1 in the "to:" field. User3 thought it was sent from user1 by mistake.

    ----- Forwarded Message -----

    From: scan@domain.com
    To: user1@domain.com
    Sent: Wednesday, September 21, 2011 12:07:44 AM
    Subject: [***SPAM***] Re: Scan from a Hewlett-Packard Officejet =C2=A0#7974=
    665

    Attached document was scanned and sent to you using a Hewlett-Packard HP Officejet 5203A
    Sent by: MARYLIN
    Images

    Attachment Type: ZIP [DOC]

    Hewlett-Packard Officejet Location: machine location not set
    Device: OFC336AA0BSX92735847

    Hopefully this isn't too confusing and someone can shed light on a setting I may be missing.

    Thanks

  4. #4

    Anyone have any thoughts? I tried to include everything I have as accurately as possible.

    This seems like a huge issue and I would rather not have this happen again.

    Thanks
