Hello,

In the past 12 months, we have seen an increase in the amount of spam allowed through by spamassassin, along with numerous backscatter problems getting us blacklisted (even though support has told us how to stop backscatter, it still doesn't seem to work).

Most concerning is the number of phishing emails allowed through, which turn into a massive bot attack as soon as one user falls for it. This occurs every 2-3 months regardless of the number of time we tell users to NEVER release their password, and that we will NEVER ask them for it. The bots are specifically targeting Zimbra servers and using SOAP calls to send thousands of emails in a very short time. We usually find out when we get a blacklist alert, or the user notices bounces in their inbox, at which point they remember that they let their password out...

We need:

1. rate-limiting to prevent any account from sending more than x messages per y interval.
2. rate-limiting to prevent more than x SOAP connections from a single IP per y interval.
3. alerts when any of the limits are reached.

I think we can do the above, but haven't looked into it yet.

One complication is how the scenario plays out:
1. One user falls for a phishing email. Sometimes the email is sent to only a small number of users, so we don't see it right away. In the recent incident, the spammer waited at least a week (until the Easter weekend) before actually doing anything.
2. Once that user is breached, a second phishing email pretending to be from our IT Department, usually describing a Zimbra upgrade or problem, is sent to ALL local users, and others in the addressbook.
3. User 1 starts sending waves of spam from Nigerian SOAP connections.
4. Subsequent users fall for more convincing (although still with poor English) second phish from internal address with Yahoo reply-to. Yahoo is useless at dealing with these accounts, so they continue to use yahoo (does yahoo still use Zimbra?)
5. We run a script to remove all messages based on phishing subject line when we notice it.
6. Nearly every attack starts on a weekend, so our response time is longer.

What I don't know is if I should spend any more time with the Zimbra spam solutions of spamassassin or dspam. We really don't have time to constantly tweak the system, and also deal with losing settings on every Zimbra update (although we are told where to make changes to avoid this, it still seems to occur every so often, or at least the changes are rendered ineffective). Should we be looking at Barracuda, IronPort, or others? We are already using barracuda for dnsbl, and it seems to be either the fastest to respond, or the most accurate, or both:

b.barracudacentral.org 358341
zen.spamhaus.org 27991
urbl.hostedemail.com=127.0.0.100 3520
bl.spamcop.net 1030
ix.dnsbl.manitu.net 156
hostkarma.junkemailfilter.com=127.0.0.2 68
hostkarma.junkemailfilter.com 41
urbl.hostedemail.com 32
db.wpbl.info 7
bb.barracudacentral.org 4
cbl.abuseat.org 3
db.wpbl.info=127.0.0.2 2
ubl.unsubscore.com 1
b.barracudacentral.org=127.0.0.2 1
=================================================
Total DNSBL rejections: 391197


We are a school with ~700 users, 450 of them students. Surprisingly, our staff are usually the worst offenders at falling for phishing attempts. All of the attacks appear to be monitored by a human until an account is breached, then the bot takes over. The recent wave of attacks on the weekend started with test connections from a proxy/anon ip block, then the bots hit from a Nigerian ip block. We have blocked all of these at the firewall, but there will be others soon I'm sure. Attempting to contact admins for either ip block have been ignored.

Hotspot Shield Free and Elite VPN Download for Internet Privacy, Security and to Access Blocked Sites - AnchorFree
74.115.0.0 - 74.115.7.255

Visafone Communications Limited - visafone.com.ng
41.71.128.0 - 41.71.255.255