Thread: ZCS 8 Sending Backscatter Spam

  1. #1
    Join Date
    Nov 2005
    Posts
    63
    Rep Power
    10

    Default ZCS 8 Sending Backscatter Spam

    I'm not sure of the exact mechanism being used, but my Release 8.0.6.GA.5922.UBUNTU12.64 UBUNTU12_64 FOSS edition server seems to be being used to send something akin to backscatter spam. The relevant portion of /var/log/mail.log for one such message appears to be the following:

    Code:
    Apr  9 12:16:33 mail postfix/smtpd[25171]: NOQUEUE: filter: RCPT from unknown[116.127.80.21]: <c99ba9e7@neps.ch>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<c99ba9e7@neps.ch> to=<c99ba9e7@MYDOMAIN.com> proto=ESMTP helo=<[116.127.80.21]>
    Apr  9 12:16:33 mail postfix/smtpd[25171]: NOQUEUE: filter: RCPT from unknown[116.127.80.21]: <c99ba9e7@neps.ch>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<c99ba9e7@neps.ch> to=<c99ba9e7@MYDOMAIN.com> proto=ESMTP helo=<[116.127.80.21]>
    Apr  9 12:16:34 mail postfix/qmgr[15987]: 323AF322FEC: from=<c99ba9e7@neps.ch>, size=42262, nrcpt=1 (queue active)
    Apr  9 12:16:34 mail amavis[30525]: (30525-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140409T121552-30525-bpuQiROu: <c99ba9e7@neps.ch> -> <c99ba9e7@MYDOMAIN.com> SIZE=42262 Received: from mail.MYDOMAIN.com ([127.0.0.1]) by localhost (mail.MYDOMAIN.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <c99ba9e7@MYDOMAIN.com>; Wed,  9 Apr 2014 12:16:34 -0500 (CDT)
    Apr  9 12:16:34 mail amavis[30525]: (30525-02) Checking: QYtYK-KSswHK [116.127.80.21] <c99ba9e7@neps.ch> -> <c99ba9e7@MYDOMAIN.com>
    Apr  9 12:16:38 mail postfix/qmgr[15987]: D9484323001: from=<c99ba9e7@neps.ch>, size=43119, nrcpt=1 (queue active)
    Apr  9 12:16:38 mail amavis[30525]: (30525-02) FWD from <c99ba9e7@neps.ch> -> <c99ba9e7@MYDOMAIN.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D9484323001
    Apr  9 12:16:38 mail amavis[30525]: (30525-02) Passed SPAMMY {RelayedTaggedInbound}, [116.127.80.21]:61110 [116.127.80.21] <c99ba9e7@neps.ch> -> <c99ba9e7@MYDOMAIN.com>, Queue-ID: 323AF322FEC, Message-ID: <N0U3RDM2MEU3MEY=DDCD349B71AF42D724@mail.MYDOMAIN.com>, mail_id: QYtYK-KSswHK, Hits: 11.238, size: 42262, queued_as: D9484323001, 4676 ms
    Apr  9 12:16:39 mail postfix/smtp[30949]: connect to mail.neps.ch[88.198.143.220]:25: Connection refused
    Apr  9 12:16:39 mail postfix/smtp[30949]: DA996323003: to=<c99ba9e7@neps.ch>, relay=none, delay=0.15, delays=0/0/0.14/0, dsn=4.4.1, status=deferred (connect to mail.neps.ch[88.198.143.220]:25: Connection refused)
    *Note: c99ba9e7@MYDOMAIN.com is not a valid email address on my server.

    I'm not sure why the message is being accepted and why an email from "mailer-daemon" is being generated bouncing back at the (forged) from address. I've made the "Rejecting false mail from address" changes described here -> Rejecting false "mail from" addresses - Zimbra :: Wiki. This had no impact. I'm getting hit from IPs around the globe - not just one single annoying sender.
    Any ideas anyone can offer would be greatly appreciated!

    --Will
    Last edited by wdimmit; 04-09-2014 at 01:14 PM. Reason: Additional Information
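The pattern in Will's log excerpt can be spotted mechanically: an inbound message is accepted at RCPT for a recipient that does not exist on the server, and a short while later postfix/smtp tries to deliver a bounce to the address that was used as the forged sender. The script below is an added example, not part of the original post or of Zimbra; it parses postfix `smtpd` RCPT lines and `smtp` delivery lines, compares recipients against a constructed list of valid local addresses, and flags outbound deliveries to addresses that were previously seen as senders of mail to non-existent recipients. The sample log is constructed from the post (with MYDOMAIN.com kept as the placeholder), plus one legitimate delivery with an invented queue ID `1234ABCD` and invented addresses so the detector has a negative case.

```python
import re

# Constructed sample log: the two RCPT lines and the deferred bounce from the
# original post, plus one legitimate inbound message and its reply (invented
# addresses, invented queue ID 1234ABCD) as a negative case.
SAMPLE_LOG = """\
Apr  9 12:16:33 mail postfix/smtpd[25171]: NOQUEUE: filter: RCPT from unknown[116.127.80.21]: <c99ba9e7@neps.ch>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<c99ba9e7@neps.ch> to=<c99ba9e7@MYDOMAIN.com> proto=ESMTP helo=<[116.127.80.21]>
Apr  9 12:16:33 mail postfix/smtpd[25171]: NOQUEUE: filter: RCPT from unknown[116.127.80.21]: <c99ba9e7@neps.ch>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<c99ba9e7@neps.ch> to=<c99ba9e7@MYDOMAIN.com> proto=ESMTP helo=<[116.127.80.21]>
Apr  9 12:16:34 mail postfix/qmgr[15987]: 323AF322FEC: from=<c99ba9e7@neps.ch>, size=42262, nrcpt=1 (queue active)
Apr  9 12:16:39 mail postfix/smtp[30949]: DA996323003: to=<c99ba9e7@neps.ch>, relay=none, delay=0.15, delays=0/0/0.14/0, dsn=4.4.1, status=deferred (connect to mail.neps.ch[88.198.143.220]:25: Connection refused)
Apr  9 12:20:01 mail postfix/smtpd[25171]: NOQUEUE: filter: RCPT from unknown[203.0.113.7]: <alice@example.org>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<alice@example.org> to=<will@MYDOMAIN.com> proto=ESMTP helo=<[203.0.113.7]>
Apr  9 12:20:05 mail postfix/smtp[30950]: 1234ABCD: to=<alice@example.org>, relay=mx.example.org[203.0.113.8]:25, delay=0.3, delays=0/0/0.1/0.2, dsn=2.0.0, status=sent (250 Ok)
"""

# Constructed list of mailboxes that actually exist on the server (assumption).
VALID_RECIPIENTS = {"will@MYDOMAIN.com", "postmaster@MYDOMAIN.com"}

# smtpd RCPT lines: who connected, which envelope sender, which local recipient.
RCPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: .*RCPT from (?P<helo>\S+)\[(?P<ip>[\d.]+)\]:"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)
# smtp (client) delivery attempts: queue ID, destination address, final status.
OUT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=\S+, "
    r".*status=(?P<status>\w+)"
)


def analyze(log_text, valid_recipients):
    """Return a list of findings: accepted mail for unknown local users, and
    outbound deliveries that look like bounces to the forged senders."""
    valid = {a.lower() for a in valid_recipients}
    seen = set()               # de-duplicate the per-restriction RCPT log lines
    inbound_invalid = {}       # forged sender -> [(client ip, bogus recipient)]
    findings = []
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if m:
            sender, rcpt = m["sender"].lower(), m["rcpt"].lower()
            key = (m["ip"], sender, rcpt)
            if rcpt in valid or key in seen:
                continue
            seen.add(key)
            inbound_invalid.setdefault(sender, []).append((m["ip"], rcpt))
            findings.append({"kind": "accepted_unknown_recipient", "client": m["ip"],
                             "sender": sender, "recipient": rcpt})
            continue
        m = OUT_RE.search(line)
        if m and m["rcpt"].lower() in inbound_invalid:
            # Our server is now trying to deliver to the address that was used as
            # the sender of mail to a non-existent user: that is the backscatter.
            findings.append({"kind": "backscatter_bounce", "queue_id": m["qid"],
                             "to": m["rcpt"].lower(), "status": m["status"],
                             "triggered_by": inbound_invalid[m["rcpt"].lower()]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, VALID_RECIPIENTS):
        print(f)
```

Run against a real mail.log with the server's actual address list (for example the output of `zmprov -l gaa`), a spike of `backscatter_bounce` findings with `status=deferred` is the queue-clogging symptom described in the post, and the `client` IPs from the `accepted_unknown_recipient` findings show whether the traffic is one sender or many.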

  2. #2
    Join Date
    Nov 2005
    Posts
    63
    Rep Power
    10

    Default

    This problem has continued to get worse, presumably as more bots figure out how to take advantage of my server. I've got a pretty well stock installation here, so I'm really curious if anyone else has encountered this (and what they did about it). Is there any further information I could add to help provide further clues to what might be happening?

    Thanks,
    Will

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Have you looked at any of the suggestions in the wiki article on Improving Anti-spam system? Does your server reject unlisted recipients? What RBLs do you use?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    Join Date
    Mar 2006
    Location
    Beaucaire, France
    Posts
    2,322
    Rep Power
    13

    Default

    Bill, the wiki was wrong about this particular part (the explanations apply to ZCS before 8).

    The correct way for 8.x is:
    Code:
    su - zimbra
    zmlocalconfig -e postfix_smtpd_reject_unlisted_recipient=yes
    zmmtactl restart
    Last edited by Klug; 04-12-2014 at 03:53 AM. Reason: Updated wiki
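Why this setting stops the backscatter: with `reject_unlisted_recipient` the MTA checks the recipient against its local recipient table during the SMTP RCPT TO stage and answers 550, so the sending bot owns the failure and no message is ever queued; without it the message is accepted (250), local delivery fails afterwards, and the only party left to inform is the envelope sender, which is forged. The following is an added illustration, not Zimbra or Postfix code: a small model of that decision for both settings, with the null sender `<>` as the edge case (a bounce is never generated for it, to avoid mail loops). The reply texts are illustrative and the local recipient list is constructed.

```python
LOCAL_DOMAIN = "mydomain.com"                      # assumption: the server's own domain
LOCAL_RECIPIENTS = {"will@mydomain.com", "postmaster@mydomain.com"}   # constructed


def rcpt_stage(recipient, reject_unlisted_recipient):
    """Model the SMTP RCPT TO decision. Returns (reply_code, reply_text)."""
    rcpt = recipient.lower()
    if rcpt.split("@")[-1] != LOCAL_DOMAIN:
        # Not our domain and this is an inbound session: refuse to relay.
        return 554, "5.7.1 Relay access denied"
    if reject_unlisted_recipient and rcpt not in LOCAL_RECIPIENTS:
        # Unknown user is refused while the sender is still connected.
        return 550, "5.1.1 Recipient address rejected: User unknown in local recipient table"
    return 250, "2.1.5 Ok"


def handle_message(sender, recipient, reject_unlisted_recipient):
    """Follow one message through RCPT, queueing and local delivery.
    Returns a dict describing what the server ends up doing."""
    code, text = rcpt_stage(recipient, reject_unlisted_recipient)
    result = {"rcpt_reply": code, "queued": False, "delivered": False, "bounce_to": None}
    if code != 250:
        return result                      # rejected in-session, nothing to bounce
    result["queued"] = True
    if recipient.lower() in LOCAL_RECIPIENTS:
        result["delivered"] = True
        return result
    # Accepted, but no such mailbox: the MTA must now generate a non-delivery
    # report. RFC 5321 forbids bouncing to the null sender, so <> gets none.
    if sender not in ("", "<>"):
        result["bounce_to"] = sender       # this is the backscatter
    return result


if __name__ == "__main__":
    forged = "c99ba9e7@neps.ch"
    bogus = "c99ba9e7@MYDOMAIN.com"
    print("reject_unlisted_recipient=no :", handle_message(forged, bogus, False))
    print("reject_unlisted_recipient=yes:", handle_message(forged, bogus, True))
```

The first call ends with `bounce_to` set to the forged address, which is exactly the deferred delivery to mail.neps.ch in Will's log; the second ends at RCPT with a 550 and nothing queued. Phoenix's question in the previous post is the one that matters here: on an upgraded install the value may still be the old default, so confirm it with `zmlocalconfig postfix_smtpd_reject_unlisted_recipient` before assuming the protection is active.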

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by Klug View Post
    Bill, the wiki is wrong about this particular part (the explanations apply to ZCS before 8).
    Yes, I realise that but I was asking if they are already doing it - if this is an upgraded ZCS I believe that's not changed from the earlier default of being set to "no".
    Last edited by phoenix; 04-12-2014 at 04:31 AM.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.
