[SOLVED] Mail addresses get spoofed
I am pretty new to Zimbra and have a strange problem. We are running Zimbra 5.0.4 on a Suse ES 10.1 server in our company, and for a few days we have been receiving mails like this one:
Received: from zimbra.mailserver.com (LHLO zimbra.mailserver.com )
(196.*.*.*) by zimbra.mailserver.com with LMTP; Thu, 24 Apr 2008 06:46:43
Received: from localhost (localhost.localdomain [127.0.0.1])
by zimbra.mailserver.com (Postfix) with ESMTP id B155D9B0A8A
for firstname.lastname@example.org; Thu, 24 Apr 2008 06:46:43 +0200 (SAST)
X-Virus-Scanned: amavisd-new at
X-Spam-Status: No, score=-0.642 tagged_above=-10 required=4
tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
Received: from zimbra.mailserver.com ([127.0.0.1])
by localhost (zimbra.mailserver.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 13rpIb38YlIB for email@example.com;
Thu, 24 Apr 2008 06:46:42 +0200 (SAST)
Received: from PulseOld.CyberPulse.ru (mail3.cyberpulse.ru [126.96.36.199])
by zimbra.mailserver.com (Postfix) with ESMTP id EDE169B0AC2
for firstname.lastname@example.org; Thu, 24 Apr 2008 06:46:40 +0200 (SAST)
Received: from localhost (localhost)
by PulseOld.CyberPulse.ru (8.12.9/8.12.9) id m3O4N3vf027424;
Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
From: Mail Delivery Subsystem MAILER-DAEMON@PulseOld.CyberPulse.ru
Content-Type: multipart/report; report-type=delivery-status;
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
This is a MIME-encapsulated message
The original message was received at Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
from 188.8.131.52.board.xm.fj.dynamic.163data.com.cn [184.108.40.206] (may be forged)
----- The following addresses had permanent fatal errors -----
----- Transcript of session follows -----
Message could not be delivered for 2 days
Message will be deleted from queue
Reporting-MTA: dns; PulseOld.CyberPulse.ru
Arrival-Date: Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
Final-Recipient: RFC822; email@example.com
Last-Attempt-Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
Received: from 220.127.116.11.board.xm.fj.dynamic.163data.com.cn (18.104.22.168.board.xm.fj.dynamic.163data.com.cn [22.214.171.124] (may be forged))
by PulseOld.CyberPulse.ru (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
for firstname.lastname@example.org; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
Date: Tue, 22 Apr 2008 02:36:46 +0000
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
This is a multi-part message in MIME format.
For me it looks like someone spoofs our client's mail address (email@example.com) and sends anything to firstname.lastname@example.org, which obviously doesn't exist. That's why our client gets a reply from MAILER-DAEMON@PulseOld.CyberPulse.ru which tells that the mail could not be delivered.
In this case, just one client receives such a reply, but most of the time some of our distribution lists get spoofed and a lot of our people in the company get such replies. And most of the time this happens nearly twice a minute, so we really receive a lot of them.
Our idea to prevent this was to set up a Sender Policy Framework. Therefore, we added a TXT record to our nameserver and entered "v=spf1 +a zimbra.mailserver.com -all" but it didn't work either.
At this point we are completely stuck and don't really know what else we could do. It would be great if someone of you has an idea how we can fix that. Thanks very much.
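The post's own reading of the headers (a forged sender, a bounce from the remote MTA) is the backscatter pattern, and a receiving site can recognise it mechanically: the message is a delivery status notification, and the original message it reports on entered the remote MTA from a host that is not one of the domain's own mail servers. The following script is an added example, not code from the post or from Zimbra. It runs that check over a constructed sample assembled from the headers quoted above (only the folding is normalised), and also parses the SPF record the poster tried: a bare hostname is not a valid term in the RFC 4408 grammar (the form is `a:zimbra.mailserver.com`), and a record with an unknown term evaluates to PermError at every site that does check it. `OUR_MTAS`, `OUR_IPS`, the function names and the MIME boundary are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample: the outer headers of the bounce as the Zimbra box received
# it, taken from the forum post with the folding normalised.  The boundary
# parameter is invented; the post does not show it.
BOUNCE = """\
Received: from PulseOld.CyberPulse.ru (mail3.cyberpulse.ru [126.96.36.199])
\tby zimbra.mailserver.com (Postfix) with ESMTP id EDE169B0AC2
\tfor firstname.lastname@example.org; Thu, 24 Apr 2008 06:46:40 +0200 (SAST)
Received: from localhost (localhost)
\tby PulseOld.CyberPulse.ru (8.12.9/8.12.9) id m3O4N3vf027424;
\tThu, 24 Apr 2008 08:42:07 +0400 (MSD)
From: Mail Delivery Subsystem <MAILER-DAEMON@PulseOld.CyberPulse.ru>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="constructed-boundary"

"""

# Constructed sample: the headers of the original message carried inside the DSN,
# again taken from the post.
ORIGINAL = """\
Received: from 220.127.116.11.board.xm.fj.dynamic.163data.com.cn
\t(18.104.22.168.board.xm.fj.dynamic.163data.com.cn [22.214.171.124] (may be forged))
\tby PulseOld.CyberPulse.ru (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
\tfor firstname.lastname@example.org; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
Date: Tue, 22 Apr 2008 02:36:46 +0000
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

"""

# Assumed: the hosts that legitimately send mail for the domain.  The post names
# only zimbra.mailserver.com and masks its public address (196.*.*.*).
OUR_MTAS = {"zimbra.mailserver.com"}
OUR_IPS = set()

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into claimed HELO name, first bracketed IP and receiving host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(value)
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")}


def is_dsn(msg):
    """True for a delivery status notification (RFC 3464 report or auto-generated failure)."""
    delivery_report = (msg.get_content_type() == "multipart/report"
                       and msg.get_param("report-type", "") == "delivery-status")
    auto = msg.get("Auto-Submitted", "").lower()
    return delivery_report or auto.startswith("auto-generated")


def injection_point(original_headers):
    """Earliest Received line of the original message: where the remote MTA first saw it."""
    received = message_from_string(original_headers).get_all("Received") or []
    return parse_received(received[-1]) if received else None


def classify_bounce(bounce_text, original_text, our_mtas=OUR_MTAS, our_ips=OUR_IPS):
    """Return 'not-a-dsn', 'unverifiable', 'legitimate-bounce' or 'backscatter'."""
    if not is_dsn(message_from_string(bounce_text)):
        return "not-a-dsn"
    origin = injection_point(original_text)
    if origin is None:
        return "unverifiable"
    if origin["helo"].lower() in our_mtas or origin["ip"] in our_ips:
        return "legitimate-bounce"
    # The remote MTA accepted the original from a host that is not ours:
    # the envelope sender was forged and this DSN is backscatter.
    return "backscatter"


# Known mechanisms (with optional qualifier and argument) or a name=value modifier.
SPF_TERM_RE = re.compile(
    r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)(?:[:/].*)?$|^[a-z][a-z0-9_.-]*=", re.I)


def spf_syntax_errors(record):
    """Terms that are neither a mechanism nor a modifier; any such term makes the record PermError."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 version tag"]
    return [t for t in terms[1:] if not SPF_TERM_RE.match(t)]


if __name__ == "__main__":
    print("bounce:", classify_bounce(BOUNCE, ORIGINAL), "origin:", injection_point(ORIGINAL))
    for rec in ("v=spf1 +a zimbra.mailserver.com -all", "v=spf1 a:zimbra.mailserver.com -all"):
        print(rec, "->", spf_syntax_errors(rec) or "syntactically valid")
```

Even a syntactically valid record only helps to the extent that the remote site evaluates SPF when it accepts the forged message; the bounces themselves arrive with an empty envelope sender, so nothing in the poster's own SPF record is consulted when they come in.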
There is not much you can do
We get some of the same thing here (it is in fact not a Zimbra issue, it is a general mail and spam issue).
I have to answer questions from my users every so often about something like this.
SPF won't fix the problem as many sites don't bother to use SPF on their inbound mail (we don't, we use can-it to keep the spam to a manageable level).