Thread: [SOLVED] Mail addresses get spoofed

  1. #1
    Join Date
    Apr 2008
    Hout Bay, South Africa
    Rep Power

    [SOLVED] Mail addresses get spoofed

    Hi everybody!

    I am pretty new to Zimbra and have a strange problem. We are running Zimbra 5.0.4 on a Suse ES 10.1 server in our company, and for a few days we have been receiving mails like this one:

    Received: from (LHLO )
     (196.*.*.*) by with LMTP; Thu, 24 Apr 2008 06:46:43
     +0200 (SAST)
    Received: from localhost (localhost.localdomain [])
    	by  (Postfix) with ESMTP id B155D9B0A8A
    	for; Thu, 24 Apr 2008 06:46:43 +0200 (SAST)
    X-Virus-Scanned: amavisd-new at 
    X-Spam-Flag: NO
    X-Spam-Score: -0.642
    X-Spam-Status: No, score=-0.642 tagged_above=-10 required=4
    	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
    Received: from ([])
    	by localhost (  []) (amavisd-new, port 10024)
    	with ESMTP id 13rpIb38YlIB for;
    	Thu, 24 Apr 2008 06:46:42 +0200 (SAST)
    Received: from ( [])
    	by (Postfix) with ESMTP id EDE169B0AC2
    	for; Thu, 24 Apr 2008 06:46:40 +0200 (SAST)
    Received: from localhost (localhost)
    	by (8.12.9/8.12.9) id m3O4N3vf027424;
    	Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
    	(envelope-from MAILER-DAEMON)
    Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
    From: Mail Delivery Subsystem
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    Subject: Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)
    This is a MIME-encapsulated message
    The original message was received at Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
    from [] (may be forged)
       ----- The following addresses had permanent fatal errors -----
       ----- Transcript of session follows ----- Deferred
    Message could not be delivered for 2 days
    Message will be deleted from queue
    Content-Type: message/delivery-status
    Reporting-MTA: dns;
    Arrival-Date: Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
    Final-Recipient: RFC822;
    Action: failed
    Status: 4.4.7
    Last-Attempt-Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
    Content-Type: message/rfc822
    Received: from ( [] (may be forged))
    	by (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
    	for; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
    Message-ID: <000501c8a430$04238eaa$d54c7b99@tkpewh>
    Subject: =?koi8-r?B?7sEg68nQ0iDOwSDLwc7Jy9XM2Q==?=
    Date: Tue, 22 Apr 2008 02:36:46 +0000
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
    This is a multi-part message in MIME format.

    To me it looks like someone spoofs our client's mail address ( and sends anything to which obviously doesn't exist. That's why our client gets a reply from which tells that the mail could not be delivered.

    In this case, just one client receives such a reply, but most of the time some of our distribution lists get spoofed and a lot of our people in the company get such replies. And most of the time this happens nearly twice a minute, so we really receive a lot of them.

    Our idea to prevent this was to set up a Sender Policy Framework. Therefore, we added a TXT record to our nameserver and entered "v=spf1 +a -all" but it didn't work either.

    At this point we are completely stuck and don't really know what else we could do. It would be great if one of you has an idea how we can fix that. Thanks very much.


  2. #2
    Join Date
    Oct 2005
    Rep Power

    There is not much you can do

    We get some of the same thing here (it is in fact not a Zimbra issue, it is a general mail and spam issue).

    I have to answer questions from my users every so often about something like this.

    SPF won't fix the problem as many sites don't bother to use SPF on their inbound mail (we don't, we use can-it to keep the spam to a manageable level).

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Vannes, France
    Rep Power


    It's commonly known as backscatter spam. Someone sends an email to a mail server with a forged header of the intended target (you) and when the mail finally gets bounced as undeliverable it gets returned to the original (spoofed header address i.e. you) sender.

    There was a thread recently that has some tips for catching backscatter spam with spamassassin, search the forums for the thread.


    Acompli: A new adventure for Co-Founder KevinH.
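
The backscatter pattern described in post #3 can be recognised from the bounce itself, because the original message embedded in the delivery report never passed through your own server. The sketch below is an added example, not code from the thread or from Zimbra or SpamAssassin; the relay name `mail.example.com` and every host and address in the sample are assumed placeholders.

```python
import email
from email import policy

# Assumed (hypothetical) hostname our outbound mail is relayed through.
OUR_RELAYS = {"mail.example.com"}

# Constructed bounce modelled on post #1; all hosts/addresses are placeholders.
SAMPLE_DSN = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.remote.example>
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: RFC822; nobody@remote.example
Action: failed
Status: 4.4.7
--b1
Content-Type: message/rfc822

Received: from unknown.example ([192.0.2.7] (may be forged))
\tby mx.remote.example with ESMTP id EXAMPLE1
From: user@example.com
Subject: test

body
--b1--
"""

def embedded_original(msg):
    """Return the message carried inside a delivery-status report, else None."""
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type", "").lower() != "delivery-status"):
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def classify(raw):
    """'backscatter' when the bounced original never passed through our relays."""
    msg = email.message_from_string(raw, policy=policy.default)
    orig = embedded_original(msg)
    if orig is None:
        return "not-a-bounce"
    hops = " ".join(orig.get_all("Received", [])).lower()
    return "genuine-bounce" if any(r in hops for r in OUR_RELAYS) else "backscatter"
```

The `Received` lines inside the embedded copy can themselves be forged, and some bounces carry no copy of the original at all, so the result is better used as a scoring signal than as a hard reject.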

  4. #4
    Join Date
    Apr 2008
    Hout Bay, South Africa
    Rep Power


    Quote Originally Posted by phoenix View Post
    There was a thread recently that has some tips for catching backscatter spam with spamassassin, search the forums for the thread.
    Thank you! I found the thread and will give it a try.

