Hi everybody!

I am pretty new to Zimbra and have a strange problem. We are running Zimbra 5.0.4 on a Suse ES 10.1 server in our company and since a few days we receive mails like this one:

Received: from zimbra.mailserver.com (LHLO zimbra.mailserver.com )
 (196.*.*.*) by zimbra.mailserver.com with LMTP; Thu, 24 Apr 2008 06:46:43
 +0200 (SAST)
Received: from localhost (localhost.localdomain [])
	by zimbra.mailserver.com  (Postfix) with ESMTP id B155D9B0A8A
	for info@company.co.za; Thu, 24 Apr 2008 06:46:43 +0200 (SAST)
X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: NO
X-Spam-Score: -0.642
X-Spam-Status: No, score=-0.642 tagged_above=-10 required=4
	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001,
Received: from zimbra.mailserver.com ([])
	by localhost (zimbra.mailserver.com  []) (amavisd-new, port 10024)
	with ESMTP id 13rpIb38YlIB for info@company.co.za;
	Thu, 24 Apr 2008 06:46:42 +0200 (SAST)
Received: from PulseOld.CyberPulse.ru (mail3.cyberpulse.ru [])
	by zimbra.mailserver.com (Postfix) with ESMTP id EDE169B0AC2
	for info@company.co.za; Thu, 24 Apr 2008 06:46:40 +0200 (SAST)
Received: from localhost (localhost)
	by PulseOld.CyberPulse.ru (8.12.9/8.12.9) id m3O4N3vf027424;
	Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
	(envelope-from MAILER-DAEMON)
Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)
From: Mail Delivery Subsystem MAILER-DAEMON@PulseOld.CyberPulse.ru
Message-Id: 200804240442.m3O4N3vf027424@PulseOld.CyberPulse.ru
To: info@company.co.za
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message


The original message was received at Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
from [] (may be forged)

   ----- The following addresses had permanent fatal errors -----

   ----- Transcript of session follows -----
eam@jamstation.ru... Deferred
Message could not be delivered for 2 days
Message will be deleted from queue

Content-Type: message/delivery-status

Reporting-MTA: dns; PulseOld.CyberPulse.ru
Arrival-Date: Tue, 22 Apr 2008 08:21:12 +0400 (MSD)

Final-Recipient: RFC822; eam@jam-station.ru
Action: failed
Status: 4.4.7
Last-Attempt-Date: Thu, 24 Apr 2008 08:42:07 +0400 (MSD)

Content-Type: message/rfc822

Return-Path: info@company.co.za
Received: from ( [] (may be forged))
	by PulseOld.CyberPulse.ru (8.12.9/8.12.9) with ESMTP id m3M4LAdY067633
	for eam@jamstation.ru; Tue, 22 Apr 2008 08:21:12 +0400 (MSD)
	(envelope-from info@company.co.za)
Message-ID: <000501c8a430$04238eaa$d54c7b99@tkpewh>
From: info@company.co.za
To: eam@jamstation.ru
Subject: =?koi8-r?B?7sEg68nQ0iDOwSDLwc7Jy9XM2Q==?=
Date: Tue, 22 Apr 2008 02:36:46 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

For me it looks like someone spoofes our clients mail address (info@company.co.za) and sends anything to eam@jamstation.ru which obviously doesn't exist. That's why our client gets a reply from MAILER-DAEMON@PulseOld.CyberPulse.ru which tells that the mail could not be delivered.

In this case, just one client receives such a reply, but most of the time some of our distribution lists got spoofed and a lot of our people in the company get such replys. And most of the time this happens nearly twice a minute, so we really receive a lot of them.

Our idea to prevent this was to set up a Sender Policy Framework. Therefore, we added a TXT record to our nameserver and entered "v=spf1 +a zimbra.mailserver.com -all" but it didn't work either.

At this point we are completely stuck and don't really know what else we could do. It would be great if someone of you has an idea how we can fix that. Thanks very much.