Backscatter NDR spam messages received with clear original spam message attachment

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
arnisraido
Posts: 20
Joined: Sat Sep 13, 2014 1:44 am

Backscatter NDR spam messages received with clear original spam message attachment

Postby arnisraido » Mon Sep 16, 2013 3:15 am

I am running ZCS version: Release 8.0.1.GA.5438.UBUNTU12.64 UBUNTU12_64 FOSS edition.
Last week I started to receive a lot of NDRs (~1 per minute) from different XYZ servers. The original message always comes from one ZZZ spamming host, but of course I cannot control it.
Almost all messages have the "original" spam message attached, often already marked as spam on the receiving XYZ server. But Zimbra antispam does not check/mark them as spam!
I know there is little to do in fighting backscatter spam, but I need at least to understand why or why not Zimbra checks attachments, but cannot mark them as spam?
Few examples in attachments:

message1.txt
message2.txt

arnisraido
Posts: 20
Joined: Sat Sep 13, 2014 1:44 am

Backscatter NDR spam messages received with clear original spam message attachment

Postby arnisraido » Tue Sep 17, 2013 4:25 am

Anyone? Can someone give some advice?
phoenix
Ambassador
Posts: 26677
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Backscatter NDR spam messages received with clear original spam message attachment

Postby phoenix » Tue Sep 17, 2013 4:35 am

What have you tried to actually combat NDR spam? There are several things you can do: check the wiki article on improving the anti-spam system and implement cbpolicyd to reject SPF failures (for example), and there are several threads in the forums on the subject. Have you read them?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
arnisraido
Posts: 20
Joined: Sat Sep 13, 2014 1:44 am

Backscatter NDR spam messages received with clear original spam message attachment

Postby arnisraido » Tue Sep 17, 2013 4:51 am

The problem is: Server A sends mail with a forged "from" of our address to Server B, server B bounces an NDR back to the "from" address, and the NDR comes to our server C.
I have

  • added SPF to our domain
  • upgraded ClamAV to the latest version (manually!)
  • enabled cbpolicyd
  • contacted the ISP who hosts "spamming" server A, but they still did nothing, only contacted the server owner.

Maybe I have an incorrect configuration somewhere, but this problem hits only one e-mail account. Nothing seems to help a lot.

If receiver server B does not check SPF, then it's helpless, right?

And I think cbpolicyd will not help a lot if server B has a correct host/IP, right?

1) Why does antispam not check, or have a low hit value for, an attachment, even if it's completely spam?

2) How can I check the original message's source server with antispam in any way? (There is only one original source server that is sending this spam.)

3) I have enabled cbpolicyd; the log files look like:

[2013/09/17-12:44:25 - 27677] [CORE] INFO: Killing "1" children
[2013/09/17-12:44:44 - 4542] [CBPOLICYD] INFO: Got request #35 (pipelined)
[2013/09/17-12:45:31 - 30045] [CBPOLICYD] INFO: Got request #6 (pipelined)
[2013/09/17-12:45:35 - 11592] [CBPOLICYD] WARNING: Client closed connection => Peer: 127.0.0.1:38211, Local: 127.0.0.1:10031
[2013/09/17-12:45:35 - 27677] [CORE] INFO: Killing "1" children
[2013/09/17-12:45:38 - 4542] [CBPOLICYD] INFO: Got request #36 (pipelined)
[2013/09/17-12:45:40 - 4542] [CBPOLICYD] INFO: Got request #37 (pipelined)
[2013/09/17-12:45:41 - 30045] [CBPOLICYD] INFO: Got request #7 (pipelined)
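The A/B/C chain described in the post above has one useful consequence for the defender: every backscatter NDR wraps a message that our own MTA never sent. The following is an added example, not code from this thread or from Zimbra, showing how that property can be checked with nothing but the Python standard library. It parses an NDR, pulls out the returned original and classifies the bounce as backscatter when neither the original's Message-ID domain nor its Received chain points at one of our relays. OUR_DOMAIN, OUR_RELAYS, the host names and both sample NDRs are constructed placeholders.

```python
"""Flag backscatter NDRs by inspecting the returned original message.

Added example (not from the thread or from Zimbra). A genuine bounce wraps
a message our MTA really sent, so the embedded original should carry our
Message-ID domain and/or show one of our relays in its Received chain. An
NDR whose embedded original has neither was triggered by a forged envelope
sender, i.e. it is backscatter. All names and samples here are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OUR_DOMAIN = "example.org"          # assumption: the domain being forged
OUR_RELAYS = {"mail.example.org"}    # assumption: our own outbound MTA hostnames


def parse(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern (policy.default) API."""
    return email.message_from_string(raw, policy=policy.default)


def is_bounce(msg: EmailMessage) -> bool:
    """Heuristic: a DSN container type, or a MAILER-DAEMON sender."""
    if msg.get_content_type() == "multipart/report":
        return True
    return str(msg.get("From", "")).lower().startswith("mailer-daemon")


def extract_original(bounce: EmailMessage):
    """Return the original message embedded in an NDR, or None.

    Most MTAs attach it as message/rfc822; some return only the headers as
    text/rfc822-headers, which is re-parsed so both cases look alike.
    """
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()      # list holding one EmailMessage
            return payload[0] if isinstance(payload, list) else payload
        if ctype == "text/rfc822-headers":
            return parse(part.get_content())
    return None


def _is_our_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def original_came_from_us(orig: EmailMessage) -> bool:
    """True if the Message-ID domain or the Received chain names our MTA."""
    m = re.search(r"@([^>\s]+)", str(orig.get("Message-ID", "")))
    if m and _is_our_domain(m.group(1)):
        return True
    received = [str(h) for h in orig.get_all("Received", [])]
    return any(re.search(r"\bfrom\s+" + re.escape(relay) + r"\b", h, re.I)
               for h in received for relay in OUR_RELAYS)


def classify(raw: str) -> str:
    """Return 'not a bounce', 'legitimate bounce' or 'backscatter'."""
    msg = parse(raw)
    if not is_bounce(msg):
        return "not a bounce"
    orig = extract_original(msg)
    # An NDR with no trace of what was sent cannot be verified; treat it like
    # backscatter rather than trusting the bouncing server's word for it.
    if orig is None or not original_came_from_us(orig):
        return "backscatter"
    return "legitimate bounce"


def sample_ndr(received: str, message_id: str) -> str:
    """Build a constructed multipart/report NDR around a returned original."""
    return f"""\
From: MAILER-DAEMON@mx.recipient.invalid
To: user@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.recipient.invalid. Delivery failed.

--B1
Content-Type: message/rfc822

Received: {received}
From: user@example.org
To: victim@recipient.invalid
Subject: test
Message-ID: {message_id}

body
--B1--
"""


# Constructed samples: an original our MTA never saw, and one it really relayed.
BACKSCATTER_NDR = sample_ndr(
    "from spam-host.invalid (unknown [198.51.100.23]) by mx.recipient.invalid",
    "<20130916.abc@spam-host.invalid>")
LEGIT_NDR = sample_ndr(
    "from mail.example.org (mail.example.org [203.0.113.5]) by mx.recipient.invalid",
    "<20130917.1@mail.example.org>")

if __name__ == "__main__":
    for name, raw in (("backscatter sample", BACKSCATTER_NDR), ("legit sample", LEGIT_NDR)):
        print(f"{name}: {classify(raw)}")
```

The Received check deliberately matches only a `from <relay>` clause, so a bouncing server that merely mentions our hostname elsewhere in the header does not pass; the Message-ID check is the weaker of the two, since a forger who copies our Message-ID style defeats it, which is why both are combined with "or" on the accept side and the NDR is rejected only when both fail.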

phoenix
Ambassador
Posts: 26677
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Backscatter NDR spam messages received with clear original spam message attachment

Postby phoenix » Tue Sep 17, 2013 5:29 am

[quote user="arnisraido"]The problem is: Server A sends mail with forged "from" our address to Server B, and server B bounces back NDR to "from" address, and NDR comes to our server C.[/quote]
I do actually understand what NDR spam is. ;)
[quote user="arnisraido"]I have
  • added spf to our domain
  • upgraded clamav to latest version (manually!)
  • enabled cbpolicyd
  • contacted ISP who hosts "spamming" server A, but they still did nothing only contacted server owner.
[/quote]
Yes, but have you actually configured cbpolicyd to reject SPF failures? One of the headers you posted had that problem even though it came from Google.
I asked if you'd read any of the other threads or wiki articles on this topic; have you? There are also details on the Postfix site about NDR spam; have you read those?
BTW, you really should move from your installed version of ZCS: it has the possibility of corruption in the LDAP DB. I expect 8.0.5 to be out shortly and I'd suggest you wait for that, as it also has changes to the anti-spam system that may help your problem. Meanwhile, make sure you have adequate backups of your ZCS installation.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra