The issue is mail spoofing. How do I avoid mail spoofing in Zimbra 8.8.6?
If you are digitally signing all your email and use SPF, you can use SpamAssassin and look at some rules that fired, like DKIM_VALID_AU (signed by a valid author of a domain), and look inside the message for Return-Path, which is the envelope 'from' at the top of every email. Here is one method that is pretty generic and works across most scenarios using SA and Zimbra.
Add this to your /opt/zimbra/data/spamassassin/localrules/sauser.cf after changing the domains in the __SPFSENDER_FROM rule to your domains.
header __SPFSENDER_FROM From =~ /example\.com|example\.net/i
meta SPOOFED_FROM (__SPFSENDER_FROM && !DKIM_VALID_AU)
score SPOOFED_FROM 7
describe SPOOFED_FROM Not DKIM signed
header __RETURNPATH_FROM Return-Path =~ /\@example\.com|\@example\.net/i
meta SPOOFED_FROM_1 (!__RETURNPATH_FROM && __SPFSENDER_FROM && !DKIM_VALID_AU)
score SPOOFED_FROM_1 7
describe SPOOFED_FROM_1 Spoofed Return-Path and From
# whitelist if it's from us (optional)
meta J_WHITELISTUS (!SPOOFED_FROM && __RETURNPATH_FROM && DKIM_VALID_AU)
score J_WHITELISTUS -10
describe J_WHITELISTUS Kludge for mime parser FP
Followed by this:
# su - zimbra
% /opt/zimbra/common/bin/spamassassin --lint
#pickup rule changes
% zmamavisdctl restart
Note: You don't need to wait to see if this works. Save the spoofed email to a file, run it through SA in debug mode, and look at the score and whether this rule fired before doing your zmamavisdctl restart and putting it into production.
I have written more on the subject here on how to test your rules and debug them: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
PS... You might want to re-think your topic title and re-edit this title because "spam issue" is a little generic.
How about something like "Stopping Forged or Spoofed email?" to help others in the future. After you have a working solution, prepend "Solved:" in front of your topic title by re-editing the topic title again.
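
The meta rules from the answer above, modelled in Python as an added example (not part of the original post and not SpamAssassin's own code), to show which rules fire and what total score results for four constructed messages. The `dkim_valid_au` flag is an assumption standing in for SpamAssassin's DKIM_VALID_AU result, and all addresses are constructed.

```python
import re
from email import message_from_string

# Patterns and scores copied from the sauser.cf rules in the post.
SPFSENDER_FROM = re.compile(r"example\.com|example\.net", re.I)
RETURNPATH_FROM = re.compile(r"\@example\.com|\@example\.net", re.I)
SCORES = {"SPOOFED_FROM": 7, "SPOOFED_FROM_1": 7, "J_WHITELISTUS": -10}


def evaluate(raw_message, dkim_valid_au):
    """Return (fired_rules, total_score) for one raw message.

    dkim_valid_au stands in for SpamAssassin's DKIM_VALID_AU result; real
    DKIM verification needs DNS, so the caller supplies it (assumption).
    """
    msg = message_from_string(raw_message)
    spf_from = bool(SPFSENDER_FROM.search(msg.get("From", "")))
    rp_from = bool(RETURNPATH_FROM.search(msg.get("Return-Path", "")))
    spoofed_from = spf_from and not dkim_valid_au
    hits = {
        "SPOOFED_FROM": spoofed_from,
        "SPOOFED_FROM_1": (not rp_from) and spf_from and not dkim_valid_au,
        "J_WHITELISTUS": (not spoofed_from) and rp_from and dkim_valid_au,
    }
    fired = [name for name, hit in hits.items() if hit]
    return fired, sum(SCORES[name] for name in fired)


def make(return_path, from_addr):
    """Build a minimal constructed message with the two headers the rules read."""
    return (f"Return-Path: <{return_path}>\nFrom: {from_addr}\n"
            "Subject: test\n\nbody\n")


# Constructed samples: (raw message, DKIM_VALID_AU outcome).
SAMPLES = {
    "own domain, signed": (make("alice@example.com", "alice@example.com"), True),
    "forged From, foreign envelope": (make("x@bulk.invalid", "ceo@example.com"), False),
    "forged From and envelope": (make("ceo@example.com", "ceo@example.com"), False),
    "outside sender": (make("bob@other.invalid", "bob@other.invalid"), False),
}

if __name__ == "__main__":
    for label, (raw, dkim) in SAMPLES.items():
        fired, total = evaluate(raw, dkim)
        print(f"{label:32} {total:4}  {', '.join(fired) or '-'}")
```

When the Return-Path is foreign, both SPOOFED_FROM and SPOOFED_FROM_1 fire, so the two scores add up to 14 for that message.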