Spam comes from local mailboxes, but from external ip addresses.

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
xmana
Posts: 12
Joined: Tue Mar 21, 2017 12:58 pm

Spam comes from local mailboxes, but from external ip addresses.

Postby xmana » Fri Nov 22, 2019 1:06 pm

Hello people!

Please help me deal with the problem.
Recently, spam has begun to arrive, where the sender and recipient are users of our mail server.
Letters come from outside, there is no mention of authorization anywhere.
That is, a letter arrives from outside with the local address of the sender.
But the sender's host does not pass authorization, is not included in the "white" lists, all security settings are made.
How is this possible and where to look for a reason?

The letters contain the following information:
As you can see, the letter came from your account, so I have access to it, ..... transfer money to bitcoin such and such ....

short info:

Code: Select all

[zimbra@mail ~]$ /opt/zimbra/bin/zmcontrol -v
Release 8.8.11_GA_3737.RHEL6_64_20181207111719 RHEL6_64 FOSS edition, Patch 8.8.11_P2.


Code: Select all

[zimbra@mail ~]$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name mail.my.domain
zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/22 external_ip1/29 external_ip2/32 external_ip3/32


SMTP authentication is included,
all SMTP checks are included,
open relay is not available,
DKIM, DMARK, SPF are present...

and all the information that I could find in the logs regarding this letter:

in the letter code:

Code: Select all

Received: from x4e300cc3.dyn.telefonica.de (x4e300cc3.dyn.telefonica.de [78.48.12.195])
   by mail.my.domain (Postfix) with ESMTP id 5A6E05D82289
   for <mailbox@my.domain>; Fri, 22 Nov 2019 01:51:59 +0200 (EET)


IP address 78.48.12.195 is not in the range of allowed addresses in zimbraMtaMyNetworks.

In log files:

Code: Select all

[root@mail log]# grep -bir '78.48.12.195' /var/log/*
/var/log/maillog:107188006:Nov 22 01:51:52 mail postfix/postscreen[6913]: CONNECT from [78.48.12.195]:19337 to [mail_server_internal_ip]:25
/var/log/maillog:107188107:Nov 22 01:51:58 mail postfix/postscreen[6913]: PASS NEW [78.48.12.195]:19337
/var/log/maillog:107188184:Nov 22 01:51:58 mail postfix/smtpd[6918]: connect from x4e300cc3.dyn.telefonica.de[78.48.12.195]
/var/log/maillog:107188281:Nov 22 01:51:59 mail postfix/smtpd[6918]: NOQUEUE: filter: RCPT from x4e300cc3.dyn.telefonica.de[78.48.12.195]: <mailbox@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<mailbox@my.domain> to=<mailbox@my.domain> proto=ESMTP helo=<x4e300cc3.dyn.telefonica.de>
/var/log/maillog:107188544:Nov 22 01:51:59 mail postfix/smtpd[6918]: NOQUEUE: filter: RCPT from x4e300cc3.dyn.telefonica.de[78.48.12.195]: <mailbox@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<mailbox@my.domain> to=<mailbox@my.domain> proto=ESMTP helo=<x4e300cc3.dyn.telefonica.de>
/var/log/maillog:107188807:Nov 22 01:51:59 mail postfix/smtpd[6918]: 5A6E05D82289: client=x4e300cc3.dyn.telefonica.de[78.48.12.195]
/var/log/maillog:107189120:Nov 22 01:52:00 mail postfix/smtpd[6918]: disconnect from x4e300cc3.dyn.telefonica.de[78.48.12.195] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5


Code: Select all

[root@mail log]# grep -bir '78.48.12.195' /opt/zimbra/log/*
...nothing...


Is this a vulnerability of this version of zimbra?

Perhaps a configuration problem?
Then in what?

Tell me where to look, please ...

If necessary, I can provide the current configuration settings, tell me which ones ...

I very much hope for a quick response,
best regards,
Alexander.


valery
Posts: 3
Joined: Sat Apr 13, 2019 6:58 am

Re: Spam comes from local mailboxes, but from external ip addresses.

Postby valery » Fri Nov 22, 2019 5:11 pm

Hi, xmana
I have the same issue. Zimbra Collaboration 8.8.15 Patch-3. Centos6.9
I've done this on my firewall (it's another Centos 7 system) as a temporary decision:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="AA.BB.CC.DD" drop'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="AA.BB.CC.DD" drop'
xmana
Posts: 12
Joined: Tue Mar 21, 2017 12:58 pm

Re: Spam comes from local mailboxes, but from external ip addresses.

Postby xmana » Fri Nov 22, 2019 6:50 pm

valery wrote:Hi, xmana
I have the same issue. Zimbra Collaboration 8.8.15 Patch-3. Centos6.9
I've done this on my firewall (it's another Centos 7 system) as a temporary decision:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="AA.BB.CC.DD" drop'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="AA.BB.CC.DD" drop'


Have a good time of day valery!
Thanks for the reaction to my message ...

I understand that this is not only my problem, and I would very much like to fix it. Since switching to another software will take a lot of time and problems ...
I really would not want this, so I appreciate any help in this matter.

And I would also like to see some information from the developers ...

What you offer, of course, is a solution, but it does not localize the problem.
the problem is that the zimbra harvester skips emails from external ip-addresses without authentication and authorization for unknown reasons.
As far as practice shows, letters pass, provided that the recipient and sender have valid mailboxes of your domain and they are the same ...

on a pure postfix of this problem is not observed ...

it looks like a "hole" in the system Zimbru security.
Perhaps exploit.
I really wanted to hear the opinion of the developers of this program complex.

In the case of solving the problem according to your recommendations, I supposedly looked in the direction of File2Ban ...
Create rules for matching the address of the sender is equivalent to the address of the recipient and block connection.
But in my case, even that is not a solution to the problem.

No matter how much the developer ignores this situation, sooner or later it will lead to the crash of a certain company, not the fact that it works at a free tariff ....
Due to the lack of developer feedback, I’m already seriously considering the options for switching to another, similar mail processor.
For information, I have 7 domains, and about 600 mailboxes / per domain, which requires careful attention to the server, with the maximum allowable downtime from Saturday to Sunday, no more than 20-30 minutes for technical work, not more than once a month.

P.S.:
By the way, if you need help configuring Fayl2Ban ready to help you...
Please contact in PM or here ...
User avatar
zimico
Advanced member
Advanced member
Posts: 184
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3
Contact:

Re: Spam comes from local mailboxes, but from external ip addresses.

Postby zimico » Sat Nov 23, 2019 2:06 am

Basing on info you provied, everything is working as normal. You simply recieved a spam mail having FROM field was modified by spammer. Please have a look at https://imanudin.net/2019/05/23/zimbra- ... not-match/ to know how to filter out this kind of spam.
You can also follow nice guide of Mark here blog.missioncriticalemail.com
Regards,
Minh.
valery
Posts: 3
Joined: Sat Apr 13, 2019 6:58 am

Re: Spam comes from local mailboxes, but from external ip addresses.

Postby valery » Mon Nov 25, 2019 1:31 pm

Hi, zimico and Alexander (xmana) !
Thank you for your answers !

I've got the same spam message like xmana had ("a letter arrives from outside with the local address of the sender").
But in my case Email address of Return-Path and From fields was the same address. A Hacker knows about it.
I've seen it in a original spam letter : "Received: from ip-31-0-120-247.multi.internet.cyfrowypolsat.pl (unknown [31.0.120.247])".
I checked out zimbra log files: "postfix/smtpd[19667]: warning: hostname ip-31-0-120-247.multi.internet.cyfrowypolsat.pl does not resolve to address 31.0.120.247: Name or service not known".

I checked Global settings - MTA settings - DNS checks.
And turned on these settings: reject unknown client hostname and reject unknown sender domain.

P.S. I forgot I have no SPF/DKIM settings on my DNS server.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 8 guests