Backscatter? MisConfiguration? Educational!

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
tonyg
Posts: 49
Joined: Fri Mar 16, 2018 5:25 pm
Location: USA
ZCS/ZD Version: 8.8.12.GA.3794.UBUNTU18.64 FOSS
Contact:

Backscatter? MisConfiguration? Educational!

Postby tonyg » Thu Nov 28, 2019 2:20 am

I received a "mail failure" email with the info below. I think someone might be sending mail with crafted headers. The receiving server, mail.ru, may not be checking it. So mail.ru sends a message back to me, where I'm like "I didn't send this...".

I was originally thinking this whole email could have been a spoof. But based on the headers, the bounce message itself "account is disabled" looks legit. So I'm sure the mail I got came From them. The questions are, how did email get To them? And, is anything here worth my/our concern?

Code: Select all

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  zzzzzz@mail.ru
    account is disabled

------ This is a copy of the message, including all the headers. ------

Return-path: <info@mydomain.tld>
Received-SPF: pass (mx44.mail.ru: domain of mydomain.tld designates 190.119.240.999 as permitted sender) client-ip=190.119.240.999; envelope-from=info@mydomain.tld; helo=cBy3P4k;
Received: from [190.119.240.999] (port=43188 helo=cBy3P4k)
   by mx44.mail.ru with esmtp (envelope-from <info@mydomain.tld>)
   id 1iZh3o-0004I3-Tx; Tue, 26 Nov 2019 23:03:46 +0300
Message-ID: <z4Fw0776yS9KwAItic0Du.732a22orHAT90T9DIx34Yv@gmail.com>
From: =?utf-zzzzzzz?= <info@mydomain.tld>
Reply-To: =?utf-zzzzzz?= <info@mydomain.tld>
To: zzzzzzzzzzzz@mail.ru
Subject: =?utf-zzzzz?=
Date: Tue, 26 Nov 2019 21:03:32 +0300
Organization: Vtcvm
MIME-Version: 1.0
...
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5675
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5675
...
X-Mailru-Dmarc-Auth: dmarc=pass header.from=info@mydomain.tld
X-Mras: PROBABLE_SPAM
X-Spam: undefined
Authentication-Results: mxs.mail.ru; spf=pass (mx44.mail.ru: domain of mydomain.tld designates 190.119.240.106 as permitted sender) smtp.mailfrom=info@mydomain.tld smtp.helo=cBy3P4k; dmarc=pass header.from=info@mydomain.tld

What got me concerned are these headers in the message sent To mail.ru :

Code: Select all

"Received-SPF: pass (mx44.mail.ru: domain of mydomain.tld designates 190.119.240.999 as permitted sender)".
X-Mailru-Dmarc-Auth: dmarc=pass header.from=info@mydomain.tld
Authentication-Results: mxs.mail.ru; spf=pass (mx44.mail.ru: domain of mydomain.tld designates 190.119.240.106 as permitted sender) smtp.mailfrom=info@mydomain.tld smtp.helo=cBy3P4k; dmarc=pass header.from=info@mydomain.tld

That is not true. My server is not in the 190.119 block. That IP is registered to a company in Peru, and I'm in the USA. My SPF, DKIM, and DMARC have been verified by different public services. I just rechecked and neither mydomain.tld nor the Zimbra server domain reference that IP range in any way.

The original Message-ID shows @gmail.com. It looks to me like someone at that IP address, in Peru, using MS Outlook Express (or a script that included such headers) sent a Gmail with mymdomain.tld as the From. I'm not relaying through Gmail. Gmail doesn't use that IP block. It looks to me like the sender injected that Received-SPF and Authentication-Results headers themselves.

But would Gmail SMTP accept a payload with a "Received-SPF" header?
Doesn't mail.ru check SPF for mail sent through them? ( I believe the answer to that would be "ROFLMAO". )

I tried to search for the "Organization: Vtcvm" text to see if I could find other evidence of this being used by spammers. That does not reference the Peru company, does not reference anything related to my servers.


So coming back to the questions...

While I don't believe this came from my Zimbra server, I'm hoping for some evidence-based reassurance.

If it did somehow come from my server, then I'm hoping this thread can be educational for myself and others.

Whether or not it came from my server, is there any reason to be concerned that mail.ru Thinks it came from me? I'm thinking they may report spam to RBLs like other hosts, and without being involved in any way I might find my server on a blacklist. I actually am on one right now and am trying to figure out how that happened, given that pretty much all of my mail from all domains on this Zimbra server is still only internal.

And finally (really? ;) ) If this is really just backscatter from mail.ru which is probably allowing anything to/from their servers, can someone recommend a spam rule or other option to help avoid these? I'd be fine blacklisting anything from .ru, but that one-off answer to this problem isn't a good solution to the scenario in general.

Thanks for your time!


Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 14 guests