IP shared in SPAM - Multiple domains

Christovam
Posts: 16
Joined: Thu May 14, 2015 1:55 pm

Post by Christovam »

Good afternoon people. All right?

I have Zimbra installed and working fine. The main domain is mbox.dominiocorp.com.br (fictitious). I have SPF, DKIM, _dmarc and reverse configured and tested. Emails from the domain mbox.dominiocorp.com.br arrive in the inbox.
I added two more domains on top of this Zimbra (dominiocorp3.com.br and dominiocorp4.com.br). Both have had their SPF, DKIM and _dmarc configured, and the reverse of these domains is the IP of the domain mbox.dominiocorp.com.br. All emails from the new domains are going to the spam folder of Gmail, Yahoo and Hotmail. I see in the original message that SPF and DKIM are correct, without errors.

#dig -t txt mbox.domaincorp.com.br
mbox.domaincorp.com.br. 300 IN TXT "v=spf1 mx ip4:177.222.222.222 -all"

#dig -t txt domaincorp3.com.br
domaincorp3.com.br. 84600 IN TXT "v=spf1 a mx ip4:177.222.222.222/29 ~all"

#host mbox.domaincorp.com.br
mbox.domaincorp.com.br has address 177.222.222.222
mbox.domaincorp.com.br mail is handled by 1 mbox.domaincorp.com.br.

#host domaincorp3.com.br
domaincorp3.com.br has address 177.222.222.222
domaincorp3.com.br mail is handled by 10 mail.domaincorp3.com.br.

#host 177.222.222.222
222.222.222.177.in-addr.arpa domain name pointer mbox.domaincorp.com.br

dig -t mx domaincorp3.com.br
domaincorp3.com.br. 83829 IN MX 10 mail.domaincorp3.com.br

dig -t mx mbox.domaincorp.com.br
mbox.domaincorp.com.br. 300 IN MX 1 mbox.domaincorp.com.br.

Could it be some wrong pointing? Maybe I should point the MX of the domain domaincorp3.com.br to mbox.domaincorp.com.br = "domaincorp3.com.br. 83829 IN MX 10 mbox.domaincorp.com.br"?

Could anyone tell me what might be happening? Is it some configuration issue due to the IP being shared? Or are there any additional settings that I need to apply on Zimbra?
Below is an original Gmail header.

Delivered-To: nome@gmail.com
Received: by 10.79.108.10 with SMTP id h10csp4265190ivc;
        Mon, 4 Dec 2017 04:35:18 -0800 (PST)
X-Google-Smtp-Source: AGs4zMa2jsY8Ops41o9CjBfNHTdQWGxZlf0guaVEw6EiVR1SPAUsCWCVligsDlGGitErLD9zoLK+
X-Received: by 10.237.54.138 with SMTP id f10mr19762696qtb.261.1512390918949;
        Mon, 04 Dec 2017 04:35:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1512390918; cv=none;
        d=google.com; s=arc-20160816;
        b=CYlMXZW+XLWea+0CBmxv8cJk3dc/mvixtaq8QeSG6NE7KwGou+KS5AXa7II5FkFQyv
         8HurG3FfgmM00i/PYd0s5ci7YeziPkyHK5h3Om5QDYVHq9GQvUtV56fmbGE4K1hXeIJz
         5m/6d+7kaJaLkyRIMI+lWeCNUhmBO9/S8MIuGueI9Xn1HsbN5gWsybmPLpCJ3/Xj257X
         0p3vekl7s1xw8Gn2Pfi9JykcHVRGpPoJn2aQ/kDYYkBDZ2HuHJggFFP/NgxB7VRctPRb
         esbY7kDFH1kCGFZ4Fu1hehs61yxCQmHpTToSiiP1tE2qUsdySt210+IrXWZwG31aUGkx
         GZsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=thread-topic:thread-index:mime-version:subject:message-id:to:from
         :date:dkim-signature:dkim-filter:arc-authentication-results;
        bh=BxAYQdFKrVKkpmf7NmsPryqGUzkIiY9QC1rDEFkGGG8=;
        b=PlOKQ1kGemhZ4KaqwhNRVvz0LqYdbBO9HGhrRx1CQyfjumTRju6vJUtj+NGPQlR83l
         XOW8Ask+eBFyymsQJzXk6QIOAjTc4Lifdxj37uuWF+EGtG2Ydx0Jk9FpTGejnDIKfgbT
         5CnLhK0S/beZ7+mO2Kwg1sTfs7U1WpomNcGbC7oAoM/QJUJKah3VinmeAB55Wy2A01M/
         q2LIFcmvUhfznaQ0H72UzuFY3+oEi5mnfmpBdRN3Pj5ZgQDCBLYXrXxULQXAwQbz+b1p
         1wDvT9vI7kul8YxBeOwked9VDoOXTfGT7jNrVS2UqW/lTMMcLzBnqMUd8WTtVlJb+B6O
         t/yA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@dominiocorp3.com.br header.s=F20CB098-D5C6-11E7-B174-4512CF52EF43 header.b=ZuHTZ04Y;
       spf=pass (google.com: domain of contato@dominiocorp3.com.br designates 177.222.222.222 as permitted sender) smtp.mailfrom=contato@dominiocorp3.com.br;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=dominiocorp3.com.br
Return-Path: <contato@dominiocorp3.com.br>
Received: from dominiocorp.com.br (dominiocorp.com.br. [177.222.222.222])
        by mx.google.com with ESMTPS id y84si4615226qkb.309.2017.12.04.04.35.17
        for <nome@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 04 Dec 2017 04:35:18 -0800 (PST)
Received-SPF: pass (google.com: domain of contato@dominiocorp3.com.br designates 177.222.222.222 as permitted sender) client-ip=177.222.222.222;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@dominiocorp3.com.br header.s=F20CB098-D5C6-11E7-B174-4512CF52EF43 header.b=ZuHTZ04Y;
       spf=pass (google.com: domain of contato@dominiocorp3.com.br designates 177.222.222.222 as permitted sender) smtp.mailfrom=contato@dominiocorp3.com.br;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=dominiocorp3.com.br
Received: from localhost (localhost [127.0.0.1])
	by dominiocorp.com.br (Postfix) with ESMTP id 68DDB62AA2D8
	for <nome@gmail.com>; Mon,  4 Dec 2017 10:39:49 -0200 (-02)
Received: from dominiocorp.com.br ([127.0.0.1])
	by localhost (dominiocorp.com.br [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id roSjM3coxhj8 for <nome@gmail.com>;
	Mon,  4 Dec 2017 10:39:48 -0200 (-02)
Received: from localhost (localhost [127.0.0.1])
	by dominiocorp.com.br (Postfix) with ESMTP id B3DB262AA2C3
	for <nome@gmail.com>; Mon,  4 Dec 2017 10:39:48 -0200 (-02)
DKIM-Filter: OpenDKIM Filter v2.10.3 dominiocorp.com.br B3DB262AA2C3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dominiocorp3.com.br;
	s=F20CB098-D5C6-11E7-B174-4512CF52EF43; t=1512391188;
	bh=BxAYQdFKrVKkpmf7NmsPryqGUzkIiY9QC1rDEFkGGG8=;
	h=Date:From:To:Message-ID:MIME-Version;
	b=ZuHTZ04YQYv+MDFlTwVR5jXF0lJxvM0DKx2L8IuFwkvtXEwBAeF5gW4snSO9cFWHV
	 F7Q1sFlqGDG1L6VcmNVAxon3aEevCx2uFWPHQJfkRWrpRK0AfgquIf5zmbMK+7SoPt
	 wTHQ2j+giYKZrp1tez5+nplxVW/4yju1grcHqIQh5+xKf8DKKXhRwMW/Y95XjaLG6M
	 rh32W7HcCtqyaiJZENZ+++xVU7oDet1+Jgqv9gTjuwbfsOJZAZUxyxLYBUMMuyBiuu
	 E027VgQl6ivIYjjkaZ8vm4zsZm+4LPxWtJNnq4Rih2zh81Iza1i/uGS/k4SeyrCijn
	 dfl0sXTlLVoYw==
X-Virus-Scanned: amavisd-new at dominiocorp.com.br
Received: from dominiocorp.com.br ([127.0.0.1])
	by localhost (dominiocorp.com.br [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id A6AT9E6pmNAQ for <nome@gmail.com>;
	Mon,  4 Dec 2017 10:39:48 -0200 (-02)
Received: from dominiocorp.com.br (dominiocorp.com.br [192.168.25.240])
	by dominiocorp.com.br (Postfix) with ESMTP id 957A762AA2D8
	for <nome@gmail.com>; Mon,  4 Dec 2017 10:39:48 -0200 (-02)
Date: Mon, 4 Dec 2017 10:39:48 -0200 (BRST)
From: Contato Empresa <contato@dominiocorp3.com.br>
To: nome@gmail.com
Message-ID: <1020247422.9.1512391188537.JavaMail.zimbra@dominiocorp3.com.br>
Subject: email teste
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="=_b992df4c-4618-45c3-b415-8fdea6c8b4d1"
X-Originating-IP: [200.175.75.9]
X-Mailer: Zimbra 8.8.3_GA_1872 (ZimbraWebClient - GC61 (Linux)/8.8.3_GA_1872)
Thread-Index: VB43h77LXtcPL92H+ovIUAN4XbXeBA==
Thread-Topic: email teste

--=_b992df4c-4618-45c3-b415-8fdea6c8b4d1
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Bom dia, tudo bem?=20

Segue um email teste para validar a mensagem...


--=_b992df4c-4618-45c3-b415-8fdea6c8b4d1
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable


--=_b992df4c-4618-45c3-b415-8fdea6c8b4d1--
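
Added example, not part of the original post: a Python sketch that parses the Authentication-Results header quoted above and checks relaxed DMARC alignment of the SPF and DKIM identifiers against header.from, so the authentication verdicts can be confirmed from the header alone. The function names and the one-entry suffix set standing in for the Public Suffix List are assumptions made for illustration.

```python
import re

# Authentication-Results value copied from the Gmail header in the post above.
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@dominiocorp3.com.br "
    "header.s=F20CB098-D5C6-11E7-B174-4512CF52EF43 header.b=ZuHTZ04Y; "
    "spf=pass (google.com: domain of contato@dominiocorp3.com.br designates "
    "177.222.222.222 as permitted sender) "
    "smtp.mailfrom=contato@dominiocorp3.com.br; "
    "dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) "
    "header.from=dominiocorp3.com.br"
)

# Assumption: stand-in for the Public Suffix List, enough for .com.br names.
MULTI_LABEL_SUFFIXES = {"com.br"}


def org_domain(name):
    """Reduce an address or host name to its organizational domain."""
    labels = name.rsplit("@", 1)[-1].strip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_auth_results(value):
    """Return {method: {"result": ..., property: value, ...}}."""
    value = re.sub(r"\([^)]*\)", " ", value)   # drop parenthesised comments
    methods = {}
    for clause in value.split(";")[1:]:        # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = {"result": result.lower(), **props}
    return methods


def dmarc_alignment(methods):
    """Relaxed alignment: which passing identifiers match header.from?"""
    author = org_domain(methods["dmarc"]["header.from"])
    spf, dkim = methods.get("spf", {}), methods.get("dkim", {})
    dkim_id = dkim.get("header.d") or dkim.get("header.i", "")
    return {
        "spf": spf.get("result") == "pass"
        and org_domain(spf.get("smtp.mailfrom", "")) == author,
        "dkim": dkim.get("result") == "pass" and org_domain(dkim_id) == author,
    }


if __name__ == "__main__":
    parsed = parse_auth_results(AUTH_RESULTS)
    print({m: v["result"] for m, v in parsed.items()}, dmarc_alignment(parsed))
```
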

Re: IP shared in SPAM - Multiple domains

Post by Christovam »

Hi!

I've read that the Zimbra antispam itself might be scoring this domain as bad. Is that correct?
By sending an email to check-auth@verifier.port25.com I received the result below.

This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DKIM check:         pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mbox.domaincorp.com.br
Source IP:      177.222.222.222
mail-from:      contato@domaincorp3.com.br

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mailfrom=contato@domaincorp3.com.br

DNS record(s):
    domaincorp3.com.br. 84600 IN TXT "v=spf1 a mx ip4:177.222.222.222/29 ~all"
    domaincorp3.com.br. 84600 IN A 177.222.222.222


----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: contato@domaincorp3.com.br)
ID(s) verified: header.d=domaincorp3.com.br

Canonicalized Headers:
    date:Mon,'20'4'20'Dec'20'2017'20'11:49:34'20'-0200'20'(BRST)'0D''0A'
    from:Contato'20'<contato@domaincorp3.com.br>'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    message-id:<1439689715.27.1512395374444.JavaMail.zimbra@domaincorp3.com.br>'0D''0A'
    mime-version:1.0'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=domaincorp3.com.br;'20's=F20CB098-D5C6-11E7-B174-4512CF52EF43;'20't=1512395374;'20'bh=U5F+QoZOGb1tzKmuK1zKyLEzYn+Oh49MUVSNFp4=;'20'h=Date:From:To:Message-ID:MIME-Version;'20'b=

Canonicalized Body:
    --=_1861ffd8-e8-4c-bcf9-5dfd9b3f392a'0D''0A'
    Content-Type:'20'text/plain;'20'charset=utf-8'0D''0A'
    Content-Transfer-Encoding:'20'7bit'0D''0A'
    '0D''0A'
    '0D''0A'
    --=_1861ffd8-8-c-bcf9-5dfd9b3f392a'0D''0A'
    Content-Type:'20'text/html;'20'charset=utf-8'0D''0A'
    Content-Transfer-Encoding:'20'7bit'0D''0A'
    '0D''0A'
    <html><body></body></html>'0D''0A'
    --=_1861ffd8-e258-4a6c-bcf9-5dfd9b3f392a--'0D''0A'
    

DNS record(s):
    F20CB098-D5C6-11E7-B174-4512CF52EF43._domainkey.domaincorp3.com.br. 84600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE0SMS3S0yIrkiTWclZHnjXXaeLJF8kns1yLl+ZJxgGT0BNEaHbJVUczGBAk3iwiVg25mDl30zmSZlsYujTRJeuvgIxlsxRd4K1YRJeoUjapVexpayG/cnz5Hfb85+i07eYm+nIeJSajmxCioCCWAGaC/lyll0a3HR0joO75E8hkHc/arQoi/oTgU/3rE+NM4aS739S5m55kamFckTWQTw53UwncUqcb+EVxX0bM6PlcbWcWWYWpWWr30jwUfx9wK2kWQ1EBSbVAVSRQgHTMd1C+0C3P5wIDAQAB"

Public key used for verification: F208-D5C6-11E7-B174-4512CF52EF43._domainkey.domaincorp3.com.br (2048 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.1 (2015-04-28)

Result:         ham (-1.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 0.0 T_SPF_TEMPERROR        SPF: test of record failed (temperror)
 0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 TVD_SPACE_RATIO        No description available.



==============================================================
Explanation of the possible results (based on RFCs 7601, 7208)


DKIM Results
============

none:  The message was not signed.

pass:  The message was signed, the signature or signatures were
    acceptable to the ADMD, and the signature(s) passed verification
    tests.

fail:  The message was signed and the signature or signatures were
    acceptable to the ADMD, but they failed the verification test(s).

policy:  The message was signed, but some aspect of the signature or
    signatures was not acceptable to the ADMD.

neutral:  The message was signed, but the signature or signatures
    contained syntax errors or were not otherwise able to be
    processed.  This result is also used for other failures not
    covered elsewhere in this list.

temperror:  The message could not be verified due to some error that
    is likely transient in nature, such as a temporary inability to
    retrieve a public key.  A later attempt may produce a final
    result.

permerror:  The message could not be verified due to some error that
    is unrecoverable, such as a required header field being absent.  A
    later attempt is unlikely to produce a final result.


SPF Results
===========

none:  Either (a) no syntactically valid DNS domain name was extracted from
    the SMTP session that could be used as the one to be authorized, or
    (b) no SPF records were retrieved from the DNS.

neutral:  The ADMD has explicitly stated that it is not asserting whether
    the IP address is authorized.

pass:  An explicit statement that the client is authorized to inject mail
    with the given identity.

fail:  An explicit statement that the client is not authorized to use the
    domain in the given identity.

softfail:  A weak statement by the publishing ADMD that the host is probably
    not authorized.  It has not published a stronger, more definitive policy
    that results in a "fail".

temperror:  The SPF verifier encountered a transient (generally DNS) error
    while performing the check.  A later retry may succeed without further
    DNS operator action.

permerror: The domain's published records could not be correctly interpreted.
    This signals an error condition that definitely requires DNS operator
    intervention to be resolved.


"iprev" Results
===============

pass:  The DNS evaluation succeeded, i.e., the "reverse" and
    "forward" lookup results were returned and were in agreement.

fail:  The DNS evaluation failed.  In particular, the "reverse" and
    "forward" lookups each produced results, but they were not in
    agreement, or the "forward" query completed but produced no
    result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an
    RCODE of 0 (NOERROR) in a reply containing no answers, was
    returned.

temperror:  The DNS evaluation could not be completed due to some
    error that is likely transient in nature, such as a temporary DNS
    error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or
    other error condition resulted.  A later attempt may produce a
    final result.

permerror:  The DNS evaluation could not be completed because no PTR
    data are published for the connecting IP address, e.g., a DNS
    RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)
    in a reply containing no answers, was returned.  This prevented
    completion of the evaluation.  A later attempt is unlikely to
    produce a final result.




==========================================================
Original Email
==========================================================

Return-Path: <contato@domaincorp3.com.br>
Received: from mbox.domaincorp.com.br (177.222.222.222) by verifier.port25.com id h4l8lu2bkd0j for <check-auth@verifier.port25.com>; Mon, 4 Dec 2017 08:45:03 -0500 (envelope-from <contato@domaincorp3.com.br>)
Authentication-Results: verifier.port25.com; spf=pass  smtp.mailfrom=contato@domaincorp3.com.br;
 dkim=pass (matches From: contato@domaincorp3.com.br)  header.d=domaincorp3.com.br
Received: from localhost (localhost [127.0.0.1])
	by mbox.domaincorp.com.br (Postfix) with ESMTP id 98C2A62AA2C3
	for <check-auth@verifier.port25.com>; Mon,  4 Dec 2017 11:49:35 -0200 (-02)
Received: from mbox.domaincorp.com.br ([127.0.0.1])
	by localhost (mbox.domaincorp.com.br [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id fas4JuN6vKjN for <check-auth@verifier.port25.com>;
	Mon,  4 Dec 2017 11:49:35 -0200 (-02)
Received: from localhost (localhost [127.0.0.1])
	by mbox.domaincorp.com.br (Postfix) with ESMTP id E23BD62AA2DE
	for <check-auth@verifier.port25.com>; Mon,  4 Dec 2017 11:49:34 -0200 (-02)
DKIM-Filter: OpenDKIM Filter v2.10.3 mbox.domaincorp.com.br E23BD62AA2DE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domaincorp3.com.br;
	s=F20CB098-D5C6-11E7-B174-4512CF52EF43; t=1512395374;
	bh=U5F+QoZOGb1tzKmuK1zovrgKyLEzYn+Oh49MUVSNFp4=;
	h=Date:From:To:Message-ID:MIME-Version;
	b=AV0zaHINzfyey4wQkxJAo3D/7d68TW0TaEJBA2YWG6Qv3o96uTrg9X8s+dlQKO6px
	 vKIN7SqDi5EFjNXBr5rODMsgTiAPwGWXQphA+kUteivw7Ub6/Jm5VNKnr3YB7fLfvk
	 xB+RajUKFWq+PPPt+D3uYUjkmZdpH64Dr49rpmu/YUuVoGI1tHGRWQsx3IUntNU562
	 renS5UL0DWc5WgJTYJaNu+y4eh48xmYQtssf0cGO8vc0k4yocNhPtWRfMDidxJGHN1
	 dzLB2DEJbGOevL+v7/8QItGqvg1rGSr1lWxsgfH93qsags
	 ku82eGc4+Lfug==
X-Virus-Scanned: amavisd-new at mbox.domaincorp3.com.br
Received: from mbox.domaincorp.com.br ([127.0.0.1])
	by localhost (mbox.domaincorp.com.br [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id e7IPFVONHsDu for <check-auth@verifier.port25.com>;
	Mon,  4 Dec 2017 11:49:34 -0200 (-02)
Received: from mbox.domaincorp.com.br (mbox.domaincorp.com.br [192.168.25.240])
	by mbox.domaincorp.com.br (Postfix) with ESMTP id B23EF62AA2C3
	for <check-auth@verifier.port25.com>; Mon,  4 Dec 2017 11:49:34 -0200 (-02)
Date: Mon, 4 Dec 2017 11:49:34 -0200 (BRST)
From: Contato <contato@domaincorp3.com.br>
To: check-auth@verifier.port25.com
Message-ID: <1439689715.27.1512395374444.JavaMail.zimbra@domaincorp3.com.br>
Subject: check

Re: IP shared in SPAM - Multiple domains

Post by Christovam »

Hi.

Any tip?

Thanks