How to find out what user is sending mail with from=<>

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Post by davidkillingsworth »

We have been getting blacklisted on a few RBLs and having general mail delivery issues to @yahoo and @aol domains for a few days now.

We started implementing an inbound and outbound third-party anti-spam gateway service. We are using Spam Hero and so far it is reasonably priced and working well.

Since turning on the outbound smart host relay to use Spam Hero's outbound server, we are seeing a lot of these types of messages in the logs.


said: 550 5.7.1 Could not find a valid Account ID (0) for the given domain
I found that these messages are originating from 127.0.0.1, so I believe this to be a webmail user account.
The from address is <>.


Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: connect from localhost[127.0.0.1]
Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: D0C276212E0: client=localhost[127.0.0.1]
Oct 16 18:31:08 zimbra postfix/cleanup[11503]: D0C276212E0: message-id=<1655472678.1800.1571221868406.JavaMail.zimbra@zimbra>
Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 16 18:31:08 zimbra postfix/qmgr[9107]: D0C276212E0: from=<>, size=2490, nrcpt=1 (queue active)
Oct 16 18:31:08 zimbra amavis[7812]: (07812-06) ryz5gDn7jL7L FWD from <> -> <email@shootlevel.icu>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as D0C276212E0
Oct 16 18:31:08 zimbra postfix/smtpd[13916]: NOQUEUE: filter: RCPT from xxxxxxREMOVEDTOANONYMIZEXXXXXX[xxxxxxREMOVEDTOANONYMIZEXXXXXX]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<email@shootlevel.icu> proto=ESMTP helo=<xxxxxxREMOVEDTOANONYMIZEXXXXXX>
Oct 16 18:31:08 zimbra amavis[7803]: (07803-12) ESMTP :10032 /opt/zimbra/data/amavisd/tmp/amavis-20191016T182148-07803-79m86mdm: <> -> <email@shootlevel.icu> SIZE=2490 Received: from xxxxxxREMOVEDTOANONYMIZEXXXXXX ([127.0.0.1]) by localhost (xxxxxxREMOVEDTOANONYMIZEXXXXXX [xxxxxxREMOVEDTOANONYMIZEXXXXXX]) (amavisd-new, port 10032) with ESMTP for <email@shootlevel.icu>; Wed, 16 Oct 2019 18:31:08 +0800 (HKT)
Oct 16 18:31:08 zimbra amavis[7812]: (07812-06) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [xxxxxxREMOVEDTOANONYMIZEXXXXXX]:34530 <> -> <email@shootlevel.icu>, Queue-ID: B68C26212E1, Message-ID: <1655472678.1800.1571221868406.JavaMail.zimbra@zimbra>, mail_id: ryz5gDn7jL7L, Hits: -, size: 1080, queued_as: D0C276212E0, 181 ms
Oct 16 18:31:08 zimbra postfix/smtpd[13916]: E8CCE6212E4: client=xxxxxxREMOVEDTOANONYMIZEXXXXXX[xxxxxxREMOVEDTOANONYMIZEXXXXXX]
Oct 16 18:31:08 zimbra postfix/smtp[13933]: B68C26212E1: to=<email@shootlevel.icu>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.21, delays=0.02/0/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as D0C276212E0)
Oct 16 18:31:08 zimbra postfix/qmgr[9107]: B68C26212E1: removed
I'm seeing a lot of this in the log. I would like to determine what user account is responsible for this. They are not sending a huge volume. We are only seeing a message every few minutes. The total in 24 hours is only 228.


top 50 Senders by message count
-------------------------------
   228   from=<>

I would like to find out which user account is responsible. I don't want to just block all from=<> right away because we might have an internal system that legitimately sends automated emails.

Thanks for any suggestions.
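An added example, not part of the original post and not Zimbra's own tooling, showing how to pin a from=<> message to the client that actually submitted it. In the excerpt above the message passes through Postfix twice: the edge smtpd queues it as B68C26212E1, hands it to amavis on port 10026, and amavis re-injects it through dkimmilter/smtpd on port 10030, where it gets a new queue ID (D0C276212E0) and a client of localhost[127.0.0.1]. Looking only at that second record makes every filtered message appear to come from 127.0.0.1, so the script joins the log lines on queue ID, follows the "queued as" link back to the first hop, and reports the client, Message-ID and recipients from there. The sample log lines are constructed for this example (modeled on the anonymized excerpt; the hostnames, the RFC 5737 addresses 203.0.113.10 and 198.51.100.7, and the second, normal-sender message are invented), and the "JavaMail.zimbra" test is a heuristic for "generated by the Zimbra mailbox server", not a Postfix or Zimbra feature.

```python
"""Attribute from=<> (null envelope sender) mail in Zimbra's Postfix log to the
client that first submitted it: join log lines on queue ID, then follow the
"queued as" hand-off from the amavis content filter back to the first hop."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# CONSTRUCTED sample modeled on the anonymized excerpt in the post above; the
# client names, RFC 5737 addresses and second (normal-sender) message are invented.
SAMPLE_LOG = """\
Oct 16 18:31:08 zimbra postfix/smtpd[13916]: NOQUEUE: filter: RCPT from mail-client.example[203.0.113.10]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<email@shootlevel.icu> proto=ESMTP helo=<mail-client.example>
Oct 16 18:31:08 zimbra postfix/smtpd[13916]: B68C26212E1: client=mail-client.example[203.0.113.10]
Oct 16 18:31:08 zimbra postfix/cleanup[13920]: B68C26212E1: message-id=<1655472678.1800.1571221868406.JavaMail.zimbra@zimbra>
Oct 16 18:31:08 zimbra postfix/qmgr[9107]: B68C26212E1: from=<>, size=1080, nrcpt=1 (queue active)
Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: D0C276212E0: client=localhost[127.0.0.1]
Oct 16 18:31:08 zimbra postfix/cleanup[11503]: D0C276212E0: message-id=<1655472678.1800.1571221868406.JavaMail.zimbra@zimbra>
Oct 16 18:31:08 zimbra postfix/qmgr[9107]: D0C276212E0: from=<>, size=2490, nrcpt=1 (queue active)
Oct 16 18:31:08 zimbra postfix/smtp[13933]: B68C26212E1: to=<email@shootlevel.icu>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.21, delays=0.02/0/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as D0C276212E0)
Oct 16 18:32:41 zimbra postfix/smtpd[13916]: 1A2B3C4D5E6: client=laptop.example[198.51.100.7]
Oct 16 18:32:41 zimbra postfix/cleanup[13920]: 1A2B3C4D5E6: message-id=<abc123@example.com>
Oct 16 18:32:41 zimbra postfix/qmgr[9107]: 1A2B3C4D5E6: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Oct 16 18:32:41 zimbra postfix/smtp[13933]: 1A2B3C4D5E6: to=<bob@example.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.20, delays=0.02/0/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F00DF00D001)
"""

# Only lines carrying a queue ID are joined; NOQUEUE and amavis lines are skipped.
LINE_RE = re.compile(r"postfix/[\w/]+\[\d+\]: (?P<qid>(?!NOQUEUE)[0-9A-Za-z]{8,}): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
MSGID_RE = re.compile(r"message-id=<(?P<mid>[^>]*)>")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>,")
QUEUED_AS_RE = re.compile(r"queued as (?P<next>[0-9A-Za-z]{8,})\)")

@dataclass
class QueueRecord:
    qid: str
    client_host: Optional[str] = None
    client_ip: Optional[str] = None
    message_id: Optional[str] = None
    sender: Optional[str] = None          # "" means the null sender <>
    recipients: List[str] = field(default_factory=list)
    next_qid: Optional[str] = None        # queue ID after the amavis hop

def parse_log(text: str) -> Dict[str, QueueRecord]:
    """Group smtpd/cleanup/qmgr/smtp lines by queue ID into one record each."""
    records: Dict[str, QueueRecord] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = records.setdefault(m["qid"], QueueRecord(m["qid"]))
        rest = m["rest"]
        if c := CLIENT_RE.search(rest):
            rec.client_host, rec.client_ip = c["host"], c["ip"]
        elif mid := MSGID_RE.search(rest):
            rec.message_id = mid["mid"]
        elif f := FROM_RE.search(rest):
            rec.sender = f["sender"]
        elif t := TO_RE.search(rest):
            rec.recipients.append(t["rcpt"])
            if q := QUEUED_AS_RE.search(rest):
                rec.next_qid = q["next"]   # e.g. B68C26212E1 -> D0C276212E0
    return records

def chain_head_ids(records: Dict[str, QueueRecord]) -> List[str]:
    """Queue IDs nothing was 'queued as': the first hop, whose client= is the
    real submitter rather than the 127.0.0.1 re-injection after amavis."""
    targets = {r.next_qid for r in records.values() if r.next_qid}
    return sorted(q for q in records if q not in targets)

def final_qid(records: Dict[str, QueueRecord], qid: str) -> str:
    """Follow 'queued as' links to the last queue ID we have for a message."""
    seen = set()
    while qid in records and records[qid].next_qid and qid not in seen:
        seen.add(qid)
        qid = records[qid].next_qid
    return qid

def null_sender_report(text: str) -> List[dict]:
    """One entry per from=<> message, attributed to its original client."""
    records = parse_log(text)
    report = []
    for qid in chain_head_ids(records):
        rec = records[qid]
        if rec.sender != "":
            continue
        report.append({
            "first_qid": qid,
            "final_qid": final_qid(records, qid),
            "client_host": rec.client_host,
            "client_ip": rec.client_ip,
            "message_id": rec.message_id,
            "recipients": rec.recipients,
            # Heuristic: a "...JavaMail.zimbra@<host>" Message-ID was minted by the
            # Zimbra mailbox server (webmail, auto-replies), not a foreign SMTP client.
            "mailbox_generated": bool(rec.message_id and "JavaMail.zimbra" in rec.message_id),
        })
    return report

def null_senders_by_client(text: str) -> Dict[str, int]:
    """The pivot the 'top senders' table above lacks: from=<> count per client IP."""
    return dict(Counter(e["client_ip"] or "unknown" for e in null_sender_report(text)))
```

Run it over the MTA log (typically /var/log/zimbra.log on a Zimbra MTA) rather than the excerpt: the per-client count tells you whether the 228 messages come from one host or many, and for entries flagged mailbox_generated the Message-ID is the handle to carry over to the mailbox server's mailbox.log, which records the account context in which the message was generated. Two caveats before blocking anything: the null envelope sender is what RFC 3834 prescribes for automatic responses (out-of-office replies included) and what DSNs/bounces use, so a blanket reject of from=<> affects both, and a message whose first-hop client is 127.0.0.1 with no "queued as" link into it really was submitted locally, which is the case worth examining closely.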

Re: How to find out what user is sending mail with from=<>

Post by davidkillingsworth »

An addendum to this is that I just noticed that if a user has an auto-reply or out-of-office reply turned on, then when someone sends an email to them, the auto-reply shows up in the Zimbra logs as being from <>.

These messages are actually delivered via our outbound mail gateway, so this is a partial explanation of why there are so many from=<> every day.

I still do think that there are some malicious from=<> messages however.

But this creates a new problem. If we block all outbound messages from <>, then will auto-replies work after that?

Thanks,
David