Help with this Spam issue
Posted: Thu Nov 07, 2019 3:52 pm
Hello,
We've recently started receiving weird spam and I have not been able to find a solution against it. I've searched through this forum, and Google, and applied some of the suggested fixes, but nothing seems to work.
So basically we're getting emails that show a fake source email address.
In the mailbox we see it as for this example:
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
When I look at the original, it is this:
Return-Path: <leonardo.rosario@francoelevadores.com.br>
Received: from mail.ourdomain.com (LHLO
mail.ourdomain.com) (192.168.1.3) by
mail.ourdomain.com with LMTP; Tue, 5 Nov 2019 13:06:54 +0000
(GMT)
Received: from localhost (localhost [127.0.0.1])
by mail.ourdomain.com (Postfix) with ESMTP id A2A2ADA039A
for <info@ourdomain.com>; Tue, 5 Nov 2019 13:06:54 +0000 (GMT)
X-Virus-Scanned: amavisd-new at ourdomain.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 required=6.6 tests=[BAYES_00=-1.9,
DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01,
URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: mail.ourdomain.com (amavisd-new);
dkim=fail (2048-bit key) reason="fail (message has been altered)"
header.d=francoelevadores.com.br
Received: from mail.ourdomain.com ([127.0.0.1])
by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id sgmlJz-3ZpLT for <info@ourdomain.com>;
Tue, 5 Nov 2019 13:06:51 +0000 (GMT)
Received: from ns24.servidorprotegido.net (ns24.servidorprotegido.net [177.85.100.181])
by mail.ourdomain.com (Postfix) with ESMTPS id 9BE92DA0396
for <info@ourdomain.com>; Tue, 5 Nov 2019 13:06:51 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=francoelevadores.com.br; s=default; h=Content-Type:MIME-Version:Subject:To:
From:Date:Sender:Reply-To:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=qyhGaMrN5n0rmBw2BAJ92d8WnNpVwbUVr1DP0KgdJac=; b=lH89pWsf0sFDVbvyWGs6iFKAhP
MvgJ5wjaVgFT7pHKGdHo/QA3aT4P1UJV+fmwvbo3jkkm1436bE9Ko9fhRK///gYK/5NOQxK6Sa/TS
0+swBQzPfRMC32GwIQPfCvhFpXLyP4yvQZ/97grZWRE7jgkHIoZ/Rqy5lrpuuqdr6HteM+jQaaR/U
coDx/IWFdTzEZhBcqNNLBMrdibvNaisrrgoO6Bg46jzoGmIwwueQhwQHRvdZ4eb/c1bjSF3ERikZ8
Nv/hLKU5+86jWHfABx/JZk2gC7gLfHFyPU/XEcIfJxN/5f4wBzIYru4mulXTr6rG0NMX62Z3FRqZD
E37lK/MQ==;
Received: from [79.8.246.44] (port=52623)
by h18.servidorhh.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.92)
(envelope-from <leonardo.rosario@francoelevadores.com.br>)
id 1iRyGU-000763-Pe
for info@ourdomain.com; Tue, 05 Nov 2019 09:48:55 -0300
Date: Tue, 05 Nov 2019 13:49:14 +0100
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
To: <info@ourdomain.com>
Subject: privacidad
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_41276_3664861523.16901508094225703888"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - h18.servidorhh.com
X-AntiAbuse: Original Domain - ourdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - francoelevadores.com.br
X-Get-Message-Sender-Via: h18.servidorhh.com: authenticated_id: leonardo.rosario@francoelevadores.com.br
X-Authenticated-Sender: h18.servidorhh.com: leonardo.rosario@francoelevadores.com.br
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <20191105130651.9BE92DA0396@mail.ourdomain.com>
------=_Part_41276_3664861523.16901508094225703888
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
CONTENT HERE....
And the Zimbra log for the same message is the following:
Nov 5 13:06:45 mail postfix/postscreen[8475]: CONNECT from [177.85.100.181]:58634 to [192.168.1.3]:25
Nov 5 13:06:51 mail postfix/postscreen[8475]: PASS NEW [177.85.100.181]:58634
Nov 5 13:06:51 mail postfix/smtpd[8479]: connect from ns24.servidorprotegido.net[177.85.100.181]
Nov 5 13:06:51 mail postfix/smtpd[8479]: Anonymous TLS connection established from ns24.servidorprotegido.net[177.85.100.181]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 5 13:06:51 mail postfix/smtpd[8479]: NOQUEUE: filter: RCPT from ns24.servidorprotegido.net[177.85.100.181]: <leonardo.rosario@francoelevadores.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<leonardo.rosario@francoelevadores.com.br> to=<info@ourdomain.com> proto=ESMTP helo=<ns24.servidorprotegido.net>
Nov 5 13:06:51 mail postfix/smtpd[8479]: NOQUEUE: filter: RCPT from ns24.servidorprotegido.net[177.85.100.181]: <leonardo.rosario@francoelevadores.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<leonardo.rosario@francoelevadores.com.br> to=<info@ourdomain.com> proto=ESMTP helo=<ns24.servidorprotegido.net>
Nov 5 13:06:51 mail postfix/smtpd[8479]: 9BE92DA0396: client=ns24.servidorprotegido.net[177.85.100.181]
Nov 5 13:06:51 mail postfix/cleanup[8482]: 9BE92DA0396: message-id=<20191105130651.9BE92DA0396@mail.ourdomain.com>
Nov 5 13:06:51 mail postfix/qmgr[11650]: 9BE92DA0396: from=<leonardo.rosario@francoelevadores.com.br>, size=372065, nrcpt=1 (queue active)
Nov 5 13:06:51 mail amavis[10673]: (10673-14) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20191105T072415-10673-Zag6qe1n: <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com> SIZE=372065 Received: from mail.mallorcaqualitycenter.com ([127.0.0.1]) by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <info@ourdomain.com>; Tue, 5 Nov 2019 13:06:51 +0000 (GMT)
Nov 5 13:06:51 mail postfix/smtpd[8479]: disconnect from ns24.servidorprotegido.net[177.85.100.181] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 5 13:06:52 mail amavis[10673]: (10673-14) Checking: sgmlJz-3ZpLT [177.85.100.181] <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>
Nov 5 13:06:54 mail postfix/amavisd/smtpd[8485]: connect from localhost[127.0.0.1]
Nov 5 13:06:54 mail postfix/amavisd/smtpd[8485]: A2A2ADA039A: client=localhost[127.0.0.1]
Nov 5 13:06:54 mail postfix/cleanup[8482]: A2A2ADA039A: message-id=<20191105130651.9BE92DA0396@mail.ourdomain.com>
Nov 5 13:06:54 mail postfix/amavisd/smtpd[8485]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 5 13:06:54 mail postfix/qmgr[11650]: A2A2ADA039A: from=<leonardo.rosario@francoelevadores.com.br>, size=372986, nrcpt=1 (queue active)
Nov 5 13:06:54 mail amavis[10673]: (10673-14) sgmlJz-3ZpLT FWD from <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2A2ADA039A
Nov 5 13:06:54 mail amavis[10673]: (10673-14) Passed CLEAN {RelayedInbound}, [177.85.100.181]:58634 [79.8.246.44] <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>, Queue-ID: 9BE92DA0396, Message-ID: <20191105130651.9BE92DA0396@mail.mallorcaqualitycenter.com>, mail_id: sgmlJz-3ZpLT, Hits: -1.79, size: 372065, queued_as: A2A2ADA039A, 2815 ms
Nov 5 13:06:54 mail postfix/smtp[8483]: 9BE92DA0396: to=<info@ourdomain.com>, orig_to=<info@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.33/0.01/0/2.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2A2ADA039A)
Nov 5 13:06:54 mail postfix/qmgr[11650]: 9BE92DA0396: removed
Nov 5 13:06:54 mail postfix/lmtp[8486]: A2A2ADA039A: to=<info@ourdomain.com>, relay=mail.ourdomain.com[192.168.1.3]:7025, delay=0.23, delays=0.05/0.01/0.09/0.09, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov 5 13:06:54 mail postfix/qmgr[11650]: A2A2ADA039A: removed
Some additional information:
- "COLDSYSTEMS <info@coldsystems.es>" is used in most of these cases.
- "<leonardo.rosario@francoelevadores.com.br>" changes with every spam mail.
- Sometimes the from appears as if sent from us: "Our Company Name <info@ourdomain.com>" <some.account@some.other.domain.com>;
- All emails come with an attachment which I have instructed to NEVER open.
If anyone has any idea, suggestion or anything that could help to solve this, PLEASE let me know. Please ask for any additional information you might need. I'm happy to provide anything needed.
Thank you very much in advance. I hope to be able to solve this with the help of more expert users on this forum.
Kind Regards,
Kevin
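As an added example (not code from the post or from Zimbra), the following Python check implements the pattern described above: a From display name that embeds an e-mail address whose domain differs from the real address, combined with the dkim=fail verdict that amavisd-new wrote into Authentication-Results. The sample message is constructed from the headers quoted in the post, and own_domains is an assumed parameter naming the domains to treat as impersonated when they appear in a spoofed display name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, reduced to the headers the check needs (values taken
# from the message quoted in the post).
SAMPLE = """Return-Path: <leonardo.rosario@francoelevadores.com.br>
Authentication-Results: mail.ourdomain.com (amavisd-new);
 dkim=fail (2048-bit key) reason="fail (message has been altered)"
 header.d=francoelevadores.com.br
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
To: <info@ourdomain.com>
Subject: privacidad

body
"""

# Finds something that looks like an address inside free text (the display name).
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.I)


def display_name_spoof(from_header, own_domains=()):
    """Report whether the From display name embeds an address whose domain
    is not the domain of the real addr-spec (display-name spoofing)."""
    name, addr = parseaddr(from_header)
    real_domain = addr.rpartition("@")[2].lower()
    embedded = [m.group(1).lower() for m in EMAIL_RE.finditer(name)]
    mismatched = [d for d in embedded if d != real_domain]
    return {
        "real_domain": real_domain,
        "embedded_domains": embedded,
        "mismatch": bool(mismatched),
        # True when the fake name claims to be one of our own domains
        "impersonates_us": any(d in own_domains for d in mismatched),
    }


def dkim_failed(auth_results):
    """True when the Authentication-Results header carries dkim=fail."""
    return re.search(r"\bdkim=fail\b", auth_results or "") is not None


def score_message(raw, own_domains=("ourdomain.com",)):
    """Combine both signals for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = display_name_spoof(msg.get("From", ""), own_domains)
    findings["dkim_fail"] = dkim_failed(msg.get("Authentication-Results"))
    # Policy used here: flag only when the display name is spoofed AND the
    # signature of the claimed signing domain did not verify.
    findings["flag"] = findings["mismatch"] and findings["dkim_fail"]
    return findings
```

The same check applied to the second pattern from the post, where the display name claims to be the recipient's own domain, sets impersonates_us, which is the case worth alerting on separately.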