
Help with this Spam issue

Posted: Thu Nov 07, 2019 3:52 pm
by Kevin Maschke
Hello,

We've recently started receiving weird spam and I have not been able to find a solution against it. I've searched through this forum, and Google, and applied some of the suggested fixes, but nothing seems to work.
So basically we're getting emails that show a fake source email address.

In the mailbox we see it like this, for example:


From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
When I look at the original, it is this:


Return-Path: <leonardo.rosario@francoelevadores.com.br>
Received: from mail.ourdomain.com (LHLO
 mail.ourdomain.com) (192.168.1.3) by
 mail.ourdomain.com with LMTP; Tue, 5 Nov 2019 13:06:54 +0000
 (GMT)
Received: from localhost (localhost [127.0.0.1])
	by mail.ourdomain.com (Postfix) with ESMTP id A2A2ADA039A
	for <info@ourdomain.com>; Tue,  5 Nov 2019 13:06:54 +0000 (GMT)
X-Virus-Scanned: amavisd-new at ourdomain.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 required=6.6 tests=[BAYES_00=-1.9,
	DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01,
	URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: mail.ourdomain.com (amavisd-new);
	dkim=fail (2048-bit key) reason="fail (message has been altered)"
	header.d=francoelevadores.com.br
Received: from mail.ourdomain.com ([127.0.0.1])
	by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id sgmlJz-3ZpLT for <info@ourdomain.com>;
	Tue,  5 Nov 2019 13:06:51 +0000 (GMT)
Received: from ns24.servidorprotegido.net (ns24.servidorprotegido.net [177.85.100.181])
	by mail.ourdomain.com (Postfix) with ESMTPS id 9BE92DA0396
	for <info@ourdomain.com>; Tue,  5 Nov 2019 13:06:51 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=francoelevadores.com.br; s=default; h=Content-Type:MIME-Version:Subject:To:
	From:Date:Sender:Reply-To:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=qyhGaMrN5n0rmBw2BAJ92d8WnNpVwbUVr1DP0KgdJac=; b=lH89pWsf0sFDVbvyWGs6iFKAhP
	MvgJ5wjaVgFT7pHKGdHo/QA3aT4P1UJV+fmwvbo3jkkm1436bE9Ko9fhRK///gYK/5NOQxK6Sa/TS
	0+swBQzPfRMC32GwIQPfCvhFpXLyP4yvQZ/97grZWRE7jgkHIoZ/Rqy5lrpuuqdr6HteM+jQaaR/U
	coDx/IWFdTzEZhBcqNNLBMrdibvNaisrrgoO6Bg46jzoGmIwwueQhwQHRvdZ4eb/c1bjSF3ERikZ8
	Nv/hLKU5+86jWHfABx/JZk2gC7gLfHFyPU/XEcIfJxN/5f4wBzIYru4mulXTr6rG0NMX62Z3FRqZD
	E37lK/MQ==;
Received: from [79.8.246.44] (port=52623)
	by h18.servidorhh.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.92)
	(envelope-from <leonardo.rosario@francoelevadores.com.br>)
	id 1iRyGU-000763-Pe
	for info@ourdomain.com; Tue, 05 Nov 2019 09:48:55 -0300
Date: Tue, 05 Nov 2019 13:49:14 +0100
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
To: <info@ourdomain.com>
Subject: privacidad
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_41276_3664861523.16901508094225703888"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - h18.servidorhh.com
X-AntiAbuse: Original Domain - ourdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - francoelevadores.com.br
X-Get-Message-Sender-Via: h18.servidorhh.com: authenticated_id: leonardo.rosario@francoelevadores.com.br
X-Authenticated-Sender: h18.servidorhh.com: leonardo.rosario@francoelevadores.com.br
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Message-Id: <20191105130651.9BE92DA0396@mail.ourdomain.com>

------=_Part_41276_3664861523.16901508094225703888
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

CONTENT HERE....
And the Zimbra log for the same message is the following:


Nov  5 13:06:45 mail postfix/postscreen[8475]: CONNECT from [177.85.100.181]:58634 to [192.168.1.3]:25
Nov  5 13:06:51 mail postfix/postscreen[8475]: PASS NEW [177.85.100.181]:58634
Nov  5 13:06:51 mail postfix/smtpd[8479]: connect from ns24.servidorprotegido.net[177.85.100.181]
Nov  5 13:06:51 mail postfix/smtpd[8479]: Anonymous TLS connection established from ns24.servidorprotegido.net[177.85.100.181]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  5 13:06:51 mail postfix/smtpd[8479]: NOQUEUE: filter: RCPT from ns24.servidorprotegido.net[177.85.100.181]: <leonardo.rosario@francoelevadores.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<leonardo.rosario@francoelevadores.com.br> to=<info@ourdomain.com> proto=ESMTP helo=<ns24.servidorprotegido.net>
Nov  5 13:06:51 mail postfix/smtpd[8479]: NOQUEUE: filter: RCPT from ns24.servidorprotegido.net[177.85.100.181]: <leonardo.rosario@francoelevadores.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<leonardo.rosario@francoelevadores.com.br> to=<info@ourdomain.com> proto=ESMTP helo=<ns24.servidorprotegido.net>
Nov  5 13:06:51 mail postfix/smtpd[8479]: 9BE92DA0396: client=ns24.servidorprotegido.net[177.85.100.181]
Nov  5 13:06:51 mail postfix/cleanup[8482]: 9BE92DA0396: message-id=<20191105130651.9BE92DA0396@mail.ourdomain.com>
Nov  5 13:06:51 mail postfix/qmgr[11650]: 9BE92DA0396: from=<leonardo.rosario@francoelevadores.com.br>, size=372065, nrcpt=1 (queue active)
Nov  5 13:06:51 mail amavis[10673]: (10673-14) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20191105T072415-10673-Zag6qe1n: <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com> SIZE=372065 Received: from mail.mallorcaqualitycenter.com ([127.0.0.1]) by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <info@ourdomain.com>; Tue,  5 Nov 2019 13:06:51 +0000 (GMT)
Nov  5 13:06:51 mail postfix/smtpd[8479]: disconnect from ns24.servidorprotegido.net[177.85.100.181] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov  5 13:06:52 mail amavis[10673]: (10673-14) Checking: sgmlJz-3ZpLT [177.85.100.181] <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>
Nov  5 13:06:54 mail postfix/amavisd/smtpd[8485]: connect from localhost[127.0.0.1]
Nov  5 13:06:54 mail postfix/amavisd/smtpd[8485]: A2A2ADA039A: client=localhost[127.0.0.1]
Nov  5 13:06:54 mail postfix/cleanup[8482]: A2A2ADA039A: message-id=<20191105130651.9BE92DA0396@mail.ourdomain.com>
Nov  5 13:06:54 mail postfix/amavisd/smtpd[8485]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov  5 13:06:54 mail postfix/qmgr[11650]: A2A2ADA039A: from=<leonardo.rosario@francoelevadores.com.br>, size=372986, nrcpt=1 (queue active)
Nov  5 13:06:54 mail amavis[10673]: (10673-14) sgmlJz-3ZpLT FWD from <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2A2ADA039A
Nov  5 13:06:54 mail amavis[10673]: (10673-14) Passed CLEAN {RelayedInbound}, [177.85.100.181]:58634 [79.8.246.44] <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>, Queue-ID: 9BE92DA0396, Message-ID: <20191105130651.9BE92DA0396@mail.mallorcaqualitycenter.com>, mail_id: sgmlJz-3ZpLT, Hits: -1.79, size: 372065, queued_as: A2A2ADA039A, 2815 ms
Nov  5 13:06:54 mail postfix/smtp[8483]: 9BE92DA0396: to=<info@ourdomain.com>, orig_to=<info@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.33/0.01/0/2.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2A2ADA039A)
Nov  5 13:06:54 mail postfix/qmgr[11650]: 9BE92DA0396: removed
Nov  5 13:06:54 mail postfix/lmtp[8486]: A2A2ADA039A: to=<info@ourdomain.com>, relay=mail.ourdomain.com[192.168.1.3]:7025, delay=0.23, delays=0.05/0.01/0.09/0.09, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov  5 13:06:54 mail postfix/qmgr[11650]: A2A2ADA039A: removed
Some additional information:
  • "COLDSYSTEMS <info@coldsystems.es>" is used in most of these cases.
  • "<leonardo.rosario@francoelevadores.com.br>" changes with every spam mail.
  • Sometimes the From appears as if it were sent from us: "Our Company Name <info@ourdomain.com>" <some.account@some.other.domain.com>
  • All emails come with an attachment, which I have given instructions to NEVER open.
I have not found any way of avoiding this type of spam, and we are getting this on a daily basis, which is very annoying and frustrating.
If anyone has any idea, suggestion or anything that could help to solve this, PLEASE let me know. Please ask for any additional information you might need. I'm happy to provide anything needed.

Thank you very much in advance. I hope to be able to solve this with the help of more expert users on this forum.

Kind Regards,
Kevin
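What the headers above show is display-name spoofing: the real addr-spec in From: is an unrelated third-party mailbox, and the name shown to the user is a quoted string that itself looks like an address ("COLDSYSTEMS <info@coldsystems.es>"). SPF_PASS is expected, because the message was submitted through an authenticated account on the sending host (see X-Authenticated-Sender and the "esmtpsa" Received line), so envelope checks cannot see the forgery; the indicators that do stand out are the address embedded in the display name, dkim=fail in Authentication-Results, and a Message-Id stamped by the receiving Postfix (it carries the local queue ID 9BE92DA0396, which Postfix cleanup does when a message arrives without one). The script below is an added example, not code from the original post or from Zimbra; it parses those headers and flags the three indicators. The sample messages are constructed from the headers quoted in the post (the third "legit" message is made up), and "ourdomain.com" is assumed to be the receiving domain.

```python
import email
import re
from email.utils import parseaddr

# An address-looking token hiding inside a display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed samples. The From:, Authentication-Results: and Message-Id:
# lines are copied from the post above; everything else is trimmed to what
# the checks need, and the body is a placeholder.
SPOOF_THIRD_PARTY = b"""Return-Path: <leonardo.rosario@francoelevadores.com.br>
Authentication-Results: mail.ourdomain.com (amavisd-new);
\tdkim=fail (2048-bit key) reason="fail (message has been altered)"
\theader.d=francoelevadores.com.br
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
To: <info@ourdomain.com>
Subject: privacidad
Message-Id: <20191105130651.9BE92DA0396@mail.ourdomain.com>

CONTENT HERE....
"""

# The second variant the post mentions: the display name impersonates the
# recipient's own domain while the real sender is somewhere else entirely.
SPOOF_LOCAL = b"""From: "Our Company Name <info@ourdomain.com>" <some.account@some.other.domain.com>
To: <info@ourdomain.com>
Subject: privacidad

CONTENT HERE....
"""

# A made-up ordinary message that should pass every check.
LEGIT = b"""From: "Jane Doe" <jane@example.net>
To: <info@ourdomain.com>
Authentication-Results: mail.ourdomain.com (amavisd-new); dkim=pass header.d=example.net
Message-ID: <abc123@example.net>
Subject: hello

hi
"""


def domain_of(addr):
    """Lower-cased domain part of an addr-spec, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def is_local(domain, local_domains):
    """True when domain is one of ours or a subdomain of one of ours."""
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def check_from(from_header, local_domains):
    """Flag a From: whose quoted display name carries a different address.

    parseaddr() keeps the quoted display name intact, so for the spam in the
    post it yields ('COLDSYSTEMS <info@coldsystems.es>', 'leonardo.rosario@...').
    """
    name, real = parseaddr(from_header)
    m = ADDR_IN_NAME.search(name)
    fake = m.group(0).lower() if m else ""
    spoof = bool(fake) and domain_of(fake) != domain_of(real)
    return {
        "real_addr": real.lower(),
        "embedded_addr": fake,
        "display_name_spoof": spoof,
        "impersonates_local": spoof and is_local(domain_of(fake), local_domains),
    }


def dkim_result(auth_results):
    """Extract the dkim= verdict from Authentication-Results (folded or not)."""
    m = re.search(r"\bdkim=(\w+)", auth_results or "")
    return m.group(1).lower() if m else "none"


def analyze(raw, local_domains=("ourdomain.com",)):
    """Run the checks over a raw RFC 5322 message and return the findings."""
    local = tuple(d.lower() for d in local_domains)
    msg = email.message_from_bytes(raw)
    report = check_from(msg.get("From", ""), local)
    report["dkim"] = dkim_result(msg.get("Authentication-Results", ""))
    # A Message-ID in our own domain on mail from a foreign sender means the
    # receiving MTA had to add one: the message arrived without it.
    msg_id_domain = domain_of(msg.get("Message-Id", "").strip("<> "))
    report["message_id_local"] = is_local(msg_id_domain, local) and not is_local(
        domain_of(report["real_addr"]), local
    )
    report["suspicious"] = (
        report["display_name_spoof"]
        or report["dkim"] == "fail"
        or report["message_id_local"]
    )
    return report


if __name__ == "__main__":
    for label, raw in (("third-party", SPOOF_THIRD_PARTY), ("local", SPOOF_LOCAL), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The display-name check is the one worth turning into a filter rule, since a legitimate sender has no reason to put a second address inside the quoted name; the DKIM and Message-ID checks are supporting signals (a missing Message-ID or a failed signature also happens with badly configured but honest senders), so they are better used to raise a score than to reject outright.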

Re: Help with this Spam issue

Posted: Sun Nov 10, 2019 2:12 am
by Kevin Maschke
Hello,

Is anybody able to help or at least give some ideas on how to solve this?

Thanks!

Re: Help with this Spam issue

Posted: Sun Nov 10, 2019 5:29 am
by zimico