emails impersonating the user

Post by vtsunami »

Hello

I have a problem with emails that are sent by an external user, but in the mailbox it looks like the user has sent the email to himself; if the user wants to reply to that message, his own email address is displayed as the recipient. Six of our users received the same e-mails from the same user and the scenario was repeated every time.

Can someone explain it to me?

zmcontrol -v
Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P27.

Here are some logs from the server:

Code:

Dec  2 18:34:56 v-kajmany postfix/postscreen[23488]: CONNECT from [67.219.246.1]:50059 to [149.156.208.232]:25
Dec  2 18:34:56 v-kajmany postfix/dnsblog[28511]: addr 67.219.246.1 listed by domain list.dnswl.org as 127.0.3.0
Dec  2 18:34:56 v-kajmany postfix/dnsblog[21131]: addr 67.219.246.1 listed by domain wl.mailspike.net as 127.0.0.17
Dec  2 18:35:02 v-kajmany postfix/postscreen[23488]: PASS NEW [67.219.246.1]:50059
Dec  2 18:35:02 v-kajmany postfix/smtpd[15991]: connect from mail1.bemta31.messagelabs.com[67.219.246.1]
Dec  2 18:35:03 v-kajmany postfix/smtpd[15991]: Anonymous TLS connection established from mail1.bemta31.messagelabs.com[67.219.246.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec  2 18:35:03 v-kajmany postfix/smtpd[15991]: NOQUEUE: filter: RCPT from mail1.bemta31.messagelabs.com[67.219.246.1]: <apache@graphicwave.jp>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<apache@graphicwave.jp> to=<licka@uek.krakow.pl> proto=ESMTP helo=<mail1.bemta31.messagelabs.com>
Dec  2 18:35:03 v-kajmany postfix/smtpd[15991]: NOQUEUE: filter: RCPT from mail1.bemta31.messagelabs.com[67.219.246.1]: <apache@graphicwave.jp>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<apache@graphicwave.jp> to=<licka@uek.krakow.pl> proto=ESMTP helo=<mail1.bemta31.messagelabs.com>
Dec  2 18:35:05 v-kajmany postfix/smtpd[15991]: 1CFD5F35572C: client=mail1.bemta31.messagelabs.com[67.219.246.1]
Dec  2 18:35:05 v-kajmany amavis[6866]: (06866-05) Checking: GtGfqirnVKGn [67.219.246.1] <apache@graphicwave.jp> -> <licka@uek.krakow.pl>
Dec  2 18:35:10 v-kajmany postfix/smtpd[15991]: disconnect from mail1.bemta31.messagelabs.com[67.219.246.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec  2 18:35:10 v-kajmany amavis[6866]: (06866-05) Passed BAD-HEADER-1 {RelayedInbound,Quarantined}, [67.219.246.1]:50059 [67.219.246.1] <apache@graphicwave.jp> -> <licka@uek.krakow.pl>, quarantine: badh-GtGfqirnVKGn, Queue-ID: 1CFD5F35572C, Message-ID: <20211202173505.1CFD5F35572C@v-kajmany.uek.krakow.pl>, mail_id: GtGfqirnVKGn, Hits: -0.23, size: 9845, queued_as: E5ECC1F6CCF6B, 5583 ms

Show original:

Code:

Return-Path: <apache@graphicwave.jp>
Received: from v-kajmany.uek.krakow.pl (LHLO v-kajmany.uek.krakow.pl)
 (149.156.208.232) by v-kajmany.uek.krakow.pl with LMTP; Thu, 2 Dec 2021
 18:35:11 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by v-kajmany.uek.krakow.pl (Postfix) with ESMTP id E5ECC1F6CCF6B
	for <licka@uek.krakow.pl>; Thu,  2 Dec 2021 18:35:10 +0100 (CET)
X-Quarantine-ID: <GtGfqirnVKGn>
X-Virus-Scanned: amavisd-new at uek.krakow.pl
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
	expected boundary; ; error: unexpected end of parts before epilogue
X-Spam-Flag: NO
X-Spam-Score: -0.23
X-Spam-Level:
X-Spam-Status: No, score=-0.23 required=7.2 tests=[AM.WBL=-7, BAYES_99=2,
	BAYES_999=0.2, DMARC_FAIL_QUAR=0.1,
	HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_FONT_LOW_CONTRAST=0.001,
	HTML_MESSAGE=0.001, HTML_OBFUSCATE_20_30=1.999,
	KAM_LAZY_DOMAIN_SECURITY=1, MIME_HEADER_CTYPE_ONLY=0.1,
	MIME_HTML_ONLY=0.1, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
	SPF_NONE=0.001, TO_IN_SUBJ=0.099, T_HTML_TAG_BALANCE_CENTER=0.01,
	T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001,
	ZABOJCASPAMU_BAYES_HIGH=0.001, ZABOJCASPAMU_FAKE_MSID=0.4,
	ZABOJCASPAMU_SUBJECT_WEIRED_STRING=0.5]
	autolearn=no autolearn_force=no
Received: from v-kajmany.uek.krakow.pl ([127.0.0.1])
	by localhost (v-kajmany.uek.krakow.pl [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id GtGfqirnVKGn for <licka@uek.krakow.pl>;
	Thu,  2 Dec 2021 18:35:05 +0100 (CET)
Received-SPF: none (graphicwave.jp: No applicable sender policy available) receiver=v-kajmany.uek.krakow.pl; identity=mailfrom; envelope-from="apache@graphicwave.jp"; helo=mail1.bemta31.messagelabs.com; client-ip=67.219.246.1
Received-SPF: none (graphicwave.jp: No applicable sender policy available) receiver=v-kajmany.uek.krakow.pl; identity=mailfrom; envelope-from="apache@graphicwave.jp"; helo=mail1.bemta31.messagelabs.com; client-ip=67.219.246.1
X-Env-Sender: apache@graphicwave.jp
X-Msg-Ref: server-3.tower-692.messagelabs.com!1638466493!3360!1
X-SYMC-ESS-Client-Auth: outbound-route-from=fail
X-StarScan-Received:
X-StarScan-Version: 9.81.7; banners=graphicwave.jp,-,-
X-VirusChecked: Checked
To: licka@uek.krakow.pl
Subject: Action required:*Keep your*current*password*licka@uek.krakow.pl
From: IT_Report*Uek Support<licka@uek.krakow.pl>
Content-Type: multipart/mixed; boundary="2326"
Date: Fri,  3 Dec 2021 02:29:03 +0900 (JST)
Message-Id: <20211202173505.1CFD5F35572C@v-kajmany.uek.krakow.pl>

--2326
Content-type: text/HTML; charset="UTF-8"; format=flowed; delsp=yes
Content-Transfer-Encoding: 8BIT
From: Google.net <>

<html>  
  <BODY>
<P>
<TABLE 
style="MAX-WIDTH: 600px; BORDER-TOP: rgb(200,200,200) 0.1em solid; BORDER-RIGHT: rgb(200,200,200) 0.1em solid; WIDTH: 600px; BORDER-BOTTOM: rgb(200,200,200) 0.1em solid; BORDER-LEFT: rgb(200,200,200) 0.1em solid; MARGIN: 0px auto; BACKGROUND-COLOR: rgb(255,255,255); border-radius: 5px" 
cellSpacing=0>
  
  <TR>
    <TD 
    style="FONT-FAMILY: Arial; WHITE-SPACE: normal !important; COLOR: rgb(103,106,108); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px">
      <DIV 
      style="BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; VERTICAL-ALIGN: baseline; BORDER-BOTTOM: 0px; COLOR: ; PADDING-BOTTOM: 20px; PADDING-TOP: 40px; PADDING-LEFT: 15px; BORDER-LEFT: 0px; MARGIN: 0px; LINE-HEIGHT: 21px; PADDING-RIGHT: 15px; font-stretch: inherit">

<center>
 
<div id="yiv9621247012yui_3_7_2_1_1372793967_">
<span style="color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: arial, helvetica, sans-serif; font-size: 13px; font-style: normal; font-weight: 400; word-spacing: 0px; float: none; display: inline !important; white-space: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; 
text-decoration-color: initial;">
<font color="#737373" face="Segoe UI" size="4">
Uek W­eb­ma­il<FONT color=#ffffff> -</FONT>
</font></span></div>
 
<P 
style="FONT-SIZE: 14px; FONT-FAMILY: sans-serif; COLOR: rgb(32,31,30); TEXT-ALIGN: center; MARGIN: 0px 0px 15px"><FONT 
size=3 face="Segoe UI"><SPAN 
style="FONT-SIZE: 15px; FONT-FAMILY: arial, helvetica, sans-serif; WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT-WEIGHT: 400; COLOR: rgb(0,0,0); FONT-STYLE: normal; ORPHANS: 2; WIDOWS: 2; DISPLAY: inline !important; BACKGROUND-COLOR: rgb(255,255,255); TEXT-INDENT: 0px; text-decoration-style: initial; text-decoration-color: initial; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; font-variant-ligatures: normal; font-variant-caps: normal"><FONT 
color=#26282a size=5 face="Segoe UI"> <B>Z­im­br­a W­eb C­li­en­t</FONT><FONT 
color=#26282a size=2 face="Segoe UI">®</FONT></SPAN></b></FONT></P>
<P 
style="FONT-SIZE: 14px; FONT-FAMILY: sans-serif; COLOR: rgb(32,31,30); TEXT-ALIGN: center; MARGIN: 0px 0px 15px"><FONT 
size=3 face="Segoe UI">M­ai­lb­ox*P­as­sw­or­d*A­ss­is­ta­nt - O­rg­an­iz­at­io­n: <b>Uek</b></FONT></P>
<P 
style="FONT-SIZE: 14px; FONT-FAMILY: sans-serif; COLOR: rgb(32,31,30); TEXT-ALIGN: center; MARGIN: 0px 0px 15px"><FONT 
size=3 face="Segoe UI">Please note*p­as­s­wo­rd*for user "<b>licka</b>" r­eq­ui­re­s r­e-a­ut­he­nt­ic­at­io­n.</FONT></P>
<P 
style="FONT-SIZE: 14px; FONT-FAMILY: sans-serif; COLOR: rgb(32,31,30); TEXT-ALIGN: center; MARGIN: 0px 0px 15px"><FONT 
size=3 face="Segoe UI">Kee­p your cur­rent*pass­word*­ 
Up­date­ be­lo­w to e­ns­ur­e i­ns­ta­nt a­cc­es­s;</FONT></P>
<DIV 
style="FONT-SIZE: 12px; BORDER-TOP: 0px; BORDER-RIGHT: 0px; VERTICAL-ALIGN: baseline; BORDER-BOTTOM: 0px; COLOR: rgb(68,68,68); PADDING-BOTTOM: 0px; TEXT-ALIGN: center; PADDING-TOP: 0px; PADDING-LEFT: 0px; BORDER-LEFT: 0px; MARGIN: 0px; LINE-HEIGHT: 10px; PADDING-RIGHT: 0px; font-stretch: inherit; font-variant-numeric: inherit; font-variant-east-asian: inherit"><A 
style="FONT-SIZE: 14px; BORDER-TOP: rgb(138,138,138) 2px solid; FONT-FAMILY: inherit; BORDER-RIGHT: rgb(138,138,138) 2px solid; VERTICAL-ALIGN: baseline; BORDER-BOTTOM: rgb(138,138,138) 2px solid; TEXT-TRANSFORM: capitalize; FONT-WEIGHT: bold; COLOR: rgb(255,255,255); PADDING-BOTTOM: 12px; PADDING-TOP: 12px; PADDING-LEFT: 24px; BORDER-LEFT: rgb(138,138,138) 2px solid; MARGIN: 0px; DISPLAY: inline-block; PADDING-RIGHT: 24px; BACKGROUND-COLOR: rgb(0,120,215); text-decoration-style: solid; text-decoration-color: currentcolor; font-stretch: inherit; border-radius: 4px; text-decoration-line: none" 
href="http://s2vHeW1JVEgbBnM8iIJF.uek.krakow.pl.amazinktouch.com/dashboard#bGlzaWVja2FAdWVrLmtyYWtvdy5wbA==" 
rel="nofollow noopener noreferrer" target=_blank data-auth="NotApplicable"><FONT 
size=3 face="Segoe UI"><FONT color=#0078d7>i</FONT>R­ev­ie­w /<FONT color=#0078d7>j</FONT>K­e­e­p*C­ur­re­nt*Pass­wo­rd*</FONT></A></DIV>
<div id="yiv9621247012yui_3_7_2_1_1372793967_">
<span style="color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: arial, helvetica, sans-serif; font-size: 15px; font-style: normal; font-weight: 400; word-spacing: 0px; float: none; display: inline !important; white-space: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; 
text-decoration-color: initial;">
<font color="#26282a" face="Segoe UI" size="2">
*<em>S­ign-in<FONT color=#ffffff>j</FONT>is<FONT color=#ffffff>i</FONT>v­ali­dat­ed<FONT color=#ffffff>i</FONT>by Uek i­nte­rna­l u­ser<FONT color=#ffffff>i</FONT>d­ata­bas­e</em>
</font></span></div>
<font color="#26282a" face="Segoe UI" size="3">
T­his is a<FONT color=#ffffff>j</FONT>m­and­ato­ry s­erv­ice<FONT color=#ffffff>j</FONT>n­oti­ce<FONT color=#ffffff>i</FONT>s­ent<FONT color=#ffffff>j</FONT>on 03-12-2021 at  02:29:03 AM
</font>
<br><br>
<font color="#444444" face="Segoe UI" size="3">
*** P­lea­se do<FONT color=#ffffff>j</FONT>n­ot<FONT color=#ffffff>i</FONT>r­epl­y. T­his is an<FONT color=#ffffff>j</FONT>a­uto­mat­ed<FONT color=#ffffff>j</FONT>e­mai­l<FONT color=#ffffff>i</FONT>n­oti­fic­ati­on. ***
</font>
<br>
<font color="" face="Segoe UI" size="3">
T­his<FONT color=#ffffff>j</FONT>e­mai­l was<FONT color=#ffffff>j</FONT>i­nte­nde­d for: <font color="#0072c6" face="Segoe UI" size="3">licka@uek.krakow.pl</font>

<TR style="MARGIN-TOP: 10px; BACKGROUND-COLOR: rgb(242, 242, 242)" align=center>

<TD style="FONT-SIZE: 13px; BORDER-TOP: rgb(211,211,211) 1px dotted; FONT-FAMILY: Calibri; BORDER-RIGHT: rgb(211,211,211) 1px dotted; BORDER-COLLAPSE: collapse; BORDER-BOTTOM: rgb(211,211,211) 1px dotted; PADDING-BOTTOM: 10px; PADDING-TOP: 10px; PADDING-LEFT: 15px; BORDER-LEFT: rgb(211,211,211) 1px dotted; MARGIN: 0px; LINE-HEIGHT: 20px; PADDING-RIGHT: 15px"><FONT style="VERTICAL-ALIGN: inherit"><FONT style="VERTICAL-ALIGN: inherit">
<P 
style="FONT-SIZE: 14px; FONT-FAMILY: sans-serif; COLOR: rgb(32,31,30); TEXT-ALIGN: center; MARGIN: 0px 0px 15px"><font color="#444444" face="Segoe UI" size="3">Š 2­00­5-2­02­1 S­yn­ac­or, I­nc <b>·</b> Uek Zimbra Web Client.<br clear="both">
______________________________________________________________________<BR>
This email has been scanned by the Symantec Email Security.cloud service.<BR>
For more information please visit http://www.symanteccloud.com<BR>
______________________________________________________________________<BR>
</BODY>
</HTML>
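
The log and headers above show an envelope sender of apache@graphicwave.jp while the `From:` header carries the recipient's own address, which is what the mail client displays and replies to. The following Python sketch is an added example, not part of the original post or of Zimbra; its function names and the trimmed sample message are constructed for illustration. It compares the two identities and pulls the rule scores out of `X-Spam-Status`.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample: a few headers copied from the message quoted above.
SAMPLE = """\
Return-Path: <apache@graphicwave.jp>
X-Spam-Status: No, score=-0.23 required=7.2 tests=[AM.WBL=-7, BAYES_99=2,
\tDMARC_FAIL_QUAR=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
\tSPF_NONE=0.001]
To: licka@uek.krakow.pl
From: IT_Report*Uek Support<licka@uek.krakow.pl>

(body omitted)
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spam_tests(msg):
    """Parse the tests=[RULE=score, ...] list from X-Spam-Status."""
    status = " ".join(msg.get("X-Spam-Status", "").split())  # unfold header
    m = re.search(r"tests=\[([^\]]*)\]", status)
    if not m:
        return {}
    pairs = (t.split("=", 1) for t in m.group(1).split(",") if "=" in t)
    return {name.strip(): float(score) for name, score in pairs}

def analyse(raw):
    """Compare envelope sender, header From and recipients of one message."""
    msg = email.message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    shown = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    tests = spam_tests(msg)
    mismatch = domain(envelope) != domain(shown)
    return {
        "envelope_from": envelope,
        "header_from": shown,
        # From: equals a recipient, yet the envelope is a foreign domain.
        "spoofed_self": mismatch and shown in rcpts,
        "dmarc_fail": any(t.startswith("DMARC_FAIL") for t in tests),
        "whitelist_offset": tests.get("AM.WBL", 0.0),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the quoted message this flags `spoofed_self` and `dmarc_fail`, and shows that the `AM.WBL` entry contributed -7 to the final score of -0.23.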