Normal behavior or it's a fail!?

rjorodrigues
Posts: 7
Joined: Thu Feb 02, 2017 1:50 pm

Normal behavior or it's a fail!?

Post by rjorodrigues »

Hi Folks,

The system is notifying me of thousands of emails like this (below). I've done everything: Zimbra best practices, DKIM, DMARC, blocking several IPs known as spammers in the FW, etc.

Actually, I have doubts about whether this is normal Zimbra behavior and/or a problem, such as some breach in security (or lack of security), or even an error.

My Version: Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.

Content type: Spam
Internal reference code for the message is 22280-12/uM71fvHeiV3j

First upstream SMTP client IP address: [127.0.0.1]:60758 localhost

Received trace: ESMTP://[127.0.0.1]:60758 < ESMTP://127.0.0.1 <
SMTP://10.4.1.1 < 136.103.156.29

Return-Path: <tyxoujk@gmail.com>
From: "??????" <qnkqlb@ms41.hinet.net>
Message-ID: <KRUYPNGDJJISLUZDNILJ@ms46.hinet.net>
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Subject: ????????,??????????????
Not quarantined.

The message WAS NOT relayed to:
<samvmas@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvov@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvs5566@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvsdodo@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvsjames@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvsjean@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvsjes2003@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvsop@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvstom@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvv720529@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samvvrwinds@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw0201@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw04886@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw125@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw18tw@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw22000@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw228@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw325@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw333@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw5127@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw540@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw71156@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw861359@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samw93@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samwa5435@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samwa731029@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samwaeigame@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samwafer2000@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samwalila@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam
<samwallace99@yahoo.com.tw>:
250 2.7.0 ok, discarded, id=22280-12 - spam

Spam scanner report:
O filtro de spam do servidor "zimbra001.mydomain.com" identificou este
e-mail como um spam. A mensagem original está anexa a este
este e-mail para que possa ser visualizada (caso não seja
um spam) ou para que emails futuros similares a este sejam
marcados como spam também. Caso tenha alguma dúvida, entre
em contato no email @@CONTACT_ADDRESS@@ para mais detalhes.

Visualização de um trecho: MyPublicIP [...]

Detalhes da análise: (23.5 pontos, mínimo de 5.0)

pts regra descrição
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/Dns ... nsbl-block
for more information.
[URIs: ppt.cc]
0.0 URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the
DBL blocklist
[URIs: ppt.cc]
-4.0 ALL_TRUSTED Mensagem passou via SMTP apenas por hosts confiáveis
2.9 BAYES_99 BODY: Probabilidade de ser spam entre 99 to 100%
[score: 1.0000]
1.0 HK_RANDOM_FROM From username looks random
3.1 MSGID_SPAM_CAPS Message-Id conhecido como spam (caps variant)
1.4 MIME_BOUND_DD_DIGITS Padrão de spam conhecido em MIME boundary
2.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
0.0 FREEMAIL_FROM Remetente utiliza um email gratuito
(ozgbfoak[at]ms49.hinet.net)
(qnkqlb[at]ms41.hinet.net)
2.0 MIME_HTML_ONLY BODY: Mensagem somente possui formato text/html
2.0 HTML_FONT_LOW_CONTRAST BODY: Há textos com cores similares à cor de
fundo
0.4 HTML_MESSAGE BODY: HTML incluso na mensagem
0.8 MPART_ALT_DIFF BODY: Versão HTML e versão Texto da mensagem são
diferentes
3.8 BAYES_999 BODY: Probabilidade de ser spam entre 99.9 to 100%
[score: 1.0000]
0.0 MIME_HTML_ONLY_MULTI Mensagem diz ser multipart mas só possui formato
text/html
1.9 MISSING_MIMEOLE Mensagem possui X-MSMail-Priority mas não possui
X-MimeOLE
0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
freemail headers are different
1.5 FORGED_OUTLOOK_HTML Outlook não consegue enviar mensagens apenas HTML
1.8 RCVD_DOUBLE_IP_SPAM Spam conhecido (double IP)
1.0 FREEMAIL_REPLYTO Reply-To/From ou Reply-To/body usam diferentes
emails gratuitos
0.0 TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed
1.9 FORGED_MUA_OUTLOOK Email fingindo ser enviado pelo MS Outlook
0.0 TVD_SPACE_RATIO_MINFP Space ratio


Thanks a lot

Rubens J Rodrigues
vavai
Advanced member
Posts: 174
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Re: Normal behavior or it's a fail!?

Post by vavai »

Hi,

Judging by the From and To addresses, the problem comes from incorrect settings on the network and the trusted network. Your mail server seems to be an open relay. Can you paste the relevant log from /var/log/zimbra.log and also check your trusted network settings under Zimbra Admin | Configure | Server | MTA | MTA Trusted Network?
rjorodrigues
Posts: 7
Joined: Thu Feb 02, 2017 1:50 pm

Re: Normal behavior or it's a fail!?

Post by rjorodrigues »

Thanks for the feedback.

This MTA server is behind an FW (IPTables) that only redirects ports 25, 465, 587, and 995.

My trusted networks: 127.0.0.0/8 [::1]/128 10.4.0.0/16

Zimbra.Log
...
http://pastebin.com/Wdht79aD
vavai
Advanced member
Posts: 174
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Re: Normal behavior or it's a fail!?

Post by vavai »

rjorodrigues wrote: Thanks for the feedback.

This MTA server is behind an FW (IPTables) that only redirects ports 25, 465, 587, and 995.

My trusted networks: 127.0.0.0/8 [::1]/128 10.4.0.0/16

Zimbra.Log
...
http://pastebin.com/Wdht79aD
Your trusted network is quite large, and it will become the source of your problem. If you have a wrong configuration on your router and an incorrect DNAT setting that makes all external incoming mail be wrongly identified as coming from the router's private IP, then your mail server will end up as an open relay. And it is proven by the following error log:
Feb 8 19:19:19 batmx01 postfix/smtpd[4758]: 2A8C8583F7E: filter: RCPT from unknown[10.4.1.1]: <grubd@ms35.hinet.net>: Sender address
All incoming mail is wrongly identified as coming from 10.4.1.1, and I assume that is your router's private IP.

Solution:

1. Check and repair your DNAT configuration: don't masquerade everything, but use a specific DNAT for port 25, so all external/outside email will be identified by its public IP, not your router's private IP.

2. Modify your trusted network: I would prefer to list only 127.0.0.0/8 and your Zimbra IP/32, and set all users to use SMTP auth and SSL for security reasons.
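To make the diagnosis above checkable on a log rather than by eye, here is an added example (not from the thread or from Zimbra) that runs over constructed postfix/smtpd "client=" lines in the format quoted in the thread. It assumes the trusted networks posted by rjorodrigues, the narrowed set vavai recommends with 10.4.2.47 as the Zimbra host (taken from the DNAT rule later in the thread), and an assumed list of hosts that may legitimately connect from inside the trusted range; it flags any trusted client that is not one of them and reports how much of the inbound traffic a single client accounts for, which is the signature of a NAT rule hiding the real sources.

```python
import ipaddress
import re
from collections import Counter

# Trusted networks as posted in the thread, and the narrowed set vavai
# recommends (loopback plus the Zimbra host itself, 10.4.2.47, from the DNAT rule).
TRUSTED_BEFORE = ["127.0.0.0/8", "::1/128", "10.4.0.0/16"]
TRUSTED_AFTER = ["127.0.0.0/8", "::1/128", "10.4.2.47/32"]
# Assumed: hosts that may legitimately connect from inside the trusted range
# (amavis re-injecting on loopback, and the Zimbra MTA itself).
KNOWN_MAIL_HOSTS = {"127.0.0.1", "10.4.2.47"}

# Constructed sample lines in standard postfix/smtpd "client=" format; the first
# queue id and the hostname echo the line quoted in the thread. Not real log data.
SAMPLE_LOG = """\
Feb 8 19:19:19 batmx01 postfix/smtpd[4758]: 2A8C8583F7E: client=unknown[10.4.1.1]
Feb 8 19:19:23 batmx01 postfix/smtpd[4758]: 7D1F2A3B4C5: client=unknown[10.4.1.1]
Feb 8 19:19:31 batmx01 postfix/smtpd[4762]: 8E2A3B4C5D6: client=unknown[10.4.1.1]
Feb 8 19:19:40 batmx01 postfix/smtpd[4765]: 9F3B4C5D6E7: client=unknown[10.4.1.1]
Feb 8 19:19:41 batmx01 postfix/smtpd[4766]: A04C5D6E7F8: client=localhost[127.0.0.1]
Feb 8 19:20:02 batmx01 postfix/smtpd[4770]: B15D6E7F809: client=mx.example.net[203.0.113.5]
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+\[([0-9a-fA-F.:]+)\]")


def parse_clients(log_text):
    """Map each smtpd queue id to the client IP postfix recorded for it."""
    return {m.group(1): m.group(2) for m in CLIENT_RE.finditer(log_text)}


def is_trusted(ip, networks):
    """True if ip falls inside any configured trusted network (postfix mynetworks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def audit_relay_trust(log_text, trusted, known_hosts=KNOWN_MAIL_HOSTS):
    """Return (unexpected_trusted_clients, top_client, top_share).

    unexpected_trusted_clients: IPs granted relay rights through the trusted
    networks that are not known mail hosts (the router 10.4.1.1 case).
    top_client / top_share: the busiest client and its share of connections;
    one private IP dominating inbound traffic means NAT is hiding the sources.
    """
    counts = Counter(parse_clients(log_text).values())
    unexpected = sorted(ip for ip in counts
                        if is_trusted(ip, trusted) and ip not in known_hosts)
    top_client, top_n = counts.most_common(1)[0]
    return unexpected, top_client, top_n / sum(counts.values())
```

With TRUSTED_BEFORE the audit flags 10.4.1.1 as an unexpected trusted client; with TRUSTED_AFTER nothing is flagged, but the router still shows up as the dominant client until the NAT rule is fixed.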
rjorodrigues
Posts: 7
Joined: Thu Feb 02, 2017 1:50 pm

Re: Normal behavior or it's a fail!?

Post by rjorodrigues »

vavai wrote: Your trusted network is quite large, and it will become the source of your problem. If you have a wrong configuration on your router and an incorrect DNAT setting that makes all external incoming mail be wrongly identified as coming from the router's private IP, then your mail server will end up as an open relay. And it is proven by the following error log:
Feb 8 19:19:19 batmx01 postfix/smtpd[4758]: 2A8C8583F7E: filter: RCPT from unknown[10.4.1.1]: <grubd@ms35.hinet.net>: Sender address
All incoming mail is wrongly identified as coming from 10.4.1.1, and I assume that is your router's private IP.
Yes, 10.4.1.1 is our private router IP.

Solution:

1. Check and repair your DNAT configuration: don't masquerade everything, but use a specific DNAT for port 25, so all external/outside email will be identified by its public IP, not your router's private IP.
These are the firewall rules. Is there anything I can do to improve them!?
$IPT -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "Log_Zimbra_25: " --log-level debug
$IPT -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
$IPT -A OUTPUT -p tcp -s "MyPublicIP" --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPT -A PREROUTING -t nat -p tcp --dport 25 -d "MyPublicIP" -j DNAT --to-destination 10.4.2.47:25 <=== Zimbra Server Lan Address
$IPT -A POSTROUTING -t nat -p tcp --dport 25 -d 10.4.2.47 -j MASQUERADE
2. Modify your trusted network: I would prefer to list only 127.0.0.0/8 and your Zimbra IP/32, and set all users to use SMTP auth and SSL for security reasons.
Done!
Trusted Network: 127.0.0.0/8
If I put the address "Zimbra IP/32", ZCS displays an error message, so I left only the local address (127.0.0.1/8).
All my users just use SMTP auth and SSL.