Help with this Spam issue

Kevin Maschke
Posts: 3
Joined: Sat Aug 27, 2016 12:17 pm

Help with this Spam issue

Postby Kevin Maschke » Thu Nov 07, 2019 3:52 pm

Hello,

We've recently started receiving weird spam and I have not been able to find a solution against it. I've searched through this forum, and google, and applied some of the suggested fixes, but nothing seems to work.
So basically we're getting emails that show a fake source email address.

In the mailbox, for this example, we see it as:

From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>


When I look at the original, it is this:

Return-Path: <leonardo.rosario@francoelevadores.com.br>
Received: from mail.ourdomain.com (LHLO
 mail.ourdomain.com) (192.168.1.3) by
 mail.ourdomain.com with LMTP; Tue, 5 Nov 2019 13:06:54 +0000
 (GMT)
Received: from localhost (localhost [127.0.0.1])
   by mail.ourdomain.com (Postfix) with ESMTP id A2A2ADA039A
   for <info@ourdomain.com>; Tue,  5 Nov 2019 13:06:54 +0000 (GMT)
X-Virus-Scanned: amavisd-new at ourdomain.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 required=6.6 tests=[BAYES_00=-1.9,
   DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01,
   URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: mail.ourdomain.com (amavisd-new);
   dkim=fail (2048-bit key) reason="fail (message has been altered)"
   header.d=francoelevadores.com.br
Received: from mail.ourdomain.com ([127.0.0.1])
   by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
   with ESMTP id sgmlJz-3ZpLT for <info@ourdomain.com>;
   Tue,  5 Nov 2019 13:06:51 +0000 (GMT)
Received: from ns24.servidorprotegido.net (ns24.servidorprotegido.net [177.85.100.181])
   by mail.ourdomain.com (Postfix) with ESMTPS id 9BE92DA0396
   for <info@ourdomain.com>; Tue,  5 Nov 2019 13:06:51 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
   d=francoelevadores.com.br; s=default; h=Content-Type:MIME-Version:Subject:To:
   From:Date:Sender:Reply-To:Message-ID:Cc:Content-Transfer-Encoding:Content-ID:
   Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
   :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
   List-Subscribe:List-Post:List-Owner:List-Archive;
   bh=qyhGaMrN5n0rmBw2BAJ92d8WnNpVwbUVr1DP0KgdJac=; b=lH89pWsf0sFDVbvyWGs6iFKAhP
   MvgJ5wjaVgFT7pHKGdHo/QA3aT4P1UJV+fmwvbo3jkkm1436bE9Ko9fhRK///gYK/5NOQxK6Sa/TS
   0+swBQzPfRMC32GwIQPfCvhFpXLyP4yvQZ/97grZWRE7jgkHIoZ/Rqy5lrpuuqdr6HteM+jQaaR/U
   coDx/IWFdTzEZhBcqNNLBMrdibvNaisrrgoO6Bg46jzoGmIwwueQhwQHRvdZ4eb/c1bjSF3ERikZ8
   Nv/hLKU5+86jWHfABx/JZk2gC7gLfHFyPU/XEcIfJxN/5f4wBzIYru4mulXTr6rG0NMX62Z3FRqZD
   E37lK/MQ==;
Received: from [79.8.246.44] (port=52623)
   by h18.servidorhh.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
   (Exim 4.92)
   (envelope-from <leonardo.rosario@francoelevadores.com.br>)
   id 1iRyGU-000763-Pe
   for info@ourdomain.com; Tue, 05 Nov 2019 09:48:55 -0300
Date: Tue, 05 Nov 2019 13:49:14 +0100
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
To: <info@ourdomain.com>
Subject: privacidad
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_41276_3664861523.16901508094225703888"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - h18.servidorhh.com
X-AntiAbuse: Original Domain - ourdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - francoelevadores.com.br
X-Get-Message-Sender-Via: h18.servidorhh.com: authenticated_id: leonardo.rosario@francoelevadores.com.br
X-Authenticated-Sender: h18.servidorhh.com: leonardo.rosario@francoelevadores.com.br
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <20191105130651.9BE92DA0396@mail.ourdomain.com>

------=_Part_41276_3664861523.16901508094225703888
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

CONTENT HERE....


And the Zimbra log for the same message is the following:

Nov  5 13:06:45 mail postfix/postscreen[8475]: CONNECT from [177.85.100.181]:58634 to [192.168.1.3]:25
Nov  5 13:06:51 mail postfix/postscreen[8475]: PASS NEW [177.85.100.181]:58634
Nov  5 13:06:51 mail postfix/smtpd[8479]: connect from ns24.servidorprotegido.net[177.85.100.181]
Nov  5 13:06:51 mail postfix/smtpd[8479]: Anonymous TLS connection established from ns24.servidorprotegido.net[177.85.100.181]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  5 13:06:51 mail postfix/smtpd[8479]: NOQUEUE: filter: RCPT from ns24.servidorprotegido.net[177.85.100.181]: <leonardo.rosario@francoelevadores.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<leonardo.rosario@francoelevadores.com.br> to=<info@ourdomain.com> proto=ESMTP helo=<ns24.servidorprotegido.net>
Nov  5 13:06:51 mail postfix/smtpd[8479]: NOQUEUE: filter: RCPT from ns24.servidorprotegido.net[177.85.100.181]: <leonardo.rosario@francoelevadores.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<leonardo.rosario@francoelevadores.com.br> to=<info@ourdomain.com> proto=ESMTP helo=<ns24.servidorprotegido.net>
Nov  5 13:06:51 mail postfix/smtpd[8479]: 9BE92DA0396: client=ns24.servidorprotegido.net[177.85.100.181]
Nov  5 13:06:51 mail postfix/cleanup[8482]: 9BE92DA0396: message-id=<20191105130651.9BE92DA0396@mail.ourdomain.com>
Nov  5 13:06:51 mail postfix/qmgr[11650]: 9BE92DA0396: from=<leonardo.rosario@francoelevadores.com.br>, size=372065, nrcpt=1 (queue active)
Nov  5 13:06:51 mail amavis[10673]: (10673-14) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20191105T072415-10673-Zag6qe1n: <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com> SIZE=372065 Received: from mail.mallorcaqualitycenter.com ([127.0.0.1]) by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <info@ourdomain.com>; Tue,  5 Nov 2019 13:06:51 +0000 (GMT)
Nov  5 13:06:51 mail postfix/smtpd[8479]: disconnect from ns24.servidorprotegido.net[177.85.100.181] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov  5 13:06:52 mail amavis[10673]: (10673-14) Checking: sgmlJz-3ZpLT [177.85.100.181] <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>
Nov  5 13:06:54 mail postfix/amavisd/smtpd[8485]: connect from localhost[127.0.0.1]
Nov  5 13:06:54 mail postfix/amavisd/smtpd[8485]: A2A2ADA039A: client=localhost[127.0.0.1]
Nov  5 13:06:54 mail postfix/cleanup[8482]: A2A2ADA039A: message-id=<20191105130651.9BE92DA0396@mail.ourdomain.com>
Nov  5 13:06:54 mail postfix/amavisd/smtpd[8485]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov  5 13:06:54 mail postfix/qmgr[11650]: A2A2ADA039A: from=<leonardo.rosario@francoelevadores.com.br>, size=372986, nrcpt=1 (queue active)
Nov  5 13:06:54 mail amavis[10673]: (10673-14) sgmlJz-3ZpLT FWD from <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2A2ADA039A
Nov  5 13:06:54 mail amavis[10673]: (10673-14) Passed CLEAN {RelayedInbound}, [177.85.100.181]:58634 [79.8.246.44] <leonardo.rosario@francoelevadores.com.br> -> <info@ourdomain.com>, Queue-ID: 9BE92DA0396, Message-ID: <20191105130651.9BE92DA0396@mail.mallorcaqualitycenter.com>, mail_id: sgmlJz-3ZpLT, Hits: -1.79, size: 372065, queued_as: A2A2ADA039A, 2815 ms
Nov  5 13:06:54 mail postfix/smtp[8483]: 9BE92DA0396: to=<info@ourdomain.com>, orig_to=<info@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.33/0.01/0/2.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2A2ADA039A)
Nov  5 13:06:54 mail postfix/qmgr[11650]: 9BE92DA0396: removed
Nov  5 13:06:54 mail postfix/lmtp[8486]: A2A2ADA039A: to=<info@ourdomain.com>, relay=mail.ourdomain.com[192.168.1.3]:7025, delay=0.23, delays=0.05/0.01/0.09/0.09, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov  5 13:06:54 mail postfix/qmgr[11650]: A2A2ADA039A: removed


Some additional information:

  • "COLDSYSTEMS <info@coldsystems.es>" is used in most of these cases.
  • "<leonardo.rosario@francoelevadores.com.br>" changes with every spam mail.
  • Sometimes the From appears as if sent from us: "Our Company Name <info@ourdomain.com>" <some.account@some.other.domain.com>.
  • All emails come with an attachment which I have instructed to NEVER open.

I have not found any way of avoiding this type of spam, and we are getting this on a daily basis, which is very annoying and frustrating.
If anyone has any idea, suggestion or anything that could help to solve this, PLEASE let me know. Please ask for any additional information you might need. I'm happy to provide anything needed.

Thank you very much in advance. I hope to be able to solve this with the help of more expert users on this forum.

Kind Regards,
Kevin
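
The pattern in the post is display-name spoofing: the quoted display name carries an address-looking string (info@coldsystems.es, or the recipient's own info@ourdomain.com) while the real address sits in a different domain, and the Authentication-Results header already reports dkim=fail even though the SpamAssassin score barely reflects it (T_DKIM_INVALID=0.01). The following is an added example, not code from the post and not part of Zimbra, amavisd or SpamAssassin. It parses a From: header with Python's standard email library, flags a display name whose embedded address domain differs from the actual address domain, flags the case where that embedded domain is our own, and also reports a dkim=fail verdict from Authentication-Results. OUR_DOMAIN and the SAMPLE message are assumptions: the domain is the placeholder used in the post, and the sample is constructed from the headers quoted there.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the recipient organisation's domain (the post writes it as ourdomain.com).
OUR_DOMAIN = "ourdomain.com"

# An address-looking token inside a display name, e.g. info@coldsystems.es.
# Group 1 captures the domain part.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_from(from_value: str, our_domain: str = OUR_DOMAIN) -> list:
    """Findings for one From: header value; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_value)  # name is the display name without its quotes
    real_domain = domain_of(addr)
    findings = []
    m = EMBEDDED_ADDR.search(name)
    if m:
        shown_domain = m.group(1).lower()
        if shown_domain != real_domain:
            findings.append(
                f"display name shows {shown_domain} but the address is at {real_domain}"
            )
        if shown_domain == our_domain.lower() and real_domain != our_domain.lower():
            findings.append("display name impersonates our own domain")
    return findings


def dkim_failed(auth_results: str) -> bool:
    """True when an Authentication-Results value reports dkim=fail."""
    return bool(re.search(r"\bdkim=fail\b", auth_results or "", re.IGNORECASE))


def analyze(raw_message: str, our_domain: str = OUR_DOMAIN) -> list:
    """Run both checks over a raw RFC 5322 message and return every finding."""
    msg = message_from_string(raw_message)
    findings = check_from(msg.get("From", ""), our_domain)
    for ar in msg.get_all("Authentication-Results", []):
        if dkim_failed(ar):
            # Collapse folded continuation lines into one line for the report.
            findings.append("DKIM verification failed: " + " ".join(ar.split()))
    return findings


# Constructed sample: the headers from the post that the checks read, nothing more.
SAMPLE = """Authentication-Results: mail.ourdomain.com (amavisd-new);
   dkim=fail (2048-bit key) reason="fail (message has been altered)"
   header.d=francoelevadores.com.br
From: "COLDSYSTEMS <info@coldsystems.es>" <leonardo.rosario@francoelevadores.com.br>
To: <info@ourdomain.com>
Subject: privacidad

CONTENT HERE....
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("SUSPICIOUS:", finding)
```

The message in the post passed SPF and was submitted through an authenticated account on the sending host (X-Authenticated-Sender), so blocking on the sending address or IP alone will not keep up with it; what distinguishes these messages is the address inside the display name, and that is the condition a local filter rule should score. The same test can be written as a SpamAssassin header rule against the From:name sub-header, with the dkim=fail result scored on top.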


Kevin Maschke
Posts: 3
Joined: Sat Aug 27, 2016 12:17 pm

Re: Help with this Spam issue

Postby Kevin Maschke » Sun Nov 10, 2019 2:12 am

Hello,

Is anybody able to help or at least give some ideas on how to solve this?

Thanks!
zimico
Advanced member
Posts: 194
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Help with this Spam issue

Postby zimico » Sun Nov 10, 2019 5:29 am

