I have a Zimbra 10.1.16 server.
I started receiving ransomware messages sent to my admin@domain.com email address from admin@domain.com.
The "mail from" field is clearly fake.
I checked via Telnet, and it is indeed sending an email with a fake address.
telnet mail.domain.com 25
helo yandex.ru
mail from:<admin@domain.com>
rcpt to:<admin@domain.com>
data
Test
.
quit
How can I block this?
SPAM Mail from admin to admin email with a fake address.
Re: SPAM Mail from admin to admin email with a fake address.
It's really, really common to see those messages. We've been getting them for years now. You can try and filter them, but then do you want to risk missing genuine admin messages due to an over-zealous spam filter?
I just delete them and move on.
Re: SPAM Mail from admin to admin email with a fake address.
I found a solution to my problem; maybe it will be useful to someone.
nano /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
After the permit_mynetworks line, add reject_sender_login_mismatch (either one line below or separated by a comma).
It should look like this:
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
reject_sender_login_mismatch
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
Log in as the zimbra user:
su zimbra
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
zmcontrol restart
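To show what the restriction order above actually does, here is an added Python model (not Zimbra's or Postfix's code) that walks the list one entry at a time the way Postfix does, stopping at the first entry that permits or rejects. The networks, client IPs and the sender-login map are constructed stand-ins for $mynetworks and the LDAP lookup behind ldap-slm.cf.

```python
# Added example: simplified model of Postfix walking smtpd_sender_restrictions
# for the list in the post. Not Postfix or Zimbra code.
import ipaddress

# Order matters. Zimbra's %%...%% template lines are omitted here because
# they only gate the optional cbpolicyd/amavis checks.
SENDER_RESTRICTIONS = [
    "permit_mynetworks",
    "reject_sender_login_mismatch",
    "permit_sasl_authenticated",
    "permit_tls_clientcerts",
]

# Constructed stand-ins: $mynetworks, and the address -> owning login
# lookup that zimbraMtaSmtpdSenderLoginMaps (ldap-slm.cf) performs.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("10.0.0.0/8")]
SENDER_LOGIN_MAP = {"admin@domain.com": "admin@domain.com",
                    "alice@domain.com": "alice@domain.com"}


def evaluate(client_ip, mail_from, sasl_login=None, tls_client_cert=False):
    """Return (action, reason) for the MAIL FROM stage of one SMTP session."""
    ip = ipaddress.ip_address(client_ip)
    owner = SENDER_LOGIN_MAP.get(mail_from.lower())
    for rule in SENDER_RESTRICTIONS:
        if rule == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit", rule   # trusted hosts skip every later check
        elif rule == "reject_sender_login_mismatch":
            # Logged in, but the login does not own MAIL FROM -> reject.
            if sasl_login is not None and owner != sasl_login:
                return "reject", "553 5.7.1 Sender address rejected: not owned by user"
            # Not logged in, but MAIL FROM has an owner in the map -> reject.
            if sasl_login is None and owner is not None:
                return "reject", "553 5.7.1 Sender address rejected: not logged in"
        elif rule == "permit_sasl_authenticated":
            if sasl_login is not None:
                return "permit", rule
        elif rule == "permit_tls_clientcerts":
            if tls_client_cert:
                return "permit", rule
    # No decision in this list; Postfix moves on to the later restriction lists.
    return "dunno", "end of list"


if __name__ == "__main__":
    # The telnet session from the original post: external client, no AUTH.
    print(evaluate("203.0.113.5", "admin@domain.com"))
    # The same forged sender from a host inside mynetworks still gets through.
    print(evaluate("10.1.2.3", "admin@domain.com"))
```

Because permit_mynetworks comes first, a forged admin@domain.com from any host in $mynetworks is never checked, so this change only stops the spoof from outside.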
