Recently a client of mine received spam that appeared to originate from their own domain, even though I had already hardened the server with SASL "sender must login" (enforcing a match between the From address and the SASL username), following this guide: how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username.
An example of the spam is below.
Opening its full header shows this:
Date: Mon, 29 Apr 2019 04:57:10 +0200
Abuse-Reports-To: abuse@streamteam.de
Subject: kingkin
Message-ID: <rn1b4dr2n7pvb28bhspaeizvyhk@w6nipklkwnrsspf9rcjzjdk31w1rp7j1v5i7wi72xxxxxxx>
Organization: Wmdqljwplgkmyxw
To: kingkin@example.com
List-Subscribe: <mailto:MEMBERS-subscribe-request@streamteam.de>
X-Complaints-To: <abuse@mailer.streamteam.de>
From: <kingkin@example.com>
Content-Type: multipart/related; boundary="iygwtagdm-C8A1B21FFDF"
MIME-Version: 1.0
X-aid: 1887484633
Judging by the From header, the email appears to come from our client's domain. The Return-Path, however, shows that it was actually sent from another domain:
Return-Path: tftomsun@streamteam.de
Received: from 172.xx.xx.xx (LHLO emailserver.example.com) (172.xx.xx.xx) by
Aaah. That is why the "sender must login" improvement did not help here: that restriction only constrains submissions from our own authenticated users, whereas this message was never submitted by an authenticated user. Its envelope sender (Return-Path) is in a different domain; only the From header was forged.
To block this kind of spam, I added a SpamAssassin rule to Zimbra's antispam configuration. This is what I did:
Open /opt/zimbra/conf/salocal.cf.in and add these lines at the bottom:
score HEADER_FROM_DIFFERENT_DOMAINS 10.0
header __FROM_DOMAIN From:addr =~ /\@example\.com$/i
header __RETURN_PATH Return-Path:addr =~ /\@example\.com$/i
meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
describe SPAM_DOMAIN From and return-path did not match our domain
score SPAM_DOMAIN 10.0
Note: replace example.com with your own domain. Escape the dot and anchor the pattern to the end of the extracted address (the :addr modifier with /\@example\.com$/i): a bare /\@example.com/i also matches addresses such as user@example.com.attacker.net or user@example.company, so a spammer who uses such an address as Return-Path would satisfy __RETURN_PATH and slip past the rule.
Of the two scores, SPAM_DOMAIN adds 10.0 when the From address is in our domain but the Return-Path is not. HEADER_FROM_DIFFERENT_DOMAINS is a stock SpamAssassin rule that fires when the From and envelope-sender domains differ; the first line raises its score to 10.0. Whether a scored message is merely tagged or discarded depends on the amavis tag and kill levels that Zimbra derives from zimbraSpamTagPercent and zimbraSpamKillPercent, so you can raise the scores, for example to 20.0, to make sure such mail is discarded. Expect some legitimate mail to match as well: mailing lists, forwarders and third-party services that send with a From address in your domain but their own bounce address all hit SPAM_DOMAIN, so exempt those senders before using a discard-level score.
Make sure the antispam service is enabled on the server, then restart Zimbra:
zmprov ms `zmhostname` +zimbraServiceEnabled antispam
zmcontrol restart
Testing
Download the sample email (the -k flag, which disables certificate verification, is not needed for GitHub and can be dropped):
curl -k https://raw.githubusercontent.com/imanudin11/lainlain/master/contoh.email > /tmp/contoh.email
Open the sample email and adjust it to your domain:
Received: from server.example.com (unknown [172.173.174.175])
	by mail.example.com (Postfix) with ESMTPSA id D256C3E4109
	for <user2@example.com>; Fri, 24 May 2019 13:31:28 +0700 (WIB)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Testing fake from
From: user2@example.com
To: user2@example.com
Message-Id: <20190524063128.D256C3E4109@mail.example.com>
Date: Fri, 24 May 2019 13:31:28 +0700 (WIB)

Test improvement from and return-path did not match
Save the file and send the test email. The -f option sets the envelope sender (which becomes the Return-Path) to an outside domain, while the From header stays in our domain:
/opt/zimbra/common/sbin/sendmail -f user1@outsidedomain.com user2@example.com < /tmp/contoh.email
Open zimbra.log (/var/log/zimbra.log) and you should see entries like these:
May 24 13:48:47 mail amavis[28571]: (28571-03) Blocked SPAM {DiscardedInbound}, [127.0.0.1] [172.173.174.175] <user1@outsidedomain.com> -> <user2@example.com>, Message-ID: <20190524063128.D256C3E4108@mail.example.com>, mail_id: 3ITthV1GrFsI, Hits: 19.379, size: 665, 10071 ms
May 24 13:48:47 mail postfix/smtp[2978]: 148DB3E4133: to=<user2@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=10, delays=0.01/0/0/10, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=28571-03 - spam)
The message was discarded because it scored 19.379 hits, which includes the scores configured in salocal.cf.in.
If you want to test again, open /tmp/contoh.email and change the Message-Id first, so that the message is not treated as a duplicate.
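As an added example (not code from this post or from Zimbra), the following Python models the SPAM_DOMAIN meta rule offline, so the behaviour of the pattern can be checked without sending anything through amavis. It runs the rule in two forms over constructed messages: the regex exactly as written in the rule above, and a strict form that extracts the address and compares its domain exactly (the From:addr with /\@example\.com$/i form), generalised to a set of hosted domains as asked about in the comments. The "spoof" sample mirrors the headers quoted at the top of the post; the "bypass" sample, the attacker domain and the OUR_DOMAINS set are assumptions chosen for illustration.

```python
"""Offline model of the SPAM_DOMAIN rule: From address in our domain,
Return-Path address outside it. Added example, not code from the post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this server hosts. The post uses example.com;
# a set covers the multi-domain case raised in the comments.
OUR_DOMAINS = {"example.com"}

# Pattern exactly as written in the original rule: the dot is unescaped
# and nothing anchors the end, so "@example.com.attacker.invalid" matches too.
LOOSE_RE = re.compile(r"@example.com", re.I)


def _address(msg, header):
    """Bare address of a header, like SpamAssassin's Header:addr modifier."""
    return parseaddr(msg.get(header, ""))[1]


def loose_rule_fires(raw):
    """The rule as written: regex over the raw header values.
    meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN"""
    msg = message_from_string(raw)
    from_ours = bool(LOOSE_RE.search(msg.get("From", "")))
    rp_ours = bool(LOOSE_RE.search(msg.get("Return-Path", "")))
    return from_ours and not rp_ours


def strict_rule_fires(raw):
    """Same meta rule, but each address is extracted first and its domain
    must equal one of ours exactly (the anchored Header:addr form)."""
    msg = message_from_string(raw)
    from_domain = _address(msg, "From").rpartition("@")[2].lower()
    rp_domain = _address(msg, "Return-Path").rpartition("@")[2].lower()
    return from_domain in OUR_DOMAINS and rp_domain not in OUR_DOMAINS


# Constructed samples. SPOOF mirrors the headers quoted in the post.
SPOOF = """\
Return-Path: <tftomsun@streamteam.de>
From: <kingkin@example.com>
To: kingkin@example.com
Subject: kingkin

body
"""

LEGIT = """\
Return-Path: <user1@example.com>
From: User One <user1@example.com>
To: user2@example.com
Subject: internal mail

body
"""

# Bounce address chosen so that "@example.com" is a substring of it
# (attacker domain is an assumption, hence the .invalid TLD).
BYPASS = """\
Return-Path: <bounce@example.com.attacker.invalid>
From: CEO <ceo@example.com>
To: finance@example.com
Subject: urgent transfer

body
"""


def evaluate():
    """(loose, strict) outcome for every sample, keyed by sample name."""
    samples = {"spoof": SPOOF, "legit": LEGIT, "bypass": BYPASS}
    return {name: (loose_rule_fires(m), strict_rule_fires(m))
            for name, m in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:7s} loose={loose!s:5s} strict={strict}")
```

Run it directly to print the three outcomes. The bypass case is the reason to anchor the pattern: a Return-Path such as bounce@example.com.attacker.invalid contains the substring @example.com, so the unanchored rule treats it as our own domain and SPAM_DOMAIN never fires, while the strict comparison still catches it. The legit case shows that ordinary internal mail, where both addresses are in our domain, is untouched by either form.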
Good Luck 🙂
Thanks, bro.. it will solve the recent phishing attack
You're welcome, bro. Hope this helps
Thank you so much for this blocking!
Wishing you ever more blessings, Mas Imanuddin, for sharing this tutorial..
Hi !
Thank you very much for this tutorial on how to block this type of spam in Zimbra.
I tested it and it works.
I want to ask one more question: what would the correct syntax be if there are multiple domains on the host, e.g.
@example.com, @example1.com, @example2.com
header __RETURN_PATH Return-Path =~ /\@example.com/i /\@example1.com/i /\@example2.com/i ?
Hello,
You can give each one a different name. As an example:
header __FROM_DOMAIN1 From:addr =~ /\@example1\.com$/i
header __RETURN_PATH1 Return-Path:addr =~ /\@example1\.com$/i
meta SPAM_DOMAIN1 !(__RETURN_PATH1) && __FROM_DOMAIN1
score SPAM_DOMAIN1 10.0
header __FROM_DOMAIN2 From:addr =~ /\@example2\.com$/i
header __RETURN_PATH2 Return-Path:addr =~ /\@example2\.com$/i
meta SPAM_DOMAIN2 !(__RETURN_PATH2) && __FROM_DOMAIN2
score SPAM_DOMAIN2 10.0
What about the From, bro? Should it also be changed, like this?
Yes. It can be adjusted accordingly.
Thank you.
Oh, and aren't you going to write a tutorial on installing razor, pyzor and dcc?
Hi,
I happen to rarely use them. I use an external antispam such as PMG.
Is PMG already good enough without further improvements? If we use PMG, is the MX record pointed at the PMG's IP? Or is the DNS set up the way it is when we use a mail relay?
Hi,
How do I remove duplicate emails from a Zimbra user account?
Hello,
You can use this awesome tool: https://github.com/quentinsf/IMAPdedup
Sorry to bother you.
Can this be applied to Zimbra 8.8.10?
Please let me know.
Thank you.
Best of luck, Mas Iman.
Hi Mas Topan,
Absolutely. Just make sure the antispam service is running.
We have 3 domains on our mail server, so we make 3 scripts, one with each domain name, right:
score HEADER_FROM_DIFFERENT_DOMAINS 10.0
header __FROM_DOMAIN From =~ /\@domain1/i
header __RETURN_PATH Return-Path =~ /\@domain1/i
meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
describe SPAM_DOMAIN From and return-path did not match our domain
score SPAM_DOMAIN 10.0
score HEADER_FROM_DIFFERENT_DOMAINS 10.0
header __FROM_DOMAIN From =~ /\@domain2/i
header __RETURN_PATH Return-Path =~ /\@domain2/i
meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
describe SPAM_DOMAIN From and return-path did not match our domain
score SPAM_DOMAIN 10.0
score HEADER_FROM_DIFFERENT_DOMAINS 10.0
header __FROM_DOMAIN From =~ /\@domain3/i
header __RETURN_PATH Return-Path =~ /\@domain3/i
meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
describe SPAM_DOMAIN From and return-path did not match our domain
score SPAM_DOMAIN 10.0
I implemented this and zimbra.log says "fatal system mail is down".
I can't send or receive email.
Please advise.
Hi,
Please check this comment for guidance: https://imanudin.net/2019/05/23/zimbra-tips-how-to-block-email-from-and-return-path-did-not-match/#comment-43509
How do I block based on the subject / body of the email?
You can follow this guide: https://imanudin.net/2015/02/13/zimbra-tips-blacklist-email-based-on-body-email/
Mas Iman,
I want to ask: this script is added in /opt/zimbra/conf/salocal.cf.in, right?
If I want to add this script:
# Do not want to receive message when there is no my domain in To field:
header __DOMAIN_IN_TO To =~ /example\.com/i
meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
score DOMAIN_NOT_IN_TO 10.0
can it be added to /opt/zimbra/conf/salocal.cf.in
or does it have to go here: /opt/zimbra/data/spamassassin/localrules/sauser.cf?
Please help and advise, Mas Iman,
Thanks in advance.
Hi,
It can go in salocal.cf.in. That is where I usually add it.
Good evening,
In a Zimbra multi-server setup, following your guidebook on Google Play Books,
which server should it be set on?
MTA or another?
Please help.
Thank you.
Hi Mas Topan,
Set it on the MTA server.