Zimbra

Zimbra Tips : How To Block Email From and Return-Path did not Match

Recently, one of my clients received spam e-mail that appeared to originate from their own domain, even though I had already hardened the server by enforcing sender-must-login (SASL), as described in this guide: how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username.

An example of the spam is shown below.

Opening the full header shows this:

Date: Mon, 29 Apr 2019 04:57:10 +0200
Abuse-Reports-To: abuse@streamteam.de
Subject: kingkin
Message-ID:
 <rn1b4dr2n7pvb28bhspaeizvyhk@w6nipklkwnrsspf9rcjzjdk31w1rp7j1v5i7wi72xxxxxxx>
Organization: Wmdqljwplgkmyxw
To: kingkin@example.com
List-Subscribe: <mailto:MEMBERS-subscribe-request@streamteam.de>
X-Complaints-To: <abuse@mailer.streamteam.de>
From: <kingkin@example.com>
Content-Type: multipart/related;
 boundary="iygwtagdm-C8A1B21FFDF"
MIME-Version: 1.0
X-aid: 1887484633

From the header, the email appears to come from our client's domain. However, the Return-Path shows that it actually comes from another domain:

Return-Path: tftomsun@streamteam.de
Received: from 172.xx.xx.xx(LHLO emailserver.example.com) (172.xx.xx.xx) by

That is why the sender-must-login improvement did not stop it: that check only applies to authenticated (SASL) submissions, and this message came in from an outside server with a forged From header.

To block this spam, I added a rule to the antispam (SpamAssassin) configuration. This is what I did:

Open /opt/zimbra/conf/salocal.cf.in and add these lines at the bottom:

# Raise the score of the stock SpamAssassin rule that fires when the
# From and envelope-from (Return-Path) second-level domains differ
score HEADER_FROM_DIFFERENT_DOMAINS 10.0

# Match only the address part (:addr) and anchor the domain with $, so
# "user@example.com.attacker.net" is not treated as ours; the dot is escaped
header __FROM_DOMAIN  From:addr =~ /\@example\.com$/i
header __RETURN_PATH  Return-Path:addr =~ /\@example\.com$/i
# Fire when From claims our domain but the Return-Path does not
meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
describe SPAM_DOMAIN From and Return-Path domains do not match our domain
score SPAM_DOMAIN 10.0

Note: Replace example.com with your own domain.

The configuration above adds 10.0 to the score when the From domain is ours but the Return-Path domain is not (SPAM_DOMAIN), and another 10.0 when the stock HEADER_FROM_DIFFERENT_DOMAINS rule fires. You can use a higher value such as 20.0 so the email is discarded outright.
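To check what the two header rules and the SPAM_DOMAIN meta rule actually do before restarting the mail server, the same logic can be replayed in plain Python over sample headers. This is an added example, not code from the blog or from Zimbra/SpamAssassin; it assumes a list of local domains (LOCAL_DOMAINS, which generalises the single example.com of the rule to several domains) and uses sample messages that are constructed after the spam header shown above.

```python
"""Replay of the salocal.cf.in rule logic (__FROM_DOMAIN, __RETURN_PATH,
meta SPAM_DOMAIN) in Python. Added example, not the blog's or Zimbra's
code; LOCAL_DOMAINS and the sample messages are constructed/assumed."""
from email import message_from_string
from email.utils import parseaddr

# Assumed local domains (the rule on the page uses only example.com; a
# set shows the same check generalised to several hosted domains).
LOCAL_DOMAINS = {"example.com", "example1.com"}

# Mirrors "score SPAM_DOMAIN 10.0"; 5.0 is SpamAssassin's usual
# required_score, used here only as the tag threshold.
SPAM_DOMAIN_SCORE = 10.0
REQUIRED_SCORE = 5.0


def header_domain(msg, name):
    """Lower-cased domain of the address in header `name`, equivalent to
    SpamAssassin's `Header:addr` form; None if the header is missing."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)          # strips display name and <>
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_local(domain):
    # Exact match, like the anchored /\@example\.com$/ regex: a lookalike
    # such as example.com.attacker.test is not treated as ours.
    return domain in LOCAL_DOMAINS


def evaluate(raw):
    """Apply __FROM_DOMAIN / __RETURN_PATH and the SPAM_DOMAIN meta rule."""
    msg = message_from_string(raw)
    from_dom = header_domain(msg, "From")
    rp_dom = header_domain(msg, "Return-Path")
    from_local = is_local(from_dom) if from_dom else False
    rp_local = is_local(rp_dom) if rp_dom else False
    # meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
    spam_domain = from_local and not rp_local
    score = SPAM_DOMAIN_SCORE if spam_domain else 0.0
    return {"from": from_dom, "return_path": rp_dom,
            "SPAM_DOMAIN": spam_domain, "score": score,
            "is_spam": score >= REQUIRED_SCORE}


# Constructed samples: the spoof from the blog's header, a legitimate
# internal message, and a spoof whose Return-Path uses a lookalike domain
# that an unanchored /\@example.com/ regex would have accepted.
SPOOFED = "Return-Path: tftomsun@streamteam.de\nFrom: <kingkin@example.com>\n" \
          "To: kingkin@example.com\nSubject: kingkin\n\nbody\n"
LEGIT = "Return-Path: <user1@example.com>\nFrom: \"User One\" <user1@example.com>\n" \
        "To: user2@example.com\nSubject: hello\n\nbody\n"
LOOKALIKE_RP = "Return-Path: <x@example.com.attacker.test>\nFrom: <user1@example.com>\n" \
               "To: user2@example.com\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("lookalike", LOOKALIKE_RP)):
        print(label, evaluate(raw))
```

The third sample is the reason the domain is anchored in the rule: with the unanchored `/\@example.com/i` from the first version, `__RETURN_PATH` would also match `x@example.com.attacker.test` and the meta rule would stay silent.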

Make sure the antispam service is enabled:

zmprov ms `zmhostname` +zimbraServiceEnabled antispam
zmcontrol restart

Testing

Download the sample email:

curl -k https://raw.githubusercontent.com/imanudin11/lainlain/master/contoh.email > /tmp/contoh.email

Open the sample email and adjust it to your domain:

Received: from server.example.com (unknown [172.173.174.175])
        by mail.example.com (Postfix) with ESMTPSA id D256C3E4109
        for <user2@example.com>; Fri, 24 May 2019 13:31:28 +0700 (WIB)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Testing fake from
From: user2@example.com
To: user2@example.com
Message-Id: <20190524063128.D256C3E4109@mail.example.com>
Date: Fri, 24 May 2019 13:31:28 +0700 (WIB)

Test improvement from and return-path did not match

Save the file and send it as a test:

/opt/zimbra/common/sbin/sendmail -f user1@outsidedomain.com user2@example.com < /tmp/contoh.email

Open zimbra.log and you should see log lines like these:

May 24 13:48:47 mail amavis[28571]: (28571-03) Blocked SPAM {DiscardedInbound}, [127.0.0.1] [172.173.174.175] <user1@outsidedomain.com> -> <user2@example.com>, Message-ID: <20190524063128.D256C3E4108@mail.example.com>, mail_id: 3ITthV1GrFsI, Hits: 19.379, size: 665, 10071 ms
May 24 13:48:47 mail postfix/smtp[2978]: 148DB3E4133: to=<user2@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=10, delays=0.01/0/0/10, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=28571-03 - spam)

The message was discarded because it scored 19.379 hits, which includes the scores configured in salocal.cf.in.

If you want to test again, open /tmp/contoh.email and change the Message-Id first, otherwise the second message is treated as a duplicate.
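Once the rule is live, the amavis verdict lines in zimbra.log are the place to watch how often it fires and from which outside domains. The parser below is an added example, not from the blog or Zimbra: it pulls verdict, action, envelope sender/recipient, Message-ID and Hits out of lines shaped like the two shown above. The field layout is assumed from those lines and amavisd-new's usual format; the "Passed CLEAN" line is constructed.

```python
"""Summarise amavis verdict lines from zimbra.log. Added example, not
the blog's or Zimbra's code; the log layout is assumed from the lines the
blog shows, and SAMPLE_LOG mixes one quoted line with constructed ones."""
import re
from collections import Counter

# amavis line: "(task) Blocked SPAM {DiscardedInbound}, [relay] [client]
# <sender> -> <rcpt>, Message-ID: <id>, mail_id: x, Hits: 19.379, ..."
AMAVIS_RE = re.compile(
    r"amavis\[(?P<pid>\d+)\]: \((?P<task>[\w-]+)\) "
    r"(?P<verdict>Passed|Blocked) (?P<kind>[A-Z-]+) \{(?P<action>[^}]*)\}, "
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, "
    r"(?:Message-ID: <(?P<msgid>[^>]*)>, )?"
    r".*?Hits: (?P<hits>-?\d+(?:\.\d+)?)"
)


def parse_line(line):
    """Return a dict for an amavis verdict line, None for any other line
    (postfix lines, for example)."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = float(rec["hits"])
    # amavis reports a drop as Blocked with a Discarded* action
    rec["discarded"] = rec["verdict"] == "Blocked" and "Discarded" in rec["action"]
    return rec


def summarize(lines):
    """Count passed vs discarded messages and tally the envelope-sender
    domains of discarded ones, which is what the SPAM_DOMAIN rule acts on."""
    passed = discarded = 0
    by_sender_domain = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["discarded"]:
            discarded += 1
            sender = rec["sender"]
            by_sender_domain[sender.rsplit("@", 1)[1].lower() if "@" in sender else "<>"] += 1
        elif rec["verdict"] == "Passed":
            passed += 1
    return {"passed": passed, "discarded": discarded,
            "by_sender_domain": dict(by_sender_domain)}


SAMPLE_LOG = [
    # quoted from the blog's test run
    "May 24 13:48:47 mail amavis[28571]: (28571-03) Blocked SPAM {DiscardedInbound}, "
    "[127.0.0.1] [172.173.174.175] <user1@outsidedomain.com> -> <user2@example.com>, "
    "Message-ID: <20190524063128.D256C3E4108@mail.example.com>, mail_id: 3ITthV1GrFsI, "
    "Hits: 19.379, size: 665, 10071 ms",
    # postfix line from the same run; not an amavis verdict
    "May 24 13:48:47 mail postfix/smtp[2978]: 148DB3E4133: to=<user2@example.com>, "
    "relay=127.0.0.1[127.0.0.1]:10024, delay=10, status=sent (250 2.7.0 Ok, discarded, id=28571-03 - spam)",
    # constructed clean delivery for contrast
    "May 24 13:50:01 mail amavis[28571]: (28571-04) Passed CLEAN {RelayedInbound}, "
    "[203.0.113.5] [203.0.113.5] <alice@partner.example> -> <user2@example.com>, "
    "Message-ID: <constructed-1@partner.example>, mail_id: AbCdEf123456, Hits: -0.1, size: 1200, 350 ms",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real file with `summarize(open("/var/log/zimbra.log"))` to see the discard rate after enabling the rule; a sudden spike in discards from one sender domain usually means a legitimate relay (a newsletter service or a partner's mail gateway) is sending on your behalf and needs whitelisting rather than a score change.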

Good Luck 🙂

5 comments

  1. Hi !

    Thank you very much for this tutorial on how to block this type of spam in Zimbra.
    I tested it and it works.

    I want to ask one more question: what would be the correct syntax if there are multiple domains on the host, e.g.
    @example.com, @example1.com, @example2.com?

    header __RETURN_PATH Return-Path =~ /\@example.com/i /\@example1.com/i /\@example2.com/i ?
