Zimbra Tips : How To Block Email From and Return-Path did not Match

Posted by

Recently, my client got spam e-mail originating from their domain. Although, I have improved by implementing the sasl / sender must login. From this guide : how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username.

Examples of spam as below

I tried to open the full header and get this

Date: Mon, 29 Apr 2019 04:57:10 +0200
Abuse-Reports-To: abuse@streamteam.de
Subject: kingkin
Message-ID:
 <rn1b4dr2n7pvb28bhspaeizvyhk@w6nipklkwnrsspf9rcjzjdk31w1rp7j1v5i7wi72xxxxxxx>
Organization: Wmdqljwplgkmyxw
To: kingkin@example.com
List-Subscribe: <mailto:MEMBERS-subscribe-request@streamteam.de>
X-Complaints-To: <abuse@mailer.streamteam.de>
From: <kingkin@example.com>
Content-Type: multipart/related;
 boundary="iygwtagdm-C8A1B21FFDF"
MIME-Version: 1.0
X-aid: 1887484633

From the header, email seems to come from the domain of our clients. However, when I check the return-path, email comes from another domain

Return-Path: tftomsun@streamteam.de
Received: from 172.xx.xx.xx(LHLO emailserver.example.com) (172.xx.xx.xx) by

Aaah. That’s why the improvement sender must log in did not work.

To block this spam, I tried to block it from Antispam. So. This is what I did

Open /opt/zimbra/conf/salocal.cf.in. Please add these line at the bottom

score HEADER_FROM_DIFFERENT_DOMAINS 10.0

header __FROM_DOMAIN  From =~ /\@example.com/i
header __RETURN_PATH  Return-Path =~ /\@example.com/i
meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
describe SPAM_DOMAIN From and return-path did not match our domain
score SPAM_DOMAIN 10.0

Note: Adjust example.com with your domain.

The configuration above will give a score of 10.0 if the domain and return path do not match. And will give a score of 10.0 if the header is from a different domain. You can give another value like 20.0 to discard the email.

Make sure your antispam service has been enabled

zmprov ms `zmhostname` +zimbraServiceEnabled antispam
zmcontrol restart

Testing

Download sample email

curl -k https://raw.githubusercontent.com/imanudin11/lainlain/master/contoh.email > /tmp/contoh.email

Open sample email and adjust with your domain

Received: from server.example.com (unknown [172.173.174.175])
        by mail.example.com (Postfix) with ESMTPSA id D256C3E4109
        for <user2@example.com>; Fri, 24 May 2019 13:31:28 +0700 (WIB)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Testing fake from
From: user2@example.com
To: user2@example.com
Message-Id: <20190524063128.D256C3E4109@mail.example.com>
Date: Fri, 24 May 2019 13:31:28 +0700 (WIB)

Test improvement from and return-path did not match

Save and testing sending email.

/opt/zimbra/common/sbin/sendmail -f user1@outsidedomain.com user2@example.com < /tmp/contoh.email

Open zimbra.log and you will get a log like this

May 24 13:48:47 mail amavis[28571]: (28571-03) Blocked SPAM {DiscardedInbound}, [127.0.0.1] [172.173.174.175] <user1@outsidedomain.com> -> <user2@example.com>, Message-ID: <20190524063128.D256C3E4108@mail.example.com>, mail_id: 3ITthV1GrFsI, Hits: 19.379, size: 665, 10071 ms
May 24 13:48:47 mail postfix/smtp[2978]: 148DB3E4133: to=<user2@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=10, delays=0.01/0/0/10, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=28571-03 - spam)

The spam email discard because having hits 19.379 (Add score that configured on salocal.cf.in)

If you want to test again, please open file /tmp/contoh.email and change Message-Id to avoid duplicate email

Good Luck 🙂

23 comments

  1. Hi !

    THANKS You very much for this tutorial how to block these type of spam in zimbra.
    I test it works.

    I want ask one more question how will be correct syntax if there are multiple domains on host to
    @example.com, @example1.com @example2.com

    header __RETURN_PATH Return-Path =~ /\@example.com/i /\@example1.com/i /\@example2.com/i ?

      1. untuk from nya bagaimana mas? dirubah juga tidak seperti ini?

        header __FROM_DOMAIN1 From =~ /\@example1.com/i
        header __FROM_DOMAIN2 From =~ /\@example2.com/i
        header __RETURN_PATH1 Return-Path =~ /\@example1.com/i
        header __RETURN_PATH1 Return-Path =~ /\@example2.com/i

          1. PMG ini sudah bagus ya mas tanpa improvement?kalau pake PMG ini mx record nya di arah kan ke IP PMG nya mas?atau settingan dns nya seperti ketika kita pakai relay mail?

      1. score HEADER_FROM_DIFFERENT_DOMAINS 10.0

        header __FROM_DOMAIN From =~ /\@domain1/i
        header __RETURN_PATH Return-Path =~ /\@domain1/i
        meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
        describe SPAM_DOMAIN From and return-path did not match our domain
        score SPAM_DOMAIN 10.0

        score HEADER_FROM_DIFFERENT_DOMAINS 10.0

        header __FROM_DOMAIN From =~ /\@domain2/i
        header __RETURN_PATH Return-Path =~ /\@domain2/i
        meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
        describe SPAM_DOMAIN From and return-path did not match our domain
        score SPAM_DOMAIN 10.0

        score HEADER_FROM_DIFFERENT_DOMAINS 10.0

        header __FROM_DOMAIN From =~ /\@domain3/i
        header __RETURN_PATH Return-Path =~ /\@domain3/i
        meta SPAM_DOMAIN !(__RETURN_PATH) && __FROM_DOMAIN
        describe SPAM_DOMAIN From and return-path did not match our domain
        score SPAM_DOMAIN 10.0

        saya implementasikan ini di zimbra.log nya fatal system mail is down

        tidak bisa kirim dan terima email

        mohon info dan petunjuk

  2. Mas Iman,

    mau tanya, script ini tambahkannya di : /opt/zimbra/conf/salocal.cf.in
    kalo saya mau menambahkan script ini mas :

    # Do not want to receive message when there is no my domain in To field:
    header __DOMAIN_IN_TO To =~ /example\.com/i
    meta DOMAIN_NOT_IN_TO !__DOMAIN_IN_TO
    score DOMAIN_NOT_IN_TO 10.0

    ini bisa di tambahkan di : /opt/zimbra/conf/salocal.cf.in

    atau harus di sini mas : /opt/zimbra/data/spamassasin/localrules/sauser.cf

    mohon bantuan dan informasinya yah mas Iman,

    Terimakasih sebelumnya

  3. Malam mas,
    Kalau di zimbra multi server sesuai buku panduan mas yg di google playbook

    Harus di set di server mana mas

    Mta atau yang lain
    .mohon bantuannya
    . terimakasih

Leave a Reply to Ronald Gautama Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.