3

I have recently been receiving spam that has been listed as my own email address. I remember doing a few telnet emails back in school and know there are some ways to send looking like they are coming from a different place but wanted to ask others' opinions on this. The server is a Zimbra 6.06 server running on Debian lenny. Does anyone think there is possibly something wrong with the setup here or is this just some spoofing going on? I can see that the email is coming from outside of the network of course.

Return-Path: 0-ka@ps.ge.com
Received: from zimbra.example.com (LHLO zimbra.example.com) (10.0.0.1) by
 zimbra.example.com with LMTP; Tue, 10 May 2011 06:00:40 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
    by zimbra.example.com (Postfix) with ESMTP id D2B9759FC5
    for <grant@example.com>; Tue, 10 May 2011 06:00:40 -0500 (CDT)
X-Virus-Scanned: amavisd-new at zimbra.example.com
X-Spam-Flag: YES
X-Spam-Score: 8.593
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.593 tagged_above=-10 required=6.6
    tests=[BAYES_99=3.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_XBL=3.033,
    RDNS_NONE=0.1] autolearn=no
Received: from zimbra.example.com ([127.0.0.1])
    by localhost (zimbra.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5Be4Ob1KSuhu for <grant@example.com>;
    Tue, 10 May 2011 06:00:39 -0500 (CDT)
Received: from [81.211.11.134] (unknown [81.211.11.134])
    by zimbra.example.com (Postfix) with ESMTP id 44CBC59D4F
    for <grant@example.com>; Tue, 10 May 2011 06:00:39 -0500 (CDT)
Received: from 81.211.11.134(helo=example.com)
    by example.com with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMKY8-2034hf-28
grantk
  • 157
  • 1
  • 4
  • I use Postini as my anti-spam gateway and have rules to drop any mail received from mydomains.com as anything internal would never see the outside. – gravyface May 10 '11 at 13:16

2 Answers

6

Having a properly configured SPF record can alleviate a little bit of that pain.

It will prevent someone from sending email claiming it is from your domain.

Alex
  • 3,079
  • 20
  • 28
  • 1
    Well, it will if in addition to publishing a well-configured SPF record you also configure your MTA to check SPF records on incoming email. But I agree, this is well-worth doing. – MadHatter May 10 '11 at 13:15
  • I followed the instructions here for SPF, pyzor, and razor and am still seeing some spoofing going on. I do not see anything indicating that my MTA should check the SPF records. Anyone know how to force that on zimbra? http://wiki.zimbra.com/index.php?title=Improving_Anti-spam_system#Spamassassin_Config – grantk May 10 '11 at 17:25
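To make the point in this answer and MadHatter's comment concrete, here is an added example (not code from the answer, the commenters, or Zimbra) that runs the checks a receiving MTA would apply to the message quoted in the question: it finds the first external relay in the Received chain, evaluates a minimal SPF record for the envelope-sender domain against that relay, and reports whether the From: header domain is aligned with the envelope sender. The From/To/Subject lines, the SPF records in SPF_RECORDS and the "local domain arriving from outside" rule (gravyface's Postini rule) are assumptions; the Return-Path and Received headers are the question's own. It also shows the caveat a practitioner needs: SPF is evaluated against the envelope sender (here ps.ge.com), so publishing an SPF record for your own domain does nothing for a message whose only claim to your domain is the From: header; that needs an alignment check or a local policy.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Return-Path and Received headers are the ones quoted
# in the question; the From/To/Subject lines and body are assumed, since the
# question says only that the mail appeared to come from the poster's address.
RAW_MESSAGE = """Return-Path: 0-ka@ps.ge.com
Received: from zimbra.example.com (LHLO zimbra.example.com) (10.0.0.1) by
 zimbra.example.com with LMTP; Tue, 10 May 2011 06:00:40 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
    by zimbra.example.com (Postfix) with ESMTP id D2B9759FC5
    for <grant@example.com>; Tue, 10 May 2011 06:00:40 -0500 (CDT)
Received: from zimbra.example.com ([127.0.0.1])
    by localhost (zimbra.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5Be4Ob1KSuhu for <grant@example.com>;
    Tue, 10 May 2011 06:00:39 -0500 (CDT)
Received: from [81.211.11.134] (unknown [81.211.11.134])
    by zimbra.example.com (Postfix) with ESMTP id 44CBC59D4F
    for <grant@example.com>; Tue, 10 May 2011 06:00:39 -0500 (CDT)
From: grant@example.com
To: grant@example.com
Subject: constructed sample

(body omitted)
"""

# Hypothetical SPF records standing in for DNS TXT lookups (assumed values).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 -all",
    "ps.ge.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_external_relay(msg):
    """Walk the Received: headers newest-first and return the first bracketed
    address that is neither loopback nor RFC 1918: the host that handed the
    mail to our edge MTA. Everything above it was stamped by our own relays."""
    for received in msg.get_all("Received", []):
        for ip_text in BRACKETED_IP.findall(received):
            ip = ipaddress.ip_address(ip_text)
            if not (ip.is_loopback or ip.is_private):
                return ip
    return None


def spf_check(record, sender_ip):
    """Evaluate an SPF record that uses only ip4/ip6/all mechanisms.
    Mechanisms that need DNS (a, mx, include, exists) raise instead of being
    skipped, so a 'pass' from this function is never a false positive."""
    sender_ip = ipaddress.ip_address(str(sender_ip))
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            if sender_ip in ipaddress.ip_network(arg, strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        else:
            raise ValueError(f"mechanism {mech!r} needs DNS, not supported here")
    return "neutral"  # no mechanism matched and the record has no 'all'


def domain_of(header_value):
    """Domain part of the address in a From:/Return-Path: header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def assess(raw, spf_records, local_domain):
    """Combine the checks a receiving MTA can make on one message."""
    msg = message_from_string(raw)
    relay = first_external_relay(msg)
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    header_domain = domain_of(msg.get("From", ""))
    spf = spf_check(spf_records.get(envelope_domain, ""), relay) if relay else "none"
    return {
        "relay": str(relay),
        "envelope_domain": envelope_domain,
        "header_from_domain": header_domain,
        "spf": spf,  # SPF only ever speaks for the envelope sender
        "aligned": envelope_domain == header_domain,
        # gravyface's rule: our own domain in From: should never arrive from outside
        "local_from_outside": header_domain == local_domain and relay is not None,
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE, SPF_RECORDS, "example.com").items():
        print(f"{key:>20}: {value}")
```

Run on the sample, the relay is 81.211.11.134, the envelope domain is ps.ge.com (SPF softfail under the assumed record), the From: domain is example.com, and the two are not aligned; the only check that catches the spoofed From: here is the local-domain-from-outside rule, which is why an SPF record for example.com alone did not stop this mail.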
1

You can write anything in the "From" header field of an email. Try it with standard mail command on any Linux box:

$ mail -a "From: rms@gnu.org" -s "Richard Stallman here!" <your_email_address>
MasterM
  • 1,031
  • 2
  • 11
  • 18
  • heh, I did not know he knew my email address! I was just curious as to whether or not there was anything I was possibly doing wrong on the server side. But I assume not, although I am curious how they got the emails, spoofed an awful lot of them, as well as some alias used internally mostly, but if this one was answered that would probably be a very rich man then. – grantk May 10 '11 at 13:12
  • They don't need to know your email address. Normally they will try tens of thousands of possible combinations (or maybe much more), most of which will not get delivered, but a handful of them will be valid addresses and so do get delivered. Unless you have a catchall address, you most likely don't know anything about all the others. – sgmoore May 10 '11 at 13:35