1

Topic: Spf and spam from same domain

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====

Hello,
I have two problems on the iRedMail server: the first is spam and the second is the SPF check (I guess they are related).

The customer receives a lot of spam from his own address; below are the log on the server and the header of the message.

Oct 21 18:44:35 posta postfix/smtpd[5677]: connect from unknown[181.66.167.61]
Oct 21 18:44:46 posta policyd: rcpt=58436, module=bypass, host=181.66.167.61 (unknown), from=roughestgv3@google.com, to=info@mydomain.it, size=0
Oct 21 18:44:46 posta postfix/smtpd[5677]: EDD635C0E24: client=unknown[181.66.167.61]
Oct 21 18:44:52 posta amavis[5786]: (05786-02) ESMTP< XFORWARD NAME=unknown ADDR=181.66.167.61 PORT=38619\r\n
Oct 21 18:44:52 posta amavis[5786]: (05786-02) lookup_ip_acl: key="181.66.167.61", no match
Oct 21 18:44:52 posta amavis[5786]: (05786-02) Checking: 4XFRxLRCWmzH [181.66.167.61] <roughestgv3@google.com> -> <info@mydomain.it>
Oct 21 18:45:16 posta postfix/smtpd[5677]: disconnect from unknown[181.66.167.61]
Return-Path: <roughestgv3@google.com>
Delivered-To: info@mydomain.it
Received: from localhost (localhost [127.0.0.1])
        by posta.serverIred.xx (Postfix) with ESMTP id 31D695C1ACF
        for <info@mydomain.it>; Mon, 21 Oct 2013 18:44:53 +0200 (CEST)
X-Virus-Scanned: amavisd-new at posta.serverIred.xx
Received: from posta.serverIred.xx ([127.0.0.1])
        by localhost (posta.serverIred.xx [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 4XFRxLRCWmzH for <info@mydomain.it>;
        Mon, 21 Oct 2013 18:44:52 +0200 (CEST)
Received: from [190.233.12.44] (unknown [181.66.167.61])
        by posta.serverIred.xx (Postfix) with ESMTP id EDD635C0E24
        for <info@mydomain.it>; Mon, 21 Oct 2013 18:44:46 +0200 (CEST)
Date: Mon, 21 Oct 2013 11:44:45 -0500
From: <info@mydomain.it>
To: <info@mydomain.it>

There are many messages of this type, as well as connections from "unknown". The classic SPF check does not appear in any of the incoming messages.

Is it possible to check the problem?

2

Re: Spf and spam from same domain

Please always show us basic info of your iRedMail server:

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====

*) Please show us the output of the command "postconf -n". iRedMail has the Postfix parameter "smtpd_sender_login_maps" enabled; it should prevent this kind of spam.

*) Did you try to fight this kind of spam with zen.spamhaus.org?

You can use an RBL list in Postfix with the steps below:

*) Edit /etc/postfix/main.cf, find parameter "smtpd_recipient_restrictions".
*) Append 'reject_rbl_client zen.spamhaus.org' after 'reject_unauth_destination'.
*) Reload Postfix service.

3

Re: Spf and spam from same domain

Hello,

iRedAdmin v0.2 (MySQL)
Linux posta.emailperte.it 2.6.32-358.2.1.el6.x86_64
Configuration attached.
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

I have added spamhaus to main.cf.

Post's attachments

postconf.txt 4.23 kb, 5 downloads since 2013-10-22 

4

Re: Spf and spam from same domain

zeliko79 wrote:

Oct 21 18:44:46 posta policyd: rcpt=58436, module=bypass, host=181.66.167.61 (unknown), from=roughestgv3@google.com, to=info@mydomain.it, size=0

Looks like Policyd whitelisted this IP address; please remove it from the Policyd database first.

I'm sorry that I made a mistake about zen.spamhaus.org; it cannot detect this kind of spam if the IP address is not listed in spamhaus.org. You can remove the zen.spamhaus.org related stuff in Postfix main.cf.

I have the same question: why was Amavisd not invoked for spam scanning and DKIM/SPF checking? Could you please show me the Amavisd config file (/etc/amavisd/amavisd.conf) and the SpamAssassin config file (/etc/mail/spamassassin/local.cf)? Replace passwords in those files before pasting here.
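The two things the replies ask for, as an added example that is not code from this thread or from the iRedMail project: the first function applies the recipe from reply 2 (place 'reject_rbl_client zen.spamhaus.org' directly after 'reject_unauth_destination') to an smtpd_recipient_restrictions value copied from "postconf -n"; the second correlates the Postfix log with the quoted message headers and reports messages whose header From: claims a local domain although the client that handed them to Postfix was neither SASL-authenticated nor in mynetworks, and also notes whether policyd logged module=bypass for that client IP, which reply 4 asks about. LOCAL_DOMAINS, MYNETWORKS and all function names are assumptions made for this example; the log lines and headers are the ones quoted in the thread, plus one constructed SASL-authenticated submission for contrast.

```python
"""Added example (not from the thread or from iRedMail); see the lead-in above."""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.it"}                      # assumed: the customer's domain
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # assumed: Postfix mynetworks
RBL_RESTRICTION = "reject_rbl_client zen.spamhaus.org"

# Log lines quoted in the thread plus one constructed, SASL-authenticated submission.
LOG = """\
Oct 21 18:44:35 posta postfix/smtpd[5677]: connect from unknown[181.66.167.61]
Oct 21 18:44:46 posta policyd: rcpt=58436, module=bypass, host=181.66.167.61 (unknown), from=roughestgv3@google.com, to=info@mydomain.it, size=0
Oct 21 18:44:46 posta postfix/smtpd[5677]: EDD635C0E24: client=unknown[181.66.167.61]
Oct 21 18:45:16 posta postfix/smtpd[5677]: disconnect from unknown[181.66.167.61]
Oct 21 19:02:10 posta postfix/smtpd[5701]: 0123456789AB: client=laptop.example[203.0.113.7], sasl_method=PLAIN, sasl_username=info@mydomain.it
"""

# Headers quoted in the thread (the amavisd hop is omitted for brevity).
HEADERS = """\
Return-Path: <roughestgv3@google.com>
Delivered-To: info@mydomain.it
Received: from localhost (localhost [127.0.0.1])
        by posta.serverIred.xx (Postfix) with ESMTP id 31D695C1ACF
        for <info@mydomain.it>; Mon, 21 Oct 2013 18:44:53 +0200 (CEST)
Received: from [190.233.12.44] (unknown [181.66.167.61])
        by posta.serverIred.xx (Postfix) with ESMTP id EDD635C0E24
        for <info@mydomain.it>; Mon, 21 Oct 2013 18:44:46 +0200 (CEST)
From: <info@mydomain.it>
To: <info@mydomain.it>
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,\s]+, sasl_username=(?P<user>[^,\s]+))?")
BYPASS_RE = re.compile(r"policyd: .*module=bypass, host=(?P<ip>[0-9.]+)")
RECEIVED_ID_RE = re.compile(r"\(Postfix\) with ESMTP id ([0-9A-F]+)")


def insert_rbl_after_unauth_destination(value, rbl=RBL_RESTRICTION):
    """Return the comma-separated restriction list with `rbl` placed directly
    after reject_unauth_destination, as reply 2 describes. Idempotent."""
    items = [i.strip() for i in value.split(",") if i.strip()]
    if rbl in items:
        return ", ".join(items)
    if "reject_unauth_destination" not in items:
        raise ValueError("reject_unauth_destination not found; not guessing where to insert")
    items.insert(items.index("reject_unauth_destination") + 1, rbl)
    return ", ".join(items)


def parse_client_lines(log):
    """Map Postfix queue id -> {host, ip, sasl_user} from 'client=' log lines.
    sasl_user is None when the client did not authenticate."""
    clients = {}
    for line in log.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = {"host": m["host"], "ip": m["ip"], "sasl_user": m["user"]}
    return clients


def policyd_bypassed_ips(log):
    """IPs for which policyd logged module=bypass, i.e. it skipped its checks."""
    return {m["ip"] for m in map(BYPASS_RE.search, log.splitlines()) if m}


def is_trusted_client(info):
    """A submission is trusted if it was SASL-authenticated or came from mynetworks."""
    if info["sasl_user"]:
        return True
    ip = ipaddress.ip_address(info["ip"])
    return any(ip in net for net in MYNETWORKS)


def find_spoofed_local_from(log, headers_text):
    """Report messages whose header From: uses a local domain although the
    Postfix hop that accepted them (matched by queue id in Received:) was
    not a trusted client. Returns a list of finding dicts."""
    msg = HeaderParser().parsestr(headers_text)
    from_addr = parseaddr(msg.get("From", ""))[1]
    if from_addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
        return []
    clients, bypassed, findings = parse_client_lines(log), policyd_bypassed_ips(log), []
    for received in msg.get_all("Received", []):
        m = RECEIVED_ID_RE.search(received)
        if not m or m.group(1) not in clients or is_trusted_client(clients[m.group(1)]):
            continue
        info = clients[m.group(1)]
        findings.append({"queue_id": m.group(1), "client_ip": info["ip"],
                         "from": from_addr, "policyd_bypass": info["ip"] in bypassed})
    return findings


if __name__ == "__main__":
    for finding in find_spoofed_local_from(LOG, HEADERS):
        print(finding)
```

Run as a script it prints one finding for queue id EDD635C0E24 from 181.66.167.61 with policyd_bypass set. The reason the header/log correlation is needed at all: Postfix's smtpd_sender_login_maps with reject_sender_login_mismatch compares the envelope sender (MAIL FROM, here roughestgv3@google.com) against the SASL login, so a forged header From: like the one in this thread is never examined by that check; header-level sender checks belong to a content filter such as amavisd/SpamAssassin, which is why reply 4 asks why amavisd did not run its DKIM/SPF checks.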

5

Re: Spf and spam from same domain

Hello,
181.66.167.61 is not in the whitelist; the problem is that I have many connections of this type:

connect from unknown[190.90.189.50]
connect from unknown[27.110.244.181]
connect from unknown[5.52.72.25]

I have posted amavis.conf and local.cf.

Thanks

Post's attachments

amavis.txt 53.5 kb, 1 downloads since 2013-10-24 

local.cf.TXT 1.71 kb, 3 downloads since 2013-10-24 

6

Re: Spf and spam from same domain

Postfix is running under chroot, and it seems it cannot resolve hostnames under chroot, so "connect from unknown[xx.xx.xx.xx]" is normal.

7

Re: Spf and spam from same domain

However, it seems that these connections are not legitimate; the IP actually does not have reverse DNS configured:

[root@linux ~]# host 190.90.189.50
Host 50.189.90.190.in-addr.arpa. not found: 3(NXDOMAIN)

The problem is not the DNS but the fact that the server continues to see connections without authentication, and spam is sent from these connections.

8

Re: Spf and spam from same domain

zeliko79 wrote:

The problem is not the DNS but the fact that the server continues to see connections without authentication, and spam is sent from these connections.

Mail sent without authentication? Could you please post the full log of this SMTP session to help troubleshoot?

9

Re: Spf and spam from same domain

Hello,
the connection is:

Oct 21 18:44:35 posta postfix/smtpd[5677]: connect from unknown[181.66.167.61]
Oct 21 18:44:46 posta policyd: rcpt=58436, module=bypass, host=181.66.167.61 (unknown), from=roughestgv3@google.com, to=info@mydomain.it, size=0
Oct 21 18:44:46 posta postfix/smtpd[5677]: EDD635C0E24: client=unknown[181.66.167.61]
Oct 21 18:44:52 posta amavis[5786]: (05786-02) ESMTP< XFORWARD NAME=unknown ADDR=181.66.167.61 PORT=38619\r\n
Oct 21 18:44:52 posta amavis[5786]: (05786-02) lookup_ip_acl: key="181.66.167.61", no match
Oct 21 18:44:52 posta amavis[5786]: (05786-02) Checking: 4XFRxLRCWmzH [181.66.167.61] <roughestgv3@google.com> -> <info@mydomain.it>
Oct 21 18:45:16 posta postfix/smtpd[5677]: disconnect from unknown[181.66.167.61]

10

Re: Spf and spam from same domain

zeliko79 wrote:

Oct 21 18:44:35
Oct 21 18:44:46
Oct 21 18:44:46
Oct 21 18:44:52
Oct 21 18:44:52
Oct 21 18:44:52
Oct 21 18:45:16

No related log between 18:44:35 and 18:44:46? 18:44:46 and 18:44:52? 18:44:52 and 18:45:16?
Please paste the FULL log, not just the lines you extracted.

11

Re: Spf and spam from same domain

Hello,
I attached the log in a txt file, thanks.

Post's attachments

strange_log.TXT 732 b, 4 downloads since 2013-10-29 

12

Re: Spf and spam from same domain

I have no idea at all.
And the log doesn't look right; it lacks the Postfix-related log.