1 (edited by posa68 2014-01-18 00:36:36)

Topic: Blacklist/Block source spam

==== Required information ====
- iRedMail version: Latest
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 5.6
- Related log if you're reporting an issue:
====

Hi,

Today I had a user with a trojan that sent hundreds of spam mails from his account.

I tried, in order:

- Blacklisting his IP from iRedAdmin, which for some reason did NOT work
- Then I blacklisted the sender, which did NOT work
- Then I suspended the whole domain, which again did NOT work

Finally, I suspended only the USER and the unsolicited mail stopped.

Why did the previous actions not work?

Thanks...

2

Re: Blacklist/Block source spam

Could you please show us the output of the commands below to help troubleshoot?

# postconf smtpd_recipient_restrictions
# postconf smtpd_end_of_data_restrictions

And, please show us the steps of how you did the blocks below:

- Blacklisting his IP from iRedAdmin, which for some reason did NOT work
- Then I blacklisted the sender, which did NOT work
- Then I suspended the whole domain, which again did NOT work

3

Re: Blacklist/Block source spam

ZhangHuangbin wrote:

Could you please show us the output of the commands below to help troubleshoot?

# postconf smtpd_recipient_restrictions
# postconf smtpd_end_of_data_restrictions

And, please show us the steps of how you did the blocks below:

- Blacklisting his IP from iRedAdmin, which for some reason did NOT work
- Then I blacklisted the sender, which did NOT work
- Then I suspended the whole domain, which again did NOT work

# postconf smtpd_recipient_restrictions

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031

# postconf smtpd_end_of_data_restrictions

smtpd_end_of_data_restrictions = 

These are the actions I tried before suspending the offending account:

- Blacklisting his IP from iRedAdmin:

From Dashboard: Add Blacklist -> Blacklist record -> IP address of sender.

- Then I blacklisted the sender:

From Dashboard: Add Blacklist -> Blacklist record -> Mail address of sender

- Then I suspended the whole domain:

From Dashboard: List all domains -> select the domain which the spammer account belongs to -> Action: disable

4

Re: Blacklist/Block source spam

Blacklisting is provided by Policyd, and it's placed after 'permit_sasl_authenticated' in the Postfix parameter 'smtpd_recipient_restrictions':

smtpd_recipient_restrictions = .., permit_sasl_authenticated, ..., check_policy_service inet:127.0.0.1:10031

So mail sent by an authenticated user will be passed before the blacklist provided by Policyd is applied.

posa68 wrote:

- Then I suspend whole domain
From Dashboard: List all domains -> select the domain which the spammer account belongs to -> Action: disable

Could you please show me file content of /etc/postfix/mysql/sender_login_maps.cf? Please remove/hide password before posting.
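To illustrate the ordering point made above, here is a small Python model of Postfix's first-match walk over the smtpd_recipient_restrictions list posted in this thread. It is an added example, not code from the thread, iRedMail or Postfix; the blacklist contents for the Policyd instance on inet:127.0.0.1:10031 are constructed, and the reordering helper is hypothetical, used only to show what the position of the check changes.

```python
# Added example: models Postfix's first-match walk over smtpd_recipient_restrictions.
# The list is the thread's postconf output; the blacklist contents are constructed.
THREAD_RESTRICTIONS = [
    "reject_unknown_sender_domain", "reject_unknown_recipient_domain",
    "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_unlisted_recipient", "check_policy_service inet:127.0.0.1:7777",
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination", "reject_non_fqdn_helo_hostname",
    "reject_invalid_helo_hostname", "check_policy_service inet:127.0.0.1:10031",
]

POLICYD = "check_policy_service inet:127.0.0.1:10031"

# Constructed: the Policyd blacklist entries the poster added in iRedAdmin.
POLICYD_BLACKLIST = {POLICYD: {"192.0.2.10", "spammer@example.com"}}


def evaluate(restrictions, client):
    """Return (verdict, restriction) from the first restriction that decides.

    Only the restrictions relevant to this thread are modelled; the others give
    no verdict ("DUNNO") and Postfix moves on to the next one in the list.
    """
    for r in restrictions:
        if r == "permit_mynetworks" and client.get("mynetworks", False):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and client["sasl_authenticated"]:
            return "PERMIT", r
        if r == "reject_unauth_destination" and not client["local_recipient"]:
            return "REJECT", r
        if r.startswith("check_policy_service"):
            listed = POLICYD_BLACKLIST.get(r, set())
            if client["ip"] in listed or client["sender"] in listed:
                return "REJECT", r
    return "DUNNO", None


def compromised_client(authenticated=True, local_recipient=False):
    """Constructed sample: the trojaned account submitting mail with SASL."""
    return {"sasl_authenticated": authenticated, "ip": "192.0.2.10",
            "sender": "spammer@example.com", "local_recipient": local_recipient}


def policy_before_sasl(restrictions):
    """Hypothetical reordering: Policyd check ahead of permit_sasl_authenticated."""
    reordered = [r for r in restrictions if r != POLICYD]
    reordered.insert(reordered.index("permit_sasl_authenticated"), POLICYD)
    return reordered
```

With the thread's list, the authenticated spammer is permitted at permit_sasl_authenticated and the Policyd check is never reached; the same client without SASL authentication is rejected either by reject_unauth_destination (remote recipient) or by the Policyd blacklist (local recipient).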

5

Re: Blacklist/Block source spam

ZhangHuangbin wrote:

Blacklisting is provided by Policyd, and it's placed after 'permit_sasl_authenticated' in the Postfix parameter 'smtpd_recipient_restrictions':

smtpd_recipient_restrictions = .., permit_sasl_authenticated, ..., check_policy_service inet:127.0.0.1:10031

So mail sent by an authenticated user will be passed before the blacklist provided by Policyd is applied.

Ok...

posa68 wrote:

- Then I suspend whole domain
From Dashboard: List all domains -> select the domain which the spammer account belongs to -> Action: disable

Could you please show me file content of /etc/postfix/mysql/sender_login_maps.cf? Please remove/hide password before posting.

user        = vmail
password    = ***********
hosts       = 127.0.0.1
port        = 3306
dbname      = vmail
query       = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1

6

Re: Blacklist/Block source spam

posa68 wrote:

query       = SELECT ... AND domain.active=1

As you can see, it checks the domain status before allowing sender login.

And I cannot reproduce this issue with iRedAdmin-Pro-MySQL: a mail user cannot log in to webmail after the domain was disabled.