1

Topic: Issue with black/whitelisting from quarantine

==== Required information ====
- iRedMail version: iRedMail-0.9.2 / iRedAdmin-Pro-LDAP-2.3.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Linux/BSD distribution name and version: Ubuntu 14.04
- Related log if you're reporting an issue:
====

Hello! I'm catching a good amount of spam in our quarantine, and have recurring issues with certain mailing lists being accidentally caught for "bad header" as well as recurring spam emails from the same spammers. I'm white/blacklisting these with the given functionality, and seeing these in the audit log. Spam example:
Add blacklists for @.: news1545498002@sixtytwosevendynamiccontacts.com, news1545398384@sixtytwosevendynamiccontacts.com, news1545398384@sixtytwoeightsatisfyingwinners.com, news1545498002@thirtyonefourclearopportunities.com, news1545498002@sixtytwoeightsat

However, this doesn't seem to work. The same mailing lists keep appearing in quarantine, and the same spammers get through. I can't seem to find any of these rules in the global or user-specific white/blacklist pages; they all still appear to be empty.

How can I debug this issue? Where can I check to see if these rules have been added?

Thanks!

2

Re: Issue with black/whitelisting from quarantine

Try to blacklist the entire domain name (@sixtytwo....com) instead of a single email address.

3

Re: Issue with black/whitelisting from quarantine

ZhangHuangbin wrote:

> Try to blacklist the entire domain name (@sixtytwo....com) instead of a single email address.

Sorry, that was a bad example from me, that was just a test to see if they'd appear in any whitelists. But my other attempts have always been blacklisting the entire domain, like:

Add blacklists for @.: @sixsixthoughtfulchances.com, @sixtynineoneassortedwinners.com.

They don't seem to make any difference, and don't appear in any of the white or blacklists wherever I look, and don't seem to have an effect.

4

Re: Issue with black/whitelisting from quarantine

Could you please enable debug mode in iRedAPD, restart the iredapd service, then paste me the full log in /var/log/iredapd.log related to email sent from the blacklisted sender? I need this log for troubleshooting.

Also, please show me output of command:

# grep 'plugins' /opt/iredapd/settings.py

5

Re: Issue with black/whitelisting from quarantine

ZhangHuangbin wrote:

> Could you please enable debug mode in iRedAPD, restart the iredapd service, then paste me the full log in /var/log/iredapd.log related to email sent from the blacklisted sender? I need this log for troubleshooting.
>
> Also, please show me output of command:
>
> # grep 'plugins' /opt/iredapd/settings.py

Hi Zhang, apologies for the delay; given that this is a production mailserver I haven't been able to work on it regularly. I will attempt to debug it further over the weekend. But for the time being, here is the relevant output from the plugins config:

plugins = ["reject_null_sender", "amavisd_message_size_limit", "amavisd_wblist", "ldap_recipient_restrictions", "ldap_maillist_access_policy"]

6

Re: Issue with black/whitelisting from quarantine

With a little further research I've discovered something related to my incoming emails:
http://mailing.unix.amavis-user.narkive … en-blocked

I have discovered the correct whitelist in the webui and see that my whitelisting IS functional, and I've tested some email sending to confirm that they are marked as whitelisted. However, the problem seems to be that the whitelists are only used for spam, not the bad header checks that I am having problems with. Do you have a preferred solution for whitelisting for bad header problems?

I think that my incoming emails were being blacklisted properly and that the issue is slightly different domain names being used by spammers. I will continue monitoring this.