1 (edited by aka_vyrus 2016-04-08 20:41:02)

Topic: Spam null sender

============ Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: Debian 7.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?: Yes
- Related log if you're reporting an issue:
====
Good day.
We regularly receive spam and need your help.
We added the senders' IP addresses to the blacklist, but it does not help.
A portion of the log and the headers of the e-mail are attached.

Apr  7 10:24:56 xxxxxxx postfix/smtpd[63379]: connect from mx.17ros-seminar.ru[178.21.14.219]
Apr  7 10:24:56 xxxxxxx postfix/smtpd[63379]: B1173480997: client=mx.17ros-seminar.ru[178.21.14.219]
Apr  7 10:24:56 xxxxxxx postfix/cleanup[64431]: B1173480997: message-id=<cbb109dac1f8180e3f1ab9c1353f85675f7dd5f3@17ros-seminar.ru>
Apr  7 10:24:57 xxxxxxx postfix/qmgr[30616]: B1173480997: from=<>, size=1014355, nrcpt=2 (queue active)
Apr  7 10:24:57 xxxxxxx postfix/smtpd[63379]: disconnect from mx.17ros-seminar.ru[178.21.14.219]
Apr  7 10:24:59 xxxxxxx postfix/smtpd[64531]: connect from xxxxxxx.mydomain.com[127.0.0.1]
Apr  7 10:24:59 xxxxxxx postfix/smtpd[64588]: 04DF7480AE2: client=xxxxxxx.mydomain.com[127.0.0.1]
Apr  7 10:24:59 xxxxxxx postfix/cleanup[64431]: 04DF7480AE2: message-id=<cbb109dac1f8180e3f1ab9c1353f85675f7dd5f3@17ros-seminar.ru>
Apr  7 10:24:59 xxxxxxx postfix/smtpd[64531]: 0D515480C0B: client=xxxxxxx.mydomain.com[127.0.0.1]
Apr  7 10:24:59 xxxxxxx postfix/cleanup[64689]: 0D515480C0B: message-id=<cbb109dac1f8180e3f1ab9c1353f85675f7dd5f3@17ros-seminar.ru>
Apr  7 10:24:59 xxxxxxx postfix/qmgr[30616]: 04DF7480AE2: from=<>, size=1015152, nrcpt=1 (queue active)
Apr  7 10:24:59 xxxxxxx postfix/smtpd[64588]: disconnect from xxxxxxx.mydomain.com[127.0.0.1]
Apr  7 10:24:59 xxxxxxx postfix/qmgr[30616]: 0D515480C0B: from=<>, size=1015162, nrcpt=1 (queue active)
Apr  7 10:24:59 xxxxxxx postfix/smtpd[64531]: disconnect from xxxxxxx.mydomain.com[127.0.0.1]
Apr  7 10:24:59 xxxxxxx amavis[63389]: (63389-19) Passed CLEAN {RelayedInternal}, LOCAL [178.21.14.219]:53576 [178.21.14.219] <> -> <info@mydomain.com>, Queue-ID: B1173480997, Message-ID: <cbb109dac1f8180e3f1ab9c1353f85675f7dd5f3@17ros-seminar.ru>, mail_id: IlE34ZqQBxvS, Hits: 2.201, size: 1014333, queued_as: 04DF7480AE2, dkim_sd=mail:17ros-seminar.ru, 2070 ms
Apr  7 10:24:59 xxxxxxx postfix/smtp[64567]: B1173480997: to=<info@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.4, delays=0.35/0/0.01/2.1, dsn=2.0.0, status=sent (250 2.0.0 from xxxxxxx(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 04DF7480AE2)
Apr  7 10:24:59 xxxxxxx postfix/qmgr[30616]: B1173480997: removed

E-mail headers:

Return-Path: <MAILER-DAEMON>
Delivered-To: info@mydomain.com
Received: from localhost (xxxxxx.mydomain.com [127.0.0.1])
    by xxxxxx.mydomain.com (Postfix) with ESMTP id 04DF7480AE2
    for <info@mydomain.com>; Thu,  7 Apr 2016 10:24:59 +0300 (MSK)
X-Virus-Scanned: Debian amavisd-new at xxxxxx.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 2.201
X-Spam-Level: **
X-Spam-Status: No, score=2.201 tagged_above=2 required=6.31
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, URIBL_BLACK=1.7,
    URIBL_DBL_SPAM=2.5] autolearn=no
Authentication-Results: xxxxxx.mydomain.com (amavisd-new); dkim=pass (1024-bit key)
    header.d=17ros-seminar.ru
Received: from xxxxxx.mydomain.com ([127.0.0.1])
    by localhost (xxxxxx.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id IlE34ZqQBxvS for <info@mydomain.com>;
    Thu,  7 Apr 2016 10:24:57 +0300 (MSK)
Received: from mx.17ros-seminar.ru (mx.17ros-seminar.ru [178.21.14.219])
    by xxxxxx.mydomain.com (Postfix) with ESMTPS id B1173480997
    for <info@mydomain.com>; Thu,  7 Apr 2016 10:24:56 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=17ros-seminar.ru; s=mail;
    h=To:From:Sender:Subject:Content-Type:MIME-Version:List-Unsubscribe:Message-ID:Date; bh=ZsiEmEOdey9AWDw0s3UhPWppHqKQj73Bv7P7PTSrtZo=;
    b=i04gR4ltYXRm+npaA80oGMBGnTXQg7yZ6yIyKPiy+UirYoGwNVA0+bpyckGg2ojC4/bJtGj16lmDN2KbBwmt7wG//Mt0GbLWmtfTPeX/r6Ly8lBwuwRaaOV6+ZZtKPHbMw9R0d1q9So6nDqxrkb4PcChqQwHIqvJTXvlBBX1QkQ=;
Date: Thu, 07 Apr 2016 10:24:50 +0300


2

Re: Spam null sender

*) Do you have the plugin "reject_null_sender" enabled in /opt/iredapd/settings.py?
*) Could you please run the script shipped in iRedMail-0.9.4 to get the top sasl usernames? Are any of the top sasl usernames not expected to send so many emails?

cd iRedMail-0.9.4/tools/
bash find_top_sasl_usernames.sh /var/log/mail.log

3 (edited by aka_vyrus 2016-04-08 23:54:10)

Re: Spam null sender

ZhangHuangbin wrote:

*) Do you have the plugin "reject_null_sender" enabled in /opt/iredapd/settings.py?
*) Could you please run the script shipped in iRedMail-0.9.4 to get the top sasl usernames? Are any of the top sasl usernames not expected to send so many emails?

cd iRedMail-0.9.4/tools/
bash find_top_sasl_usernames.sh /var/log/mail.log

1) Plugin Enabled

plugins = ["amavisd_wblist", "ldap_maillist_access_policy", "reject_null_sender", "throttle"]

2) Yes, I can run this script; the user has sent only 1 message.
In the web admin panel it is displayed as:

[attachment: iredmailpro_null.jpg]

4

Re: Spam null sender

maybe I did not understand you correctly?

5

Re: Spam null sender

aka_vyrus wrote:

Apr  7 10:24:59 xxxxxxx amavis[63389]: (63389-19) Passed CLEAN {RelayedInternal}, LOCAL [178.21.14.219]:53576 [178.21.14.219] <> -> <info@mydomain.com>, Queue-ID: B1173480997, Message-ID: <cbb109dac1f8180e3f1ab9c1353f85675f7dd5f3@17ros-seminar.ru>, mail_id: IlE34ZqQBxvS, Hits: 2.201, size: 1014333, queued_as: 04DF7480AE2, dkim_sd=mail:17ros-seminar.ru, 2070 ms

Do you mean this null sender from 178.21.14.219 is spam?

With only one email, we cannot figure out the rule to detect similar spams...

6

Re: Spam null sender

ZhangHuangbin wrote:

Do you mean this null sender from 178.21.14.219 is spam?

Yes.
I gave only one example of such a message.
Such reports come once or twice a day, every day, from different servers.
Note the e-mail header "Return-Path: <MAILER-DAEMON>".
Maybe I'm mistaken in calling this a "null sender"; maybe it's just a spammer.
Do you need more statistics?

7

Re: Spam null sender

You need to check the mail headers of the received spams and analyze the related log entries for these spams to figure out how to block (some of) them.

<MAILER-DAEMON>, a.k.a. null sender, usually means the email was sent by an MTA, but some spammers forge spam with this null sender. If you think this is a back-scatter mail, please try this tutorial:
http://www.postfix.org/BACKSCATTER_README.html
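As an added example (not code from the thread or from iRedMail), here is the kind of log correlation the reply above asks for: it joins Postfix smtpd "client=" lines with qmgr "from=<>" lines by queue ID and flags null-sender mail that does not look like a genuine bounce. The sample log is constructed from the entries in the first post plus one made-up single-recipient bounce; the 512 kB size threshold is an assumption, and the multi-recipient rule is the condition Postfix's reject_multi_recipient_bounce restriction targets.

```python
import re

# Constructed sample: the first four lines are the thread's own log entries (host masked
# as "xxxxxxx" there); the last two are a made-up, single-recipient bounce from outside.
SAMPLE_LOG = """\
Apr  7 10:24:56 xxxxxxx postfix/smtpd[63379]: B1173480997: client=mx.17ros-seminar.ru[178.21.14.219]
Apr  7 10:24:57 xxxxxxx postfix/qmgr[30616]: B1173480997: from=<>, size=1014355, nrcpt=2 (queue active)
Apr  7 10:24:59 xxxxxxx postfix/smtpd[64588]: 04DF7480AE2: client=xxxxxxx.mydomain.com[127.0.0.1]
Apr  7 10:24:59 xxxxxxx postfix/qmgr[30616]: 04DF7480AE2: from=<>, size=1015152, nrcpt=1 (queue active)
Apr  7 10:31:10 xxxxxxx postfix/smtpd[64700]: C0FFEE12345: client=mail.example.net[203.0.113.5]
Apr  7 10:31:11 xxxxxxx postfix/qmgr[30616]: C0FFEE12345: from=<>, size=2048, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=(\d+), nrcpt=(\d+)")


def parse_null_sender_messages(log_text):
    """Return {queue_id: {client, ip, size, nrcpt}} for every message whose
    envelope sender is empty, using the smtpd client= line seen for that queue ID."""
    clients = {}
    msgs = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = (m.group(2), m.group(3))
        m = FROM_RE.search(line)
        if m and m.group(2) == "":
            host, ip = clients.get(m.group(1), ("?", "?"))
            msgs[m.group(1)] = {"client": host, "ip": ip,
                                "size": int(m.group(3)), "nrcpt": int(m.group(4))}
    return msgs


def suspicious_null_senders(msgs, size_limit=512_000):
    """Flag null-sender mail from outside hosts that a real DSN would not resemble:
    more than one recipient, or larger than size_limit (assumed threshold).
    Re-injections from 127.0.0.1 (amavisd hand-back) are the same message and skipped."""
    flagged = {}
    for qid, m in msgs.items():
        if m["ip"] == "127.0.0.1":
            continue
        reasons = []
        if m["nrcpt"] > 1:
            reasons.append("multi-recipient bounce")
        if m["size"] > size_limit:
            reasons.append("oversized bounce")
        if reasons:
            flagged[qid] = reasons
    return flagged
```

Run it over /var/log/mail.log instead of SAMPLE_LOG to see which external hosts deliver null-sender mail that fails either rule; those are the candidates for reject_multi_recipient_bounce or the header checks in the BACKSCATTER_README.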