1

Topic: How to stop this spam

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: CentOS Linux release 7.2.1511
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Hi,
after updating to 0.9.5 the box gets spam:
(I do not know whether the update has anything to do with it or whether it is just a coincidence)

Return-Path: <hvszjorr@itran.comm.com>
Delivered-To: itu@...
Received: from mitu.... (localhost [127.0.0.1])
    by mitu... (Postfix) with ESMTP id A6C745C0286
    for <itu@...>; Tue, 12 Jul 2016 12:16:40 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mitu...
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8)
    (char F3 hex): Subject: Tw\x{F3}j klucz do sukcesu
X-Spam-Flag: YES
X-Spam-Score: 10.108
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.108 tagged_above=2 required=6.2
    tests=[BAYES_99=3.5, BAYES_999=0.2, BODY_URI_ONLY=0.001,
    HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001,
    HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, TO_NO_BRKTS_HTML_ONLY=1.997]
    autolearn=no autolearn_force=no
Received: from mitu...l ([127.0.0.1])
    by mitu... (mitu... [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 5HryCS2-xcLb for <itu@7x.pl>;
    Tue, 12 Jul 2016 12:16:39 +0200 (CEST)
Received: from 256.hostserv.eu (256.hostserv.eu [82.220.34.82])
    by mitu...(Postfix) with SMTP id 579C85C027F;
    Tue, 12 Jul 2016 12:16:36 +0200 (CEST)
Message-ID: <7944554819022-AYQGVOVSTNJJLRWWPKBX@kmqlys.hillbros.com>
From: "Susanna Pagan" <Pagan13@hillbros.com>
Subject: ***Spam*** =?UTF-8?Q?Tw=C3=B3j?= klucz do sukcesu
To: ania@...
Date: Tue, 12 Jul 2016 04:11:16 -0700
Mime-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

All spam e-mails have "To: ania@mydomain" (ania@... is one of our accounts) and a different "Delivered-To:".

please help


2

Re: How to stop this spam

Please enable iRedAPD plugin 'reject_sender_login_mismatch' in /opt/iredapd/settings.py, restart iredapd service and try again.

3 (edited by itu 2016-07-14 20:32:37)

Re: How to stop this spam

Sorry, it does not work, or I'm doing something wrong.

2016-07-13 21:07:43 DEBUG [SQL] query result: None
2016-07-13 21:07:43 DEBUG Recipient domain is not an alias domain.
2016-07-13 21:07:43 DEBUG <-- Result: DUNNO (Not a mail alias account)
2016-07-13 21:07:43 DEBUG --> Apply plugin: amavisd_wblist
2016-07-13 21:07:43 DEBUG Possible policy senders: ['@.', 'vhjigocbhc@akademianet.com', '@akademianet.com', '@.akademianet.com', '@com', '@.com', 'vhjigocbhc@*', '95.211.58.47', '95.211.58.*', '95.*.58.47', '95.211.*.47', '95.211.*.*', '95.*.*.*', '*.*.58.47', '*.*.*.47', '*.211.58.47', '95.*.*.47', '*.*.*.*']
2016-07-13 21:07:43 DEBUG Possible policy recipients: ['@.', 'ania@xxx.pl', '@xxx.pl', '@.xxx.pl', '@pl', '@.pl']
2016-07-13 21:07:43 DEBUG Apply wblist for inbound message.
2016-07-13 21:07:43 DEBUG [SQL] Query local addresses: 
SELECT id, email
               FROM users
              WHERE email IN ('@.', 'ania@xxx.pl', '@xxx.pl', '@.xxx.pl', '@pl', '@.pl')
           ORDER BY priority DESC
2016-07-13 21:07:43 DEBUG Local addresses (in `users`): [(1L, '@.')]
2016-07-13 21:07:43 DEBUG [SQL] Query external addresses: 
SELECT id, email
               FROM mailaddr
              WHERE email IN ('@.', 'vhjigocbhc@akademianet.com', '@akademianet.com', '@.akademianet.com', '@com', '@.com', 'vhjigocbhc@*', '95.211.58.47', '95.211.58.*', '95.*.58.47', '95.211.*.47', '95.211.*.*', '95.*.*.*', '*.*.58.47', '*.*.*.47', '*.211.58.47', '95.*.*.47', '*.*.*.*')
           ORDER BY priority DESC
2016-07-13 21:07:43 DEBUG No record found in SQL database.
2016-07-13 21:07:43 DEBUG No valid sender id or recipient id.
2016-07-13 21:07:43 DEBUG <-- Result: DUNNO
2016-07-13 21:07:43 DEBUG Session ended
2016-07-13 21:07:43 INFO [95.211.58.47] RCPT, vhjigocbhc@akademianet.com -> ania@xxx.pl, DUNNO
2016-07-13 21:07:43 DEBUG smtp session: request=smtpd_access_policy
2016-07-13 21:07:43 DEBUG smtp session: protocol_state=RCPT
2016-07-13 21:07:43 DEBUG smtp session: protocol_name=SMTP
2016-07-13 21:07:43 DEBUG smtp session: client_address=95.211.58.47
2016-07-13 21:07:43 DEBUG smtp session: client_name=strip-poker.com
2016-07-13 21:07:43 DEBUG smtp session: reverse_client_name=strip-poker.com
2016-07-13 21:07:43 DEBUG smtp session: helo_name=strip-poker.com
2016-07-13 21:07:43 DEBUG smtp session: sender=vhjigocbhc@akademianet.com
2016-07-13 21:07:43 DEBUG smtp session: recipient=bs@xxx.pl
2016-07-13 21:07:43 DEBUG smtp session: recipient_count=0
2016-07-13 21:07:43 DEBUG smtp session: queue_id=080F15C0181
2016-07-13 21:07:43 DEBUG smtp session: instance=37fa.5786917e.7cbe1.0
2016-07-13 21:07:43 DEBUG smtp session: size=0
2016-07-13 21:07:43 DEBUG smtp session: etrn_domain=
2016-07-13 21:07:43 DEBUG smtp session: stress=
2016-07-13 21:07:43 DEBUG smtp session: sasl_method=
2016-07-13 21:07:43 DEBUG smtp session: sasl_username=
2016-07-13 21:07:43 DEBUG smtp session: sasl_sender=
2016-07-13 21:07:43 DEBUG smtp session: ccert_subject=
2016-07-13 21:07:43 DEBUG smtp session: ccert_issuer=
2016-07-13 21:07:43 DEBUG smtp session: ccert_fingerprint=
2016-07-13 21:07:43 DEBUG smtp session: ccert_pubkey_fingerprint=
2016-07-13 21:07:43 DEBUG smtp session: encryption_protocol=
2016-07-13 21:07:43 DEBUG smtp session: encryption_cipher=
2016-07-13 21:07:43 DEBUG smtp session: encryption_keysize=0
2016-07-13 21:07:43 DEBUG --> Apply plugin: reject_null_sender
2016-07-13 21:07:43 DEBUG <-- Result: DUNNO
2016-07-13 21:07:43 DEBUG --> Apply plugin: reject_sender_login_mismatch
2016-07-13 21:07:43 DEBUG Not an authenticated sender (no sasl_username).
2016-07-13 21:07:43 DEBUG [SQL] query alias domains: 
SELECT alias_domain
                               FROM alias_domain
                              WHERE alias_domain='akademianet.com' OR target_domain='akademianet.com'
                              LIMIT 1
2016-07-13 21:07:43 DEBUG SQL query result: None
2016-07-13 21:07:43 DEBUG Sender domain is not hosted locally.
2016-07-13 21:07:43 DEBUG <-- Result: DUNNO
2016-07-13 21:07:43 DEBUG --> Apply plugin: throttle
2016-07-13 21:07:43 DEBUG Bypass sender throttling (No sasl_username).
2016-07-13 21:07:43 DEBUG Check recipient throttling.
2016-07-13 21:07:43 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('95.211.58.47', '@ip', '@.', 'bs@xxx.pl', '@xxx.pl', '@.xxx.pl', '@pl', '@.pl', '95.211.58.*', '95.*.58.47', '95.211.*.47', '95.211.*.*', '95.*.*.*', '*.*.58.47', '*.*.*.47', '*.211.58.47', '95.*.*.47', '*.*.*.*')
         ORDER BY priority DESC

Is there something I should check? What is the next action? :)

4

Re: How to stop this spam

Seems I misunderstood your question in the first post, sorry about wasting your time.

In the first post, the mail header shows your server caught the spam:

itu wrote:

X-Spam-Flag: YES
X-Spam-Score: 10.108
X-Spam-Level: **********
X-Spam-Status: Yes,

The addresses in sender, From, To, Return-Path and Delivered-To are valid. You have to rely on SpamAssassin and DNSBL services.

5

Re: How to stop this spam

Of course, the flag is in order. Fatigue and mental shortcuts = wrong question.
I apologize for the trouble. At first I thought that something was broken by the update; all the time messages were correctly marked as spam.

I just want messages caught by "reject_sender_login_mismatch" to be blocked (not delivered to mailboxes). The rest of the spam should only be flagged and delivered.
amavisd.conf:
$final_spam_destiny = D_PASS;

Maybe somewhere you can block on a specific Spam-Score or Spam-Level?
Is it possible?

Maybe I am scheming too much? Mislabeled messages happen occasionally ...

6

Re: How to stop this spam

itu wrote:

$final_spam_destiny = D_PASS;

With '$final_spam_destiny = D_PASS;', detected spam is delivered to the user's mailbox as if it were a clean message.
To discard detected spam, set it to 'D_DISCARD'. If you have iRedAdmin-Pro, you may want to quarantine detected spam to the SQL database for further management. Check our tutorial here:
http://www.iredmail.org/docs/quarantining.html

itu wrote:

Maybe somewhere you can block specific Spam-Score or Spam-Level?

Sure. In amavisd config file:

$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
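As an added example (not from the thread or from iRedMail's shipped config), here is how the amavisd.conf score levels fit together with $final_spam_destiny. The 2 and 6.2 values are the ones visible in the first post's X-Spam-Status header (tagged_above=2 required=6.2); the kill level of 10 is an assumed value, chosen so that the quoted message (score 10.108) would be caught.

```perl
# amavisd.conf fragment (added example, not the poster's config).
# SpamAssassin returns a score; amavisd compares it against three levels.

$sa_tag_level_deflt  = 2.0;   # at/above this: add X-Spam-Status and X-Spam-Level headers
$sa_tag2_level_deflt = 6.2;   # at/above this: add X-Spam-Flag: YES and the ***Spam*** subject prefix
$sa_kill_level_deflt = 10;    # at/above this: apply $final_spam_destiny (assumed value)

# Mail scoring between tag2 and kill level is only flagged and still
# delivered, whatever $final_spam_destiny says. Only mail at or above the
# kill level is subject to the destiny chosen here.
$final_spam_destiny = D_DISCARD;   # D_PASS would deliver it to the mailbox anyway

# Mail scoring this high is assumed to be unambiguous spam and is not
# worth keeping even in a quarantine.
$sa_quarantine_cutoff_level = 20;
```

Lowering $sa_kill_level_deflt toward $sa_tag2_level_deflt blocks more of what is already flagged, at the cost of discarding the occasional mislabeled message, so pair D_DISCARD with quarantining rather than dropping mail outright if recovery matters.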