1

Topic: Blacklisting Issue

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.5-1
- Linux/BSD distribution name and version: Ubuntu 12.04.5 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): v2.4.1 (MySQL)
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue: Attached below
====

Hi,

I have added "@personalsupport.co" to the blacklist section of iRedAdmin.
However spam from these from/sender addresses is still making it through.
Only thing I note is postfix sees a different sender.
Below example is actually being sent to an alias however there are others which are sent to normal user.



Dec  6 05:03:51 mx postfix/smtpd[4527]: connect from comstarpostfix5-1.spd.co.il[62.128.51.120]
Dec  6 05:03:54 mx postfix/smtpd[4527]: NOQUEUE: reject: RCPT from comstarpostfix5-1.spd.co.il[62.128.51.120]: 450 4.1.8 <noreply@newsletterim.net>: Sender address rejected: Domain not found; from=<noreply@newsletterim.net> to=<alias@domaim1.com> proto=ESMTP helo=<comstarpostfix5-1.spd.co.il>
Dec  6 05:03:54 mx postfix/smtpd[4527]: disconnect from comstarpostfix5-1.spd.co.il[62.128.51.120]

Dec  6 05:19:00 mx postfix/smtpd[6338]: connect from comstarpostfix5-1.spd.co.il[62.128.51.120]
Dec  6 05:19:03 mx postfix/smtpd[6338]: 46A9838009A: client=comstarpostfix5-1.spd.co.il[62.128.51.120]
Dec  6 05:19:04 mx postfix/smtpd[6338]: disconnect from comstarpostfix5-1.spd.co.il[62.128.51.120]
Dec  6 05:19:05 mx amavis[13606]: (13606-18) Passed CLEAN {},  [62.128.51.120] <noreply@newsletterim.net> -> <user@domain2.com>, Message-ID: , mail_id: lAen2A04xcNO, Hits: -0.198, size: 9925, queued_as: 51FE4381946, 1389 ms, Tests: [BAYES_00=-1.9,FOUND_YOU=0.001,HTML_MESSAGE=0.001,SPF_PASS=-0.001,UNPARSEABLE_RELAY=0.001,URIBL_BLACK=1.7]



Return-Path: <noreply@newsletterim.net>
Delivered-To: user@domain2.com
Received: from localhost (localhost [127.0.0.1])
    by mx.domain2.com (Postfix) with ESMTP id 51FE4381946
    for <user@domain2.com>; Tue,  6 Dec 2016 05:19:05 +1300 (NZDT)
X-Virus-Scanned: Debian amavisd-new at mx.eol.co.nz
Received: from mx.domain2.com ([127.0.0.1])
    by localhost (mx.domain2.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id lAen2A04xcNO for <user@domain2.com>;
    Tue,  6 Dec 2016 05:19:03 +1300 (NZDT)
Received: from comstarpostfix5-1.spd.co.il (comstarpostfix5-1.spd.co.il [62.128.51.120])
    by mx.domain2.com (Postfix) with ESMTPS id 46A9838009A
    for <alias@domain1.com>; Tue,  6 Dec 2016 05:19:03 +1300 (NZDT)
Received: from comstarpostfix5.spd.co.il
From: "personalsupport.co" <adam@personalsupport.co>
To: "alias@domain1.com" <alias@domain1.com>
Reply-To: adam@personalsupport.co
Sender: personalsupport.co<adam@personalsupport.co>
Date: Mon, 05 Dec 2016 18:19:15 +0200
Subject: You're 9 clicks away...
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="_=aspNetEmail=_40e105f056644edaad5cabc4bc680174"
X-MyMessageID: 10678--6522364
List-Unsubscribe: <mailto:feedbackloop+1445178_6522364@isender.co>
Precedence: bulk
Feedback-ID: 1445178145585610678:10678:promotion:newsletterim.net
Message-ID: <SENDMSG3af82e4cd087449097324d7da79cd25d@sendmsg>


2

Re: Blacklisting Issue

cre8r wrote:

Dec  6 05:19:05 mx amavis[13606]: (13606-18) Passed CLEAN {},  [62.128.51.120] <noreply@newsletterim.net> -> <user@domain2.com>, Message-ID: , mail_id: lAen2A04xcNO, Hits: -0.198, size: 9925, queued_as: 51FE4381946, 1389 ms, Tests: [BAYES_00=-1.9,FOUND_YOU=0.001,HTML_MESSAGE=0.001,SPF_PASS=-0.001,UNPARSEABLE_RELAY=0.001,URIBL_BLACK=1.7]

Amavisd finds the sender is "noreply@newsletterim.net", but you didn't paste the log related to the Postfix program; I believe it's "noreply@newsletterim.net" too.

In this case, you should blacklist "@newsletterim.net" instead.

3

Re: Blacklisting Issue

Is there any way I can block these spams?
Issue is they just change the sender every time, but it's the same from address?
So even if I block @newsletterim.net, it will just come through again as a separate sender.

IE: Can I train amavis to block these?

4

Re: Blacklisting Issue

cre8r wrote:

Issue is they just change the sender every time, but it's the same from address?

You can block it with Postfix 'header_checks':
http://www.postfix.org/header_checks.5.html

Add a rule to match the 'From:' header and reject it.
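
Added example (not part of the original thread and not iRedMail or Postfix code): a Python model of why the "@personalsupport.co" blacklist entry never fired while a rule on the 'From:' header does. It assumes, as the reply in post 2 implies, that blacklist entries are compared against the envelope sender; the rule's file path and reject text, the function names and the lookalike/rotated addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Equivalent Postfix rule (header_checks(5) PCRE syntax, case-insensitive by default).
# The file path and reject text are assumptions:
#   /etc/postfix/header_checks:
#   /^From:.*[@.]personalsupport\.co(?![\w.-])/ REJECT From: domain blocked
FROM_RULE = re.compile(r"^From:.*[@.]personalsupport\.co(?![\w.-])", re.IGNORECASE)

def envelope_blacklisted(mail_from, blacklist):
    """Match an '@domain' entry against the SMTP envelope sender (MAIL FROM)."""
    domain = "@" + mail_from.rsplit("@", 1)[-1].lower()
    return domain in {entry.lower() for entry in blacklist}

def header_rule_rejects(raw_message):
    """Apply FROM_RULE to each 'Name: value' header, as header_checks sees it."""
    msg = message_from_string(raw_message)
    return any(FROM_RULE.search(f"{name}: {value}") for name, value in msg.items())

def build(from_header):
    # Constructed message; header values are taken from the thread.
    return (
        "Return-Path: <noreply@newsletterim.net>\n"
        f"From: {from_header}\n"
        "Subject: You're 9 clicks away...\n"
        "\n"
        "body\n"
    )

SPAM = build('"personalsupport.co" <adam@personalsupport.co>')
LOOKALIKE = build("Someone <someone@personalsupport.com>")  # constructed, must not match

if __name__ == "__main__":
    # The original blacklist entry never matches the envelope sender ...
    print(envelope_blacklisted("noreply@newsletterim.net", ["@personalsupport.co"]))
    # ... and blocking today's envelope domain misses a rotated one (constructed).
    print(envelope_blacklisted("noreply@rotated.example", ["@newsletterim.net"]))
    # The From: header rule catches the message regardless of envelope sender.
    print(header_rule_rejects(SPAM), header_rule_rejects(LOOKALIKE))
```

On the mail server, a rule can be checked before reloading Postfix with postmap -q "From: adam@personalsupport.co" pcre:/etc/postfix/header_checks (path assumed), which prints the action when the pattern matches.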

5

Re: Blacklisting Issue

Thank you for the tip, works great.