1

Topic: iredapd header checks

I'm looking to improve my spam blocking with my own iredapd plugin, but I need to access the mail headers.

So far I found the following key/values that are available for an iredapd plugin.
Is it possible to get more mail header details in iredapd like "To:, From:, ..." to do some more testing in iredapd?

smtp session: request=
smtp session: protocol_state=
smtp session: protocol_name=
smtp session: client_address=
smtp session: client_name=
smtp session: reverse_client_name=
smtp session: helo_name=
smtp session: sender=
smtp session: recipient=
smtp session: recipient_count=
smtp session: queue_id=
smtp session: instance=
smtp session: size=
smtp session: etrn_domain=
smtp session: stress=
smtp session: sasl_method=
smtp session: sasl_username=
smtp session: sasl_sender=
smtp session: ccert_subject=
smtp session: ccert_issuer=
smtp session: ccert_fingerprint=
smtp session: ccert_pubkey_fingerprint=
smtp session: encryption_protocol=
smtp session: encryption_cipher=
smtp session: encryption_keysize=


I know that I can use the postfix cleanup header_checks, but the regex is not that flexible.


2

Re: iredapd header checks

You won't get mail header or body with iredapd, because it's a policy server, not a milter or content filter.

Iredapd uses this doc: http://www.postfix.org/SMTPD_POLICY_README.html

You need a milter to get full mail message.

3

Re: iredapd header checks

Hmm, ok.

The thing is, I receive a lot of spam that passes my RBLs and other checks.
Most of the spam is using my real mail address but the header "To:" differs.
My goal is to reject all messages whose header "To:" is not part of my hosted domains.

That works with postfix header_checks partly, but I can't set different header_checks for out/incoming mails.

if /^To:/
!/(^To:.*mydomain\.de|^To:.*mydomain\.com)/ REJECT Recipient address rejected: Header To: Domain unknown. 
endif

As a workaround I've disabled header_checks for the submission port, so outgoing mail has to go through submission.

…
submission inet n       -       n       -       -       smtpd
…
  -o receive_override_options=no_header_body_checks

An issue is SOGo, there is no option to configure submission, the option sendmail isn't working either.
That's why I'm looking for an alternative way.

Any ideas or suggestions on how to solve this without breaking the current iRedMail filter/mail path configuration?

4

Re: iredapd header checks

iRedAPD plugin "reject_sender_login_mismatch" is what you're looking for - reject forged senders.

5 (edited by sherwood 2017-02-15 21:16:48)

Re: iredapd header checks

This plugin is installed and configured by default.

# Enabled plugins.
plugins = ["reject_null_sender", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "ldap_maillist_access_policy", "reject_to_hostname", "whitelist_outbound_recipient"]

The spammer is addressing the correct local mail address but the header "To:" has a different one.

Return-Path: <info@toyomag.biz.ua>
Delivered-To: info@mydomain.com
Received: from mail.mydomain.com (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 76CB1557B
    for <info@mydomain.com>; Tue, 14 Feb 2017 05:16:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 5.05
X-Spam-Level: *****
X-Spam-Status: No, score=5.05 tagged_above=2 required=6.2
    tests=[FROM_EXCESS_BASE64=0.105, HTML_IMAGE_ONLY_32=0.001,
    HTML_MESSAGE=0.001, MPART_ALT_DIFF=0.724, RCVD_IN_MSPIKE_BL=0.01,
    RCVD_IN_MSPIKE_L3=0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, TVD_SPACE_RATIO=0.001, T_OBFU_PDF_ATTACH=0.01,
    URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id sLkbGk2r2-b8 for <info@mydomain.com>;
    Tue, 14 Feb 2017 05:15:58 +0100 (CET)
Received: from toyomag.biz.ua (m3.toyomag.biz.ua [89.163.150.139])
    by mail.mydomain.com (Postfix) with ESMTP id B0FB916B2
    for <info@mydomain.com >; Tue, 14 Feb 2017 05:15:57 +0100 (CET)
Received: from toyomag.biz.ua (m1.toyomag.biz.ua [89.163.255.182])
    by toyomag.biz.ua (Postfix) with ESMTPA id C3DB634CD3D;
    Tue, 14 Feb 2017 01:10:46 +0200 (EET)
Message-ID: <14d301d28667$92c62ba0$a87fdc76@info>
Reply-To: "=?windows-1251?B?UGlsbGVudmVyc2FuZA==?=" <info@toyomag.biz.ua>
From: "=?windows-1251?B?UGlsbGVudmVyc2FuZA==?=" <info@toyomag.biz.ua>
To: <harald.hotop@sanktgertrud-wattenscheid.de>
Subject: =?windows-1251?B?UmU6IEdlbmVyaWthIFBvdGVuem1pdHRlbA==?=
Date: Tue, 14 Feb 2017 02:10:54 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01D28667.212D0E00"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

Instead of moving the mail to the junk folder, I'd like to reject them.
I've been receiving many more other mails with lower spam scores, but the "To:" is always different from my local mail addresses.

6

Re: iredapd header checks

Could you please turn on debug mode in iRedAPD, to generate detailed log about spam email like this? We need debug log to understand why iRedAPD plugin doesn't (correctly recognize it and) reject it.

7 (edited by sherwood 2019-05-27 19:57:54)

Re: iredapd header checks

Here is a similar (anonymized) mail header and corresponding iredapd debug log.

Return-Path: <imzidqt@woodmebel.co.ua>
Delivered-To: user@mydomain.com
Received: from mail.mydomain.com (localhost [127.0.0.1])
    by mail.mydomain.com (Postfix) with ESMTP id 40BD520EA
    for <user@mydomain.com>; Mon, 13 Feb 2017 01:28:41 +0100 (CET)
X-Virus-Scanned: amavisd-new at mail.mydomain.com
X-Spam-Flag: YES
X-Spam-Score: 10.065
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.065 tagged_above=2 required=6.2
    tests=[FUZZY_ERECT=1.306, HTML_IMAGE_ONLY_12=1.629,
    HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_2=0.259, MPART_ALT_DIFF=0.724,
    RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    TVD_SPACE_RATIO=0.001, URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7,
    URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ByfzbRYBd0EF for <user@mydomain.com>;
    Mon, 13 Feb 2017 01:28:38 +0100 (CET)
Received: from woodmebel.co.ua (woodmebel.co.ua [89.163.225.26])
    by mail.mydomain.com (Postfix) with ESMTP id D568616B2
    for <; Mon, 13 Feb 2017 01:28:37 +0100 (CET)
Received: from woodmebel.co.ua (woodmebel.co.ua [89.163.225.26])
    by woodmebel.co.ua (Postfix) with ESMTPA id 32E241C220F3;
    Mon, 13 Feb 2017 02:03:11 +0200 (EET)
Message-ID: <6e9501d2859d$6b2963c0$1105fdfd@imzidqt>
Reply-To: "Versandapotheke" <imzidqt@woodmebel.co.ua>
From: "Versandapotheke" <imzidqt@woodmebel.co.ua>
To: <balou@saupacker-vom-erzgebirgsblick.de>
Subject: ***Spam*** Arzneimittel zur Erektionsdysfunktion
Date: Mon, 13 Feb 2017 02:03:50 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0018_01D2859D.512D2B00"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

iredapd 2.0, iredmail 0.9.6 (upgraded from a clean 0.9.5-1 install) on CentOS 7.3.1611, LDAP backend

2017-02-13 01:28:37 DEBUG Connect from 127.0.0.1, port 36294.
2017-02-13 01:28:37 DEBUG smtp session: request=smtpd_access_policy
2017-02-13 01:28:37 DEBUG smtp session: protocol_state=RCPT
2017-02-13 01:28:37 DEBUG smtp session: protocol_name=ESMTP
2017-02-13 01:28:37 DEBUG smtp session: client_address=89.163.225.26
2017-02-13 01:28:37 DEBUG smtp session: client_name=woodmebel.co.ua
2017-02-13 01:28:37 DEBUG smtp session: reverse_client_name=woodmebel.co.ua
2017-02-13 01:28:37 DEBUG smtp session: helo_name=woodmebel.co.ua
2017-02-13 01:28:37 DEBUG smtp session: sender=imzidqt@woodmebel.co.ua
2017-02-13 01:28:37 DEBUG smtp session: recipient=user@mydomain.com
2017-02-13 01:28:37 DEBUG smtp session: recipient_count=0
2017-02-13 01:28:37 DEBUG smtp session: queue_id=
2017-02-13 01:28:37 DEBUG smtp session: instance=6459.58a0fdb5.89308.0
2017-02-13 01:28:37 DEBUG smtp session: size=836836
2017-02-13 01:28:37 DEBUG smtp session: etrn_domain=
2017-02-13 01:28:37 DEBUG smtp session: stress=
2017-02-13 01:28:37 DEBUG smtp session: sasl_method=
2017-02-13 01:28:37 DEBUG smtp session: sasl_username=
2017-02-13 01:28:37 DEBUG smtp session: sasl_sender=
2017-02-13 01:28:37 DEBUG smtp session: ccert_subject=
2017-02-13 01:28:37 DEBUG smtp session: ccert_issuer=
2017-02-13 01:28:37 DEBUG smtp session: ccert_fingerprint=
2017-02-13 01:28:37 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-02-13 01:28:37 DEBUG smtp session: encryption_protocol=
2017-02-13 01:28:37 DEBUG smtp session: encryption_cipher=
2017-02-13 01:28:37 DEBUG smtp session: encryption_keysize=0
2017-02-13 01:28:37 DEBUG LDAP connection initialied success.
2017-02-13 01:28:37 DEBUG LDAP bind success.
2017-02-13 01:28:37 DEBUG --> Apply plugin: reject_to_hostname
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO
2017-02-13 01:28:37 DEBUG --> Apply plugin: reject_null_sender
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO
2017-02-13 01:28:37 DEBUG --> Apply plugin: reject_sender_login_mismatch
2017-02-13 01:28:37 DEBUG Not an authenticated sender (no sasl_username).
2017-02-13 01:28:37 DEBUG Sender domain is not hosted locally.
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO
2017-02-13 01:28:37 DEBUG --> Apply plugin: greylisting
2017-02-13 01:28:37 DEBUG [SQL] Query greylisting whitelists: 
SELECT id, sender, comment
               FROM greylisting_whitelists
              WHERE account IN ('user@mydomain.com', '@mydomain.com', '@.')
2017-02-13 01:28:37 DEBUG No whitelist found.
2017-02-13 01:28:37 DEBUG [SQL] query greylisting settings: 
SELECT id, account, sender, sender_priority, active
               FROM greylisting
              WHERE account IN ('user@mydomain.com', '@mydomain.com', '@.')
              ORDER BY priority DESC, sender_priority DESC
2017-02-13 01:28:37 DEBUG [SQL] query result: [(1L, '@.', '@.', 0, 1)]
2017-02-13 01:28:37 DEBUG Greylisting should be applied according to SQL record: (id=1, account='@.', sender='@.')
2017-02-13 01:28:37 DEBUG [SQL] check whether client address (89.163.225.26) passed greylisting: 
SELECT id
               FROM greylisting_tracking
              WHERE client_address='89.163.225.26'
                    AND passed=1
              LIMIT 1
2017-02-13 01:28:37 DEBUG Client address (89.163.225.26) passed greylisting.
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO
2017-02-13 01:28:37 DEBUG --> Apply plugin: throttle
2017-02-13 01:28:37 DEBUG Check sender throttling.
2017-02-13 01:28:37 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='external' AND account IN ('89.163.225.26', '@ip', '@.', 'imzidqt@woodmebel.co.ua', '@woodmebel.co.ua', '@.woodmebel.co.ua', '@co.ua', '@.co.ua', '@ua', '@.ua', '89.163.225.*', '89.163.*.26')
         ORDER BY priority DESC
         
2017-02-13 01:28:37 DEBUG [SQL] Query result:
[]
2017-02-13 01:28:37 DEBUG No sender throttle setting.
2017-02-13 01:28:37 DEBUG Check recipient throttling.
2017-02-13 01:28:37 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('89.163.225.26', '@ip', '@.', 'user@mydomain.com', '@mydomain.com', '@.mydomain.com', '@com', '@.de', '89.163.225.*', '89.163.*.26')
         ORDER BY priority DESC
         
2017-02-13 01:28:37 DEBUG [SQL] Query result:
[]
2017-02-13 01:28:37 DEBUG No recipient throttle setting.
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO
2017-02-13 01:28:37 DEBUG [+] Getting LDIF data of account: user@mydomain.com
2017-02-13 01:28:37 DEBUG search base dn: o=domains,dc=mydomain,dc=de
2017-02-13 01:28:37 DEBUG search scope: SUBTREE
2017-02-13 01:28:37 DEBUG search filter: (&(|(mail=user@mydomain.com)(shadowAddress=user@mydomain.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2017-02-13 01:28:37 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy']
2017-02-13 01:28:37 DEBUG result: [('mail=user@mydomain.de,ou=Users,domainName=mydomain.de,o=domains,dc=mydomain,dc=de', {'objectClass': ['inetOrgPerson', 'mailUser', 'shadowAccount', 'amavisAccount']})]
2017-02-13 01:28:37 DEBUG --> Apply plugin: ldap_maillist_access_policy
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO (Recipient is not a mailing list account)
2017-02-13 01:28:37 DEBUG --> Apply plugin: amavisd_wblist
2017-02-13 01:28:37 DEBUG Possible policy senders: ['@.', 'imzidqt@woodmebel.co.ua', '@woodmebel.co.ua', '@.woodmebel.co.ua', '@co.ua', '@.co.ua', '@ua', '@.ua', 'imzidqt@*', '89.163.225.26', '89.163.225.*', '89.163.*.26']
2017-02-13 01:28:37 DEBUG Possible policy recipients: ['@.', 'user@mydomain.com', '@mydomain.com', '@.mydomain.com', '@com', '@.de']
2017-02-13 01:28:37 DEBUG Apply wblist for inbound message.
2017-02-13 01:28:37 DEBUG [SQL] Query local addresses: 
SELECT id, email
               FROM users
              WHERE email IN ('@.', 'user@mydomain.com', '@mydomain.com', '@.mydomain.com', '@com', '@.de')
           ORDER BY priority DESC
2017-02-13 01:28:37 DEBUG Local addresses (in `users`): [(1L, '@.')]
2017-02-13 01:28:37 DEBUG [SQL] Query external addresses: 
SELECT id, email
               FROM mailaddr
              WHERE email IN ('@.', 'imzidqt@woodmebel.co.ua', '@woodmebel.co.ua', '@.woodmebel.co.ua', '@co.ua', '@.co.ua', '@ua', '@.ua', 'imzidqt@*', '89.163.225.26', '89.163.225.*', '89.163.*.26')
           ORDER BY priority DESC
2017-02-13 01:28:37 DEBUG No record found in SQL database.
2017-02-13 01:28:37 DEBUG No valid sender id or recipient id.
2017-02-13 01:28:37 DEBUG <-- Result: DUNNO
2017-02-13 01:28:37 DEBUG Skip plugin: whitelist_outbound_recipient (protocol_state != RCPT)
2017-02-13 01:28:37 DEBUG Session ended.
2017-02-13 01:28:37 INFO 89.163.225.26 RCPT, imzidqt@woodmebel.co.ua -> user@mydomain.com, DUNNO [0.0992s]
2017-02-13 01:28:37 DEBUG Close LDAP connection.
2017-02-13 01:28:38 DEBUG smtp session: request=smtpd_access_policy
2017-02-13 01:28:38 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2017-02-13 01:28:38 DEBUG smtp session: protocol_name=ESMTP
2017-02-13 01:28:38 DEBUG smtp session: client_address=89.163.225.26
2017-02-13 01:28:38 DEBUG smtp session: client_name=woodmebel.co.ua
2017-02-13 01:28:38 DEBUG smtp session: reverse_client_name=woodmebel.co.ua
2017-02-13 01:28:38 DEBUG smtp session: helo_name=woodmebel.co.ua
2017-02-13 01:28:38 DEBUG smtp session: sender=imzidqt@woodmebel.co.ua
2017-02-13 01:28:38 DEBUG smtp session: recipient=user@mydomain.com
2017-02-13 01:28:38 DEBUG smtp session: recipient_count=1
2017-02-13 01:28:38 DEBUG smtp session: queue_id=D568616B2
2017-02-13 01:28:38 DEBUG smtp session: instance=6459.58a0fdb5.89308.0
2017-02-13 01:28:38 DEBUG smtp session: size=836836
2017-02-13 01:28:38 DEBUG smtp session: etrn_domain=
2017-02-13 01:28:38 DEBUG smtp session: stress=
2017-02-13 01:28:38 DEBUG smtp session: sasl_method=
2017-02-13 01:28:38 DEBUG smtp session: sasl_username=
2017-02-13 01:28:38 DEBUG smtp session: sasl_sender=
2017-02-13 01:28:38 DEBUG smtp session: ccert_subject=
2017-02-13 01:28:38 DEBUG smtp session: ccert_issuer=
2017-02-13 01:28:38 DEBUG smtp session: ccert_fingerprint=
2017-02-13 01:28:38 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-02-13 01:28:38 DEBUG smtp session: encryption_protocol=
2017-02-13 01:28:38 DEBUG smtp session: encryption_cipher=
2017-02-13 01:28:38 DEBUG smtp session: encryption_keysize=0
2017-02-13 01:28:38 DEBUG LDAP connection initialied success.
2017-02-13 01:28:38 DEBUG LDAP bind success.
2017-02-13 01:28:38 DEBUG Skip plugin: reject_to_hostname (protocol_state != END-OF-MESSAGE)
2017-02-13 01:28:38 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2017-02-13 01:28:38 DEBUG Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
2017-02-13 01:28:38 DEBUG Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
2017-02-13 01:28:38 DEBUG --> Apply plugin: throttle
2017-02-13 01:28:38 DEBUG Check sender throttling.
2017-02-13 01:28:38 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='external' AND account IN ('89.163.225.26', '@ip', '@.', 'imzidqt@woodmebel.co.ua', '@woodmebel.co.ua', '@.woodmebel.co.ua', '@co.ua', '@.co.ua', '@ua', '@.ua', '89.163.225.*', '89.163.*.26')
         ORDER BY priority DESC
         
2017-02-13 01:28:38 DEBUG [SQL] Query result:
[]
2017-02-13 01:28:38 DEBUG No sender throttle setting.
2017-02-13 01:28:38 DEBUG Check recipient throttling.
2017-02-13 01:28:38 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('89.163.225.26', '@ip', '@.', 'user@mydomain.com', '@mydomain.com', '@.mydomain.com', '@com', '@.de', '89.163.225.*', '89.163.*.26')
         ORDER BY priority DESC
         
2017-02-13 01:28:38 DEBUG [SQL] Query result:
[]
2017-02-13 01:28:38 DEBUG No recipient throttle setting.
2017-02-13 01:28:38 DEBUG <-- Result: DUNNO
2017-02-13 01:28:38 DEBUG Skip plugin: ldap_maillist_access_policy (protocol_state != END-OF-MESSAGE)
2017-02-13 01:28:38 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2017-02-13 01:28:38 DEBUG --> Apply plugin: whitelist_outbound_recipient
2017-02-13 01:28:38 DEBUG No sasl_username found, skip.
2017-02-13 01:28:38 DEBUG <-- Result: DUNNO
2017-02-13 01:28:38 DEBUG Session ended.
2017-02-13 01:28:38 INFO 89.163.225.26 END-OF-MESSAGE, imzidqt@woodmebel.co.ua -> user@mydomain.com, DUNNO [0.0062s]
2017-02-13 01:28:38 DEBUG Close LDAP connection.
2017-02-16 09:05:17 INFO Starting iRedAPD (version: 2.0, backend: ldap), listening on 127.0.0.1:7777.
2017-02-16 09:05:17 INFO Log rotate type: time, interval: W6, backup copies: 12.
2017-02-16 09:05:17 INFO Loading plugin (priority: 100): reject_to_hostname
2017-02-16 09:05:17 INFO Loading plugin (priority: 100): reject_null_sender
2017-02-16 09:05:17 INFO Loading plugin (priority: 90): reject_sender_login_mismatch
2017-02-16 09:05:17 INFO Loading plugin (priority: 80): greylisting
2017-02-16 09:05:17 INFO Loading plugin (priority: 60): throttle
2017-02-16 09:05:17 INFO Loading plugin (priority: 50): ldap_maillist_access_policy
2017-02-16 09:05:17 INFO Loading plugin (priority: 40): amavisd_wblist
2017-02-16 09:05:17 INFO Loading plugin (priority: 10): whitelist_outbound_recipient

8 (edited by sherwood 2017-02-21 00:34:42)

Re: iredapd header checks

Any updates on this? Is it a bug, or is it just not able to filter this kind of mail?

9

Re: iredapd header checks

sherwood wrote:

2017-02-13 01:28:38 DEBUG smtp session: sender=imzidqt@woodmebel.co.ua
2017-02-13 01:28:38 DEBUG smtp session: recipient=user@mydomain.com
...
2017-02-13 01:28:37 DEBUG smtp session: sasl_method=
2017-02-13 01:28:37 DEBUG smtp session: sasl_username=
2017-02-13 01:28:37 DEBUG smtp session: sasl_sender=

This is what iRedAPD got from Postfix. According to these parameters, iRedAPD considers it a normal incoming email.

Since iRedAPD (and all Postfix policy servers) cannot get mail headers, it cannot help reject this kind of spam with built-in plugins. If you're sure you can properly reject spam with some of the parameters iRedAPD gets, you're free to write your own plugin to reject it.

BTW, SpamAssassin (SA) already recognizes this as spam, how about doing the reject/block with SA?
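
Added example (not part of the thread and not iRedAPD code): it parses a policy delegation request of the kind logged above, which carries only envelope attributes, and then runs the "To:" domain check from post 3 on the message headers, which only a milter or content filter gets to see. The function names are hypothetical, HOSTED_DOMAINS uses the thread's placeholder domains, and both samples are constructed from the values posted in the debug log and header above.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: hosted domains, using the placeholder names from the thread.
HOSTED_DOMAINS = {"mydomain.de", "mydomain.com"}

def parse_policy_request(raw):
    """Parse a policy delegation request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def header_recipient_domains(raw_message, fields=("To", "Cc")):
    """Return the lower-cased domains of every address in the given header fields."""
    msg = message_from_string(raw_message)
    values = [v for field in fields for v in msg.get_all(field, [])]
    domains = set()
    for _name, addr in getaddresses(values):
        _local, at, domain = addr.rpartition("@")
        if at and domain:
            domains.add(domain.lower().rstrip("."))
    return domains

def compare_views(policy_attrs, raw_message, hosted=HOSTED_DOMAINS):
    """Contrast what a policy server sees (envelope) with what a milter sees (headers)."""
    envelope_domain = policy_attrs.get("recipient", "").rpartition("@")[2].lower()
    header_domains = header_recipient_domains(raw_message)
    if not header_domains:
        header_check = "no-header-addresses"  # e.g. "undisclosed-recipients:;"
    elif header_domains & hosted:
        header_check = "match"
    else:
        header_check = "mismatch"
    return {
        "envelope_recipient_hosted": envelope_domain in hosted,
        "header_domains": header_domains,
        "header_check": header_check,
    }

# Constructed samples, reduced from the debug log and header in the thread.
SAMPLE_POLICY_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "sender=imzidqt@woodmebel.co.ua\n"
    "recipient=user@mydomain.com\n"
    "sasl_username=\n"
    "\n"
)
SAMPLE_HEADERS = (
    'From: "Versandapotheke" <imzidqt@woodmebel.co.ua>\n'
    "To: <balou@saupacker-vom-erzgebirgsblick.de>\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    attrs = parse_policy_request(SAMPLE_POLICY_REQUEST)
    print(sorted(attrs))  # envelope attributes only, no To:/From: header
    print(compare_views(attrs, SAMPLE_HEADERS))
```

A "mismatch" on its own is not proof of spam: Bcc'd mail and mailing-list traffic legitimately carry a "To:" header that names other domains, so a filter applying this check needs exceptions for those or should use it as one scoring signal.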