1

Topic: Sorting and reporting spam...

Hello.

This is not exactly a technical problem, but I was just wondering: Is there a tool to sort through the /var/virusmail/ folder, display all messages, mark the spam and then report it to spamcop?


2

Re: Sorting and reporting spam...

Hi Zhang,

I received a spam message, something like this:

Dear Account User:  ouremail@our-domain.com,

Your  ouremail@our-domain.com, has been BLACKLISTED under the Mail Network Service due to Subsequent Verification failure on your Account.



We recommend that you Update and Verify your Account below to avoid suspension:

Verify Your Email Account Now

Ignoring this message will cause your Email account to be terminated without your permission.



Account Settings for: ouremail@our-domain.com

Thank You.

Notification | Copyright © 2018

The email header:

Received: from efilter.ctgtel.net (efilter.ctgtel.net [103.25.81.2])
    by ldap.our-domain.com (Postfix) with ESMTPS id EF7C0A160100
    for <ouremail@our-domain.com>; Thu,  8 Mar 2018 07:04:59 +0800 (HKT)
Received: from ldap.our-domain.com ([127.0.0.1])
    by smtp.our-domain.com (smtp.our-domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id nUPXZKEJ0ZfR for <bccOurEmail@our-domain.com>;
    Thu,  8 Mar 2018 07:05:00 +0800 (HKT)
Received: from [192.168.0.101] by mail.ctgtel.net (MDaemon PRO v10.1.0)
    with ESMTP id md50000086740.msg
    for <ouremail@our-domain.com>; Wed, 07 Mar 2018 17:20:18 +0600
Received: from mail.ctgtel.net (mail.ctgtel.net [103.25.81.4])
    by efilter.ctgtel.net (Postfix) with ESMTP id B900324987
    for <ouremail@our-domain.com>; Wed,  7 Mar 2018 17:20:20 +0600 (+06)
Received: from smtp.our-domain.com (localhost [127.0.0.1])
    by ldap.our-domain.com (Postfix) with ESMTP id EA01DA160520
    for <bccouremail@our-domain.com>; Thu,  8 Mar 2018 07:05:04 +0800 (HKT)
Return-Path: <hakim@ctgtel.net>
From: "Email Notification" <hakim@ctgtel.net>
To: <ouremail@our-domain.com>
Subject: Verification failures for ouremail@our-domain.com
Date: Wed, 7 Mar 2018 19:20:14 +0800
Message-ID: <20180307230504.EA01DA160520@ldap.our-domain.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_13C5_01D3BA2B.69A41F40"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKwj2anTe91KvNlqKlNtmbyy0ePxw==

We found out that the spam came from efilter.ctgtel.net [103.25.81.2] and this domain is registered in DNS.
The mail log is as follows:

Mar  8 07:04:58 ct-openldap postfix/smtpd[19637]: connect from efilter.ctgtel.net[103.25.81.2]
Mar  8 07:04:58 ct-openldap postfix/smtpd[19637]: Anonymous TLS connection established from efilter.ctgtel.net[103.25.81.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  8 07:04:59 ct-openldap postfix/smtpd[19637]: EF7C0A160100: client=efilter.ctgtel.net[103.25.81.2]
Mar  8 07:05:00 ct-openldap postfix/cleanup[19939]: EF7C0A160100: message-id=<>
Mar  8 07:05:00 ct-openldap postfix/qmgr[21350]: EF7C0A160100: from=<hakim@ctgtel.net>, size=63919, nrcpt=3 (queue active)
Mar  8 07:05:00 ct-openldap postfix/smtpd[19637]: disconnect from efilter.ctgtel.net[103.25.81.2]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19960]: connect from localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19960]: D395CA160106: client=localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/cleanup[19939]: D395CA160106: message-id=<20180307230504.D395CA160106@ldap.our-domain.com>
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19961]: connect from localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19960]: disconnect from localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/qmgr[21350]: D395CA160106: from=<hakim@ctgtel.net>, size=64777, nrcpt=1 (queue active)
Mar  8 07:05:04 ct-openldap amavis[18413]: (18413-07) Passed CLEAN {RelayedInbound}, [103.25.81.2]:54744 [103.25.81.4] <hakim@ctgtel.net> -> <ouremail@our-domain.com>, Queue-ID: EF7C0A160100, mail_id: G7Ou99rda94H, Hits: 2.478, size: 63919, queued_as: D395CA160106, 4593 ms, Tests: [BAYES_00=-1.9,HTML_MESSAGE=0.001,MISSING_MID=0.497,TO_IN_SUBJ=0.099,TVD_PH_BODY_ACCOUNTS_PRE=0.001,URIBL_BLOCKED=0.001,URIBL_PH_SURBL=0.28,URI_WP_HACKED=3.499]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19961]: D5DCAA160500: client=localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/cleanup[19939]: D5DCAA160500: message-id=<20180307230504.D5DCAA160500@ldap.our-domain.com>
Mar  8 07:05:04 ct-openldap postfix/smtp-amavis/smtp[19940]: EF7C0A160100: to=<ouremail@our-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.8, delays=1.2/0/0/4.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D395CA160106)


The spam server efilter.ctgtel.net[103.25.81.2] is genuine, and I found out through mxtoolbox:

Pref    Hostname               IP Address        Owner / ASN                                TTL
1       spamwall.ctgtel.net    216.55.102.53     Level 3 Communications, Inc. (AS3356)      24 hrs
10      spamwall.ctgtel.net    216.55.102.53     Level 3 Communications, Inc. (AS3356)      24 hrs
20      rnd.ctgtel.net         103.25.81.25      Progressive Tower (1st Floor) (AS58912)    24 hrs

Zhang,

How could we stop this kind of spam email when the sending server is properly registered?

P.S. I hid our domain and the intended email recipient as ouremail@our-domain.com.

Thanks,
Napoleon
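The amavis line in the log above already explains why this message was delivered: the rules that fired (URI_WP_HACKED, URIBL_PH_SURBL) were offset by a negative BAYES_00 score, leaving the total below the spam threshold. As an added example (not code from the post or from iRedMail), this Python snippet parses that amavis line into its verdict, score and per-rule contributions, checks that the rule scores add up to the reported Hits, and reports the distance to a tag2 threshold; the 6.31 threshold is an assumption (amavisd's default), not a value stated in the post.

```python
import math
import re

# Constructed from the amavis log line quoted in the post above (joined into one string).
AMAVIS_LINE = (
    "Mar  8 07:05:04 ct-openldap amavis[18413]: (18413-07) Passed CLEAN "
    "{RelayedInbound}, [103.25.81.2]:54744 [103.25.81.4] <hakim@ctgtel.net> "
    "-> <ouremail@our-domain.com>, Queue-ID: EF7C0A160100, mail_id: G7Ou99rda94H, "
    "Hits: 2.478, size: 63919, queued_as: D395CA160106, 4593 ms, "
    "Tests: [BAYES_00=-1.9,HTML_MESSAGE=0.001,MISSING_MID=0.497,TO_IN_SUBJ=0.099,"
    "TVD_PH_BODY_ACCOUNTS_PRE=0.001,URIBL_BLOCKED=0.001,URIBL_PH_SURBL=0.28,"
    "URI_WP_HACKED=3.499]"
)

# Covers the common "Passed <CATEGORY>" / "Blocked <CATEGORY>" shape of amavis log lines.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<category>[A-Z-]+) "
    r"\{(?P<flow>[^}]+)\}, \[(?P<relay_ip>[^\]]+)\]:\d+ .*?"
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, Queue-ID: (?P<queue_id>\w+), "
    r".*?Hits: (?P<hits>-?[\d.]+|-), .*?Tests: \[(?P<tests>[^\]]*)\]"
)


def parse_amavis(line):
    """Return the verdict, relay, sender/recipient, score and per-rule scores, or None."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    tests = {}
    for item in filter(None, m["tests"].split(",")):
        name, _, score = item.partition("=")
        tests[name] = float(score)
    return {
        "verdict": f"{m['verdict']} {m['category']}",
        "relay_ip": m["relay_ip"],
        "sender": m["sender"],
        "rcpt": m["rcpt"],
        "queue_id": m["queue_id"],
        "hits": None if m["hits"] == "-" else float(m["hits"]),  # "-" means not scanned
        "tests": tests,
    }


def score_report(parsed, tag2_level=6.31):
    """Rank rules by how much they moved the score and show the margin to the spam tag.
    tag2_level is an assumed threshold ($sa_tag2_level_deflt), not taken from the post."""
    ranked = sorted(parsed["tests"].items(), key=lambda kv: -abs(kv[1]))
    total = round(sum(parsed["tests"].values()), 3)
    return {
        "ranked": ranked,
        "sum_matches_hits": math.isclose(total, parsed["hits"], abs_tol=0.001),
        "margin_to_spam": round(tag2_level - parsed["hits"], 3),
    }
```

Run over this line, the report ranks URI_WP_HACKED first and BAYES_00 second, which is the usual sign that the Bayes database has been trained to see this kind of mail as ham and needs retraining with the sample.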

3

Re: Sorting and reporting spam...

maxie_ro wrote:

Hello.

This is not exactly a technical problem, but I was just wondering: Is there a tool to sort through the /var/virusmail/ folder, display all messages, mark the spam and then report it to spamcop?

Maybe better to contact spamcop? If spamcop wants to get more spam examples, it would be better for them to offer a tool that lets sysadmins submit the examples.