1 (edited by b4nsh33 2013-08-09 07:15:28)

Topic: Disable bypass of SpamAssassin for MYUSERS bank in AMAVIS

==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue: /var/log/iredamin /var/log/mail.log
====

Dear all, I recently installed a new server and suddenly the queue grew to 2 million mails. I started looking around the logs and found that several accounts were compromised, maybe due to a weak password. I know this because I see a lot of connections from several IPs for the same account in iredmail.log, i.e.:

2013-08-08 09:46:30 INFO [220.178.91.102] limdeex@XXX -> wsqlye@sina.com, DUNNO
2013-08-08 09:46:30 INFO [60.173.14.91] limdeex@XXX -> loveshial@yahoo.com.cn, DUNNO
2013-08-08 09:46:30 INFO [60.173.14.91] limdeex@XXX -> helenhu1206@yahoo.cn, DUNNO
2013-08-08 09:46:31 INFO [220.178.91.98] limdeex@XXX -> sun3450@163.com, DUNNO
2013-08-08 09:46:31 INFO [60.173.14.78] limdeex@XXX -> thmtang@163.com, DUNNO
2013-08-08 09:46:31 INFO [183.160.13.223] limdeex@XXX -> 1978dyx@163.com, DUNNO
2013-08-08 09:46:31 INFO [220.178.91.101] limdeex@XXX -> zhangshaoyou0211@126.com, DUNNO
2013-08-08 09:46:32 INFO [218.11.176.23] limdeex@XXX -> li_sa_123@126.com, DUNNO
2013-08-08 09:46:33 INFO [60.173.11.148] limdeex@XXX -> guanyanqing@hotmail.com, DUNNO
2013-08-08 09:46:33 INFO [220.178.91.101] limdeex@XXX -> snow_189@126.com, DUNNO
2013-08-08 09:46:33 INFO [220.178.91.101] limdeex@XXX -> 1982_yxl@163.com, DUNNO
2013-08-08 09:46:34 INFO [60.173.9.104] limdeex@XXX -> nettlily@yahoo.cn, DUNNO
2013-08-08 09:46:35 INFO [60.173.11.148] limdeex@XXX -> elia4910@gmail.com, DUNNO
2013-08-08 09:46:35 INFO [220.178.91.101] limdeex@XXX -> 728047870@qq.com, DUNNO
2013-08-08 09:46:35 INFO [60.173.9.104] limdeex@XXX -> 310408492@qq.com, DUNNO
2013-08-08 09:46:36 INFO [117.64.50.26] limdeex@XXX -> 623614335@qq.com, DUNNO
2013-08-08 09:46:36 INFO [183.160.113.236] limdeex@XXX -> 1141335727@qq.com, DUNNO
2013-08-08 09:46:36 INFO [220.178.91.98] limdeex@XXX -> 175415836@163.com, DUNNO
2013-08-08 09:46:36 INFO [60.173.14.89] limdeex@XXX -> 13991317600@139.com, DUNNO
2013-08-08 09:46:37 INFO [223.240.236.212] limdeex@XXX -> yanzi630@tom.com, DUNNO
2013-08-08 09:46:37 INFO [183.160.13.223] limdeex@XXX -> davidcamelion@hotmail.com, DUNNO
2013-08-08 09:46:37 INFO [220.181.12.60]  -> limdeex@XXX, DUNNO
2013-08-08 09:46:37 INFO [60.173.9.104] limdeex@XXX -> eraser1121@hotmail.com, DUNNO
2013-08-08 09:46:37 INFO [60.173.9.104] limdeex@XXX -> zhj9188@sina.com, DUNNO
2013-08-08 09:46:38 INFO [60.173.11.148] limdeex@XXX -> xu_pingquan@want-want.com, DUNNO
2013-08-08 09:46:38 INFO [220.181.12.121]  -> limdeex@XXX, DUNNO
2013-08-08 09:46:38 INFO [60.173.9.104] limdeex@XXX -> applehomeshen@126.com, DUNNO
2013-08-08 09:46:39 INFO [218.11.176.23] limdeex@XXX -> lufeng98@21cn.com, DUNNO
2013-08-08 09:46:39 INFO [60.173.14.89] limdeex@XXX -> jinjian@hotmail.com, DUNNO
2013-08-08 09:46:40 INFO [60.173.14.81] limdeex@XXX -> fgarkool@163.com, DUNNO
2013-08-08 09:46:40 INFO [220.178.91.101] limdeex@XXX -> 576942042@qq.com, DUNNO
2013-08-08 09:46:40 INFO [220.178.91.101] limdeex@XXX -> liaohao22@yahoo.com.cn, DUNNO
2013-08-08 09:46:40 INFO [60.173.11.148] limdeex@XXX -> nancysasa@sina.cn, DUNNO

Clearly looks like a spambot sending mail at a high rate.

After looking at the mail.log file I see all those emails are getting "Passed CLEAN, MYUSERS":

Aug  8 17:05:12 vps01 amavis[17344]: (17344-01) Passed CLEAN, MYUSERS LOCAL [218.11.176.23] [218.11.176.23] <limdeex@XXX.net> -> <ml_451@163.com>, Message-ID: <20130809070126666530@XXX.net>, mail_id: pi0O+KwwgEpY, Hits: -11.735, size: 4666, queued_as: EF0177627CB, 437 ms
Aug  8 17:05:14 vps01 amavis[16835]: (16835-03) Passed CLEAN, MYUSERS LOCAL [218.11.176.23] [218.11.176.23] <limdeex@XXX.net> -> <lixi0707@163.com>, Message-ID: <20130809070127053330@XXX.net>, mail_id: MZwfX1aDPot3, Hits: -11.735, size: 3032, queued_as: 9A2E376283C, 280 ms
Aug  8 17:05:23 vps01 amavis[14156]: (14156-08-2) Passed CLEAN, MYUSERS LOCAL [218.11.176.23] [218.11.176.23] <limdeex@XXX.net> -> <kristy84222@163.com>, Message-ID: <20130809070136638366@XXX.net>, mail_id: ZMmS-s2BCS8u, Hits: -11.735, size: 4516, queued_as: 173727626D3, 466 ms
Aug  8 17:05:33 vps01 amavis[15950]: (15950-06-4) Passed CLEAN, MYUSERS LOCAL [218.11.176.23] [218.11.176.23] <limdeex@XXX.net> -> <lixia0419@126.com>, Message-ID: <20130809070146406586@XXX.net>, mail_id: KwoICejhWfF7, Hits: -11.735, size: 3197, queued_as: 67849762684, 323 ms

After googling around I found a lot of info on how to disable the amavis scanning of SMTP-auth'ed users; I guess this is the default config in iRedMail.
Now I need to do the contrary... :-)
Can you give me some hints on how to achieve that?
Regards
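One defender-side check that turns the pattern shown above (one account submitting mail from many different client IPs within seconds) into detection logic, as an added example that is not part of the original post. It assumes the log line format of the excerpt above; the sample lines and thresholds are constructed, not taken from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as in the post's log excerpt:
# "2013-08-08 09:46:30 INFO [220.178.91.102] limdeex@XXX -> wsqlye@sina.com, DUNNO"
# Inbound lines carry an empty sender: "[220.181.12.60]  -> limdeex@XXX, DUNNO"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INFO "
    r"\[(?P<ip>[^\]]+)\]\s*(?P<sender>\S*) -> (?P<rcpt>\S+), (?P<action>\S+)$"
)

def parse_line(line):
    """Return a dict (ts, ip, sender, rcpt, action) for one line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def suspicious_senders(lines, window=timedelta(minutes=5), min_ips=3, min_msgs=5):
    """Flag senders with >= min_ips distinct client IPs and >= min_msgs messages
    inside any sliding `window`. Inbound lines (empty sender) are ignored.
    Returns {sender: (distinct_ip_count, message_count)} for the first window that trips."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sender"]:
            events[rec["sender"]].append((rec["ts"], rec["ip"]))
    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            ips = {ip for _, ip in chunk}
            if len(ips) >= min_ips and len(chunk) >= min_msgs:
                flagged[sender] = (len(ips), len(chunk))
                break
    return flagged

# Constructed sample lines in the same format as the post (documentation IP ranges, fake accounts).
SAMPLE = """\
2013-08-08 09:46:30 INFO [203.0.113.10] compromised@example.net -> a@example.org, DUNNO
2013-08-08 09:46:30 INFO [203.0.113.11] compromised@example.net -> b@example.org, DUNNO
2013-08-08 09:46:31 INFO [203.0.113.12] compromised@example.net -> c@example.org, DUNNO
2013-08-08 09:46:31 INFO [203.0.113.10] compromised@example.net -> d@example.org, DUNNO
2013-08-08 09:46:32 INFO [203.0.113.13] compromised@example.net -> e@example.org, DUNNO
2013-08-08 09:46:37 INFO [198.51.100.5]  -> compromised@example.net, DUNNO
2013-08-08 09:47:00 INFO [192.0.2.7] normal@example.net -> f@example.org, DUNNO
2013-08-08 09:48:00 INFO [192.0.2.7] normal@example.net -> g@example.org, DUNNO
""".splitlines()

if __name__ == "__main__":
    for sender, (n_ip, n_msg) in suspicious_senders(SAMPLE).items():
        print(f"{sender}: {n_msg} messages from {n_ip} client IPs within 5 minutes")
```

Feed it the real log with `suspicious_senders(open("/path/to/log"))`; a hit is a cue to reset that account's password rather than to tune the spam scanner.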


2

Re: Disable bypass of SpamAssassin for MYUSERS bank in AMAVIS

Find the setting below in the Amavisd policy_bank MYUSERS:

$policy_bank{'MYUSERS'} = {
    ...
    # don't perform spam/virus/header check.
    #bypass_spam_checks_maps => [1],
    #bypass_virus_checks_maps => [1],
    #bypass_header_checks_maps => [1],

    # allow sending any file names and types
    #bypass_banned_checks_maps => [1],
};

Uncomment them and restart the Amavisd service. That's all.

P.S. You may want to change the password for that cracked account immediately. Fail2ban will invoke iptables to block that client (for 2 hours) after 5 password failures.

3 (edited by b4nsh33 2013-08-10 03:55:49)

Re: Disable bypass of SpamAssassin for MYUSERS bank in AMAVIS

Thanks Zhang, but I think the commented lines are for bypassing the scanners, which is not what I want to do.
Anyway, I raised the debug level in amavis and found that the emails are being scanned, but I'm facing the known ALL_TRUSTED SA issue: it assigns every message a score of -10, so it has to be a really bad spam message to get caught by the filter.
I'm investigating possible solutions to this; I have already declared

trusted_networks 192.168.150.201
internal_networks 192.168.150.201

because this is a box behind a firewall/NAT device, but SA still considers all external IPs as trusted :-(
