1

Topic: SPAM problem

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 3.0
- Linux/BSD distribution name and version: 12.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi

I have SPAM problem.
I am 99% sure the problem is in Postfix. I can't find the source file/script.

Any suggestions ?

mailq shows this ...
9346020C21B4     1858 Thu Feb 22 10:15:17  user@mydomain.xx
(delivery temporarily suspended: lost connection with mx-aol.mail.gm0.yahoodns.net[66.218.85.151] while sending RCPT TO)
                                         live2fish@aol.com

9276320C21C4     1678 Thu Feb 22 10:16:00  user@mydomain.xx
(host mta6.am0.yahoodns.net[67.195.229.59] said: 421 4.7.0 [TSS04] Messages from 80.232.208.36 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
                                         eraklidado@yahoo.com

954AD20C219B     1864 Thu Feb 22 10:15:17  user@mydomain.xx
(delivery temporarily suspended: lost connection with mx-aol.mail.gm0.yahoodns.net[66.218.85.151] while sending RCPT TO)
                                         cathyweldon3@aol.com

305F720C2198     1840 Thu Feb 22 10:06:03  user@mydomain.xx
(delivery temporarily suspended: lost connection with mta6.am0.yahoodns.net[98.137.159.28] while sending RCPT TO)
                                         thumbnail55@yahoo.com


User user@mydomain.xx has been deleted. No change.

Arnis

2

Re: SPAM problem

Try this:

*) Download script "find_top_sasl_usernames.sh" shipped in iRedMail:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

*) Run it:

bash find_top_sasl_usernames.sh

It will show you the top accounts which performed the most SMTP authentications. It's very possible that their passwords were cracked and used to send spam.

3

Re: SPAM problem

I can't enable mail.add_x_header

I open /etc/php5/cli.php.ini
and add 2 lines:
mail.add_x_header = On
mail.log = /var/log/phpmail.log

and create the file /var/log/phpmail.log
Then I restart the system.
Nothing is written to the file.

Any suggestions ?

Arnis

4

Re: SPAM problem

Please read my first reply.

5

Re: SPAM problem

ZhangHuangbin wrote:

Try this:

*) Download script "find_top_sasl_usernames.sh" shipped in iRedMail:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

*) Run it:

bash find_top_sasl_usernames.sh

It will show you the top accounts which performed the most SMTP authentications. It's very possible that their passwords were cracked and used to send spam.

I ran the command. Max SMTP authentications = 13. I think it's normal.
This user, user@mydomain.xx, doesn't show in the SMTP list.
All spam is coming from user@mydomain.xx (I have replaced the password and deleted the user). When I create a new user with the old name, it starts spamming again.

6

Re: SPAM problem

Try to run "find_top_sasl_usernames.sh" with the previous Postfix log file. For example, if the old log file is /var/log/mail.log.1, run:

bash find_top_sasl_usernames.sh /var/log/mail.log.1

Check the top SMTP-authenticated accounts.

Also, what's the log in /var/log/iredapd/iredapd.log related to user "user@mydomain.xx"? Show us a few lines.

7

Re: SPAM problem

ZhangHuangbin wrote:

Try to run "find_top_sasl_usernames.sh" with the previous Postfix log file. For example, if the old log file is /var/log/mail.log.1, run:

bash find_top_sasl_usernames.sh /var/log/mail.log.1

Check the top SMTP-authenticated accounts.

Also, what's the log in /var/log/iredapd/iredapd.log related to user "user@mydomain.xx"? Show us a few lines.


/var/log/iredapd/iredapd.log for user@mydomain.xx
2018-02-12 20:07:13 INFO [186.250.115.37] RCPT, user@mydomain.xx -> unmitigated@stny.rr.com, OK wblist=(1, 987, 'W') [0.0030s]
2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [138.219.67.116] RCPT, user@mydomain.xx -> ralinag@live.com, OK wblist=(1, 987, 'W') [0.0589s]
2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [201.62.66.157] RCPT, user@mydomain.xx -> casanovanguyen@yahoo.com, OK wblist=(1, 987, 'W') [0.0074s]
2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [189.90.100.223] RCPT, user@mydomain.xx -> omggitsfyrare@aol.com, OK wblist=(1, 987, 'W') [0.0053s]
2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [37.236.186.52] RCPT, user@mydomain.xx -> imoore@netcomuk.co.uk, OK wblist=(1, 987, 'W') [0.0611s]


I checked the previous Postfix log file with the command bash find_top_sasl_usernames.sh /var/log/mail.log.1
user@mydomain.xx shows once in the SMTP list.
I checked other days when SPAM happened and user@mydomain.xx doesn't show in the SMTP list.

Any suggestions ?

Arnis

8

Re: SPAM problem

platpirs wrote:

2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [37.236.186.52] RCPT, user@mydomain.xx -> imoore@netcomuk.co.uk, OK wblist=(1, 987, 'W') [0.0611s]

This sender is whitelisted; it seems to be caused by this whitelist.

Questions:

*) Which version of iRedAPD are you running? You can check with command "ls -l /opt".
*) Could you please add the line below __ABOVE__ all lines in file /opt/iredapd/plugins/amavisd_wblist.py, then restart the iredapd service and check this issue again?

SMTP_PROTOCOL_STATE = ['END-OF-MESSAGE']

It's better to turn on debug mode in iRedAPD to get a more detailed log for troubleshooting. FYI:
https://docs.iredmail.org/debug.iredapd.html

9

Re: SPAM problem

Answers:

1) iRedAPD-2.1
2) I added the line SMTP_PROTOCOL_STATE = ['END-OF-MESSAGE'] to /opt/iredAPD-2.1/plugins/amavisd_wblist.py, then restarted the iRedAPD service.

root@mail:/home/arnis# ls -l /opt
total 28
dr-xr-xr-x 5 iredapd iredapd 4096 Mar 31  2015 iRedAPD-1.4.3
dr-xr-xr-x 6 iredapd iredapd 4096 Apr  7  2015 iRedAPD-1.4.4
dr-xr-xr-x 6 iredapd iredapd 4096 Sep 21  2015 iRedAPD-1.6.0
dr-x------ 7 root    root    4096 May  7  2016 iRedAPD-1.8.0
dr-x------ 7 root    root    4096 Mar 12  2017 iRedAPD-1.9.1
dr-x------ 8 root    root    4096 Jul 16  2017 iRedAPD-2.0
dr-x------ 9 root    root    4096 Feb 22 13:01 iRedAPD-2.1
lrwxrwxrwx 1 root    root      11 Sep 30 11:21 iredapd -> iRedAPD-2.1

3) I turned on "Debug mode".
4) Now I see this in /var/log/iredapd:

2018-02-25 00:33:37 DEBUG smtp session: request=smtpd_access_policy
2018-02-25 00:33:37 DEBUG smtp session: protocol_state=RCPT
2018-02-25 00:33:37 DEBUG smtp session: protocol_name=ESMTP
2018-02-25 00:33:37 DEBUG smtp session: client_address=200.63.116.140
2018-02-25 00:33:37 DEBUG smtp session: client_name=unknown
2018-02-25 00:33:37 DEBUG smtp session: reverse_client_name=host-116-140.norfe.net.ar
2018-02-25 00:33:37 DEBUG smtp session: helo_name=[127.0.0.1]
2018-02-25 00:33:37 DEBUG smtp session: sender=user@mydomain.xx
2018-02-25 00:33:37 DEBUG smtp session: recipient=manic8@manic8.karoo.co.uk
2018-02-25 00:33:37 DEBUG smtp session: recipient_count=0
2018-02-25 00:33:37 DEBUG smtp session: queue_id=
2018-02-25 00:33:37 DEBUG smtp session: instance=5f25.5a91da30.2c0f0.0
2018-02-25 00:33:37 DEBUG smtp session: size=0
2018-02-25 00:33:37 DEBUG smtp session: etrn_domain=
2018-02-25 00:33:37 DEBUG smtp session: stress=
2018-02-25 00:33:37 DEBUG smtp session: sasl_method=
2018-02-25 00:33:37 DEBUG smtp session: sasl_username=
2018-02-25 00:33:37 DEBUG smtp session: sasl_sender=
2018-02-25 00:33:37 DEBUG smtp session: ccert_subject=
2018-02-25 00:33:37 DEBUG smtp session: ccert_issuer=
2018-02-25 00:33:37 DEBUG smtp session: ccert_fingerprint=
2018-02-25 00:33:37 DEBUG smtp session: ccert_pubkey_fingerprint=
2018-02-25 00:33:37 DEBUG smtp session: encryption_protocol=
2018-02-25 00:33:37 DEBUG smtp session: encryption_cipher=
2018-02-25 00:33:37 DEBUG smtp session: encryption_keysize=0
2018-02-25 00:33:37 DEBUG LDAP connection initialied success.
2018-02-25 00:33:37 DEBUG LDAP bind success.
2018-02-25 00:33:37 DEBUG --> Apply plugin: reject_null_sender
2018-02-25 00:33:37 DEBUG <-- Result: DUNNO
2018-02-25 00:33:37 DEBUG [+] Getting LDIF data of account: manic8@manic8.karoo.co.uk
2018-02-25 00:33:37 DEBUG search base dn: o=domains,dc=mydomain,dc=xx
2018-02-25 00:33:37 DEBUG search scope: SUBTREE
2018-02-25 00:33:37 DEBUG search filter: (&(!(domainStatus=disabled))(|(mail=manic8@manic8.karoo.co.uk)(shadowAddress=manic8@manic8.karoo.co.uk))(|(objectClass=mailUser)(objec$
2018-02-25 00:33:37 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy']
2018-02-25 00:33:37 DEBUG No such account.
2018-02-25 00:33:37 DEBUG --> Apply plugin: ldap_maillist_access_policy
2018-02-25 00:33:37 DEBUG <-- Result: DUNNO (Recipient is not a local account - no LDIF data)
2018-02-25 00:33:37 DEBUG [+] Getting LDIF data of account:
2018-02-25 00:33:37 DEBUG search base dn: o=domains,dc=mydomain,dc=xx
2018-02-25 00:33:37 DEBUG search scope: SUBTREE
2018-02-25 00:33:37 DEBUG search filter: (&(!(domainStatus=disabled))(|(mail=)(shadowAddress=))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2018-02-25 00:33:37 DEBUG search attributes: ['objectClass', 'shadowLastChange']
2018-02-25 00:33:37 DEBUG No such account.
2018-02-25 00:33:37 DEBUG --> Apply plugin: ldap_force_change_password
2018-02-25 00:33:37 DEBUG <-- Result: DUNNO Not an authenticated user (no sasl_username in smtp session)
2018-02-25 00:33:37 DEBUG Session ended.
2018-02-25 00:33:37 INFO [200.63.116.140] RCPT, user@mydomain.xx -> manic8@manic8.karoo.co.uk, DUNNO [0.0021s]
2018-02-25 00:33:37 DEBUG Close LDAP connection.

5) SPAM flow has stopped.
6) Do I have to do something more to avoid similar cases in the future?

Arnis


ZhangHuangbin wrote:
platpirs wrote:

2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [37.236.186.52] RCPT, user@mydomain.xx -> imoore@netcomuk.co.uk, OK wblist=(1, 987, 'W') [0.0611s]

This sender is whitelisted; it seems to be caused by this whitelist.

Questions:

*) Which version of iRedAPD are you running? You can check with command "ls -l /opt".
*) Could you please add the line below __ABOVE__ all lines in file /opt/iredapd/plugins/amavisd_wblist.py, then restart the iredapd service and check this issue again?

SMTP_PROTOCOL_STATE = ['END-OF-MESSAGE']

It's better to turn on debug mode in iRedAPD to get a more detailed log for troubleshooting. FYI:
https://docs.iredmail.org/debug.iredapd.html
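As an added example (not part of this thread and not iRedMail/iRedAPD code), a small Python checker that reads the iRedAPD INFO lines quoted above and flags the pattern behind this case: a local sender address accepted at RCPT from untrusted client IPs because of a whitelist entry, and the same local sender appearing from many distinct external IPs. The local-domain set and trusted networks are assumptions; the sample lines are taken from the thread plus one constructed benign line.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"mydomain.xx"}                        # assumption: domains hosted here
TRUSTED_NETS = [ip_network("127.0.0.0/8"),             # assumption: localhost/webmail
                ip_network("192.0.2.0/24")]            # assumption: office LAN

# Sample input: four lines from the thread plus one constructed benign submission.
SAMPLE_LOG = """\
2018-02-12 20:07:13 INFO [186.250.115.37] RCPT, user@mydomain.xx -> unmitigated@stny.rr.com, OK wblist=(1, 987, 'W') [0.0030s]
2018-02-12 20:07:14 INFO Whitelisted: wblist=(1, 987, 'W')
2018-02-12 20:07:14 INFO [138.219.67.116] RCPT, user@mydomain.xx -> ralinag@live.com, OK wblist=(1, 987, 'W') [0.0589s]
2018-02-12 20:07:14 INFO [201.62.66.157] RCPT, user@mydomain.xx -> casanovanguyen@yahoo.com, OK wblist=(1, 987, 'W') [0.0074s]
2018-02-25 00:33:37 INFO [200.63.116.140] RCPT, user@mydomain.xx -> manic8@manic8.karoo.co.uk, DUNNO [0.0021s]
2018-02-25 09:10:00 INFO [192.0.2.10] RCPT, alice@mydomain.xx -> bob@example.org, DUNNO [0.0011s]
"""

# Per-recipient line iRedAPD writes at RCPT state: [client_ip] RCPT, sender -> rcpt, ACTION [wblist=(...)]
RCPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[(?P<ip>[\d.]+)\] RCPT, (?P<sender>\S+) -> (?P<rcpt>\S+), "
    r"(?P<action>\w+)(?: wblist=\((?P<wblist>[^)]*)\))?"
)

def parse_rcpt_lines(text):
    """Yield one dict per RCPT-state INFO line; other lines are ignored."""
    for line in text.splitlines():
        m = RCPT_RE.match(line)
        if m:
            yield m.groupdict()

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def is_local_sender(addr):
    return addr.rpartition("@")[2] in LOCAL_DOMAINS

def find_spoofed_whitelist_hits(text):
    """Local sender, untrusted client, accepted (OK) solely because a wblist entry matched."""
    return [r for r in parse_rcpt_lines(text)
            if is_local_sender(r["sender"]) and not is_trusted(r["ip"])
            and r["action"] == "OK" and r["wblist"]]

def senders_by_external_ip_count(text, threshold=3):
    """Local senders seen from at least `threshold` distinct untrusted client IPs (botnet signature)."""
    ips = defaultdict(set)
    for r in parse_rcpt_lines(text):
        if is_local_sender(r["sender"]) and not is_trusted(r["ip"]):
            ips[r["sender"]].add(r["ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) >= threshold}
```

Run it over the real /var/log/iredapd/iredapd.log instead of SAMPLE_LOG to list which whitelist entries let unauthenticated traffic through before the plugin change.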

10

Re: SPAM problem

platpirs wrote:

5) SPAM flow is stoped.

Great. This is more like an issue with the iRedAPD plugin.