1

Topic: Fake Emails

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 professional
- Linux/BSD distribution name and version: CentOS Linux 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I logged into https://emkei.cz/
and sent an email from alshrouq@emirates.net.ae to testnew@al-babtain.com.sa

How can I block fake emails from being received?

Return-Path: <alshrouq@emirates.net.ae>
Delivered-To: testnew@al-babtain.com.sa
Received: from alb-mail.al-babtain.com.sa (alb-mail.al-babtain.com.sa [127.0.0.1])
    by alb-mail.al-babtain.com.sa (Postfix) with ESMTP id A7BB537B13
    for <testnew@al-babtain.com.sa>; Sun, 11 Mar 2018 13:44:00 +0300 (AST)
X-Virus-Scanned: amavisd-new at alb-mail.al-babtain.com.sa
Received: from alb-mail.al-babtain.com.sa ([127.0.0.1])
    by alb-mail.al-babtain.com.sa (alb-mail.al-babtain.com.sa [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id l88WBkm2SZLL for <testnew@al-babtain.com.sa>;
    Sun, 11 Mar 2018 13:43:57 +0300 (AST)
Received: from gate.forward.smtp.ord1c.emailsrvr.com (gate.forward.smtp.ord1c.emailsrvr.com [108.166.43.128])
    by alb-mail.al-babtain.com.sa (Postfix) with ESMTPS id 210A86C1CD9
    for <testnew@al-babtain.com.sa>; Sun, 11 Mar 2018 13:43:56 +0300 (AST)
X-Spam-Threshold: 95
X-Virus-Scanned: OK
X-Orig-To: testnew@al-babtain.com.sa
X-Originating-Ip: [46.167.245.205]
Authentication-Results: smtp45.gate.ord1c.rsapps.net; iprev=pass policy.iprev="46.167.245.205"; spf=fail smtp.mailfrom="alshrouq@emirates.net.ae" smtp.helo="emkei.cz"; dkim=none (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=emirates.net.ae
X-Classification-ID: 165eae82-2519-11e8-807c-b8ca3a63fa34-1-1
Received: from [46.167.245.205] ([46.167.245.205:35806] helo=emkei.cz)
    by smtp45.gate.ord1c.rsapps.net (envelope-from <alshrouq@emirates.net.ae>)
    (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
    id 23/84-17016-96805AA5; Sun, 11 Mar 2018 06:43:55 -0400
Received: by emkei.cz (Postfix, from userid 33)
    id DB146D585C; Sun, 11 Mar 2018 11:43:18 +0100 (CET)
To: testnew@al-babtain.com.sa
Subject: test to IR
From: "alshrouq" <alshrouq@emirates.net.ae>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: alshrouq@emirates.net.ae
Reply-To: alshrouq@emirates.net.ae
Content-Type: text/plain; charset=utf-8
Message-Id: <20180311104349.DB146D585C@emkei.cz>
Date: Sun, 11 Mar 2018 11:43:18 +0100 (CET)
X-Suspicious-Flag: NO
X-Cyberoam-smtpxy-version: 1.0.6.3
X-Cyberoam-AV-Policy: Default Rule
X-Cyberoam-AV-Policy: Tes
X-CTCH-PVer:  0000001
X-CTCH-Spam:  Unknown
X-CTCH-VOD:  Unknown
X-CTCH-Flags:  0
X-CTCH-RefID:  str=0001.0A0C0204.5AA5086D.014C,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-Score:  0.000
X-CTCH-ScoreCust:  0.000
X-CTCH-Rules:


2

Re: Fake Emails

*) What do you mean "fake" here?
*) Which domain is your domain and which one is the fake one?

If you can describe your question more clearly, it will be easier for me to understand what you're asking for, and it will definitely save me a lot of time guessing.

3

Re: Fake Emails

There is a website - https://emkei.cz/ - a "Free online fake mailer with attachments, encryption,
HTML editor and advanced settings…"
where anyone can send an email from any email address to our mail,
e.g. - the From address - alshrouq@emirates.net.ae
       To address - testnew@al-babtain.com.sa
I have received the mail on testnew@al-babtain.com.sa.
What is the way to keep such emails from being received?
Hope this is a little clearer.
Thanks
Shareef

4

Re: Fake Emails

try this:

local.cf
#for " From name containing a spoofed email address "
header         __F_DM1 eval:from_domains_mismatch()
header         __F_DM2 From:addr =~/\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
meta            F_DM ( __F_DM1 && ! __F_DM2 )
describe       F_DM From:name domain mismatches From:addr domain
priority         F_DM -1
score            F_DM 6.0
#score          F_DM 5.0

and  FYI: https://github.com/fmbla/spamassassin-fromnamespoof

5

Re: Fake Emails

I'm having the same situation. I want to block all fake emails that come from emkei.cz. It is a free web-based fake e-mailer with which you can spoof any domain name.

When someone sends an email from that website as, let's say, zhang@iredmail.org, it will be delivered to my domain.

All I'm asking is to block this emkei.cz sender.

Regards
Tehseen

6

Re: Fake Emails

Try this:

cd /opt/iredapd/tools/
python wblist_admin.py --add --blacklist '@.emkei.cz'

It will block all emails which have sender address '@emkei.cz' or any sub-domains.
You can also query DNS record to get its IP addresses, and block them like below:

python wblist_admin.py --add --blacklist 192.168.1.1 192.168.1.2

7

Re: Fake Emails

@ZhangHuangbin thank you for your prompt response.

I ran the above cmd as per your instruction and I got this message.

/usr/lib/python2.7/dist-packages/pymysql/cursors.py:158: Warning: '@@tx_isolation' is deprecated and will be removed in a future release. Please use '@@transaction_isolation' instead
  result = self._query(query)

Is it just a warning ?

Regards
Tehseen

8 (edited by tehseensagarpk 2018-04-28 03:12:31)

Re: Fake Emails

Apr 27 14:06:33 mail postfix/postscreen[20612]: CONNECT from [46.167.245.205]:49178 to [103.31.82.29]:25
Apr 27 14:06:33 mail postfix/postscreen[20612]: PASS OLD [46.167.245.205]:49178
Apr 27 14:06:34 mail postfix/smtpd[20615]: connect from emkei.cz[46.167.245.205]
Apr 27 14:06:34 mail postfix/smtpd[20615]: Anonymous TLS connection established from emkei.cz[46.167.245.205]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 27 14:06:36 mail postfix/smtpd[20615]: 81D7B24458: client=emkei.cz[46.167.245.205]
Apr 27 14:06:36 mail postfix/cleanup[20632]: 81D7B24458: message-id=<20180427180633.2C50BD5EF1@emkei.cz>
Apr 27 14:06:36 mail postfix/qmgr[20469]: 81D7B24458: from=<ras@xxxx.edu>, size=596, nrcpt=1 (queue active)
Apr 27 14:06:36 mail postfix/smtpd[20615]: disconnect from emkei.cz[46.167.245.205] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 27 14:06:36 mail postfix/10025/smtpd[20640]: connect from mail.xxxx.com[127.0.0.1]
Apr 27 14:06:36 mail postfix/10025/smtpd[20640]: E460A255CD: client=mail.xxxx.com[127.0.0.1]
Apr 27 14:06:36 mail postfix/cleanup[20632]: E460A255CD: message-id=<20180427180633.2C50BD5EF1@emkei.cz>
Apr 27 14:06:36 mail postfix/10025/smtpd[20640]: disconnect from mail.xxxx.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 27 14:06:36 mail postfix/qmgr[20469]: E460A255CD: from=<ras@xxxx.edu>, size=1062, nrcpt=1 (queue active)
Apr 27 14:06:36 mail amavis[20546]: (20546-01) Passed CLEAN {RelayedInbound}, [46.167.245.205]:49178 [46.167.245.205] <ras@xxxx.edu> -> <cs@xxxx.com>, Queue-ID: 81D7B24458, Message-ID: <20180427180633.2C50BD5EF1@emkei.cz>, mail_id: 785MkRPkkb5A, Hits: -, size: 596, queued_as: E460A255CD, 216 ms
Apr 27 14:06:36 mail postfix/amavis/smtp[20637]: 81D7B24458: to=<cs@xxxx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=1.4/0.01/0.01/0.22, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E460A255CD)
Apr 27 14:06:36 mail postfix/qmgr[20469]: 81D7B24458: removed
Apr 27 14:06:37 mail postfix/pipe[20641]: E460A255CD: to=<cs@xxxx.com>, relay=dovecot, delay=0.45, delays=0.01/0.02/0/0.42, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 27 14:06:37 mail postfix/qmgr[20469]: E460A255CD: removed

Recipient: cs@xxxx.com  <== legitimate address on my mail server
Sender: ras@xxxx.edu <== spoofed using emkei's webmail

After applying the rule as you said in your last reply, it is not blocked? Above is the mail log.

postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailq_path = /usr/bin/mailq
message_size_limit = 15728640
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mail.xxxx.com
myhostname = mail.xxxx.com
mynetworks = 127.0.0.1
myorigin = mail.xxxx.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_unknown_sender_domain reject_unknown_recipient_domain reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_policy_service inet:127.0.0.1:7777
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000



Regards
Tehseen
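Reading the log in this post per queue ID: emkei.cz is the connecting client, while the envelope sender (`from=<...>`) is the spoofed address. The following is an added example, not code from the thread or from iRedAPD; it correlates those records and shows which kind of block rule would match. The function names and rule labels are hypothetical, and the sample lines are an excerpt of the log quoted above.

```python
import re
from collections import defaultdict

# Excerpt of the Postfix log lines quoted in the post above.
SAMPLE_LOG = """\
Apr 27 14:06:34 mail postfix/smtpd[20615]: connect from emkei.cz[46.167.245.205]
Apr 27 14:06:36 mail postfix/smtpd[20615]: 81D7B24458: client=emkei.cz[46.167.245.205]
Apr 27 14:06:36 mail postfix/qmgr[20469]: 81D7B24458: from=<ras@xxxx.edu>, size=596, nrcpt=1 (queue active)
Apr 27 14:06:36 mail postfix/10025/smtpd[20640]: E460A255CD: client=mail.xxxx.com[127.0.0.1]
Apr 27 14:06:36 mail postfix/qmgr[20469]: E460A255CD: from=<ras@xxxx.edu>, size=1062, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client per queue ID; qmgr logs the envelope sender.
CLIENT_RE = re.compile(
    r"postfix/(?:\d+/)?smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def correlate(log_text):
    """Join smtpd 'client=' and qmgr 'from=' records by queue ID."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, host, ip = m.groups()
            msgs[qid].update(client_host=host, client_ip=ip)
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m.group(1)]["sender"] = m.group(2)
    return dict(msgs)


def domain_matches(name, blocked):
    """True if name is the blocked domain itself or one of its subdomains."""
    name = name.lower().rstrip(".")
    blocked = blocked.lower()
    return name == blocked or name.endswith("." + blocked)


def evaluate(msg, blocked_domain, blocked_ips=()):
    """Report which hypothetical rule type would match this message."""
    sender_domain = msg.get("sender", "").rpartition("@")[2]
    return {
        "sender_domain_rule": domain_matches(sender_domain, blocked_domain),
        "client_host_rule": domain_matches(msg.get("client_host", ""), blocked_domain),
        "client_ip_rule": msg.get("client_ip") in blocked_ips,
    }


if __name__ == "__main__":
    for qid, msg in correlate(SAMPLE_LOG).items():
        print(qid, msg, evaluate(msg, "emkei.cz", {"46.167.245.205"}))
```

The second queue ID is the same message re-injected by amavisd from 127.0.0.1, so only the first record carries the real client. The client hostname in the log comes from reverse DNS, which is why the IP-based rule is the more stable of the two client checks.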

9

Re: Fake Emails

ZhangHuangbin wrote:

Try this:

cd /opt/iredapd/tools/
python wblist_admin.py --add --blacklist '@.emkei.cz'

It will block all emails which have sender address '@emkei.cz' or any sub-domains.
You can also query DNS record to get its IP addresses, and block them like below:

python wblist_admin.py --add --blacklist 192.168.1.1 192.168.1.2

This does not work out. I had to do it via Postfix directly.

Created a file in /etc/postfix/blacklist_clients

#Adding domain details in it

vi /etc/postfix/blacklist_clients

# exact domain
/^emkei\.cz$/        REJECT  black-listed
# everything in a domain
/emkei\.cz$/            REJECT black-listed

Save the file and run

postmap hash:blacklist_clients

Edit main.cf

Added the line below:
smtpd_recipient_restrictions =
    check_client_access regexp:/etc/postfix/blacklist_clients

Save and exit. Restarted ired services.

But I would like to do it via the script given by iRedMail. I don't know why it is not working at all.

Regards
Tehseen

10

Re: Fake Emails

tehseensagarpk wrote:

I ran the above cmd as per your instruction and I got this message.
/usr/lib/python2.7/dist-packages/pymysql/cursors.py:158: Warning: '@@tx_isolation' is deprecated and will be removed in a future release. Please use '@@transaction_isolation' instead
  result = self._query(query)
Is it just a warning ?

Please show me FULL output.

11 (edited by rain6966 2018-05-04 10:56:39)

Re: Fake Emails

rain6966 wrote:

local.cf
#for " From name containing a spoofed email address "
header         __F_DM1 eval:from_domains_mismatch()
header         __F_DM2 From:addr =~/\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
meta            F_DM ( __F_DM1 && ! __F_DM2 )
describe       F_DM From:name domain mismatches From:addr domain
priority         F_DM -1
score            F_DM 6.0
#score          F_DM 5.0

I am sorry, I had forgotten something; please see this FYI and try again:
https://lists.apache.org/thread.html/2b … che.org%3E 

This is my test log:
# bzcat /var/log/maillog-20180318.bz2 |grep -i6 'emkei'

Mar 14 13:39:01 mail postfix/postscreen[23843]: CONNECT from [46.167.245.205]:35108 to [10.10.10.10]:25
Mar 14 13:39:07 mail postfix/postscreen[23843]: PASS NEW [46.167.245.205]:35108
Mar 14 13:39:08 mail postfix/smtpd[23852]: connect from emkei.cz[46.167.245.205]
Mar 14 13:39:09 mail postfix/smtpd[23852]: Anonymous TLS connection established from emkei.cz[46.167.245.205]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Mar 14 13:39:12 mail postfix/cleanup[23865]: 3CE63C0000121: message-id=<20180314053912.3CE63C0000121@mail.Mydomain.com>
Mar 14 13:39:12 mail postfix/qmgr[13052]: 3CE63C0000121: from=<double-bounce@mail.Mydomain.com>, size=280, nrcpt=1 (queue active)
Mar 14 13:39:12 mail postfix/pipe[23867]: 3CE63C0000121: to=<test@Mydomain.com>, relay=dovecot, delay=0.08, delays=0.05/0.01/0/0.03, dsn=2.0.0, status=deliverable (delivers to command: /usr/libexec/dovecot/deliver)
Mar 14 13:39:12 mail postfix/qmgr[13052]: 3CE63C0000121: removed
Mar 14 13:39:18 mail policyd-spf[23870]: Pass; identity=helo; client-ip=46.167.245.205; helo=emkei.cz; envelope-from=aaa@gmail.com; receiver=test@Mydomain.com
Mar 14 13:39:18 mail policyd-spf[23870]: Softfail; identity=mailfrom; client-ip=46.167.245.205; helo=emkei.cz; envelope-from=aaa@gmail.com; receiver=test@Mydomain.com
Mar 14 13:39:18 mail postfix/smtpd[23852]: 5AAE7C0000121: client=emkei.cz[46.167.245.205]
Mar 14 13:39:18 mail postfix/cleanup[23865]: 5AAE7C0000121: message-id=<20180314053900.6FFCCD5A86@emkei.cz>
Mar 14 13:39:18 mail opendmarc[5962]: 5AAE7C0000121: SPF(mailfrom): aaa@gmail.com fail
Mar 14 13:39:18 mail opendmarc[5962]: 5AAE7C0000121: gmail.com fail
Mar 14 13:39:18 mail postfix/qmgr[13052]: 5AAE7C0000121: from=<aaa@gmail.com>, size=856, nrcpt=2 (queue active)
Mar 14 13:39:19 mail postfix/smtpd[23852]: disconnect from emkei.cz[46.167.245.205]
Mar 14 13:39:21 mail postfix/10025/smtpd[23882]: connect from mail.Mydomain.com[127.0.0.1]
Mar 14 13:39:21 mail opendmarc[5962]: ignoring connection from mail.Mydomain.com
Mar 14 13:39:21 mail postfix/10025/smtpd[23882]: 9E7EBC000013E: client=mail.Mydomain.com[127.0.0.1]
Mar 14 13:39:21 mail postfix/cleanup[23865]: 9E7EBC000013E: message-id=<20180314053900.6FFCCD5A86@emkei.cz>
Mar 14 13:39:21 mail postfix/qmgr[13052]: 9E7EBC000013E: from=<aaa@gmail.com>, size=1528, nrcpt=1 (queue active)
Mar 14 13:39:21 mail postfix/10025/smtpd[23882]: disconnect from mail.Mydomain.com[127.0.0.1]
Mar 14 13:39:21 mail postfix/smtp-amavis/smtp[23873]: 5AAE7C0000121: to=<test@Mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=8.7/0.01/0/2.7, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=09705-02 - spam)
Mar 14 13:39:21 mail postfix/smtp-amavis/smtp[23872]: 5AAE7C0000121: to=<admin@Mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=8.7/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9E7EBC000013E)
Mar 14 13:39:21 mail postfix/qmgr[13052]: 5AAE7C0000121: removed
Mar 14 13:39:21 mail postfix/pipe[23867]: 9E7EBC000013E: to=<admin@Mydomain.com>, relay=dovecot, delay=0.15, delays=0.04/0/0/0.1, dsn=2.0.0, status=sent (delivered via dovecot service)

# cat /var/log/amavisd.log |grep -i3 'emkei'
Mar 14 13:39:19 mail.Mydomain.com /usr/sbin/amavisd[9705]: (09705-02) Checking: sM7yzJVDZ9iA [46.167.245.205] <aaa@gmail.com> -> <test@Mydomain.com>
Mar 14 13:39:19 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Checking: Be-WdexruIYN [46.167.245.205] <aaa@gmail.com> -> <admin@Mydomain.com>
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9705]: (09705-02) delivering to sql:, SEND via SQL (DBI:mysql:database=amavisd;host=127.0.0.1;port=3306): <aaa@gmail.com> -> <test@Mydomain.com>, mail_id sM7yzJVDZ9iA
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9705]: (09705-02) Blocked SPAM {DiscardedInbound,Quarantined}, [46.167.245.205]:35108 [46.167.245.205] ESMTP/ESMTP <aaa@gmail.com> -> <test@Mydomain.com>, (ESMTPS://[46.167.245.205]:35108), quarantine: sM7yzJVDZ9iA, Queue-ID: 5AAE7C0000121, Message-ID: <20180314053900.6FFCCD5A86@emkei.cz>, mail_id: sM7yzJVDZ9iA, b: aLMp2piT4, Hits: 10.12, size: 1082, Subject: "test fake", From: <aaa@gmail.com>, helo=emkei.cz, Tests: [DKIM_ADSP_CUSTOM_MED=0.001,FREEMAIL_FROM=0.001,FROMNAME_SPOOF=1,FROMNAME_SPOOF_FREEMAIL=2,F_DM=5,NML_ADSP_CUSTOM_MED=1.2,SPF_FAIL=0.919,SPF_HELO_PASS=-0.001], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=10.12, relaycountry=CZ, rss=244744, 2660 ms
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9705]: (09705-02) Blocked SPAM, <aaa@gmail.com> -> , Hits: 10.12, tag=-999, tag2=5, kill=6.9, L/Y/Y/Y
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Be-WdexruIYN FWD from <aaa@gmail.com> -> <admin@Mydomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9E7EBC000013E
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Passed SPAM {RelayedTaggedInbound}, [46.167.245.205]:35108 [46.167.245.205] ESMTP/ESMTP <aaa@gmail.com> -> <admin@Mydomain.com>, (ESMTPS://[46.167.245.205]:35108), Queue-ID: 5AAE7C0000121, Message-ID: <20180314053900.6FFCCD5A86@emkei.cz>, mail_id: Be-WdexruIYN, b: aLMp2piT4, Hits: 10.12, size: 1082, queued_as: 9E7EBC000013E, Subject: "test fake", From: <aaa@gmail.com>, helo=emkei.cz, Tests: [DKIM_ADSP_CUSTOM_MED=0.001,FREEMAIL_FROM=0.001,FROMNAME_SPOOF=1,FROMNAME_SPOOF_FREEMAIL=2,F_DM=5,NML_ADSP_CUSTOM_MED=1.2,SPF_FAIL=0.919,SPF_HELO_PASS=-0.001], shortcircuit=no, autolearn=no autolearn_force=no, autolearnscore=10.12, relaycountry=CZ, rss=241548, 2702 ms
Mar 14 13:39:21 mail.Mydomain.com /usr/sbin/amavisd[9714]: (09714-01) Passed SPAM, <aaa@gmail.com> -> <admin@Mydomain.com>, Hits: 10.12, tag=-999, tag2=5, kill=6.9, queued_as: 9E7EBC000013E, L/Y/Y/Y
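The amavisd lines in this post list every SpamAssassin test that fired together with the tag2 and kill levels. The following is an added example, not code from the thread; it recomputes the total from the `Tests:` list and shows where the message would land without the custom F_DM rule. The function names are hypothetical, the sample is shortened from the log quoted above, and comparing scores to levels with `>=` is an assumption.

```python
import re

# Shortened from the amavisd log lines quoted in the post above.
SAMPLE = (
    "Blocked SPAM {DiscardedInbound,Quarantined}, <aaa@gmail.com> -> "
    "<test@Mydomain.com>, Hits: 10.12, Tests: [DKIM_ADSP_CUSTOM_MED=0.001,"
    "FREEMAIL_FROM=0.001,FROMNAME_SPOOF=1,FROMNAME_SPOOF_FREEMAIL=2,F_DM=5,"
    "NML_ADSP_CUSTOM_MED=1.2,SPF_FAIL=0.919,SPF_HELO_PASS=-0.001], shortcircuit=no\n"
    "Blocked SPAM, <aaa@gmail.com> -> , Hits: 10.12, tag=-999, tag2=5, kill=6.9, L/Y/Y/Y"
)


def parse_tests(text):
    """Return {rule_name: score} from the 'Tests: [...]' field."""
    m = re.search(r"Tests: \[([^\]]*)\]", text)
    tests = {}
    if m:
        for item in m.group(1).split(","):
            name, _, score = item.strip().partition("=")
            if name:
                tests[name] = float(score or 0)  # tolerate a rule with no score
    return tests


def parse_levels(text):
    """Return the tag/tag2/kill thresholds logged by amavisd."""
    pairs = re.findall(r"\b(tag2?|kill)=(-?\d+(?:\.\d+)?)", text)
    return {name: float(value) for name, value in pairs}


def classify(score, levels):
    """Assumption: a level applies when the score is >= that level."""
    if score >= levels["kill"]:
        return "kill"
    if score >= levels["tag2"]:
        return "tag2"
    return "below tag2"


def what_if(text, drop):
    """Compare the logged total with the total if the rules in `drop` had not fired."""
    tests = parse_tests(text)
    levels = parse_levels(text)
    total = round(sum(tests.values()), 3)
    without = round(sum(v for k, v in tests.items() if k not in drop), 3)
    return {
        "total": total,
        "total_class": classify(total, levels),
        "without": without,
        "without_class": classify(without, levels),
    }


if __name__ == "__main__":
    print(what_if(SAMPLE, {"F_DM"}))
```

On this message SPF_FAIL contributes 0.919 of the 10.12 total, so the From-name rules carry most of the score; without F_DM the total is 5.12, above tag2=5 but below kill=6.9.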