1

Topic: Spam from blacklisted sender not rejected

======== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL/MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Amazon SES has become a big source of spam, and they do not respond to requests to shut down the spammers they host. So I blacklisted one of their spammers. I would have expected that email from a sender blacklisted in iRedAdmin-Pro would be rejected during the SMTP transaction. However, it seems that it's accepted and then quarantined. Why is that?

Here is an example:

from a9-244.smtp-out.amazonses.com (a9-244.smtp-out.amazonses.com [54.240.9.244]) by MY.SERVER.net (Postfix) with ESMTPS id BB824C5A3E1 for <SPAMMED_ADDRESS>; Wed, 20 Jun 2018 19:21:07 +0000 (UTC)

Attached are screenshots showing the spam quarantined in iRedAdmin-Pro, and the spammer in the blacklist.

Spam from a blacklisted sender should be rejected during the SMTP process. It should never get onto the server at all.



2

Re: Spam from blacklisted sender not rejected

I have to admit that this part is a little confusing in the mail server. :(

- iRedAPD will read the blacklists configured by iRedAdmin-Pro to reject blacklisted senders, including IP addresses, domain names and other policy sender addresses (like '@.' for catch-all, '@domain.com' for an entire domain, '@.domain.com' for an entire domain and all its sub-domains), etc. The problem is, iRedAPD is a Postfix policy server: it gets some info piped from Postfix during the SMTP session, but it doesn't get the mail message. That means, if the sending server uses the address 'abc@xyz.com' as the sender address during the SMTP session, but the mail message uses 'From: someone@gmail.com' as the sender address, iRedAPD gets only 'abc@xyz.com'. This is limited by how Postfix policy servers work. To get the entire mail message, we need a Postfix milter program instead, but unfortunately iRedAPD is not a milter program.

- Amavisd reads the blacklists configured by iRedAdmin-Pro for content-based spam scanning. As the second screenshot shows, this email was considered BLACKLISTED (check the mail header 'X-Spam-Status:'), so it's quarantined by Amavisd.
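To make the policy-server limitation concrete, here is an added example (not iRedAPD's or iRedMail's own code) that parses a Postfix policy delegation request and matches the envelope sender against the policy-address forms listed above; the blacklist entries, the key ordering and the sample request are constructed assumptions, and the point is that no 'From:' header is ever present in what a policy server receives.

```python
"""Added example (not iRedAPD's own code): what a Postfix policy server
sees, and what it cannot. Blacklist, key ordering and the sample request
below are constructed assumptions for this demonstration."""
BLACKLIST = {"@.spammy-example.com", "bad.actor@other-example.net"}

def parse_policy_request(raw: str) -> dict:
    """One Postfix policy delegation request: 'name=value' lines ended by
    an empty line. Only SMTP-session data is present; message headers
    such as 'From:' never appear here."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def sender_policy_keys(sender: str) -> list:
    """Expand an envelope sender into the policy addresses the thread lists:
    full address, '@domain', '@.domain' for the domain and each parent
    domain, then '@.' (catch-all)."""
    sender = sender.lower()
    if "@" not in sender:
        return ["@."]
    domain = sender.rsplit("@", 1)[1]
    keys = [sender, "@" + domain]
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # mail.example.com, example.com
        keys.append("@." + ".".join(labels[i:]))
    keys.append("@.")
    return keys

def policy_action(raw_request: str, blacklist=BLACKLIST) -> str:
    """Return the Postfix policy action for one request."""
    attrs = parse_policy_request(raw_request)
    # attrs.get("From") is always None: the message is not handed to a
    # policy server, so a forged 'From:' header cannot be checked here.
    for key in sender_policy_keys(attrs.get("sender", "")):
        if key in blacklist:
            return "REJECT"
    return "DUNNO"

# Constructed request, modelled on the SMTP session quoted in the thread
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=0100016abc@mail.spammy-example.com\n"
    "recipient=user@my.server.example\n\n"
)
```

A real deployment would answer `action=REJECT` over the policy socket; here the decision is returned so it can be checked directly.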

3

Re: Spam from blacklisted sender not rejected

ZhangHuangbin wrote:

I have to admit that this part is a little confusing in the mail server. :(

To get the entire mail message, we need a Postfix milter program instead, but unfortunately iRedAPD is not a milter program.

Sorry to hijack this thread, but this could be a vote to take a look at RSPAMD as an option over amavisd+spamassassin. RSPAMD is hooked to Postfix via the filter function.

Again my apologies.
-Ron

4

Re: Spam from blacklisted sender not rejected

ZhangHuangbin wrote:

I have to admit that this part is a little confusing in the mail server. :(

- iRedAPD will read the blacklists configured by iRedAdmin-Pro to reject blacklisted senders, including IP addresses, domain names and other policy sender addresses (like '@.' for catch-all, '@domain.com' for an entire domain, '@.domain.com' for an entire domain and all its sub-domains), etc. The problem is, iRedAPD is a Postfix policy server: it gets some info piped from Postfix during the SMTP session, but it doesn't get the mail message. That means, if the sending server uses the address 'abc@xyz.com' as the sender address during the SMTP session, but the mail message uses 'From: someone@gmail.com' as the sender address, iRedAPD gets only 'abc@xyz.com'. This is limited by how Postfix policy servers work. To get the entire mail message, we need a Postfix milter program instead, but unfortunately iRedAPD is not a milter program.

- Amavisd reads the blacklists configured by iRedAdmin-Pro for content-based spam scanning. As the second screenshot shows, this email was considered BLACKLISTED (check the mail header 'X-Spam-Status:'), so it's quarantined by Amavisd.

OK, I understand your explanation and I did see that the message was classified as spam. I would be in favour of more immediate feedback to the spammer -- milter-like behaviour -- in the future to reject these spammers (from Amazon SES and other spam operations) during the SMTP transaction. Something like what @rrosson seems to be suggesting.

Frankly, I'd like to just block @.amazonses.com, but they shield their spammers by also hosting a lot of legitimate mailers, such that they can claim only a small percentage of their users are spammers. However, a small percentage of trillions is still a significant spam load they unload on the Internet. I really think that Spamhaus should put them in their ROKSO (Register of Known Spam Operations).

5

Re: Spam from blacklisted sender not rejected

One more thing I forgot to ask: What happens to spam in the quarantine? Is it silently deleted after a time, or bounced? I assume the former, meaning the spammer gets no feedback and assumes the address he's spamming is still good and the recipient wants his spam. :(

6

Re: Spam from blacklisted sender not rejected

craig wrote:

What happens to spam in the quarantine? Is it silently deleted after a time, or bounced?

Deleted.
iRedMail has a daily cron job that runs "tools/cleanup_amavisd_db.py" (under the iRedAdmin-Pro directory); it will remove them. The default is to keep them for 7 days; it's tunable in the iRedAdmin-Pro config file:

AMAVISD_REMOVE_QUARANTINED_IN_DAYS = 7

7

Re: Spam from blacklisted sender not rejected

Thanks.