1 (edited by Blisk 2018-09-09 17:47:22)

Topic: Please help me with this SPAM

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.97
- Linux/BSD distribution name and version: centos 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): apache
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Please help me with this SPAM. First I got one of these spam emails per day in my mailbox, and that has increased day after day, more and more. Now I get about 20 of the same emails in my box every day. I will go mad if this continues.
I have blocked the IP and host they send from, but it changes every day; I don't know anymore what to do.
So please help me with how to block this SPAM?

Post's attachments

2018-09-09 11_42_56-Drink (2 a day) to end obesity - Sporočilo (HTML).png 179.56 kb

2

Re: Please help me with this SPAM

Can you post message headers?

Are you using postscreen? https://docs.iredmail.org/enable.postscreen.html

Try blocking the entire subnet? I see a lot of these "botnets" that send 1 message per day from a different IP, but normally within the span of a few days they come from the same subnet.

Possibly use a more aggressive RBL. Increases chance of false positives, but higher chance of blocking 0-day spam.

Spam is like an amoeba, ever-changing and adapting. Each one can be different.

3

Re: Please help me with this SPAM

I have enabled postscreen.
This is the header of one mail.
Return-Path: <neighborhood.protection.kids.live.safe-damjan=myhost.com@alphistrobetos.com>
Delivered-To: damjan@myhost.com
Received: from myhost.com (myhost.com [127.0.0.1])
    by myhost.com (Postfix) with ESMTP id DA06B60910BCD
    for <damjan@myhost.com>; Mon, 10 Sep 2018 17:36:43 +0200 (CEST)
X-Virus-Scanned: amavisd-new at myhost.com
Authentication-Results: myhost.com (amavisd-new); dkim=fail (1024-bit key)
    reason="fail (body has been altered)" header.d=alphistrobetos.com;
    domainkeys=fail (1024-bit key)
    reason="fail (message has been altered)"
    header.from=neighborhood.protection.kids.live.safe@alphistrobetos.com
    header.d=alphistrobetos.com
Received: from myhost.com ([127.0.0.1])
    by myhost.com (myhost.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id OuDGJlBZH9FO for <damjan@myhost.com>;
    Mon, 10 Sep 2018 17:36:42 +0200 (CEST)
Received: from mail.alphistrobetos.com (142-4-21-124.unifiedlayer.com [142.4.21.124])
    by myhost.com (Postfix) with ESMTP id 41540608AB988
    for <damjan@myhost.com>; Mon, 10 Sep 2018 17:36:42 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=alphistrobetos.com;
h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; i=neighborhood.protection.kids.live.safe@alphistrobetos.com;
bh=ZK86W/b/V2UWA1b0SldR4oYOw2A=;
b=oRtq79GsTeBKqehsVficEXmEN/OhfoNiw2owtcv03kLKAIueONmlXLWkDpkHPmqsNcx8pFHleG6H
   Z1POjqWJy9PB8GyNLGrjClr0gwvl4OmzJrW8yoTxElGWOZy1kwM3JMWZIc4FT+17zALnQOb811+c
   4QvIwDm4rdOFoXT0FKU=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=alphistrobetos.com;
b=PnDPz1eSVkmcb9K/b9mVNhBkcNxTSewzNJDAk/3qs4klu6QTxFS+Xa9EtOOmQz0u3A4bcjiii+Nw
   lBxuuQ12hHVBLpSaXxRoXTTyzEAyKx8XhTJ+UlHM6+FlutUuSDNOo6s2cUvC8dbdz2FJDr1GFmrw
   0gj6W58LfqtWKu7AedQ=;
Received: by mail.alphistrobetos.com id hiq7ok0001g3 for <damjan@myhost.com>; Mon, 10 Sep 2018 11:33:46 -0400 (envelope-from <neighborhood.protection.kids.live.safe-damjan=myhost.com@alphistrobetos.com>)
Date: Mon, 10 Sep 2018 11:33:46 -0400
From: "Neighborhood Protection Kids Live Safe" <neighborhood.protection.kids.live.safe@alphistrobetos.com>
To:   <damjan@myhost.com>
Subject: Your area might contain active se xual predators
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_13_939847263.1536593611815"
List-Unsubscribe: <http://www.alphistrobetos.com/a7h5V23F8 … alpractice>
Message-ID: <0.0.0.1.1D4491BAA3493EE.9CFDC8@mail.alphistrobetos.com>
X-EsetId: 37303A293B5E7163637266

4 (edited by Blisk 2018-09-11 00:24:43)

Re: Please help me with this SPAM

And the second mail. I have changed my domain to myhost.com.

Received: from myhost.com (myhost.com [127.0.0.1])
    by myhost.com (Postfix) with ESMTP id E0FAF6091A64C
    for <damjan@myhost.com>; Sun,  9 Sep 2018 11:34:23 +0200 (CEST)
Received: from myhost.com ([127.0.0.1])
    by myhost.com (myhost.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id Hs2oxBEEzwZo for <damjan@myhost.com>;
    Sun,  9 Sep 2018 11:34:22 +0200 (CEST)
Received: from ovkho.host (unknown [93.188.205.156])
    by myhost.com (Postfix) with ESMTP id DEEAE6085BE74
    for <hajsekdamjan@myhost.com>; Sun,  9 Sep 2018 11:34:17 +0200 (CEST)
Return-Path: <rhs@ovkho.host>
From: " Allison Mann" <rhs@ovkho.host>
To: <hajsekdamjan@myhost.com>
Subject: Drink (2 a day) to end obesity
Date: Sun, 9 Sep 2018 11:30:42 +0200
Message-ID: <KJqTtYDCNHhgFdgYfhgkN5ycitOi8YYqoOy0UHpAoE4.ckHyYZ0vvDQKDcgBiJ6P11ttG-R5le27qfqVxjHcG0I@ovkho.host>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_00F8_01D44932.FDCAB620"
X-Mailer: Microsoft Outlook 15.0
X-Virus-Scanned: amavisd-new at myhost.com
X-EsetId: 37303A293B5E7163637362
X-Spam-Flag: NO
X-Spam-Score: 2.984
X-Spam-Level: **
X-Spam-Status: No, score=2.984 tagged_above=2 required=6.2
    tests=[FROMSPACE=0.001, HTML_MESSAGE=0.001, RDNS_NONE=1.274,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01,
    URIBL_BLACK=1.7] autolearn=no autolearn_force=no
Thread-Index: AQLgAwmh7rN1vMyV0nlFV4tAC3BK3g==

5

Re: Please help me with this SPAM

Just looking at those two emails, the second one is listed in b.barracudacentral.org RBL which is a default in vanilla iRedMail. You may want to check postscreen_dnsbl_sites in postfix main.cf to see which RBLs are configured.

The first mail is listed in dnsbl.sorbs.net and spam.dnsbl.sorbs.net, as far as I saw, but no others. SORBS are some very aggressive RBLs and using them might give you some false positives (or not, it just depends on the traffic at your mail server).

Some combination of adjusting your RBLs and blacklists in iredapd might give you some good results.
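The two replies above (post #2: read the headers, block the sending subnet, use RBLs; post #5: the relays are listed in b.barracudacentral.org and the SORBS zones) come down to one routine task: find the address that actually handed the message to your MX, and act on that address. The script below is an added example, not code from this thread or from iRedMail. It takes the second message's header block from this thread as a constructed sample, walks the Received chain from the top, skips the local Postfix/amavisd hops, and returns the first external relay. From that it builds the reversed-octet DNSBL lookup names for the RBL zones named in the thread (without performing any DNS query), writes the `postscreen_access_list` CIDR-table line that would reject the relay's whole /24, and counts relays per /24 so the "one IP per day, same subnet" pattern from post #2 shows up. Assumptions: `LOCAL_NETS` is loopback only (a real server adds its own MX address and trusted relays), and the third address in the relay list, 93.188.205.12, is invented to sit in the same /24 as a real one from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the header block of the second message in this thread,
# shortened to the lines this script needs (the folding is kept as it appeared).
SAMPLE_HEADERS = """\
Received: from myhost.com (myhost.com [127.0.0.1])
    by myhost.com (Postfix) with ESMTP id E0FAF6091A64C
    for <damjan@myhost.com>; Sun,  9 Sep 2018 11:34:23 +0200 (CEST)
Received: from myhost.com ([127.0.0.1])
    by myhost.com (myhost.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id Hs2oxBEEzwZo for <damjan@myhost.com>;
    Sun,  9 Sep 2018 11:34:22 +0200 (CEST)
Received: from ovkho.host (unknown [93.188.205.156])
    by myhost.com (Postfix) with ESMTP id DEEAE6085BE74
    for <hajsekdamjan@myhost.com>; Sun,  9 Sep 2018 11:34:17 +0200 (CEST)
Return-Path: <rhs@ovkho.host>
From: " Allison Mann" <rhs@ovkho.host>
Subject: Drink (2 a day) to end obesity

body not needed here
"""

# Networks that belong to our own mail infrastructure (assumption: loopback
# only; add the MX's public address and any trusted relays on a real server).
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8")]

# RBL zones named in this thread; the lookup name is built but never resolved.
RBL_ZONES = ["b.barracudacentral.org", "dnsbl.sorbs.net", "spam.dnsbl.sorbs.net"]

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 5322 continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]   # continuation of the previous field
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def first_external_relay(raw):
    """IP of the host that handed the message to our MX, or None.

    Received lines are prepended by each hop, so the topmost ones are our own
    Postfix/amavisd passes on 127.0.0.1. The first bracketed address outside
    LOCAL_NETS is the peer our server actually talked to; every Received line
    below it was written by the sender and can say anything.
    """
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        match = BRACKETED_IPV4.search(value)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in LOCAL_NETS):
            return ip
    return None


def dnsbl_query_name(ip, zone):
    """Reversed-octet name a DNSBL client would resolve for ip in zone."""
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def postscreen_cidr_entry(ip, prefix=24):
    """CIDR-table line rejecting the relay's whole /24 via postscreen_access_list."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return f"{net.with_prefixlen}\treject"


def group_by_subnet(ips, prefix=24):
    """Count relay addresses per /24 to spot 'one IP per day, same subnet'."""
    counts = Counter()
    for ip in ips:
        counts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return counts


if __name__ == "__main__":
    relay = first_external_relay(SAMPLE_HEADERS)
    print("external relay:", relay)
    for zone in RBL_ZONES:
        print("would query:", dnsbl_query_name(relay, zone))
    print("postscreen_access_list entry:", postscreen_cidr_entry(relay))
    # Constructed relay list: the two addresses from this thread plus an
    # invented neighbour (93.188.205.12) in the same /24 as the second one.
    seen = ["142.4.21.124", "93.188.205.156", "93.188.205.12"]
    for net, n in group_by_subnet(seen).most_common():
        print(f"{net}: {n} message(s)")
```

The point of starting from the top of the Received chain is that only the hop your own Postfix wrote is trustworthy; the headers below it, including the sender's own "Received: by mail.alphistrobetos.com" line, are under the sender's control. Feeding the extracted relay into a CIDR table referenced from `postscreen_access_list` is the manual version of the subnet block suggested in post #2, and the generated lookup names are what `postscreen_dnsbl_sites` resolves for you on every connection once the zones are configured in main.cf.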