Topic: Iredapd outbound limits bypassed

- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.


As you know, sometimes an email account is stolen and used to send spam, so we have set up a limit of 24 emails per day via iRedAPD and the throttle plugin. All works fine, but today we found a spammer that was able to bypass the limit and send more than 5000 emails in a few hours. Here are the logs:

From Postfix SMTP Auth:

Dec  6 02:14:59 smtp postfix/smtps/smtpd[26965]: 439HhM4mx1z4xGP: client=ec2-54-232-242-3.sa-east-1.compute.amazonaws.com[], sasl_method=LOGIN, sasl_username=serve@ammsegurancas35.net
Dec  6 02:15:00 smtp postfix/cleanup[9137]: 439HhM4mx1z4xGP: warning: header Subject: |-Central de Aviso.        PROTOCOLO: 03252358/9663-65 from ec2-54-232-242-3.sa-east-1.compute.amazonaws.com[]; from=<#central.bb.4873@ammsegurancas35.net> to=<adrianolfreitas@hotmail.com> proto=ESMTP helo=<WIN-QUJ6M3E7EJ1>
Dec  6 02:15:00 smtp postfix/cleanup[9137]: 439HhM4mx1z4xGP: message-id=<065420181214013086422E4B$359FD7304D@WINQUJMEEJ>
Dec  6 02:15:03 smtp opendkim[700]: 439HhM4mx1z4xGP: DKIM-Signature field added (s=qbm1812058745, d=ammsegurancas35.net)
Dec  6 02:15:03 smtp postfix/qmgr[5870]: 439HhM4mx1z4xGP: from=<#central.bb.4873@ammsegurancas35.net>, size=534647, nrcpt=1 (queue active)
Dec  6 02:15:06 smtp postfix/smtp[26978]: 439HhM4mx1z4xGP: to=<adrianolfreitas@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[]:25, delay=8.3, delays=5.3/0/0.71/2.3, dsn=2.6.0, status=sent (250 2.6.0 <065420181214013086422E4B$359FD7304D@WINQUJMEEJ> [InternalId=26959509736995, Hostname=BN3NAM01HT089.eop-nam01.prod.protection.outlook.com] 541638 bytes in 1.038, 509.165 KB/sec Queued mail for delivery -> 250 2.1.5)
Dec  6 02:15:06 smtp postfix/qmgr[5870]: 439HhM4mx1z4xGP: removed

From iRedAPD logs:

2018-12-06 02:14:59 INFO RCPT, serve@ammsegurancas35.net => #central.bb.4873@ammsegurancas35.net -> adrianolfreitas@hotmail.com, REJECT Quota exceeded (number of mails in total) [0.0036s]
2018-12-06 02:15:04 INFO END-OF-MESSAGE, serve@ammsegurancas35.net => #central.bb.4873@ammsegurancas35.net -> adrianolfreitas@hotmail.com, DUNNO [0.9702s]

iRedAPD understands that the limit for the account has been exceeded, but Postfix does not reject/deny the user.

How is this possible? Could it be because the spammers open an SMTP session and always use the same one to send all the emails?

Our iRedAPD version is 2.0.



Re: Iredapd outbound limits bypassed

Unfortunately, iRedAPD-2.0 has a bug: it doesn't treat an address beginning with '#' (e.g. '#user@domain.com') as a valid email address, so it's bypassed.

iRedAPD-2.1 (and later releases) fixed this issue, so please upgrade. :)

==== UPDATE ====

Here's a patch for iRedAPD-2.0 to fix it if you don't want to upgrade right now:
https://bitbucket.org/zhb/iredapd/commi … bdbb4f5b01


Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

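The bug class described in the reply, shown as an added, constructed example (this is not iRedAPD's source and does not reproduce its internals): a sender-address validator whose character class omits '#' (a character RFC 5322 permits in an unquoted local part) classifies a legal address as invalid, and a throttle policy that silently skips "invalid" senders then never counts that traffic, so the daily limit never fires. The corrected validator accepts the full atext set; the `fail_closed` switch shows the other defensive option of rejecting what the validator does not recognise instead of returning DUNNO. Names (`is_email_narrow`, `is_email_rfc5322`, `Throttle`, `simulate`) and the sample addresses are hypothetical.

```python
"""Constructed illustration of an address-validation gap in a per-user
outbound throttle.  Hypothetical code, not iRedAPD's implementation."""
import re
from collections import Counter

# Characters RFC 5322 allows in an unquoted local part ("atext" plus '.').
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]"

# Narrow pattern: leaves out '#', '!', '$' and others, so a legal address
# such as '#central.bb.4873@example.net' fails validation.
_NARROW = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Corrected pattern: accepts the full atext set in the local part.
_RFC5322 = re.compile(r"^" + _ATEXT + r"+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_email_narrow(addr: str) -> bool:
    """Buggy validator (constructed): rejects '#user@domain'."""
    return bool(_NARROW.match(addr))


def is_email_rfc5322(addr: str) -> bool:
    """Corrected validator (constructed): accepts all RFC 5322 atext."""
    return bool(_RFC5322.match(addr))


class Throttle:
    """Daily message counter keyed on the authenticated (SASL) user, with a
    hard limit.  The envelope sender is validated before counting, which is
    where a too-narrow validator turns into a policy bypass."""

    def __init__(self, limit: int, validator, fail_closed: bool):
        self.limit = limit
        self.validator = validator
        self.fail_closed = fail_closed
        self.counts = Counter()

    def check(self, sasl_username: str, sender: str) -> str:
        if not self.validator(sender):
            # Fail-open: return DUNNO and never count the message, so the
            # limit is never reached.  Fail-closed: reject it outright.
            if self.fail_closed:
                return "REJECT Invalid sender address"
            return "DUNNO"
        self.counts[sasl_username] += 1
        if self.counts[sasl_username] > self.limit:
            return "REJECT Quota exceeded (number of mails in total)"
        return "DUNNO"


def simulate(sasl_username: str, sender: str, messages: int, limit: int,
             validator, fail_closed: bool = False) -> Counter:
    """Run `messages` RCPT checks for one session and tally the actions."""
    t = Throttle(limit, validator, fail_closed)
    return Counter(t.check(sasl_username, sender) for _ in range(messages))


if __name__ == "__main__":
    # Constructed sample: authenticated user 'serve', '#'-prefixed sender,
    # 100 messages against a 24-per-day limit.
    user, sender = "serve@example.net", "#central.bb.4873@example.net"
    print("narrow validator, fail-open :",
          dict(simulate(user, sender, 100, 24, is_email_narrow)))
    print("RFC 5322 validator          :",
          dict(simulate(user, sender, 100, 24, is_email_rfc5322)))
    print("narrow validator, fail-closed:",
          dict(simulate(user, sender, 100, 24, is_email_narrow, True)))
```

With the narrow validator and fail-open handling every one of the 100 messages gets DUNNO, matching the symptom in the thread; with the corrected validator the first 24 pass and the remaining 76 are rejected for quota.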


Re: Iredapd outbound limits bypassed

Thanks Zhang,

In the meantime I have applied the patch; in the next few days I will update to iRedAPD-2.1.