1

Topic: Spam mail bot being filtered

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

0.9.9 MYSQL edition
Nginx
iRedAdmin-Pro management

We are having tons of email relaying from external IPs (with an internal account).

---Log--
Nov  6 16:27:36 nowi amavis[16132]: (16132-07) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [external_ip]:64332 [external_ip] <user@ourdomain.com> -> <moonierwoods66@yahoo.com>, Queue-ID: F3E6D1E20126, mail_id: 1TiMft5PIGzu, Hits: -, size: 308716, queued_as: 878021E2023A, dkim_new=dkim:ourdomain.com, 176 ms
Nov  6 16:27:37 nowi postfix/submission/smtpd[6980]: 055C01E20126: client=unknown[78.188.101.83], sasl_method=PLAIN, sasl_username=user@ourdomain.com
Nov  6 16:27:38 nowi amavis[16711]: (16711-01) Passed CLEAN {RelayedInbound}, [external_ip]:59499 [external_ip] <> -> <user@ourdomain.com>, Queue-ID: DF05F1E20243, Message-ID: <E1iSQxi-0007Lq-7d@vps40713.inmotionhosting.com>, mail_id: 3Z9TiUmT-AFY, Hits: -, size: 4978, queued_as: 26A111E20295, 80 ms
Nov  6 16:27:38 nowi postfix/amavis/smtp[16695]: DF05F1E20243: to=<user@ourdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.68, delays=0.59/0/0/0.08, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 26A111E20295)

Amavis says PASSED CLEAN and it's not!
It also says ORIGINATING LOCAL, and our internal IP range is 192.168.0.0/16.
We've put the originating external IP in the blacklist and nothing happens.

Please Help.
We are getting listed on several DNSBL block lists because of this massive mailing.

2

Re: Spam mail bot being filtered

rabrahan wrote:

Amavis says PASSED CLEAN and it's not!

There's no 100% spam catching guarantee.

Try to run the script /root/iRedMail-0.9.9/tools/find_top_sasl_usernames.sh (or download the latest iRedMail-0.9.9 and copy it from the downloaded package); it will show you which users performed a lot of SMTP authentication. The top one or few might be hacked and used to send spam. You need to reset the password and remove the queued spam.

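The kind of check described in the reply above, as an added example that is not part of the thread and is not iRedMail's own find_top_sasl_usernames.sh: it counts SASL logins per account from Postfix smtpd log lines and also counts the distinct client IPs each account logged in from. The function names, the distinct-IP threshold and the sample log lines (documentation addresses, example.com) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: not iRedMail's find_top_sasl_usernames.sh.

# sasl_summary LOGFILE
# Prints "<auth_count> <distinct_client_ips> <sasl_username>", busiest first.
sasl_summary() {
    awk '
    /sasl_username=/ && /client=/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sasl_username=/) {
                user = substr($i, 15)          # text after "sasl_username="
                sub(/,$/, "", user)
            } else if ($i ~ /^client=/) {      # client=hostname[ip],
                s = index($i, "["); e = index($i, "]")
                if (s > 0 && e > s) ip = substr($i, s + 1, e - s - 1)
            }
        }
        if (user == "") next
        count[user]++
        if (ip != "" && !((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in count) printf "%d %d %s\n", count[u], ips[u], u }
    ' "$1" | sort -k1,1nr -k3,3
}

# suspect_accounts LOGFILE MAX_IPS
# Hypothetical threshold: usernames that logged in from more than MAX_IPS addresses.
suspect_accounts() {
    sasl_summary "$1" | awk -v max="$2" '$2 > max { print $3 }'
}

# Constructed sample log lines in Postfix smtpd format (not taken from the thread).
write_sample_log() {
    cat > "$1" <<'EOF'
Nov  6 16:27:37 mx postfix/submission/smtpd[6980]: 055C01E20126: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=user@example.com
Nov  6 16:27:39 mx postfix/submission/smtpd[6981]: 055C01E20127: client=unknown[203.0.113.11], sasl_method=PLAIN, sasl_username=user@example.com
Nov  6 16:27:41 mx postfix/submission/smtpd[6982]: 055C01E20128: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=user@example.com
Nov  6 16:27:45 mx postfix/submission/smtpd[6983]: 055C01E20129: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=user@example.com
Nov  6 16:30:02 mx postfix/submission/smtpd[6990]: 155C01E20130: client=office.example.com[192.0.2.20], sasl_method=LOGIN, sasl_username=alice@example.com
Nov  6 16:31:02 mx postfix/submission/smtpd[6991]: 155C01E20131: client=office.example.com[192.0.2.20], sasl_method=LOGIN, sasl_username=alice@example.com
Nov  6 16:31:05 mx postfix/smtpd[6992]: connect from unknown[203.0.113.10]
EOF
}

log=$(mktemp)
write_sample_log "$log"
sasl_summary "$log"
rm -f "$log"
```

An account that authenticates from many unrelated addresses in a short window is a stronger sign of stolen credentials than a high login count alone, which a busy legitimate mail client can also produce.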

3

Re: Spam mail bot being filtered

Thanks for your reply!