1

Topic: Spam/Forged Emails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Downloadable Installer
- Linux/BSD distribution name and version: CentOS (centos-release-7-5.1804.el7.centos.2.x86_64)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

2019-11-07 14:33:36 INFO [191.252.198.6] Client has not been seen before, greylisted.
2019-11-07 14:33:37 INFO [191.252.198.6] RCPT, anderson.albuquerque@gmpromo.com.br -> k.ligon@seiko-it.com.ph, 451 4.7.1 Sorry, Server is busy, Pls. try again in a minute. [sasl_username=, sender=anderson.albuquerque@gmpromo.com.br, client_name=mail1986.hm1315.locaweb.com.br, reverse_client_name=mail1986.hm1315.locaweb.com.br, helo=mail1986.hm1315.locaweb.com.br, encryption_protocol=, process_time=0.9486s]

==> /var/log/maillog <==
Nov  7 14:33:37 mail2 postfix/smtpd[8922]: NOQUEUE: reject: RCPT from mail1986.hm1315.locaweb.com.br[191.252.198.6] 451 4.7.1 <k.ligon@seiko-it.com.ph>: Recipient address rejected: Sorry, Server is busy, Pls. try again in a minute.; from=<anderson.albuquerque@gmpromo.com.br> to=<k.ligon@seiko-it.com.ph> proto=ESMTP helo=<mail1986.hm1315.locaweb.com.br>
Nov  7 14:33:38 mail2 postfix/smtpd[8922]: disconnect from mail1986.hm1315.locaweb.com.br[191.252.198.6]


Hi Guys,

Recently some of our users received an email with an attached MS Word doc (Trojan HEUR:Trojan.MSOffice.SAgent.gen).
And unfortunately that attachment had already been downloaded and run by the user.

Since then, we are receiving tons of Forged Emails.
I have enabled iRedAPD plugins such as reject_sender_login_mismatch, but unfortunately there are emails that are still delivered to our INBOX.

What is the best way to deal with it?

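The checks that reject_sender_login_mismatch is meant to perform, re-implemented here over the iRedAPD log format pasted above so the verdict for each line is visible. This is an added example, not iRedAPD's own code. It assumes that the recipient domain in the pasted log (seiko-it.com.ph) is the server's local domain, that 127.0.0.0/8 and 10.0.0.0/8 stand in for the trusted mynetworks ranges, and that the second and third RCPT lines are constructed (only the greylisting line and the 451 line come from the thread). The classifier is stricter than the real plugin, which also has allow-list settings that are omitted here.

```python
"""Classify iRedAPD RCPT log lines: normal inbound, forged local sender, or
SASL login / sender mismatch. Added illustration, not iRedAPD's own code."""
import re
from ipaddress import ip_address, ip_network

# Assumptions for the example: the recipient domain from the pasted log is the
# server's own domain, and these ranges play the role of Postfix mynetworks.
LOCAL_DOMAINS = {"seiko-it.com.ph"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]

# iRedAPD RCPT line: "<ts> <level> [<client ip>] RCPT, <from> -> <to>, <action> [k=v, ...]".
# The action text can itself contain commas (see the 451 reply in the thread), so the
# attribute block is taken as the last " [ ... ]" group; the final ".*" keeps a HELO
# given as an address literal such as helo=[198.51.100.7] intact.
RCPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>\w+) "
    r"\[(?P<client_ip>[^\]]+)\] RCPT, (?P<mail_from>\S+) -> (?P<rcpt_to>\S+), "
    r"(?P<action>.*) \[(?P<attrs>.*)\]$"
)


def parse_rcpt_line(line):
    """Return a dict for an iRedAPD RCPT line, or None for any other line
    (for example the 'greylisted' INFO line in the thread)."""
    m = RCPT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for kv in rec.pop("attrs").split(", "):
        key, _, value = kv.partition("=")
        rec[key] = value  # empty string when the value is absent, e.g. "sasl_username="
    return rec


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def classify(rec):
    """Verdicts:
    login_mismatch: an authenticated client used a MAIL FROM that is not its SASL login.
    forged_sender:  an unauthenticated client outside MYNETWORKS claims a local sender
                    domain, i.e. what a message forged 'from our own domain' looks like.
    ok:             everything else, including ordinary inbound mail from an external
                    domain, which is what the pasted 451 line actually is.
    """
    sender = rec.get("sender") or rec["mail_from"]
    sasl = rec.get("sasl_username", "")
    if sasl and sasl.lower() != sender.lower():
        return "login_mismatch"
    try:
        client = ip_address(rec["client_ip"])
        trusted = any(client in net for net in MYNETWORKS)
    except ValueError:  # malformed address in the log: treat as untrusted
        trusted = False
    if not sasl and not trusted and domain_of(sender) in LOCAL_DOMAINS:
        return "forged_sender"
    return "ok"


def scan(lines):
    """Return [(sender, client_ip, verdict)] for every RCPT line in `lines`."""
    results = []
    for line in lines:
        rec = parse_rcpt_line(line)
        if rec is None:
            continue
        results.append((rec.get("sender") or rec["mail_from"], rec["client_ip"], classify(rec)))
    return results


# Lines 0 and 1 are copied from the thread; lines 2 and 3 are constructed for this example.
SAMPLE_LOG = [
    "2019-11-07 14:33:36 INFO [191.252.198.6] Client has not been seen before, greylisted.",
    "2019-11-07 14:33:37 INFO [191.252.198.6] RCPT, anderson.albuquerque@gmpromo.com.br -> "
    "k.ligon@seiko-it.com.ph, 451 4.7.1 Sorry, Server is busy, Pls. try again in a minute. "
    "[sasl_username=, sender=anderson.albuquerque@gmpromo.com.br, "
    "client_name=mail1986.hm1315.locaweb.com.br, reverse_client_name=mail1986.hm1315.locaweb.com.br, "
    "helo=mail1986.hm1315.locaweb.com.br, encryption_protocol=, process_time=0.9486s]",
    "2019-11-07 15:01:02 INFO [203.0.113.10] RCPT, k.ligon@seiko-it.com.ph -> k.ligon@seiko-it.com.ph, "
    "DUNNO [sasl_username=, sender=k.ligon@seiko-it.com.ph, client_name=unknown, "
    "reverse_client_name=unknown, helo=seiko-it.com.ph, encryption_protocol=, process_time=0.0102s]",
    "2019-11-07 15:02:03 INFO [198.51.100.7] RCPT, user1@seiko-it.com.ph -> someone@example.net, "
    "DUNNO [sasl_username=user2@seiko-it.com.ph, sender=user1@seiko-it.com.ph, client_name=unknown, "
    "reverse_client_name=unknown, helo=[198.51.100.7], encryption_protocol=TLSv1.2, process_time=0.0203s]",
]

if __name__ == "__main__":
    for sender, ip, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:15s} {ip:16s} {sender}")
```

Run stand-alone it prints one verdict per RCPT line and skips the greylisting line, which carries no sender. Note the caveat this makes visible: if the infected workstation sends through the server with the compromised user's own credentials, sasl_username equals the sender and neither check fires, so the thing to look for in the iRedAPD log is a burst of authenticated RCPT lines for that one sasl_username rather than a mismatch.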

2

Re: Spam/Forged Emails

devedames wrote:

Since then, we are receiving tons of Forged Emails.

What kind of "forged" emails?
The pasted log doesn't relate to a forged one.