Dec 29, 2023: iRedMail-1.6.8 has been released.

**iamapo** · 2024-03-14 16:38:28

iamapo
Member
Offline

Registered: 2023-07-03
Posts: 8

Topic: How to reject spams like sender and recipient the same？

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
iRedMail version：1.6.5
Deployed with the downloadable installer
Linux/BSD distribution name and version: CentOS Linux release 7.9.2009 (Core)
Store mail accounts in which backend (LDAP/MySQL/PGSQL):MySQL
Web server (Apache or Nginx):Nginx
Manage mail accounts with iRedAdmin-Pro? No
====
The problem is that some spam emails have our mail adresse in both sender and recipient。We want to reject mail from incoming mails, except authenticated internal users。
The relevant log is below：
Mar 13 10:22:14 mail postfix/postscreen[31860]: CONNECT from [179.6.81.233]:24259 to [192.168.11.60]:25
Mar 13 10:22:20 mail postfix/postscreen[31860]: PASS NEW [179.6.81.233]:24259
Mar 13 10:22:20 mail postfix/smtpd[32032]: connect from unknown[179.6.81.233]
Mar 13 10:22:21 mail postfix/smtpd[32032]: 46A6C2A191C1: client=unknown[179.6.81.233]
Mar 13 10:22:22 mail postfix/cleanup[32165]: 46A6C2A191C1: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:22 mail postfix/qmgr[6816]: 46A6C2A191C1: from=<ginawang@mydomain.com>, size=4256, nrcpt=1 (queue active)
Mar 13 10:22:23 mail postfix/smtpd[32032]: disconnect from unknown[179.6.81.233]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: connect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: 61EF32A191C7: client=mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/cleanup[32042]: 61EF32A191C7: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: disconnect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: from=<ginawang@mydomain.com>, size=5178, nrcpt=1 (queue active)
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Queue-ID: 46A6C2A191C1, Message-ID: <004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>, mail_id: g_x11t0dbdhu, Hits: 6.032, size: 4250, queued_as: 61EF32A191C7, 763 ms, Tests: [BITCOIN_SPAM_07=1.635,BITCOIN_TOEQFM=0.105,DATE_IN_PAST_03_06=1.076,DOS_OUTLOOK_TO_MX=1.449,NO_FM_NAME_IP_HOSTN=0.001,PDS_BTC_ID=0.499,RCVD_IN_SORBS_DUL=0.001,RDNS_NONE=1.274,SPF_NONE=0.001,TO_EQ_FM_DIRECT_MX=0.001,T_SCC_BODY_TEXT_LINE=-0.01]
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN, <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Hits: 6.032, tag=2, tag2=6.2, kill=6.9, queued_as: 61EF32A191C7, L/Y/0/0
Mar 13 10:22:23 mail postfix/amavis/smtp[32082]: 46A6C2A191C1: to=<ginawang@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0.01/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 61EF32A191C7)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 46A6C2A191C1: removed
Mar 13 10:22:23 mail postfix/pipe[32172]: 61EF32A191C7: to=<ginawang@mydomain.com>, relay=dovecot, delay=0.1, delays=0/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: removed

Thanks for the help!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**Cthulhu** · 2024-03-15 04:36:23

Cthulhu
Member
Offline

Registered: 2019-06-04
Posts: 821

Re: How to reject spams like sender and recipient the same？

iamapo wrote:

The problem is that some spam emails have our mail adresse in both sender and recipient。We want to reject mail from incoming mails, except authenticated internal users

Those are from authenticated users:

Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>

The mail accounts got breached, iredmail refuses sending of unauth mails, else it would be an open relay.

**iamapo** · 2024-03-15 09:47:29

iamapo
Member
Offline

Registered: 2023-07-03
Posts: 8

Re: How to reject spams like sender and recipient the same？

Cthulhu wrote:

iamapo wrote:
The problem is that some spam emails have our mail adresse in both sender and recipient。We want to reject mail from incoming mails, except authenticated internal users
Those are from authenticated users:
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>
The mail accounts got breached, iredmail refuses sending of unauth mails, else it would be an open relay.

I think it is not from real authenticated users, real authenticated users should see the info sasl_method=LOGIN, sasl_username=ginawang@mydomain.com in the log。But I can't find。

**Pavel Zhe** · 2024-03-17 16:31:18

Pavel Zhe
Member
Offline

Registered: 2023-12-12
Posts: 28

Re: How to reject spams like sender and recipient the same？

iamapo wrote:

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
iRedMail version：1.6.5
Deployed with the downloadable installer
Linux/BSD distribution name and version: CentOS Linux release 7.9.2009 (Core)
Store mail accounts in which backend (LDAP/MySQL/PGSQL):MySQL
Web server (Apache or Nginx):Nginx
Manage mail accounts with iRedAdmin-Pro? No
====
The problem is that some spam emails have our mail adresse in both sender and recipient。We want to reject mail from incoming mails, except authenticated internal users。
The relevant log is below：
Mar 13 10:22:14 mail postfix/postscreen[31860]: CONNECT from [179.6.81.233]:24259 to [192.168.11.60]:25
Mar 13 10:22:20 mail postfix/postscreen[31860]: PASS NEW [179.6.81.233]:24259
Mar 13 10:22:20 mail postfix/smtpd[32032]: connect from unknown[179.6.81.233]
Mar 13 10:22:21 mail postfix/smtpd[32032]: 46A6C2A191C1: client=unknown[179.6.81.233]
Mar 13 10:22:22 mail postfix/cleanup[32165]: 46A6C2A191C1: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:22 mail postfix/qmgr[6816]: 46A6C2A191C1: from=<ginawang@mydomain.com>, size=4256, nrcpt=1 (queue active)
Mar 13 10:22:23 mail postfix/smtpd[32032]: disconnect from unknown[179.6.81.233]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: connect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: 61EF32A191C7: client=mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/cleanup[32042]: 61EF32A191C7: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: disconnect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: from=<ginawang@mydomain.com>, size=5178, nrcpt=1 (queue active)
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Queue-ID: 46A6C2A191C1, Message-ID: <004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>, mail_id: g_x11t0dbdhu, Hits: 6.032, size: 4250, queued_as: 61EF32A191C7, 763 ms, Tests: [BITCOIN_SPAM_07=1.635,BITCOIN_TOEQFM=0.105,DATE_IN_PAST_03_06=1.076,DOS_OUTLOOK_TO_MX=1.449,NO_FM_NAME_IP_HOSTN=0.001,PDS_BTC_ID=0.499,RCVD_IN_SORBS_DUL=0.001,RDNS_NONE=1.274,SPF_NONE=0.001,TO_EQ_FM_DIRECT_MX=0.001,T_SCC_BODY_TEXT_LINE=-0.01]
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN, <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Hits: 6.032, tag=2, tag2=6.2, kill=6.9, queued_as: 61EF32A191C7, L/Y/0/0
Mar 13 10:22:23 mail postfix/amavis/smtp[32082]: 46A6C2A191C1: to=<ginawang@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0.01/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 61EF32A191C7)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 46A6C2A191C1: removed
Mar 13 10:22:23 mail postfix/pipe[32172]: 61EF32A191C7: to=<ginawang@mydomain.com>, relay=dovecot, delay=0.1, delays=0/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: removed
Thanks for the help!

Do you have a SPF TXT record in your DNS zone for 'mydomain.com' ?

**iamapo** · 2024-03-18 15:31:56

iamapo
Member
Offline

Registered: 2023-07-03
Posts: 8

Re: How to reject spams like sender and recipient the same？

Pavel Zhe wrote:

iamapo wrote:
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
iRedMail version：1.6.5
Deployed with the downloadable installer
Linux/BSD distribution name and version: CentOS Linux release 7.9.2009 (Core)
Store mail accounts in which backend (LDAP/MySQL/PGSQL):MySQL
Web server (Apache or Nginx):Nginx
Manage mail accounts with iRedAdmin-Pro? No
====
The problem is that some spam emails have our mail adresse in both sender and recipient。We want to reject mail from incoming mails, except authenticated internal users。
The relevant log is below：
Mar 13 10:22:14 mail postfix/postscreen[31860]: CONNECT from [179.6.81.233]:24259 to [192.168.11.60]:25
Mar 13 10:22:20 mail postfix/postscreen[31860]: PASS NEW [179.6.81.233]:24259
Mar 13 10:22:20 mail postfix/smtpd[32032]: connect from unknown[179.6.81.233]
Mar 13 10:22:21 mail postfix/smtpd[32032]: 46A6C2A191C1: client=unknown[179.6.81.233]
Mar 13 10:22:22 mail postfix/cleanup[32165]: 46A6C2A191C1: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:22 mail postfix/qmgr[6816]: 46A6C2A191C1: from=<ginawang@mydomain.com>, size=4256, nrcpt=1 (queue active)
Mar 13 10:22:23 mail postfix/smtpd[32032]: disconnect from unknown[179.6.81.233]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: connect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: 61EF32A191C7: client=mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/cleanup[32042]: 61EF32A191C7: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: disconnect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: from=<ginawang@mydomain.com>, size=5178, nrcpt=1 (queue active)
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Queue-ID: 46A6C2A191C1, Message-ID: <004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>, mail_id: g_x11t0dbdhu, Hits: 6.032, size: 4250, queued_as: 61EF32A191C7, 763 ms, Tests: [BITCOIN_SPAM_07=1.635,BITCOIN_TOEQFM=0.105,DATE_IN_PAST_03_06=1.076,DOS_OUTLOOK_TO_MX=1.449,NO_FM_NAME_IP_HOSTN=0.001,PDS_BTC_ID=0.499,RCVD_IN_SORBS_DUL=0.001,RDNS_NONE=1.274,SPF_NONE=0.001,TO_EQ_FM_DIRECT_MX=0.001,T_SCC_BODY_TEXT_LINE=-0.01]
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN, <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Hits: 6.032, tag=2, tag2=6.2, kill=6.9, queued_as: 61EF32A191C7, L/Y/0/0
Mar 13 10:22:23 mail postfix/amavis/smtp[32082]: 46A6C2A191C1: to=<ginawang@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0.01/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 61EF32A191C7)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 46A6C2A191C1: removed
Mar 13 10:22:23 mail postfix/pipe[32172]: 61EF32A191C7: to=<ginawang@mydomain.com>, relay=dovecot, delay=0.1, delays=0/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: removed
Thanks for the help!
Do you have a SPF TXT record in your DNS zone for 'mydomain.com' ?

I'm pretty sure I have a SPF TXT record in my DNS zone for 'mydomain.com'。 Due to privacy, 'mydomain.com' is not my real domain name, you should know that。

**Pavel Zhe** · 2024-03-18 19:00:50

Pavel Zhe
Member
Offline

Registered: 2023-12-12
Posts: 28

Re: How to reject spams like sender and recipient the same？

iamapo wrote:

I'm pretty sure I have a SPF TXT record in my DNS zone for 'mydomain.com'。 Due to privacy, 'mydomain.com' is not my real domain name, you should know that。

Well, If you have SPF record, iRedAPD plugins 'greylisting','reject_sender_login_mismatch' should works for you.

**iamapo** · 2024-03-19 17:28:09

iamapo
Member
Offline

Registered: 2023-07-03
Posts: 8

Re: How to reject spams like sender and recipient the same？

Pavel Zhe wrote:

iamapo wrote:
I'm pretty sure I have a SPF TXT record in my DNS zone for 'mydomain.com'。 Due to privacy, 'mydomain.com' is not my real domain name, you should know that。
Well, If you have SPF record, iRedAPD plugins 'greylisting','reject_sender_login_mismatch' should works for you.

Yes, iRedAPD plugins 'greylisting','reject_sender_login_mismatch' work well on our server for a long time。

**Cthulhu** · 2024-03-19 23:27:03

Cthulhu
Member
Offline

Registered: 2019-06-04
Posts: 821

Re: How to reject spams like sender and recipient the same？

As i said, the mail account got hacked

Dec 29, 2023: iRedMail-1.6.8 has been released.

How to reject spams like sender and recipient the same？

Posts: 8

1 Topic by iamapo 2024-03-14 16:38:28 (edited by iamapo 2024-03-15 09:23:42)

Topic: How to reject spams like sender and recipient the same？

2 Reply by Cthulhu 2024-03-15 04:36:23 (edited by Cthulhu 2024-03-15 04:39:13)

Re: How to reject spams like sender and recipient the same？

3 Reply by iamapo 2024-03-15 09:47:29

Re: How to reject spams like sender and recipient the same？

4 Reply by Pavel Zhe 2024-03-17 16:31:18

Re: How to reject spams like sender and recipient the same？

5 Reply by iamapo 2024-03-18 15:31:56

Re: How to reject spams like sender and recipient the same？

6 Reply by Pavel Zhe 2024-03-18 19:00:50 (edited by Pavel Zhe 2024-03-18 19:12:42)

Re: How to reject spams like sender and recipient the same？

7 Reply by iamapo 2024-03-19 17:28:09

Re: How to reject spams like sender and recipient the same？

8 Reply by Cthulhu 2024-03-19 23:27:03

Re: How to reject spams like sender and recipient the same？

Posts: 8