1 (edited by iamapo 2024-03-15 09:23:42)

Topic: How to reject spams like sender and recipient the same?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
iRedMail version:1.6.5
Deployed with the downloadable installer
Linux/BSD distribution name and version: CentOS Linux release 7.9.2009 (Core)
Store mail accounts in which backend (LDAP/MySQL/PGSQL):MySQL
Web server (Apache or Nginx):Nginx
Manage mail accounts with iRedAdmin-Pro? No
====
The problem is that some spam emails have our mail address as both sender and recipient. We want to reject such incoming mail, except from authenticated internal users.
The relevant log is below:
Mar 13 10:22:14 mail postfix/postscreen[31860]: CONNECT from [179.6.81.233]:24259 to [192.168.11.60]:25
Mar 13 10:22:20 mail postfix/postscreen[31860]: PASS NEW [179.6.81.233]:24259
Mar 13 10:22:20 mail postfix/smtpd[32032]: connect from unknown[179.6.81.233]
Mar 13 10:22:21 mail postfix/smtpd[32032]: 46A6C2A191C1: client=unknown[179.6.81.233]
Mar 13 10:22:22 mail postfix/cleanup[32165]: 46A6C2A191C1: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:22 mail postfix/qmgr[6816]: 46A6C2A191C1: from=<ginawang@mydomain.com>, size=4256, nrcpt=1 (queue active)
Mar 13 10:22:23 mail postfix/smtpd[32032]: disconnect from unknown[179.6.81.233]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: connect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: 61EF32A191C7: client=mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/cleanup[32042]: 61EF32A191C7: message-id=<004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: disconnect from mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: from=<ginawang@mydomain.com>, size=5178, nrcpt=1 (queue active)
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Queue-ID: 46A6C2A191C1, Message-ID: <004801da74c3$03cb1b78$6e6fd2a0$@mydomain.com>, mail_id: g_x11t0dbdhu, Hits: 6.032, size: 4250, queued_as: 61EF32A191C7, 763 ms, Tests: [BITCOIN_SPAM_07=1.635,BITCOIN_TOEQFM=0.105,DATE_IN_PAST_03_06=1.076,DOS_OUTLOOK_TO_MX=1.449,NO_FM_NAME_IP_HOSTN=0.001,PDS_BTC_ID=0.499,RCVD_IN_SORBS_DUL=0.001,RDNS_NONE=1.274,SPF_NONE=0.001,TO_EQ_FM_DIRECT_MX=0.001,T_SCC_BODY_TEXT_LINE=-0.01]
Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN, <ginawang@mydomain.com> -> <ginawang@mydomain.com>, Hits: 6.032, tag=2, tag2=6.2, kill=6.9, queued_as: 61EF32A191C7, L/Y/0/0
Mar 13 10:22:23 mail postfix/amavis/smtp[32082]: 46A6C2A191C1: to=<ginawang@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0.01/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 61EF32A191C7)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 46A6C2A191C1: removed
Mar 13 10:22:23 mail postfix/pipe[32172]: 61EF32A191C7: to=<ginawang@mydomain.com>, relay=dovecot, delay=0.1, delays=0/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: removed

Thanks for the help!


2 (edited by Cthulhu 2024-03-15 04:39:13)

Re: How to reject spams like sender and recipient the same?

iamapo wrote:

The problem is that some spam emails have our mail address as both sender and recipient. We want to reject such incoming mail, except from authenticated internal users.

Those are from authenticated users:

Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>

The mail accounts got breached; iRedMail refuses sending of unauthenticated mail, else it would be an open relay.

3

Re: How to reject spams like sender and recipient the same?

Cthulhu wrote:
iamapo wrote:

The problem is that some spam emails have our mail address as both sender and recipient. We want to reject such incoming mail, except from authenticated internal users.

Those are from authenticated users:

Mar 13 10:22:23 mail amavis[29733]: (29733-05) Passed CLEAN {RelayedInbound}, [179.6.81.233]:24259 [179.6.81.233] <ginawang@mydomain.com> -> <ginawang@mydomain.com>

The mail accounts got breached; iRedMail refuses sending of unauthenticated mail, else it would be an open relay.

I think they are not from real authenticated users; real authenticated users should show sasl_method=LOGIN, sasl_username=ginawang@mydomain.com in the log. But I can't find that.
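The check described in this post (an authenticated submission carries sasl_method and sasl_username on the smtpd client= line, while the posted message has neither and arrived from an external address on port 25) can be scripted against the mail log. The following is an added example and is not code from the thread or from iRedMail: it correlates each smtpd client= line with the qmgr from= line by queue ID and flags messages whose envelope sender claims a local domain but which came from an external client with no SASL login. The embedded sample log is constructed from the thread's lines for 46A6C2A191C1 and 61EF32A191C7 plus one made-up authenticated submission (queue ID ABCDEF012345 from client 203.0.113.7, both invented); the local domain set and the trusted mynetworks ranges are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: the thread's lines for queue IDs 46A6C2A191C1 and
# 61EF32A191C7, plus one made-up authenticated submission (queue ID
# ABCDEF012345 from client 203.0.113.7, both invented) for contrast.
SAMPLE_LOG = """\
Mar 13 10:22:20 mail postfix/smtpd[32032]: connect from unknown[179.6.81.233]
Mar 13 10:22:21 mail postfix/smtpd[32032]: 46A6C2A191C1: client=unknown[179.6.81.233]
Mar 13 10:22:22 mail postfix/qmgr[6816]: 46A6C2A191C1: from=<ginawang@mydomain.com>, size=4256, nrcpt=1 (queue active)
Mar 13 10:22:23 mail postfix/smtpd[32032]: disconnect from unknown[179.6.81.233]
Mar 13 10:22:23 mail postfix/10025/smtpd[32162]: 61EF32A191C7: client=mail.mydomain.com[127.0.0.1]
Mar 13 10:22:23 mail postfix/qmgr[6816]: 61EF32A191C7: from=<ginawang@mydomain.com>, size=5178, nrcpt=1 (queue active)
Mar 13 10:25:01 mail postfix/submission/smtpd[32100]: ABCDEF012345: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=ginawang@mydomain.com
Mar 13 10:25:02 mail postfix/qmgr[6816]: ABCDEF012345: from=<ginawang@mydomain.com>, size=1200, nrcpt=1 (queue active)
"""

# Assumptions: the domains this server hosts, and the networks Postfix treats
# as trusted (mynetworks). Adjust both for a real deployment.
LOCAL_DOMAINS = {"mydomain.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.11.0/24")]

# smtpd logs one "<QID>: client=host[ip]" line per message; on an
# authenticated session it appends ", sasl_method=..., sasl_username=...".
CLIENT_RE = re.compile(
    r"postfix/(?P<service>[\w/]*smtpd)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)
# qmgr logs the envelope sender once the message is queued.
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>"
)


def parse_messages(log_text):
    """Correlate client= and from= lines by queue ID.

    Returns {qid: {"service", "host", "ip", "sasl_user", "sender"}}; a key
    is only present once the corresponding log line has been seen.
    """
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]].update(service=m["service"], host=m["host"],
                                  ip=m["ip"], sasl_user=m["user"])
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
    return dict(msgs)


def is_trusted_ip(ip):
    """True if the client address falls inside an assumed mynetworks range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MYNETWORKS)


def find_spoofed_local_senders(log_text, local_domains=LOCAL_DOMAINS):
    """Queue IDs whose envelope sender claims a local domain but which came
    from an external client with no SASL login: candidates for rejection.
    """
    hits = []
    for qid, rec in parse_messages(log_text).items():
        sender = rec.get("sender", "")
        domain = sender.rpartition("@")[2].lower()
        if domain not in local_domains:
            continue  # foreign sender domain: not the case discussed here
        if "ip" not in rec:
            continue  # no smtpd client line (local pickup etc.): cannot judge
        if rec.get("sasl_user"):
            continue  # genuine authenticated user (or a breached account)
        if is_trusted_ip(rec["ip"]):
            continue  # loopback re-injection (port 10025) or LAN host
        hits.append((qid, sender, rec["ip"]))
    return hits


if __name__ == "__main__":
    for qid, sender, ip in find_spoofed_local_senders(SAMPLE_LOG):
        print(f"{qid}: local sender <{sender}> from unauthenticated client {ip}")
```

On the sample, only 46A6C2A191C1 is reported: the authenticated submission is excused by its sasl_username, and the loopback re-injection hop 61EF32A191C7 (port 10025 from 127.0.0.1) is excused by the trusted network, which matters because every inbound message produces that second queue ID on an iRedMail host. Treat hits as triage output rather than an automatic block list: legitimate unauthenticated sources of local-domain senders exist (third-party services sending on the domain's behalf, external forwarders), so confirm against the domain's SPF policy and the expected sending paths before turning such a match into a hard reject.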

4

Re: How to reject spams like sender and recipient the same?

iamapo wrote:

The problem is that some spam emails have our mail address as both sender and recipient. We want to reject such incoming mail, except from authenticated internal users.

Do you have a SPF TXT record in your DNS zone for 'mydomain.com' ?

5

Re: How to reject spams like sender and recipient the same?

Pavel Zhe wrote:
iamapo wrote:

The problem is that some spam emails have our mail address as both sender and recipient. We want to reject such incoming mail, except from authenticated internal users.

Do you have a SPF TXT record in your DNS zone for 'mydomain.com' ?

I'm pretty sure I have an SPF TXT record in my DNS zone for 'mydomain.com'. For privacy, 'mydomain.com' is not my real domain name, as you should know.

6 (edited by Pavel Zhe 2024-03-18 19:12:42)

Re: How to reject spams like sender and recipient the same?

iamapo wrote:

I'm pretty sure I have an SPF TXT record in my DNS zone for 'mydomain.com'. For privacy, 'mydomain.com' is not my real domain name, as you should know.

Well, if you have an SPF record, the iRedAPD plugins 'greylisting' and 'reject_sender_login_mismatch' should work for you.

7

Re: How to reject spams like sender and recipient the same?

Pavel Zhe wrote:
iamapo wrote:

I'm pretty sure I have an SPF TXT record in my DNS zone for 'mydomain.com'. For privacy, 'mydomain.com' is not my real domain name, as you should know.

Well, if you have an SPF record, the iRedAPD plugins 'greylisting' and 'reject_sender_login_mismatch' should work for you.

Yes, the iRedAPD plugins 'greylisting' and 'reject_sender_login_mismatch' have worked well on our server for a long time.

8

Re: How to reject spams like sender and recipient the same?

As I said, the mail account got hacked.