Aug 5, 2024: iRedMail-1.7.1 has been released.

**predmijat** · 2024-08-11 07:09:06

predmijat
Member
Offline

Registered: 2018-11-25
Posts: 13

Topic: How do I blacklist this?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? No
- Linux/BSD distribution name and version: Ubuntu 22.04.3 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB (MySQL)
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

Aug 11 00:15:17 mail postfix/smtpd[134170]: 840951CE365B: client=idealcart.ru[45.95.146.101]
Aug 11 00:15:17 mail postfix/cleanup[134181]: 840951CE365B: message-id=<8a733ae5a3103a35c66c25ce6aaf90c5d3d9@abs-cbn.com>
Aug 11 00:15:17 mail postfix/qmgr[579]: 840951CE365B: from=<info@abs-cbn.com>, size=1557, nrcpt=1 (queue active)
Aug 11 00:15:18 mail amavis[33406]: (33406-01) Passed CLEAN {RelayedInbound}, [45.95.146.101]:37607 [45.95.146.101] ESMTP/ESMTP <info@abs-cbn.com> -> <my_email@my_domain>, (ESMTPS://[45.95.146.101]:37607), Queue-ID: 840951CE365B, Message-ID: <8a733ae5a3103a35c66c25ce6aaf90c5d3d9@abs-cbn.com>, mail_id: 2aMmSm1TYzYm, b: bRqy7F6GA, Hits: 1.256, size: 1557, queued_as: 4CF881CE8614, Subject: "Re: Private link", From: <info@abs-cbn.com>, helo=idealcart.ru, Tests: [HTML_MESSAGE=0.001,RCVD_IN_BL_SPAMCOP_NET=1.246,RCVD_IN_DNSWL_HI=-5,RCVD_IN_MSPIKE_BL=0.001,RCVD_IN_MSPIKE_L3=0.001,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,SPF_FAIL=5,SPF_HELO_NONE=0.001,URIBL_BLOCKED=0.001,URIBL_DBL_BLOCKED_OPENDNS=0.001,URIBL_ZEN_BLOCKED_OPENDNS=0.001], autolearn=no autolearn_force=no, autolearnscore=1.255, 542 ms
Aug 11 00:15:18 mail postfix/smtp-amavis/smtp[134186]: 840951CE365B: to=<my_email@my_domain>, orig_to=<my_email@my_domain>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.89, delays=0.3/0.04/0/0.54, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4CF881CE8614)
Aug 11 00:15:18 mail postfix/qmgr[579]: 840951CE365B: removed

====

Hi, I've been receiving some SPAM messages for the last few days. The pattern is the same - 'FROM' is set to info@some_well_known_domain, but in headers I can see that it was received from idealcart.ru (Received: from idealcart.ru (idealcart.ru [45.95.146.101])).

1. Why did this end up in the inbox in the first place?
2. How do I blacklist list this? Will blacklisting idealcart.ru work ok considering it's not in FROM?

Thank you

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2024-08-14 09:33:18

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,082

Re: How do I blacklist this?

The key in this issue is the rule "RCVD_IN_DNSWL_HI=-5".
DNSWL had some false positives before, which allows spams delivered to mailbox.
You may want to disable this rule in SpamAssassin like this thread:
FYI https://forum.iredmail.org/topic18941-s … wlhi5.html

**predmijat** · 2024-08-14 16:53:06

predmijat
Member
Offline

Registered: 2018-11-25
Posts: 13

Re: How do I blacklist this?

Ok, thank you.
My initial question still stands do - how would I blacklist something like this?

I used `wblist_admin.py --add --blacklist ...` in the past, but I'm not sure what to do if there's a mismatch between the FROM and the actual address it was sent from

**ZhangHuangbin** · 2024-08-14 17:13:39

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,082

Re: How do I blacklist this?

- As you can see, this email got 1.256 score, if you disable the RCVD_IN_DNSWL_HI rule, it becomes 6.256, which is higher the tag version and will be marked as spam. So this change is enough in this case.
- If you want to block IP addresses, sender email address / domain, use the "/opt/iredapd/tools/wblist_admin.py" is ok.

**predmijat** · 2024-08-14 18:05:18

predmijat
Member
Offline

Registered: 2018-11-25
Posts: 13

Re: How do I blacklist this?

I want to block it, but 'FROM' is fake here, so I don't know how. I don't want to block a legit domain.

For example, one message had info@nfl.com in FROM, while helo is idealcart.ru, but wblist_admin.py won't work with helo, right?

**Cthulhu** · 2024-08-15 22:02:43

Cthulhu
Member
Offline

Registered: 2019-06-04
Posts: 907

Re: How do I blacklist this?

etc/postfix/helo_access

you can add it there

**predmijat** · 2024-08-15 22:04:23

predmijat
Member
Offline

Registered: 2018-11-25
Posts: 13

Re: How do I blacklist this?

Great, thank you!

Aug 5, 2024: iRedMail-1.7.1 has been released.

How do I blacklist this?

Posts: 7

1 Topic by predmijat 2024-08-11 07:09:06

Topic: How do I blacklist this?

2 Reply by ZhangHuangbin 2024-08-14 09:33:18

Re: How do I blacklist this?

3 Reply by predmijat 2024-08-14 16:53:06

Re: How do I blacklist this?

4 Reply by ZhangHuangbin 2024-08-14 17:13:39

Re: How do I blacklist this?

5 Reply by predmijat 2024-08-14 18:05:18

Re: How do I blacklist this?

6 Reply by Cthulhu 2024-08-15 22:02:43

Re: How do I blacklist this?

7 Reply by predmijat 2024-08-15 22:04:23

Re: How do I blacklist this?

Posts: 7