Topic: how to block this type of phishing
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.0 OPENLDAP
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Debian/Ubuntu
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): OPENLDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello, I receive and distribute some phishing mail. I'd like to understand why it is not blocked by SPF or DMARC,
and how to set the config for better blocking?
Sep 1 17:33:40 mail postfix/dnsblog[77086]: addr 82.165.123.131 listed by domain zen.spamhaus.org as 127.255.255.254
Sep 1 17:33:41 mail postfix/postscreen[76715]: PASS OLD [82.165.123.131]:37221
Sep 1 17:33:46 mail postfix/smtpd[77397]: connect from unknown[82.165.123.131]
Sep 1 17:33:46 mail postfix/smtpd[77397]: Anonymous TLS connection established from unknown[82.165.123.131]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 1 17:33:51 mail postfix/smtpd[77397]: 4cFtFW5FqWz29QR: client=unknown[82.165.123.131]
Sep 1 17:33:51 mail postfix/cleanup[77129]: 4cFtFW5FqWz29QR: message-id=<20250901083334.CBCF76EDF23E9B5E@stanleys.com.es>
Sep 1 17:33:51 mail postfix/qmgr[1862]: 4cFtFW5FqWz29QR: from=<service@stanleys.com.es>, size=8895, nrcpt=1 (queue active)
Sep 1 17:33:51 mail postfix/smtpd[77397]: disconnect from unknown[82.165.123.131] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 1 17:33:52 mail postfix/10025/smtpd[77133]: connect from localhost[127.0.0.1]
Sep 1 17:33:52 mail postfix/10025/smtpd[77133]: 4cFtFX1hcxz29QS: client=localhost[127.0.0.1]
Sep 1 17:33:52 mail postfix/cleanup[77388]: 4cFtFX1hcxz29QS: message-id=<20250901083334.CBCF76EDF23E9B5E@stanleys.com.es>
Sep 1 17:33:52 mail postfix/qmgr[1862]: 4cFtFX1hcxz29QS: from=<service@stanleys.com.es>, size=9312, nrcpt=1 (queue active)
Sep 1 17:33:52 mail postfix/10025/smtpd[77133]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 1 17:33:52 mail amavis[26661]: (26661-19) Passed CLEAN {RelayedInbound}, [82.165.123.131]:37221 [159.242.234.169] ESMTP/ESMTP <service@stanleys.com.es> -> <eric@MYemailDOMAIN>, (ESMTPS://[82.165.123.131]:37221 < 159.242.234.169), Queue-ID: 4cFtFW5FqWz29QR, Message-ID: <20250901083334.CBCF76EDF23E9B5E@stanleys.com.es>, mail_id: VM_QEJgUHxsP, b: JIbE1xtCc, Hits: -0.268, size: 8894, queued_as: 4cFtFX1hcxz29QS, Subject: "Contravention en attente - Majorité automatique sous 48h (raw: =?Windows-1252?B?Q29udHJhdmVudGlvbiBlbiBhdHRlbnRlIC0gTWFqb3JpdOkgYXV0b21hdGlxdWUgc291cyA0OGg=?=)", From: <service@stanleys.com.es>, helo=p-solarsrl.com, Tests: [BAYES_00=-1.9,FROM_EXCESS_BASE64=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,RCVD_IN_DNSWL_BLOCKED=0.001,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,RDNS_NONE=0.793,SPF_HELO_SOFTFAIL=0.732,SPF_PASS=-0.001,TO_NO_BRKTS_NORDNS_HTML=0.001,URIBL_BLOCKED=0.001,URIBL_DBL_BLOCKED_OPENDNS=0.001], autolearn=no autolearn_force=no, autolearnscor...
Sep 1 17:33:52 mail amavis[26661]: (26661-19) ...e=2.276, 468 ms
Sep 1 17:33:52 mail postfix/amavis/smtp[77390]: 4cFtFW5FqWz29QR: to=<eric@MYemailDOMAIN>, orig_to=<alias@MYemailDOMAIN>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.6, delays=5.1/0/0/0.47, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4cFtFX1hcxz29QS)
Sep 1 17:33:52 mail postfix/qmgr[1862]: 4cFtFW5FqWz29QR: removed
Thanks for your help with that.
T.
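The log excerpt above already contains the answer to "why didn't SPF or DMARC block it", and it is easy to miss when reading a 1,500-character amavis line by eye. The script below is an added example (not from the post and not part of iRedMail or amavis) that parses those exact log lines and turns the relevant fields into findings: the Spamhaus return code `127.255.255.254` and the `*_BLOCKED` SpamAssassin rules, which both mean the DNS-based reputation lookups were refused rather than answered, and the `SPF_PASS` together with an envelope sender and header From in the same domain, which means SPF (and DMARC alignment) authenticated the sender's own domain. The Spamhaus error-code meanings come from the Spamhaus DNSBL usage FAQ; the rule-name interpretations are standard SpamAssassin semantics. The log lines are copied from the post (grep prefixes removed, amavis line shortened to the fields used, recipient placeholder `MYemailDOMAIN` kept as posted).

```python
import re

# Spamhaus "special" return codes in 127.255.255.0/24 (Spamhaus DNSBL usage FAQ).
# They signal a problem with the query itself, not that the IP is listed.
SPAMHAUS_ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver was refused",
    "127.255.255.255": "excessive number of queries",
}

# Log lines copied from the post above (grep prefixes removed, amavis line
# shortened to the fields the checks below need).
LOG = """\
Sep 1 17:33:40 mail postfix/dnsblog[77086]: addr 82.165.123.131 listed by domain zen.spamhaus.org as 127.255.255.254
Sep 1 17:33:41 mail postfix/postscreen[76715]: PASS OLD [82.165.123.131]:37221
Sep 1 17:33:52 mail amavis[26661]: (26661-19) Passed CLEAN {RelayedInbound}, [82.165.123.131]:37221 [159.242.234.169] ESMTP/ESMTP <service@stanleys.com.es> -> <eric@MYemailDOMAIN>, Queue-ID: 4cFtFW5FqWz29QR, Hits: -0.268, From: <service@stanleys.com.es>, helo=p-solarsrl.com, Tests: [BAYES_00=-1.9,FROM_EXCESS_BASE64=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,RCVD_IN_DNSWL_BLOCKED=0.001,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,RDNS_NONE=0.793,SPF_HELO_SOFTFAIL=0.732,SPF_PASS=-0.001,TO_NO_BRKTS_NORDNS_HTML=0.001,URIBL_BLOCKED=0.001,URIBL_DBL_BLOCKED_OPENDNS=0.001], autolearn=no
"""


def parse_amavis_tests(line):
    """Turn the 'Tests: [NAME=score,...]' field of an amavis log line into a dict."""
    m = re.search(r"Tests: \[([^\]]*)\]", line)
    if not m:
        return {}
    tests = {}
    for item in m.group(1).split(","):
        name, _, score = item.partition("=")
        if name.strip():
            tests[name.strip()] = float(score) if score else 0.0
    return tests


def blocked_rules(tests):
    """SpamAssassin rules whose DNSBL/URIBL lookup was refused by the list operator."""
    return sorted(t for t in tests if "_BLOCKED" in t)


def sender_domains(line):
    """(envelope-sender domain, header-From domain) from an amavis 'Passed/Blocked' line."""
    env = re.search(r"<[^@>]+@([^>]+)> -> <", line)
    hdr = re.search(r"From: <[^@>]+@([^>]+)>", line)
    return (env.group(1).lower() if env else None,
            hdr.group(1).lower() if hdr else None)


def diagnose(log):
    """Return a list of (code, explanation) findings for one message's log lines."""
    findings = []
    for line in log.splitlines():
        if "postfix/dnsblog" in line:
            m = re.search(r"listed by domain (\S+) as (\S+)", line)
            if m and m.group(2) in SPAMHAUS_ERROR_CODES:
                findings.append(("DNSBL_QUERY_ERROR",
                                 f"{m.group(1)} answered {m.group(2)}: {SPAMHAUS_ERROR_CODES[m.group(2)]};"
                                 " the connecting IP's reputation was never actually checked"))
        elif "amavis[" in line and "Tests:" in line:
            tests = parse_amavis_tests(line)
            blocked = blocked_rules(tests)
            if blocked:
                findings.append(("SA_DNS_LOOKUPS_BLOCKED",
                                 "lookups refused, so these rules contributed no score: " + ", ".join(blocked)))
            env, hdr = sender_domains(line)
            if "SPF_PASS" in tests and env and env == hdr:
                findings.append(("SPF_DMARC_ALIGNED_PASS",
                                 f"envelope sender and header From are both @{env} and SPF passed;"
                                 " SPF/DMARC only verify the sender's claimed domain, so they cannot reject this"))
            helo = re.search(r"helo=([^,\s]+)", line)
            if "SPF_HELO_SOFTFAIL" in tests or "SPF_HELO_FAIL" in tests:
                findings.append(("SPF_HELO_MISMATCH",
                                 f"HELO name {helo.group(1) if helo else '?'} is not authorised for the connecting IP"))
            if "RDNS_NONE" in tests:
                findings.append(("RDNS_NONE", "connecting IP has no reverse DNS"))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(LOG):
        print(f"{code}: {why}")
```

Two of the findings point at the actual fix. Every `*_BLOCKED` rule and the `127.255.255.254` answer mean the server's DNSBL and URIBL queries were refused because they went out through a public resolver, so Spamhaus, Validity and the URIBLs scored nothing at all; running a local recursive resolver on the mail host and pointing `/etc/resolv.conf` at it is what restores those checks. The aligned `SPF_PASS` finding explains the original question: SPF and DMARC verify that the message really came from `stanleys.com.es`, and it did, so no SPF or DMARC setting on the receiving side will reject mail that correctly authenticates the attacker's own domain; blocking it has to come from reputation and content scoring, which is exactly what was disabled here.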