1

Topic: Problem with spam coming from servers without domain/unknown

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.8
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache2
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue: No
====

Mail header with spam:
======================
Return-Path: <Gutierrez5051@vivnederland.nl>
Delivered-To: XXX
Received: from localhost (localhost [127.0.0.1])
    by XXX.XXX.pl (Postfix) with ESMTP id 9059140985
    for <XXX>; Thu, 23 Mar 2017 17:32:26 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at XXX.XXX.pl
X-Spam-Flag: NO
X-Spam-Score: 3.769
X-Spam-Level: ***
X-Spam-Status: No, score=3.769 tagged_above=-999 required=4
    tests=[BAYES_05=-0.5, HELO_MISC_IP=0.248, PUMPDUMP=1,
    RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_NEUTRAL=0.779]
    autolearn=no autolearn_force=no
Received: from XXX.XXX.pl ([127.0.0.1])
    by localhost (XXX.XXX.pl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id dDsh9Ao7XQ_W for <XXXl>;
    Thu, 23 Mar 2017 17:32:26 +0100 (CET)
Received: from [220.158.152.58] (unknown [106.67.91.18])
    by XXX.XXX.pl (Postfix) with ESMTP id E89CF4045C
    for <XXXl>; Thu, 23 Mar 2017 17:32:24 +0100 (CET)
Received: (from apache@localhost)
    by vivnederland.nl (8.14.7/8.14.7/Submit) id 5C6997883E673D;
    Thu, 23 Mar 2017 22:02:22 +0530
Message-Id: <20170323220222.5C6997883E673D@vivnederland.nl>
To: XXX
Subject: I've got strong reasons to believe that this stock is about to soar.
X-PHP-Originating-Script: 1035:Sendmail.php
From: "Russell Gutierrez" <Gutierrez5051@vivnederland.nl>
Date: Thu, 23 Mar 2017 22:02:22 +0530
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0

I have smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch but it's not working.
Postfix main.cf
==============
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

#smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_banner = $myorigin ESMTP Server
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/XXX.XXX/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/XXX.XXX/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/XXX.XXX/chain.pem
#smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
#smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
#smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.


default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 209715200
header_size_limit = 51200
smtpd_recipient_limit = 100
smtpd_delay_reject = yes


myhostname = XXX.XXX
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = XXX
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
relayhost =
mynetworks = 127.0.0.0/8 10.0.0.0/24 x.x.x.x
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = x.x.x.x 127.0.0.1
inet_protocols = all
virtual_alias_domains =
allow_percent_hack = no
swap_bangpath = no
mydomain = XXX
mynetworks_style = host
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_sender_login_mismatch, reject_unauth_pipelining, reject_unknown_sender_domain,
delay_warning_time = 0h
maximal_queue_lifetime = 4h
bounce_queue_lifetime = 4h
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_invalid_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
enable_original_recipient = no
disable_vrfy_command = yes
home_mailbox = Maildir/
allow_min_user = no
message_size_limit = 104857600
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org
# , reject_unverified_recipient
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031,
smtpd_tls_security_level = may
smtpd_tls_loglevel = 0
tls_random_source = dev:/dev/urandom
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem

Please help - thank you in advance!

2

Re: Problem with spam coming from servers without domain/unknown

Please show us full log related to this spam in Postfix log file.

3

Re: Problem with spam coming from servers without domain/unknown

Mar 23 17:32:23 xxxx postfix/smtpd[22673]: connect from unknown[106.67.91.18]
Mar 23 17:32:24 xxxx postfix/smtpd[22673]: warning: 18.91.67.106.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=18.91.67.106.list.dsbl.org type=A: Host not found, try again
Mar 23 17:32:24 xxxx postfix/smtpd[22673]: E89CF4045C: client=unknown[106.67.91.18]
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: E89CF4045C: message-id=<20170323220222.5C6997883E673D@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: E89CF4045C: from=<Gutierrez5051@vivnederland.nl>, size=2000, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) ESMTP :10024 /var/lib/amavis/tmp/amavis-20170323T173226-22461-F4XyXSgT: <Gutierrez5051@vivnederland.nl> -> <xxxx@xxxx.pl> SIZE=2000 BODY=8BITMIME Received: from xxxx.xxxx.pl ([127.0.0.1]) by localhost (xxxx.xxxx.pl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <xxxx@xxxx.pl>; Thu, 23 Mar 2017 17:32:26 +0100 (CET)
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) Checking: dDsh9Ao7XQ_W MYUSERS [106.67.91.18] <Gutierrez5051@vivnederland.nl> -> <xxxx@xxxx.pl>
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) p001 1 Content-Type: text/plain, size: 1278 B, name:
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) spam-tag, <Gutierrez5051@vivnederland.nl> -> <xxxx@xxxx.pl>, No, score=3.769 tagged_above=-999 required=4 tests=[BAYES_05=-0.5, HELO_MISC_IP=0.248, PUMPDUMP=1, RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) dkim: candidate originators: From:<Gutierrez5051@vivnederland.nl>
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) dkim: not signing, empty signing domain, From: <Gutierrez5051@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: connect from localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: 9059140985: client=localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: 9059140985: message-id=<20170323220222.5C6997883E673D@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: disconnect from localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 9059140985: from=<Gutierrez5051@vivnederland.nl>, size=2698, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) dDsh9Ao7XQ_W FWD from <Gutierrez5051@vivnederland.nl> -> <xxxx@xxxx.pl>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9059140985
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [106.67.91.18]:15864 [106.67.91.18] ESMTP/ESMTP <Gutierrez5051@vivnederland.nl> -> <xxxx@xxxx.pl>, (ESMTP://[106.67.91.18]:15864), Queue-ID: E89CF4045C, Message-ID: <20170323220222.5C6997883E673D@vivnederland.nl>, mail_id: dDsh9Ao7XQ_W, b: zsgvkOGv1, Hits: 3.769, size: 1994, queued_as: 9059140985, Subject: "I've got strong reasons to believe that this stock is about to soar.", From: <Gutierrez5051@vivnederland.nl>, helo=[220.158.152.58], Tests: [BAYES_05=-0.5,HELO_MISC_IP=0.248,PUMPDUMP=1,RCVD_IN_BRBL_LASTEXT=1.449,RDNS_NONE=0.793,SPF_NEUTRAL=0.779], autolearn=no autolearn_force=no, autolearnscore=4.818, 381 ms
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) TIMING-SA total 237 ms - parse: 1.47 (0.6%), extract_message_metadata: 4.3 (1.8%), get_uri_detail_list: 0.83 (0.4%), tests_pri_-1000: 4.8 (2.0%), tests_pri_-950: 1.61 (0.7%), tests_pri_-900: 1.81 (0.8%), tests_pri_-400: 22 (9.3%), check_bayes: 21 (8.7%), b_tokenize: 8 (3.5%), b_tok_get_all: 3.6 (1.5%), b_comp_prob: 3.4 (1.4%), b_tok_touch_all: 0.35 (0.1%), b_finish: 1.13 (0.5%), tests_pri_0: 174 (73.2%), check_spf: 38 (16.2%), check_dkim_adsp: 64 (27.1%), poll_dns_idle: 25 (10.4%), check_pyzor: 0.13 (0.1%), tests_pri_500: 3.9 (1.6%), get_report: 0.74 (0.3%)
Mar 23 17:32:26 xxxx postfix/smtp[22618]: E89CF4045C: to=<xxxx@xxxx.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.8/0/0.01/0.38, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9059140985)
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: E89CF4045C: removed
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) size: 1994, TIMING [total 391 ms] - sql-prepare: 4.0 (1%)1, SMTP greeting: 2.9 (1%)2, SMTP EHLO: 0.6 (0%)2, SMTP pre-MAIL: 0.7 (0%)2, mkdir tempdir: 1.5 (0%)2, create email.txt: 0.2 (0%)3, sql-connect: 7 (2%)4, lookup_sql: 0.8 (0%)5, lookup_sql: 1.1 (0%)5, SMTP pre-DATA-flush: 1.3 (0%)5, SMTP DATA: 28 (7%)12, check_init: 0.6 (0%)12, digest_hdr: 2.6 (1%)13, digest_body_dkim: 0.5 (0%)13, collect_info: 3.3 (1%)14, gen_mail_id: 3.9 (1%)15, mkdir parts: 1.0 (0%)15, mime_decode: 8 (2%)17, get-file-type1: 42 (11%)28, parts_decode: 0.3 (0%)28, check_header: 0.8 (0%)28, AV-scan-1: 3.6 (1%)29, spam-wb-list: 1.0 (0%)30, SA msg read: 0.4 (0%)30, SA parse: 2.7 (1%)30, SA check: 234 (60%)90, decide_mail_destiny: 3.6 (1%)91, notif-quar: 0.3 (0%)91, fwd-connect: 6 (2%)93, fwd-mail-pip: 4.0 (1%)94, fwd-rcpt-pip: 0.2 (0%)94, fwd-data-chkpnt: 0.1 (0%)94, write-header: 0.4 (0%)94, fwd-data-contents: 0.1 (0%)94, fwd-end-chkpnt: 2.4 (1%)95, prepare-dsn: 1.3 (0%)95, report: ...
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) ...2.5 (1%)95, main_log_entry: 9 (2%)98, sql-update: 3.3 (1%)99, update_snmp: 3.2 (1%)99, SMTP pre-response: 0.4 (0%)100, SMTP response: 0.2 (0%)100, unlink-1-files: 0.3 (0%)100, rundown: 1.1 (0%)100
Mar 23 17:32:26 xxxx amavis[22461]: (22461-01) Requesting process rundown after 1 tasks (and 1 sessions)
Mar 23 17:32:26 xxxx postfix/pickup[19414]: 99327458A0: uid=2000 from=<>
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: 99327458A0: message-id=<dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 99327458A0: from=<>, size=746, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx postfix/pipe[22680]: 9059140985: to=<xxxx@xxxx.pl>, relay=dovecot, delay=0.06, delays=0/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 9059140985: removed
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) ESMTP :10024 /var/lib/amavis/tmp/amavis-20170323T173226-22684-CR7u6QWx: <> -> <Gutierrez5051@vivnederland.nl> SIZE=746 BODY=8BITMIME Received: from xxxx.xxxx.pl ([127.0.0.1]) by localhost (xxxx.xxxx.pl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <Gutierrez5051@vivnederland.nl>; Thu, 23 Mar 2017 17:32:26 +0100 (CET)
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) Checking: Oase-S9Vpn93 [127.0.0.1] <> -> <Gutierrez5051@vivnederland.nl>
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) p001 1 Content-Type: text/plain, size: 103 B, name:
Mar 23 17:32:26 xxxx amavis[22771]: storage and lookups will use the same connection to SQL
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) bounce unverifiable, originating, <> -> <Gutierrez5051@vivnederland.nl>
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) spam-tag, <> -> <Gutierrez5051@vivnederland.nl>, No, score=-1.901 tagged_above=-999 required=4 tests=[BAYES_00=-1.9, NO_RELAYS=-0.001] autolearn=ham autolearn_force=no
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) dkim: candidate originators: From:<xxxx@xxxx.pl>
Mar 23 17:32:26 xxxx amavis[22684]: (22684-01) dkim: signing (author), From: <xxxx@xxxx.pl> (From:<xxxx@xxxx.pl>), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>xxxx.pl, s=>dkim, ttl=>864000, x=>1491150747
Mar 23 17:32:27 xxxx postfix/smtpd[22673]: disconnect from unknown[106.67.91.18]
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: connect from localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: 0572A4045C: client=localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/cleanup[22611]: 0572A4045C: message-id=<dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: disconnect from localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 0572A4045C: from=<>, size=2039, nrcpt=1 (queue active)
Mar 23 17:32:27 xxxx amavis[22684]: (22684-01) Oase-S9Vpn93 FWD from <> -> <Gutierrez5051@vivnederland.nl>, BODY=8BITMIME 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0572A4045C
Mar 23 17:32:27 xxxx amavis[22684]: (22684-01) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1] /ESMTP <> -> <Gutierrez5051@vivnederland.nl>, (), Message-ID: <dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>, mail_id: Oase-S9Vpn93, b: nfa9fOrW3, Hits: -1.901, size: 746, queued_as: 0572A4045C, Subject: "Wiadomość zautomatyzowana (raw: =?utf-8?q?Wiadomo=C5=9B=C4=87?= zautomatyzowana)", From: <xxxx@xxxx.pl>, helo=, Tests: [BAYES_00=-1.9,NO_RELAYS=-0.001], autolearn=ham autolearn_force=no, autolearnscore=0, dkim_new=dkim:xxxx.pl, 407 ms
Mar 23 17:32:27 xxxx amavis[22684]: (22684-01) TIMING-SA total 208 ms - parse: 1.78 (0.9%), extract_message_metadata: 2.3 (1.1%), get_uri_detail_list: 0.28 (0.1%), tests_pri_-1000: 2.9 (1.4%), tests_pri_-950: 1.13 (0.5%), tests_pri_-900: 1.25 (0.6%), tests_pri_-400: 10 (5.0%), check_bayes: 9 (4.5%), b_tokenize: 3.1 (1.5%), b_tok_get_all: 1.31 (0.6%), b_comp_prob: 1.65 (0.8%), b_tok_touch_all: 0.14 (0.1%), b_finish: 0.66 (0.3%), tests_pri_0: 135 (65.0%), check_spf: 0.36 (0.2%), check_dkim_adsp: 108 (52.0%), check_pyzor: 0.14 (0.1%), tests_pri_500: 2.9 (1.4%), learn: 44 (21.1%), b_learn: 43 (20.4%), b_count_change: 3.5 (1.7%), get_report: 0.39 (0.2%)
Mar 23 17:32:27 xxxx postfix/smtp[22618]: 99327458A0: to=<Gutierrez5051@vivnederland.nl>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.42, delays=0.01/0/0.01/0.41, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0572A4045C)
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 99327458A0: removed
Mar 23 17:32:27 xxxx amavis[22684]: (22684-01) size: 746, TIMING [total 417 ms] - sql-prepare: 4.0 (1%)1, SMTP greeting: 3.3 (1%)2, SMTP EHLO: 1.0 (0%)2, SMTP pre-MAIL: 0.7 (0%)2, mkdir tempdir: 2.1 (1%)3, create email.txt: 0.3 (0%)3, sql-connect: 9 (2%)5, lookup_sql: 0.5 (0%)5, SMTP pre-DATA-flush: 1.5 (0%)5, SMTP DATA: 24 (6%)11, check_init: 0.9 (0%)11, digest_hdr: 3.1 (1%)12, digest_body_dkim: 0.4 (0%)12, collect_info: 2.6 (1%)13, gen_mail_id: 3.6 (1%)14, mkdir parts: 1.1 (0%)14, mime_decode: 9 (2%)16, get-file-type1: 46 (11%)27, parts_decode: 0.3 (0%)27, check_header: 0.9 (0%)27, AV-scan-1: 3.4 (1%)28, spam-wb-list: 1.2 (0%)29, SA msg read: 0.4 (0%)29, SA parse: 3.1 (1%)29, SA check: 205 (49%)79, decide_mail_destiny: 3.4 (1%)79, notif-quar: 0.5 (0%)79, write-header: 9 (2%)82, fwd-data-dkim: 7 (2%)83, fwd-connect: 40 (10%)93, fwd-mail-pip: 0.9 (0%)93, fwd-rcpt-pip: 0.2 (0%)93, fwd-data-chkpnt: 0.0 (0%)93, write-header: 0.4 (0%)93, fwd-data-contents: 0.0 (0%)93, fwd-end-chkpnt: 2.7 (1%)94, prepar...
Mar 23 17:32:27 xxxx amavis[22684]: (22684-01) ...e-dsn: 1.2 (0%)94, report: 3.5 (1%)95, main_log_entry: 13 (3%)98, sql-update: 3.4 (1%)99, update_snmp: 3.2 (1%)100, SMTP pre-response: 0.4 (0%)100, SMTP response: 0.2 (0%)100, unlink-1-files: 0.3 (0%)100, rundown: 1.1 (0%)100
Mar 23 17:32:27 xxxx amavis[22684]: (22684-01) Requesting process rundown after 1 tasks (and 1 sessions)
Mar 23 17:32:27 xxxx amavis[22773]: storage and lookups will use the same connection to SQL
Mar 23 17:32:27 xxxx postfix/smtp[22653]: 0572A4045C: to=<Gutierrez5051@vivnederland.nl>, relay=srv1.flexfilter.nl[62.84.240.181]:25, delay=0.29, delays=0/0/0.17/0.12, dsn=5.0.0, status=bounced (host srv1.flexfilter.nl[62.84.240.181] said: 550 "Unknown User" (in reply to RCPT TO command))
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 0572A4045C: removed

4

Re: Problem with spam coming from servers without domain/unknown

*) Which is your local domain?
*) Which log line is related to this spam?
*) Which version of iRedAPD are you running? Show us the output of the command "ls -l /opt/". Seems you're running with an old iRedAPD release.
*) What's the log related to this spam in iRedAPD log file?
*) Do you have plugin "reject_null_sender" and "reject_sender_login_mismatch" enabled in /opt/iredapd/settings.py?

5

Re: Problem with spam coming from servers without domain/unknown

I removed antispam/amavis

Mar 23 17:32:23 xxxx postfix/smtpd[22673]: connect from unknown[106.67.91.18]
Mar 23 17:32:24 xxxx postfix/smtpd[22673]: warning: 18.91.67.106.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=18.91.67.106.list.dsbl.org type=A: Host not found, try again
Mar 23 17:32:24 xxxx postfix/smtpd[22673]: E89CF4045C: client=unknown[106.67.91.18]
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: E89CF4045C: message-id=<20170323220222.5C6997883E673D@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: E89CF4045C: from=<Gutierrez5051@vivnederland.nl>, size=2000, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: connect from localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: 9059140985: client=localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: 9059140985: message-id=<20170323220222.5C6997883E673D@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: disconnect from localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 9059140985: from=<Gutierrez5051@vivnederland.nl>, size=2698, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx postfix/smtp[22618]: E89CF4045C: to=<xxxx@xxxx.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.8/0/0.01/0.38, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9059140985)
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: E89CF4045C: removed
Mar 23 17:32:26 xxxx postfix/pickup[19414]: 99327458A0: uid=2000 from=<>
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: 99327458A0: message-id=<dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 99327458A0: from=<>, size=746, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx postfix/pipe[22680]: 9059140985: to=<xxxx@xxxx.pl>, relay=dovecot, delay=0.06, delays=0/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 9059140985: removed
Mar 23 17:32:27 xxxx postfix/smtpd[22673]: disconnect from unknown[106.67.91.18]
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: connect from localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: 0572A4045C: client=localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/cleanup[22611]: 0572A4045C: message-id=<dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: disconnect from localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 0572A4045C: from=<>, size=2039, nrcpt=1 (queue active)
Mar 23 17:32:27 xxxx postfix/smtp[22618]: 99327458A0: to=<Gutierrez5051@vivnederland.nl>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.42, delays=0.01/0/0.01/0.41, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0572A4045C)
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 99327458A0: removed
Mar 23 17:32:27 xxxx postfix/smtp[22653]: 0572A4045C: to=<Gutierrez5051@vivnederland.nl>, relay=srv1.flexfilter.nl[62.84.240.181]:25, delay=0.29, delays=0/0/0.17/0.12, dsn=5.0.0, status=bounced (host srv1.flexfilter.nl[62.84.240.181] said: 550 "Unknown User" (in reply to RCPT TO command))
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 0572A4045C: removed

6 (edited by Docent 2017-04-11 17:01:00)

Re: Problem with spam coming from servers without domain/unknown

This is a view of this log grouped into 4 separate messages that came with spam at the same time.

The spam mail in the 1st post came at that time from
Received: from [220.158.152.58] (unknown [106.67.91.18])

Mar 23 17:32:23 xxxx postfix/smtpd[22673]: connect from unknown[106.67.91.18]
Mar 23 17:32:24 xxxx postfix/smtpd[22673]: warning: 18.91.67.106.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=18.91.67.106.list.dsbl.org type=A: Host not found, try again
Mar 23 17:32:24 xxxx postfix/smtpd[22673]: E89CF4045C: client=unknown[106.67.91.18]
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: E89CF4045C: message-id=<20170323220222.5C6997883E673D@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: E89CF4045C: from=<Gutierrez5051@vivnederland.nl>, size=2000, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx postfix/smtp[22618]: E89CF4045C: to=<xxxx@xxxx.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.8/0/0.01/0.38, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9059140985)
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: E89CF4045C: removed
=============
Mar 23 17:32:26 xxxx postfix/pickup[19414]: 99327458A0: uid=2000 from=<>
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: 99327458A0: message-id=<dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 99327458A0: from=<>, size=746, nrcpt=1 (queue active)
Mar 23 17:32:27 xxxx postfix/smtp[22618]: 99327458A0: to=<Gutierrez5051@vivnederland.nl>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.42, delays=0.01/0/0.01/0.41, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0572A4045C)
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 99327458A0: removed
=============
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: connect from localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: 9059140985: client=localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/cleanup[22611]: 9059140985: message-id=<20170323220222.5C6997883E673D@vivnederland.nl>
Mar 23 17:32:26 xxxx postfix/smtpd[22652]: disconnect from localhost[127.0.0.1]
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 9059140985: from=<Gutierrez5051@vivnederland.nl>, size=2698, nrcpt=1 (queue active)
Mar 23 17:32:26 xxxx postfix/pipe[22680]: 9059140985: to=<xxxx@xxxx.pl>, relay=dovecot, delay=0.06, delays=0/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 23 17:32:26 xxxx postfix/qmgr[16846]: 9059140985: removed
Mar 23 17:32:27 xxxx postfix/smtpd[22673]: disconnect from unknown[106.67.91.18]
=============
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: connect from localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: 0572A4045C: client=localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/cleanup[22611]: 0572A4045C: message-id=<dovecot-sieve-1490286746-611965-0@xxxx.xxxx.pl>
Mar 23 17:32:27 xxxx postfix/smtpd[22652]: disconnect from localhost[127.0.0.1]
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 0572A4045C: from=<>, size=2039, nrcpt=1 (queue active)
Mar 23 17:32:27 xxxx postfix/smtp[22653]: 0572A4045C: to=<Gutierrez5051@vivnederland.nl>, relay=srv1.flexfilter.nl[62.84.240.181]:25, delay=0.29, delays=0/0/0.17/0.12, dsn=5.0.0, status=bounced (host srv1.flexfilter.nl[62.84.240.181] said: 550 "Unknown User" (in reply to RCPT TO command))
Mar 23 17:32:27 xxxx postfix/qmgr[16846]: 0572A4045C: removed

7

Re: Problem with spam coming from servers without domain/unknown

Docent wrote:

Received: from [220.158.152.58] (unknown [106.67.91.18])

This "unknown" means Postfix cannot get its DNS name by querying DNS. It's normal.

8 (edited by Docent 2017-04-22 15:41:53)

Re: Problem with spam coming from servers without domain/unknown

How can I block IPs without DNS that are sending mail to me?

9

Re: Problem with spam coming from servers without domain/unknown

You can try using "reject_unknown_reverse_client_hostname" in your main.cf file and see what happens.
It should do the trick.
False positives will be misconfigured email servers, and you can be sure that:
- other email servers will send notifications to it
- 99% of such email servers send spam

10

Re: Problem with spam coming from servers without domain/unknown

In which option and after which entry should I put it?

11

Re: Problem with spam coming from servers without domain/unknown

Find the line beginning with "smtpd_sender_restrictions =" and add "reject_unknown_reverse_client_hostname" to the list, or just "smtpd_sender_restrictions = reject_unknown_reverse_client_hostname" if it does not exist.

12

Re: Problem with spam coming from servers without domain/unknown

After one day I can add that it should be placed after all "allow" rules so as not to block users who are not using DSL lines, because some providers do not give users DNS names for their PCs, and they were blocked by the server.
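The placement rule from posts 9, 11 and 12 (add reject_unknown_reverse_client_hostname to smtpd_sender_restrictions, but after the permit rules), checked in code. This is an added example, not the thread's or Postfix's own tooling: Postfix evaluates a restriction list in order and stops at the first rule that matches with a permit or reject, so a reject placed before permit_mynetworks or permit_sasl_authenticated also hits trusted networks and authenticated users whose IPs have no PTR record. The functions parse the list as posted in the first post (comma-separated, trailing comma, duplicate entries), report what is wrong, and produce a corrected value; the function names and the assumption that items are comma-separated are this example's own.

```python
import re

# Rules that end evaluation with a permit when they match; anything placed
# after them never applies to the clients they cover.
PERMIT_RULES = ("permit_mynetworks", "permit_sasl_authenticated")
RDNS_RULE = "reject_unknown_reverse_client_hostname"

# The smtpd_sender_restrictions value posted in the first message of this thread.
THREAD_SENDER_RESTRICTIONS = (
    "permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, "
    "reject_unauth_destination, reject_unknown_sender_domain, reject_non_fqdn_sender, "
    "reject_sender_login_mismatch, reject_unauth_pipelining, reject_unknown_sender_domain,"
)


def parse_restrictions(value):
    """Split a comma-separated Postfix restriction list into its items (trailing comma tolerated).

    Assumption: items are separated by commas, as in this thread; an item with an
    argument such as 'check_helo_access pcre:/etc/postfix/helo_access.pcre' stays whole.
    """
    return [item.strip() for item in value.split(",") if item.strip()]


def rule_name(item):
    """The rule name is the first word of an item; arguments follow after whitespace."""
    return item.split()[0]


def check_restriction_order(value):
    """Findings about the rDNS rule; an empty list means it is present, after every permit, no duplicates."""
    items = parse_restrictions(value)
    names = [rule_name(i) for i in items]
    findings = []
    if RDNS_RULE not in names:
        findings.append(f"{RDNS_RULE} is not in the list")
    else:
        pos = names.index(RDNS_RULE)
        for rule in PERMIT_RULES:
            if rule in names and names.index(rule) > pos:
                findings.append(
                    f"{RDNS_RULE} comes before {rule}: clients matched by {rule} "
                    f"that lack reverse DNS would be rejected"
                )
    seen = set()
    for item in items:
        if item in seen and f"duplicate entry: {item}" not in findings:
            findings.append(f"duplicate entry: {item}")
        seen.add(item)
    return findings


def insert_after_permits(value):
    """Corrected list: duplicates dropped, the rDNS rule placed right after the last permit rule."""
    items = []
    for item in parse_restrictions(value):
        if rule_name(item) != RDNS_RULE and item not in items:
            items.append(item)
    names = [rule_name(i) for i in items]
    last_permit = max((names.index(r) for r in PERMIT_RULES if r in names), default=-1)
    items.insert(last_permit + 1, RDNS_RULE)
    return ", ".join(items)


if __name__ == "__main__":
    for finding in check_restriction_order(THREAD_SENDER_RESTRICTIONS):
        print("finding:", finding)
    fixed = insert_after_permits(THREAD_SENDER_RESTRICTIONS)
    print("smtpd_sender_restrictions =", fixed)
    print("re-check:", check_restriction_order(fixed) or "ok")
```

The corrected value can be written with postconf -e "smtpd_sender_restrictions = ..." followed by postfix reload; the re-check on the produced line returns no findings, while the original value is reported as missing the rule and as listing reject_sender_login_mismatch and reject_unknown_sender_domain twice.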