1

Topic: mailserver missed a spam, what should we do?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version:  Linux 4.2.6-1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi Zhang,

I received a spam, something like this:

Dear Account User:  ouremail@our-domain.com,

Your  ouremail@our-domain.com, has been BLACKLISTED under the Mail Network Service due to Subsequent Verification failure on your Account.



We recommend that you Update and Verify your Account below to avoid suspension:

Verify Your Email Account Now

Ignoring this message will cause your Email account to be terminated without your permission.



Account Settings for: ouremail@our-domain.com

Thank You.

Notification | Copyright © 2018

the email header:

Received: from efilter.ctgtel.net (efilter.ctgtel.net [103.25.81.2])
    by ldap.our-domain.com (Postfix) with ESMTPS id EF7C0A160100
    for <ouremail@our-domain.com>; Thu,  8 Mar 2018 07:04:59 +0800 (HKT)
Received: from ldap.our-domain.com ([127.0.0.1])
    by smtp.our-domain.com (smtp.our-domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id nUPXZKEJ0ZfR for <bccOurEmail@our-domain.com>;
    Thu,  8 Mar 2018 07:05:00 +0800 (HKT)
Received: from [192.168.0.101] by mail.ctgtel.net (MDaemon PRO v10.1.0)
    with ESMTP id md50000086740.msg
    for <ouremail@our-domain.com>; Wed, 07 Mar 2018 17:20:18 +0600
Received: from mail.ctgtel.net (mail.ctgtel.net [103.25.81.4])
    by efilter.ctgtel.net (Postfix) with ESMTP id B900324987
    for <ouremail@our-domain.com>; Wed,  7 Mar 2018 17:20:20 +0600 (+06)
Received: from smtp.our-domain.com (localhost [127.0.0.1])
    by ldap.our-domain.com (Postfix) with ESMTP id EA01DA160520
    for <bccouremail@our-domain.com>; Thu,  8 Mar 2018 07:05:04 +0800 (HKT)
Return-Path: <hakim@ctgtel.net>
From: "Email Notification" <hakim@ctgtel.net>
To: <ouremail@our-domain.com>
Subject: Verification failures for ouremail@our-domain.com
Date: Wed, 7 Mar 2018 19:20:14 +0800
Message-ID: <20180307230504.EA01DA160520@ldap.our-domain.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_13C5_01D3BA2B.69A41F40"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKwj2anTe91KvNlqKlNtmbyy0ePxw==

We found out that the spam came from efilter.ctgtel.net [103.25.81.2], and this domain is registered in DNS.
The mail log is as follows:

Mar  8 07:04:58 ct-openldap postfix/smtpd[19637]: connect from efilter.ctgtel.net[103.25.81.2]
Mar  8 07:04:58 ct-openldap postfix/smtpd[19637]: Anonymous TLS connection established from efilter.ctgtel.net[103.25.81.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  8 07:04:59 ct-openldap postfix/smtpd[19637]: EF7C0A160100: client=efilter.ctgtel.net[103.25.81.2]
Mar  8 07:05:00 ct-openldap postfix/cleanup[19939]: EF7C0A160100: message-id=<>
Mar  8 07:05:00 ct-openldap postfix/qmgr[21350]: EF7C0A160100: from=<hakim@ctgtel.net>, size=63919, nrcpt=3 (queue active)
Mar  8 07:05:00 ct-openldap postfix/smtpd[19637]: disconnect from efilter.ctgtel.net[103.25.81.2]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19960]: connect from localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19960]: D395CA160106: client=localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/cleanup[19939]: D395CA160106: message-id=<20180307230504.D395CA160106@ldap.our-domain.com>
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19961]: connect from localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19960]: disconnect from localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/qmgr[21350]: D395CA160106: from=<hakim@ctgtel.net>, size=64777, nrcpt=1 (queue active)
Mar  8 07:05:04 ct-openldap amavis[18413]: (18413-07) Passed CLEAN {RelayedInbound}, [103.25.81.2]:54744 [103.25.81.4] <hakim@ctgtel.net> -> <ouremail@our-domain.com>, Queue-ID: EF7C0A160100, mail_id: G7Ou99rda94H, Hits: 2.478, size: 63919, queued_as: D395CA160106, 4593 ms, Tests: [BAYES_00=-1.9,HTML_MESSAGE=0.001,MISSING_MID=0.497,TO_IN_SUBJ=0.099,TVD_PH_BODY_ACCOUNTS_PRE=0.001,URIBL_BLOCKED=0.001,URIBL_PH_SURBL=0.28,URI_WP_HACKED=3.499]
Mar  8 07:05:04 ct-openldap postfix/10025/smtpd[19961]: D5DCAA160500: client=localhost[127.0.0.1]
Mar  8 07:05:04 ct-openldap postfix/cleanup[19939]: D5DCAA160500: message-id=<20180307230504.D5DCAA160500@ldap.our-domain.com>
Mar  8 07:05:04 ct-openldap postfix/smtp-amavis/smtp[19940]: EF7C0A160100: to=<ouremail@our-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.8, delays=1.2/0/0/4.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D395CA160106)


The spam server efilter.ctgtel.net [103.25.81.2] is genuine, and I found out through MXToolbox:

Pref  Hostname             IP Address      ASN                                      TTL
1     spamwall.ctgtel.net  216.55.102.53   Level 3 Communications, Inc. (AS3356)    24 hrs
10    spamwall.ctgtel.net  216.55.102.53   Level 3 Communications, Inc. (AS3356)    24 hrs
20    rnd.ctgtel.net       103.25.81.25    Progressive Tower (1st Floor) (AS58912)  24 hrs

Zhang,

  How could we stop this kind of spam email whose server is well registered?

P.S. I hid our domain and the intended email recipient as ouremail@our-domain.com.

Thanks,
Napoleon


2

Re: mailserver missed a spam, what should we do?

You can blacklist its domain name, reverse domain name, and probably server IP addresses.

3

Re: mailserver missed a spam, what should we do?

ZhangHuangbin wrote:

You can blacklist its domain name, reverse domain name, and probably server IP addresses.

It uses our domain; this is a forged email. I could only block the IP.

4

Re: mailserver missed a spam, what should we do?

You can also try to block it based on HELO hostname, reverse DNS name, or other information in mail header.
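An added triage example for this thread (it is not iRedMail's own code and not something any poster wrote): it parses the Postfix smtpd/qmgr and amavisd-new log lines quoted in the first post, joins them on the Postfix queue ID, shows how far below the blocking threshold the message scored and which SpamAssassin tests decided that, and then turns the client IP, reverse DNS name and envelope sender domain into candidate Postfix access-map entries of the kind the replies suggest. The log lines are copied from the thread; the threshold (amavisd-new's default $sa_kill_level_deflt of 6.31, so check the value in your own amavisd.conf) and the map layout are assumptions of this example.

```python
import re

# Log lines quoted in the first post of this thread (Postfix smtpd/qmgr and amavisd-new).
SAMPLE_LOG = """\
Mar  8 07:04:58 ct-openldap postfix/smtpd[19637]: connect from efilter.ctgtel.net[103.25.81.2]
Mar  8 07:04:59 ct-openldap postfix/smtpd[19637]: EF7C0A160100: client=efilter.ctgtel.net[103.25.81.2]
Mar  8 07:05:00 ct-openldap postfix/qmgr[21350]: EF7C0A160100: from=<hakim@ctgtel.net>, size=63919, nrcpt=3 (queue active)
Mar  8 07:05:04 ct-openldap amavis[18413]: (18413-07) Passed CLEAN {RelayedInbound}, [103.25.81.2]:54744 [103.25.81.4] <hakim@ctgtel.net> -> <ouremail@our-domain.com>, Queue-ID: EF7C0A160100, mail_id: G7Ou99rda94H, Hits: 2.478, size: 63919, queued_as: D395CA160106, 4593 ms, Tests: [BAYES_00=-1.9,HTML_MESSAGE=0.001,MISSING_MID=0.497,TO_IN_SUBJ=0.099,TVD_PH_BODY_ACCOUNTS_PRE=0.001,URIBL_BLOCKED=0.001,URIBL_PH_SURBL=0.28,URI_WP_HACKED=3.499]
"""

# Assumed: amavisd-new's default $sa_kill_level_deflt. Read the real value from amavisd.conf.
SA_KILL_LEVEL = 6.31

# Connecting client (reverse DNS name + IP) that the queue ID belongs to.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
# Envelope sender as seen by the queue manager.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
# amavisd-new verdict, SpamAssassin score and the individual tests behind it.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<ccat>\S+) .*?"
    r"Queue-ID: (?P<qid>[0-9A-F]+),.*? Hits: (?P<hits>-?[\d.]+), .*?Tests: \[(?P<tests>[^\]]*)\]")


def parse_tests(tests):
    """'NAME=score,NAME=score' -> {NAME: float}."""
    scores = {}
    for item in tests.split(","):
        if "=" in item:
            name, score = item.split("=", 1)
            scores[name.strip()] = float(score)
    return scores


def correlate(log):
    """Join smtpd, qmgr and amavis lines on the Postfix queue ID."""
    messages = {}
    for line in log.splitlines():
        for rx in (CLIENT_RE, FROM_RE, AMAVIS_RE):
            m = rx.search(line)
            if m:
                fields = m.groupdict()
                qid = fields.pop("qid")
                messages.setdefault(qid, {}).update(fields)
    for rec in messages.values():
        if "hits" in rec:
            rec["hits"] = float(rec["hits"])
            rec["tests"] = parse_tests(rec["tests"])
    return messages


def margin_to_block(rec):
    """Points the message stayed below the kill threshold (positive = it was delivered)."""
    return round(SA_KILL_LEVEL - rec["hits"], 3)


def decisive_tests(rec, top=3):
    """Tests ranked by absolute contribution: what lifted and what lowered the score."""
    return sorted(rec["tests"].items(), key=lambda kv: abs(kv[1]), reverse=True)[:top]


def access_map_entries(rec):
    """Candidate Postfix access-map lines for the blocking keys discussed in the thread.
    A hash: table behind check_client_access matches the client IP as well as its
    reverse DNS name (and parent domains); check_sender_access matches the envelope
    sender domain. They are suggestions for a human to review before running postmap."""
    sender_domain = rec["sender"].rsplit("@", 1)[-1]
    return {
        "check_client_access": [f"{rec['ip']}\tREJECT", f"{rec['rdns']}\tREJECT"],
        "check_sender_access": [f"{sender_domain}\tREJECT"],
    }


if __name__ == "__main__":
    for qid, rec in correlate(SAMPLE_LOG).items():
        print(qid, rec["verdict"], rec["ccat"], "hits", rec["hits"],
              "margin to block", margin_to_block(rec))
        print("  decisive tests:", decisive_tests(rec))
        for table, lines in access_map_entries(rec).items():
            print(f"  {table}:")
            for entry in lines:
                print("    " + entry)
```

Two things the output makes visible that the raw log does not: URI_WP_HACKED alone contributed 3.499 points, but BAYES_00 subtracted 1.9 because the local Bayes database classified the message as ham, which is why it passed with a margin of 3.832 points; and the quoted log lines never record the HELO name, so the example cannot produce a check_helo_access entry (it has only the IP, the reverse DNS name and the sender domain to work with). Note that a check_sender_access entry for ctgtel.net rejects all mail with that envelope sender domain, not just this campaign, so weigh it against the IP and reverse-DNS entries before applying anything.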