1

Topic: iRedAPD blacklist - how to block username with wildcard domain

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MARIADB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? - No, I use iRedAdmin and Linux cli.
====

Hi all,

I'm trying to fight some annoying spammers. They send me emails that pass all the greylisting, SPF, and DKIM checks (I have all of this enabled as in the official iRedMail installation docs). The content of the messages looks pretty relevant and differs every time, so there is no chance to teach any spam filter to recognise these messages as spam. They change their domain names, IPs, and providers every time, but I noticed that most of the time they use the same usernames in sender addresses. The iRedMail documentation clearly states I can block a user, a domain, an IP, a domain and all its subdomains, and all senders.

My question is how to blacklist sender address using wildcard domains like this: "senders@*"? Or even better: "senders@*.com"? They use "senders@*dynamic*domain*name*" and "bounce@*dynamic*domain*name*". I don't expect emails from "senders" and "bounce" users of any domain name.

Are there any other ways to fight these annoying guys?

An example of headers:

Return-Path: <senders@***SPAMMERS*DOMAIN***>
Delivered-To: ***my*email***
Received: from ***my*mail*server*** (***my*mail*server*** [127.0.0.1])
    by ***my*mail*server*** (Postfix) with ESMTP id 1C******7A
    for <***my*email***>; Wed, 19 Sep 2018 **:**:** +**00 (***)
X-Virus-Scanned: amavisd-new at ***my*mail*server***
Authentication-Results: ***my*mail*server*** (amavisd-new); dkim=pass (1024-bit key)
    header.d=***SPAMMERS*DOMAIN***; domainkeys=pass (1024-bit key)
    header.from=senders@***SPAMMERS*DOMAIN*** header.d=***SPAMMERS*DOMAIN***
Received: from ***my*mail*server*** ([127.0.0.1])
    by ***my*mail*server*** (***my*mail*server*** [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id iL******G1 for <***my*email***>;
    Wed, 19 Sep 2018 **:**:** +**00 (***)
Received: from ***SPAMMERS*DOMAIN*** (***SPAMMERS*DOMAIN*** [XX.XX.XX.XX])
    by ***my*mail*server*** (Postfix) with ESMTP id BE******29
    for <***my*email***>; Wed, 19 Sep 2018 **:**:** +**00 (***)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=***SPAMMERS*DOMAIN***;
h=Message-ID:Reply-To:From:To:Subject:Date:MIME-Version:Content-Type; i=senders@***SPAMMERS*DOMAIN***;
bh=CMZI**********************Z8c=;
b=mDzc*******************************************************************fE4RV
   5yix*******************************************************************PBT3a
   qSy+**************************aZBU=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=***SPAMMERS*DOMAIN***;
b=BwAg*******************************************************************Sd0/8
   IUH8*******************************************************************qqn3s
   xSVu**************************26Cg=;
Message-ID: <87****************************b8@***SPAMMERS*DOMAIN***>
Reply-To: =?windows-1251?B.......w==?= <bounce@***SPAMMERS*DOMAIN***>
From: =?windows-1251?B.......w==?= <senders@***SPAMMERS*DOMAIN***>
To: <***my*email***>
Subject: =?windows-1251?B?8e******************4A==?=
Date: Thu, 20 Sep 2018 **:**:** +**00
Organization: =?windows-1251?B?.../?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="8a78************************7657"

--8a78*************************7657
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

***the*rest*of*the*message*here***

Thanks for any help.


2

Re: iRedAPD blacklist - how to block username with wildcard domain

You could try to set
smtpd_sender_restrictions = ...
and add/modify the contents of
check_sender_access pcre:/etc/postfix/sender_access.pcre

See http://postfix.cs.utah.edu/postconf.5.h … strictions
and
http://postfix.cs.utah.edu/access.5.html

user@    Matches all mail addresses with the specified user part.
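
Added example (not part of the original posts, and not Postfix or iRedAPD code): a small Python check that reads a table in the pcre_table syntax used by the sender_access.pcre file suggested above and reports which envelope senders it would match, so the patterns can be tried before they are deployed. The table contents and sample addresses are constructed, and Python's re module stands in for PCRE, which behaves the same for patterns this simple.

```python
import re

# Constructed table in Postfix pcre_table(5) syntax: /pattern/flags action
SENDER_ACCESS_PCRE = r"""
# equivalent of "bounce@*": this local part at any domain
/^bounce@/               REJECT unwanted sender
# equivalent of "senders@*.com": this local part, only under .com
/^senders@.*\.com$/      REJECT unwanted .com sender
"""

RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")


def load_rules(text):
    """Parse table text into (compiled_regex, action) pairs, in file order.

    Simplification: only plain "/pattern/flags action" lines are handled.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        # pcre_table matches case-insensitively by default; "i" toggles it off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags), m.group("action")))
    return rules


def lookup(rules, envelope_sender):
    """Return the action of the first matching rule, or None if none match."""
    for regex, action in rules:
        if regex.search(envelope_sender):
            return action
    return None


RULES = load_rules(SENDER_ACCESS_PCRE)

# Constructed envelope senders (MAIL FROM), not header From/Reply-To values.
SAMPLES = ["bounce@spam-one.example", "Bounce@other.example",
           "senders@mail.example.com", "senders@mail.example.net",
           "newsenders@shop.example.com", "alice@example.org"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print("%-30s -> %s" % (sender, lookup(RULES, sender) or "no match"))
```

check_sender_access is evaluated against the envelope sender (MAIL FROM), so a local part that appears only in the From or Reply-To header is not covered by such a table.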

3

Re: iRedAPD blacklist - how to block username with wildcard domain

Try this:

cd /opt/iredapd/tools/
python wblist_admin.py --add --blacklist 'senders@*'

Replace 'senders@' by the real username part of spammers you want to blacklist.