1

Topic: Iredapd outbound limits bypassed

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

as you know, sometimes an email account is stolen and used to send spam. So we have set up a limit of 24 emails per day via iRedAPD and the throttle plugin. All works fine, but today we found a spammer that was able to bypass the limit and send more than 5000 emails in a few hours. Here are the logs:

From Postfix SMTP Auth:

Dec  6 02:14:59 smtp postfix/smtps/smtpd[26965]: 439HhM4mx1z4xGP: client=ec2-54-232-242-3.sa-east-1.compute.amazonaws.com[54.232.242.3], sasl_method=LOGIN, sasl_username=serve@ammsegurancas35.net
Dec  6 02:15:00 smtp postfix/cleanup[9137]: 439HhM4mx1z4xGP: warning: header Subject: |-Central de Aviso.        PROTOCOLO: 03252358/9663-65 from ec2-54-232-242-3.sa-east-1.compute.amazonaws.com[54.232.242.3]; from=<#central.bb.4873@ammsegurancas35.net> to=<adrianolfreitas@hotmail.com> proto=ESMTP helo=<WIN-QUJ6M3E7EJ1>
Dec  6 02:15:00 smtp postfix/cleanup[9137]: 439HhM4mx1z4xGP: message-id=<065420181214013086422E4B$359FD7304D@WINQUJMEEJ>
Dec  6 02:15:03 smtp opendkim[700]: 439HhM4mx1z4xGP: DKIM-Signature field added (s=qbm1812058745, d=ammsegurancas35.net)
Dec  6 02:15:03 smtp postfix/qmgr[5870]: 439HhM4mx1z4xGP: from=<#central.bb.4873@ammsegurancas35.net>, size=534647, nrcpt=1 (queue active)
Dec  6 02:15:06 smtp postfix/smtp[26978]: 439HhM4mx1z4xGP: to=<adrianolfreitas@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[104.47.33.33]:25, delay=8.3, delays=5.3/0/0.71/2.3, dsn=2.6.0, status=sent (250 2.6.0 <065420181214013086422E4B$359FD7304D@WINQUJMEEJ> [InternalId=26959509736995, Hostname=BN3NAM01HT089.eop-nam01.prod.protection.outlook.com] 541638 bytes in 1.038, 509.165 KB/sec Queued mail for delivery -> 250 2.1.5)
Dec  6 02:15:06 smtp postfix/qmgr[5870]: 439HhM4mx1z4xGP: removed

From Iredapd logs:

2018-12-06 02:14:59 INFO 54.232.242.3 RCPT, serve@ammsegurancas35.net => #central.bb.4873@ammsegurancas35.net -> adrianolfreitas@hotmail.com, REJECT Quota exceeded (number of mails in total) [0.0036s]
2018-12-06 02:15:04 INFO 54.232.242.3 END-OF-MESSAGE, serve@ammsegurancas35.net => #central.bb.4873@ammsegurancas35.net -> adrianolfreitas@hotmail.com, DUNNO [0.9702s]

iRedAPD understands that the limit for the account has been exceeded, but Postfix does not reject/deny the user.

How is that possible? Could it be because the spammers open one SMTP session and always use the same one to send all the emails?

Our iRedAPD version is 2.0.

Thanks


2

Re: Iredapd outbound limits bypassed

Unfortunately, iRedAPD-2.0 has a bug: it doesn't treat an address starting with '#' (e.g. '#user@domain.com') as a valid email address, so the check is bypassed.

iRedAPD-2.1 (and later releases) fixed this issue, so please upgrade.

==== UPDATE ====

Here's a patch for iRedAPD-2.0 to fix it if you don't want to upgrade right now:
https://bitbucket.org/zhb/iredapd/commi … bdbb4f5b01
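The failure mode described in this reply, as an added illustration that is not iRedAPD's own code and not the linked patch: a throttle that validates the sender address with a pattern that omits '#' (which RFC 5322 permits in the local part) and then fails open, i.e. returns DUNNO for any address it cannot parse, never counts that sender at all. The regular expressions, the `OutboundThrottle` class and the `fail_open` switch are constructed for this example; the sender addresses are the ones from the logs in the first post.

```python
import re
from collections import defaultdict

# Simplified address patterns, constructed for this example (not iRedAPD's own).
# RFC 5322 allows '#' in the local part, so NARROW_EMAIL is the defect:
# '#central.bb.4873@ammsegurancas35.net' does not match it at all.
NARROW_EMAIL = re.compile(r"^[a-z0-9._=+-]+@[a-z0-9.-]+\.[a-z]{2,}$", re.I)
FIXED_EMAIL = re.compile(r"^[a-z0-9._=+#-]+@[a-z0-9.-]+\.[a-z]{2,}$", re.I)

SENDER_WITH_HASH = "#central.bb.4873@ammsegurancas35.net"   # MAIL FROM in the logs
SENDER_PLAIN = "serve@ammsegurancas35.net"                  # SASL username in the logs


class OutboundThrottle:
    """Per-sender daily counter with an upper limit (hypothetical model).

    fail_open=True mimics a plugin that returns DUNNO for any sender address
    it cannot parse, so such senders are never counted (the bypass).
    fail_open=False rejects unparsable senders instead (fail closed).
    """

    def __init__(self, daily_limit, address_re, fail_open=True):
        self.daily_limit = daily_limit
        self.address_re = address_re
        self.fail_open = fail_open
        self.counts = defaultdict(int)

    def check(self, mail_from):
        if not self.address_re.match(mail_from):
            # The address never reaches the counter; with fail_open this is
            # exactly how a malformed-looking sender escapes the limit.
            return "DUNNO" if self.fail_open else "REJECT Invalid sender address"
        if self.counts[mail_from] >= self.daily_limit:
            return "REJECT Quota exceeded (number of mails in total)"
        self.counts[mail_from] += 1
        return "DUNNO"


def simulate(address_re, sender, attempts, daily_limit=24, fail_open=True):
    """Run `attempts` messages from `sender` through one throttle instance.

    Returns (accepted, rejected) counts so the effect of the pattern and of
    the fail-open choice can be compared directly.
    """
    throttle = OutboundThrottle(daily_limit, address_re, fail_open)
    decisions = [throttle.check(sender) for _ in range(attempts)]
    accepted = sum(1 for d in decisions if d == "DUNNO")
    return accepted, len(decisions) - accepted


if __name__ == "__main__":
    # Buggy pattern, fail open: all 30 messages pass, the limit of 24 is never hit.
    print("narrow, fail-open:", simulate(NARROW_EMAIL, SENDER_WITH_HASH, 30))
    # Fixed pattern: 24 accepted, the remaining 6 rejected.
    print("fixed:", simulate(FIXED_EMAIL, SENDER_WITH_HASH, 30))
    # Buggy pattern but fail closed: the bypass becomes a visible rejection.
    print("narrow, fail-closed:", simulate(NARROW_EMAIL, SENDER_WITH_HASH, 30, fail_open=False))
    # A plain address is throttled correctly by both patterns.
    print("plain sender:", simulate(NARROW_EMAIL, SENDER_PLAIN, 30))
```

The comparison shows why widening the pattern is the fix, and why a throttle should treat "I cannot parse this sender" as a reason to reject or at least count, not to skip: with fail-open, the REJECT you expect never appears in the log for that sender, so the only trace of the bypass is the volume in the Postfix logs.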

3

Re: Iredapd outbound limits bypassed

Thanks Zhang,

in the meantime I have applied the patch; in the next few days I will update to iRedAPD-2.1.