
Topic: A log of junk mail sent into the mail server; how to block it.

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  0.9.2
- Deployed with iRedMail Easy or the downloadable installer?  downloadable installer
- Linux/BSD distribution name and version: CentOS release 6.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql  Ver 14.14 Distrib 5.1.73,
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?   iRedAdmin
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


Our users forward email to Google for backup purposes. Recently our mail server received a lot of spam, so the spam was forwarded to Google. After that, our mail server is now blocked by Google.

How do I block the spam on Amavisd, Postfix or iRedMail?
The spam domain names are XXX.icu, XXX.ic and XXX.ru, but I worry about mis-blocking if I force-block XXX.icu, XXX.ic and XXX.ru in Postfix [ check_sender_access pcre:/etc/postfix/reject_domains ].




[root@svr log]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
29E9C5C00CA     5993 Tue Jan  8 16:48:12  nitid@preynne.icu
(host alt1.gmail-smtp-in.l.google.com[64.233.168.26] said: 421-4.7.0 [202.181.178.189      15] Our system has detected that this message is 421-4.7.0 suspicious due to the very low reputation of the sending domain. To 421-4.7.0 best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0  https://support.google.com/mail/answer/188131 for more information. p81si14516247oia.75 - gsmtp (in reply to end of DATA command))
                                         user@gmail.com

B245B5C00C9     5163 Tue Jan  8 16:47:17  nitid@preynne.icu
(host alt1.gmail-smtp-in.l.google.com[64.233.168.26] said: 421-4.7.0 [202.181.178.189      15] Our system has detected that this message is 421-4.7.0 suspicious due to the very low reputation of the sending domain. To 421-4.7.0 best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0  https://support.google.com/mail/answer/188131 for more information. p10si548788otl.267 - gsmtp (in reply to end of DATA command))
                                         user@gmail.com

C83D55C00C6     5992 Tue Jan  8 16:45:11  vinie@preynne.icu
(host alt1.gmail-smtp-in.l.google.com[64.233.168.27] said: 421-4.7.0 [202.181.178.189      15] Our system has detected that this message is 421-4.7.0 suspicious due to the very low reputation of the sending domain. To 421-4.7.0 best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0  https://support.google.com/mail/answer/188131 for more information. l13si30398808otf.147 - gsmtp (in reply to end of DATA command))
                                         user@gmail.com

877495C00C7     8874 Tue Jan  8 17:42:58  pulse@homylie.icu
(host alt1.gmail-smtp-in.l.google.com[64.233.169.27] said: 421-4.7.0 [202.181.178.189      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0  https://support.google.com/mail/?p=Unso … LimitError to 421 4.7.0 review our Bulk Email Senders Guidelines. y203si22939945oiy.164 - gsmtp (in reply to end of DATA command))
                                         user@gmail.com

D0EA55C00C4     8641 Tue Jan  8 17:39:41  yquem@homylie.icu
(host alt1.gmail-smtp-in.l.google.com[64.233.169.26] said: 421-4.7.0 [202.181.178.189      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0  https://support.google.com/mail/?p=Unso … LimitError to 421 4.7.0 review our Bulk Email Senders Guidelines. t202si24843192oih.223 - gsmtp (in reply to end of DATA command))
                                         user@gmail.com

1E9EA5C00CC     7620 Tue Jan  8 17:41:39  yquem@homylie.icu
(host alt1.gmail-smtp-in.l.google.com[64.233.169.26] said: 421-4.7.0 [202.181.178.189      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0  https://support.google.com/mail/?p=Unso … LimitError to 421 4.7.0 review our Bulk Email Senders Guidelines. 94si36150554oto.184 - gsmtp (in reply to end of DATA command))
                                        user@gmail.com




[root@svr log]# cat /var/log/maillog | grep nitid@preynne.icu
Jan  8 16:47:16 mail postfix/qmgr[7552]: C20735C00BC: from=<nitid@preynne.icu>, size=4088, nrcpt=2 (queue active)
Jan  8 16:47:17 mail postfix/qmgr[7552]: C053C5C00CA: from=<nitid@preynne.icu>, size=5165, nrcpt=1 (queue active)
Jan  8 16:47:17 mail postfix/qmgr[7552]: B245B5C00C9: from=<nitid@preynne.icu>, size=5163, nrcpt=1 (queue active)
Jan  8 16:47:17 mail amavis[8664]: (08664-16) Passed CLEAN {RelayedInbound}, [37.44.228.26]:47675 [37.44.228.26] <nitid@preynne.icu> -> <user@gmail.com>, Queue-ID: C20735C00BC, Message-ID: <a5mXnsmMx7OEM0q58q37j_Fj6CFuarQ_-SuedNVjFFs.BcUlZfvnbV4bZYWBxRABeU5jk5LBBrmjPgKhQb_3CyA@preynne.icu>, mail_id: 7IJ-oPMrRrhi, Hits: 3.198, size: 4080, queued_as: B245B5C00C9, dkim_sd=mta:preynne.icu, 1612 ms
Jan  8 16:47:17 mail amavis[9333]: (09333-07) Passed CLEAN {RelayedInbound}, [37.44.228.26]:47675 [37.44.228.26] <nitid@preynne.icu> -> <USER@DOMAIN.com>, Queue-ID: C20735C00BC, Message-ID: <a5mXnsmMx7OEM0q58q37j_Fj6CFuarQ_-SuedNVjFFs.BcUlZfvnbV4bZYWBxRABeU5jk5LBBrmjPgKhQb_3CyA@preynne.icu>, mail_id: p0vHc8-Tt3S2, Hits: 3.198, size: 4080, queued_as: C053C5C00CA, dkim_sd=mta:preynne.icu, 1646 ms
Jan  8 16:48:08 mail postfix/qmgr[7552]: 732B95C00CB: from=<nitid@preynne.icu>, size=4251, nrcpt=1 (queue active)
Jan  8 16:48:10 mail postfix/qmgr[7552]: 5E95A5C00CA: from=<nitid@preynne.icu>, size=5318, nrcpt=1 (queue active)
Jan  8 16:48:10 mail amavis[9333]: (09333-08) Passed CLEAN {RelayedInbound}, [37.44.228.26]:46735 [37.44.228.26] <nitid@preynne.icu> -> <johnchu@lision.com.hk>, Queue-ID: 732B95C00CB, Message-ID: <IubjQ0LD1gk1zCy-0IXSyjB98BJbR3r4XHDllDwwP0c.-fVQwyp4oJS0suWakYUsGJCkzPxmgWCmfQkDIIf5SDo@preynne.icu>, mail_id: jcBhs87o2gqT, Hits: 3.198, size: 4243, queued_as: 5E95A5C00CA, dkim_sd=mta:preynne.icu, 1550 ms
Jan  8 16:48:10 mail postfix/pickup[5177]: 7A9895C00CB: uid=2000 from=<nitid@preynne.icu>
Jan  8 16:48:10 mail postfix/qmgr[7552]: 7A9895C00CB: from=<nitid@preynne.icu>, size=5550, nrcpt=1 (queue active)
Jan  8 16:48:12 mail postfix/qmgr[7552]: 29E9C5C00CA: from=<nitid@preynne.icu>, size=5993, nrcpt=1 (queue active)
Jan  8 16:48:12 mail amavis[8664]: (08664-17) Passed CLEAN {RelayedInbound}, [127.0.0.1] [37.44.228.26] <nitid@preynne.icu> -> <lisionhongltd@gmail.com>, Message-ID: <IubjQ0LD1gk1zCy-0IXSyjB98BJbR3r4XHDllDwwP0c.-fVQwyp4oJS0suWakYUsGJCkzPxmgWCmfQkDIIf5SDo@preynne.icu>, mail_id: aGYsSAm-6JX3, Hits: 3.199, size: 5542, queued_as: 29E9C5C00CA, dkim_sd=mta:preynne.icu, 1682 ms
Jan  8 16:48:24 mail postfix/qmgr[7552]: F24395C00CC: from=<nitid@preynne.icu>, size=4023, nrcpt=1 (queue active)
Jan  8 16:48:25 mail postfix/qmgr[7552]: DBCCE5C00D1: from=<nitid@preynne.icu>, size=5078, nrcpt=1 (queue active)
Jan  8 16:48:25 mail amavis[8885]: (08885-16) Passed CLEAN {RelayedInbound}, [37.44.228.26]:41454 [37.44.228.26] <nitid@preynne.icu> -> <sc@camieliu.com>, Queue-ID: F24395C00CC, Message-ID: <_RapTKeLIiKgGgQQBtB3RlVgHdpa8UPvqPTcQ0rQq64.5DmwmbJFQHq1P3ntXKwXbg@preynne.icu>, mail_id: gQPIEJdnDe1I, Hits: 3.198, size: 4015, queued_as: DBCCE5C00D1, dkim_sd=mta:preynne.icu, 1609 ms
Jan  8 16:48:41 mail postfix/qmgr[7552]: DCE795C00CC: from=<nitid@preynne.icu>, size=4237, nrcpt=1 (queue active)
Jan  8 16:48:42 mail postfix/qmgr[7552]: D36125C00CD: from=<nitid@preynne.icu>, size=5302, nrcpt=1 (queue active)
Jan  8 16:48:42 mail amavis[8615]: (08615-18) Passed CLEAN {RelayedInbound}, [37.44.228.26]:55985 [37.44.228.26] <nitid@preynne.icu> -> <newton@newton.com.hk>, Queue-ID: DCE795C00CC, Message-ID: <QoEkm7BesqEmklBUoXe_mbrOzCzDgfvdJa2fM_n6sDA.3JSqPxTDTgZb-S8x0w0s68xdYGUMfhoobjpEONb5uCI@preynne.icu>, mail_id: IcjOwn542hvF, Hits: 3.198, size: 4229, queued_as: D36125C00CD, dkim_sd=mta:preynne.icu, 1673 ms
Jan  8 16:54:49 mail postfix/qmgr[7552]: 29E9C5C00CA: from=<nitid@preynne.icu>, size=5993, nrcpt=1 (queue active)
Jan  8 16:54:49 mail postfix/qmgr[7552]: B245B5C00C9: from=<nitid@preynne.icu>, size=5163, nrcpt=1 (queue active)
Jan  8 17:04:49 mail postfix/qmgr[7552]: 29E9C5C00CA: from=<nitid@preynne.icu>, size=5993, nrcpt=1 (queue active)
Jan  8 17:04:49 mail postfix/qmgr[7552]: B245B5C00C9: from=<nitid@preynne.icu>, size=5163, nrcpt=1 (queue active)
Jan  8 17:24:49 mail postfix/qmgr[7552]: 29E9C5C00CA: from=<nitid@preynne.icu>, size=5993, nrcpt=1 (queue active)
Jan  8 17:24:49 mail postfix/qmgr[7552]: B245B5C00C9: from=<nitid@preynne.icu>, size=5163, nrcpt=1 (queue active)



[root@svr log]# cat /var/log/maillog | grep yquem@homylie.icu
Jan  8 17:41:37 mail postfix/qmgr[7552]: 25DED5C00C7: from=<yquem@homylie.icu>, size=6963, nrcpt=2 (queue active)
Jan  8 17:41:39 mail postfix/qmgr[7552]: 0B3F25C00CB: from=<yquem@homylie.icu>, size=7622, nrcpt=1 (queue active)
Jan  8 17:41:39 mail amavis[13728]: (13728-16) Passed CLEAN {RelayedInbound}, [37.44.228.27]:35092 [37.44.228.27] <yquem@homylie.icu> -> <USER@DOMAIN.com.hk>, Queue-ID: 25DED5C00C7, Message-ID: <HvSBAR3dvm_oiseUMDuvx4AJCuvIYUxn9awaz-mYRhY.rAJ7JPzgol1NlqqlCEGaJGtxgk-GO8XSBCFzb6kOwpE@homylie.icu>, mail_id: CTpG4ZpDqj5H, Hits: 1.503, size: 6951, queued_as: 0B3F25C00CB, dkim_sd=svr1:homylie.icu, 1589 ms
Jan  8 17:41:39 mail postfix/qmgr[7552]: 1E9EA5C00CC: from=<yquem@homylie.icu>, size=7620, nrcpt=1 (queue active)
Jan  8 17:41:39 mail amavis[13981]: (13981-14) Passed CLEAN {RelayedInbound}, [37.44.228.27]:35092 [37.44.228.27] <yquem@homylie.icu> -> <rebecca.hs.chiu@gmail.com>, Queue-ID: 25DED5C00C7, Message-ID: <HvSBAR3dvm_oiseUMDuvx4AJCuvIYUxn9awaz-mYRhY.rAJ7JPzgol1NlqqlCEGaJGtxgk-GO8XSBCFzb6kOwpE@homylie.icu>, mail_id: NJ1BPxaZW9Ln, Hits: 1.503, size: 6951, queued_as: 1E9EA5C00CC, dkim_sd=svr1:homylie.icu, 1671 ms
Jan  8 17:44:49 mail postfix/qmgr[7552]: D0EA55C00C4: from=<yquem@homylie.icu>, size=8641, nrcpt=1 (queue active)


nslookup

> preynne.icu
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
preynne.icu     MX preference = 10, mail exchanger = aspmx.l.google.com

> homylie.icu
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
homylie.icu     MX preference = 10, mail exchanger = aspmx.l.google.com


Re: A log of junk mail sent into the mail server; how to block it.

You can:

- Block the sender domain directly, or block a particular sender.
- Add one line to the Amavisd config file (/etc/amavisd/amavisd.conf on CentOS) to increase logging; Amavisd will then log the matched SpamAssassin rules. Try to find the rule whose score you want to increase; this will help mark the email as spam.

$log_templ = $log_verbose_templ;

Do you have DNSBL services enabled to help reduce spam?
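The following Python script is an added example for this thread; it is not code from the thread, from iRedMail, or from Postfix. It covers both the question (which sender domains are being relayed on to Gmail, and whether a check_sender_access pcre map would over-match) and the reply's first suggestion (blocking the sender domain). The log lines are constructed to resemble the amavis "Passed CLEAN {RelayedInbound}" entries quoted in the first post, with shortened Message-IDs and one invented legitimate sender (partner@example.ru); the two map files are also constructed. Postfix regexp/pcre access tables are applied to the entire sender address (see access(5)), which is what the lookup below simulates with Python's re module; the real check is `postmap -q 'user@preynne.icu' pcre:/etc/postfix/reject_domains`.

```python
"""Triage forwarded spam in a Postfix/Amavisd maillog and dry-run a Postfix
pcre sender-access map before deploying it.

Added example for this thread; not part of iRedMail, Postfix or Amavisd.
The sample log lines and map files below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the amavis entries quoted in the post.
SAMPLE_MAILLOG = """\
Jan  8 16:47:17 mail amavis[8664]: (08664-16) Passed CLEAN {RelayedInbound}, [37.44.228.26]:47675 [37.44.228.26] <nitid@preynne.icu> -> <user@gmail.com>, Queue-ID: C20735C00BC, Message-ID: <x1@preynne.icu>, mail_id: 7IJ-oPMrRrhi, Hits: 3.198, size: 4080, queued_as: B245B5C00C9, dkim_sd=mta:preynne.icu, 1612 ms
Jan  8 16:48:12 mail amavis[8664]: (08664-17) Passed CLEAN {RelayedInbound}, [127.0.0.1] [37.44.228.26] <nitid@preynne.icu> -> <lisionhongltd@gmail.com>, Message-ID: <x2@preynne.icu>, mail_id: aGYsSAm-6JX3, Hits: 3.199, size: 5542, queued_as: 29E9C5C00CA, dkim_sd=mta:preynne.icu, 1682 ms
Jan  8 17:41:39 mail amavis[13981]: (13981-14) Passed CLEAN {RelayedInbound}, [37.44.228.27]:35092 [37.44.228.27] <yquem@homylie.icu> -> <rebecca.hs.chiu@gmail.com>, Queue-ID: 25DED5C00C7, Message-ID: <x3@homylie.icu>, mail_id: NJ1BPxaZW9Ln, Hits: 1.503, size: 6951, queued_as: 1E9EA5C00CC, dkim_sd=svr1:homylie.icu, 1671 ms
Jan  8 17:50:02 mail amavis[13981]: (13981-15) Passed CLEAN {RelayedInbound}, [192.0.2.10]:50001 [192.0.2.10] <partner@example.ru> -> <user@gmail.com>, Queue-ID: AAAA0000001, Message-ID: <x4@example.ru>, mail_id: abcdefghijkl, Hits: -1.2, size: 2000, queued_as: BBBB0000001, 900 ms
"""

# One amavis verdict line: action, verdict, flow, relay IP (optionally the
# originating IP in a second bracket), sender, recipient and SpamAssassin score.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>\S+) \{(?P<flow>\w+)\}, "
    r"\[(?P<relay>[^\]]+)\](?::\d+)?(?: \[(?P<orig>[^\]]+)\])? "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>.*?Hits: (?P<hits>-?\d+(?:\.\d+)?)"
)


def parse_amavis(lines):
    """Yield one dict per amavis verdict line; unrelated lines are skipped."""
    for line in lines:
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["hits"] = float(rec["hits"])
        rec["orig"] = rec["orig"] or rec["relay"]
        rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
        rec["rcpt_domain"] = rec["rcpt"].rpartition("@")[2].lower()
        yield rec


def forwarded_by_domain(lines, forward_domain="gmail.com"):
    """Group inbound mail that this server relayed on to forward_domain by sender domain."""
    stats = defaultdict(lambda: {"messages": 0, "relays": set(), "senders": set(),
                                 "max_hits": float("-inf")})
    for rec in parse_amavis(lines):
        if rec["flow"] != "RelayedInbound" or rec["rcpt_domain"] != forward_domain:
            continue
        s = stats[rec["sender_domain"]]
        s["messages"] += 1
        s["relays"].add(rec["orig"])
        s["senders"].add(rec["sender"])
        s["max_hits"] = max(s["max_hits"], rec["hits"])
    return dict(stats)


# Postfix pcre table line: /pattern/flags action  (comments and blanks ignored)
PCRE_LINE = re.compile(r"^/(?P<pattern>(?:\\/|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S.*?)\s*$")


def parse_pcre_map(text):
    """Parse a Postfix pcre access table into [(compiled regex, action), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PCRE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable map line: {raw!r}")
        # Postfix pcre tables match case-insensitively unless the 'i' flag toggles it.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        entries.append((re.compile(m["pattern"].replace("\\/", "/"), flags), m["action"]))
    return entries


def lookup_sender(entries, sender):
    """First matching pattern wins, as in Postfix; None means no table entry."""
    for regex, action in entries:
        if regex.search(sender):
            return action
    return None


def dry_run(map_text, senders):
    """Return {sender: action-or-None} for every sender, without touching Postfix."""
    entries = parse_pcre_map(map_text)
    return {s: lookup_sender(entries, s) for s in senders}


# Broad map: the whole .icu / .ru TLDs, which is what the poster worries about.
BROAD_MAP = r"""
# /etc/postfix/reject_domains (pcre) -- constructed example
/\.icu$/   REJECT Sender domain not accepted here
/\.ru$/    REJECT Sender domain not accepted here
"""

# Narrow map: only the exact domains seen in the queue, anchored at both ends.
NARROW_MAP = r"""
/^[^@]+@(preynne|homylie)\.icu$/   REJECT Sender domain not accepted here
"""


def main():
    lines = SAMPLE_MAILLOG.splitlines()
    for domain, s in sorted(forwarded_by_domain(lines).items(), key=lambda kv: -kv[1]["messages"]):
        print(f"{domain:15} msgs={s['messages']} max_hits={s['max_hits']:.3f} relays={sorted(s['relays'])}")
    senders = sorted({rec["sender"] for rec in parse_amavis(lines)})
    for name, text in (("broad", BROAD_MAP), ("narrow", NARROW_MAP)):
        print(f"\n--- {name} map ---")
        for sender, action in dry_run(text, senders).items():
            print(f"{sender:25} -> {action or 'no entry (Postfix continues)'}")


if __name__ == "__main__":
    main()
```

Running it against a real maillog (`forwarded_by_domain(open('/var/log/maillog'))`) lists which sender domains your server is relaying to Gmail and at what SpamAssassin score, so you can see that the .icu mail scored well under the default 6.2 spam threshold and was passed clean. The dry run then shows the cost of the broad map: it rejects partner@example.ru along with the spam, while the anchored map only hits the two domains actually observed.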