1 (edited by shoaib 2019-08-28 19:53:44)

Topic: Bulk Mail Spamming

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
iRedMail version (check /etc/iredmail-release):  0.9.9.
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: CentOS Linux release 7.6.1810 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes (3.7)
====================================================
Dear Team,
Kindly suggest how to restrict spam mails. I have been facing the issue for 1 week.
Kindly find the attachment.
-



2

Re: Bulk Mail Spamming

It's very possible that some mail accounts' passwords were hacked and used to send spam.
Try the "find_top_sasl_usernames.sh" script below to find which SMTP user sent the most emails; that user is the possible spammer:
https://bitbucket.org/zhb/iredmail/src/ … ail/tools/

Reset its password immediately, and also clean up the queued emails sent by this user.

Btw, do you have plugin "reject_null_sender" enabled in iRedAPD (/opt/iredapd/settings.py)?

3

Re: Bulk Mail Spamming

Already added "reject_null_sender",
but the problem is not resolved.

4

Re: Bulk Mail Spamming

What about the result of "find_top_sasl_usernames.sh"?

5

Re: Bulk Mail Spamming

@iredmail, some IDs automatic send mail on these IDs.

6

Re: Bulk Mail Spamming

Apr 16 07:00:28 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 157.245.58.81 - 2020-04-16 07:00:27
Apr 16 07:00:43 mailserver journal: iredapd Blacklisted: outbound_wblist=(2984, 1, 'B')
Apr 16 07:00:43 mailserver journal: iredapd [77.40.16.219] RCPT, sandeep.suman@ => mikamiteru6@mail.ru, REJECT Blacklisted [sasl_username=sandeep.suman@, sender=sandeep.suman@, client_name=unknown, reverse_client_name=219.16.pppoe.mari-el.ru, helo=localhost.localdomain, encryption_protocol=TLSv1.2, encryption_cipher=AES256-SHA, server_port=, process_time=0.0181s]
Apr 16 07:00:44 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 77.40.16.219 - 2020-04-16 07:00:43
Apr 16 07:00:59 mailserver journal: fail2ban.filter [23994]: INFO [dovecot-iredmail] Found 47.8.178.243 - 2020-04-16 07:00:59
--
Apr 16 07:34:01 mailserver systemd: Removed slice User Slice of sogo.
Apr 16 07:34:49 mailserver journal: iredapd Blacklisted: outbound_wblist=(2984, 1, 'B')
Apr 16 07:34:49 mailserver journal: iredapd [178.176.175.42] RCPT, hemanta.deo@ => mikamiteru6@mail.ru, REJECT Blacklisted [sasl_username=hemanta.deo@, sender=hemanta.deo@, client_name=unknown, reverse_client_name=unknown, helo=localhost.localdomain, encryption_protocol=TLSv1.2, encryption_cipher=AES256-SHA, server_port=, process_time=0.0196s]
Apr 16 07:34:50 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 178.176.175.42 - 2020-04-16 07:34:49
Apr 16 07:35:01 mailserver systemd: Created slice User Slice of sogo.
--
Apr 16 10:18:21 mailserver journal: iredapd [103.126.6.202] RCPT, bounce@ebr-registry.com -> cv@, DUNNO [sasl_username=, sender=bounce@ebr-registry.com, client_name=unknown, reverse_client_name=unknown, helo=www.onemedical.com, encryption_protocol=, encryption_cipher=, server_port=, process_time=0.0099s]
Apr 16 10:18:21 mailserver journal: iredapd Blacklisted: outbound_wblist=(2984, 1, 'B')
Apr 16 10:18:21 mailserver journal: iredapd [188.162.199.128] RCPT, sameerkr.gupta@ => mikamiteru6@mail.ru, REJECT Blacklisted [sasl_username=sameerkr.gupta@, sender=sameerkr.gupta@, client_name=unknown, reverse_client_name=client.yota.ru, helo=localhost.localdomain, encryption_protocol=TLSv1.2, encryption_cipher=AES256-SHA, server_port=, process_time=0.0060s]
Apr 16 10:18:21 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 188.162.199.128 - 2020-04-16 10:18:21
Apr 16 10:18:22 mailserver journal: iredapd [103.126.6.202] END-OF-MESSAGE, bounce@ebr-registry.com -> cv@, DUNNO [recipient_count=1, size=12382, process_time=0.0034s]
--
Apr 16 10:44:18 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 47.8.77.220 - 2020-04-16 10:44:17
Apr 16 10:44:42 mailserver journal: iredapd Blacklisted: outbound_wblist=(2984, 1, 'B')
Apr 16 10:44:42 mailserver journal: iredapd [188.162.199.128] RCPT, sanjeet.raj@ => mikamiteru6@mail.ru, REJECT Blacklisted [sasl_username=sanjeet.raj@, sender=sanjeet.raj@, client_name=unknown, reverse_client_name=client.yota.ru, helo=localhost.localdomain, encryption_protocol=TLSv1.2, encryption_cipher=AES256-SHA, server_port=, process_time=0.0066s]
Apr 16 10:44:43 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 188.162.199.128 - 2020-04-16 10:44:42
Apr 16 10:45:01 mailserver systemd: Created slice User Slice of sogo.
--
Apr 16 13:08:01 mailserver systemd: Removed slice User Slice of sogo.
Apr 16 13:08:41 mailserver journal: iredapd Blacklisted: outbound_wblist=(2984, 1, 'B')
Apr 16 13:08:41 mailserver journal: iredapd [178.176.175.254] RCPT, kamlesh.singh@ => mikamiteru6@mail.ru, REJECT Blacklisted [sasl_username=kamlesh.singh@, sender=kamlesh.singh@, client_name=unknown, reverse_client_name=unknown, helo=localhost.localdomain, encryption_protocol=TLSv1.2, encryption_cipher=AES256-SHA, server_port=, process_time=0.0077s]
Apr 16 13:08:42 mailserver journal: fail2ban.filter [23994]: INFO [postfix-iredmail] Found 178.176.175.254 - 2020-04-16 13:08:41
Apr 16 13:09:01 mailserver systemd: Created slice User Slice of sogo.

7

Re: Bulk Mail Spamming

Apr 16 04:54:34 mailserver postfix/postscreen[27491]: CONNECT from [37.59.188.48]:42495 to [172.31.255.50]:25
--
Apr 16 07:00:39 mailserver postfix/submission/smtpd[17701]: connect from unknown[77.40.16.219]
Apr 16 07:00:41 mailserver postfix/submission/smtpd[17701]: Anonymous TLS connection established from unknown[77.40.16.219]: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Apr 16 07:00:43 mailserver postfix/submission/smtpd[17701]: NOQUEUE: reject: RCPT from unknown[77.40.16.219]: 554 5.7.1 <mikamiteru6@mail.ru>: Recipient address rejected: Blacklisted; from=<sandeep.suman@> to=<mikamiteru6@mail.ru> proto=ESMTP helo=<localhost.localdomain>
Apr 16 07:00:44 mailserver postfix/submission/smtpd[17701]: disconnect from unknown[77.40.16.219]
Apr 16 07:00:52 mailserver postfix/postscreen[27491]: CONNECT from [192.236.147.197]:40802 to [172.31.255.50]:25
--
Apr 16 07:34:46 mailserver postfix/submission/smtpd[20518]: connect from unknown[178.176.175.42]
Apr 16 07:34:48 mailserver postfix/submission/smtpd[20518]: Anonymous TLS connection established from unknown[178.176.175.42]: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Apr 16 07:34:49 mailserver postfix/submission/smtpd[20518]: NOQUEUE: reject: RCPT from unknown[178.176.175.42]: 554 5.7.1 <mikamiteru6@mail.ru>: Recipient address rejected: Blacklisted; from=<hemanta.deo@> to=<mikamiteru6@mail.ru> proto=ESMTP helo=<localhost.localdomain>
Apr 16 07:34:51 mailserver postfix/submission/smtpd[20518]: disconnect from unknown[178.176.175.42]
Apr 16 07:35:09 mailserver postfix/postscreen[27491]: CONNECT from [172.31.255.2]:46206 to [172.31.255.50]:25
--
Apr 16 10:18:19 mailserver postfix/submission/smtpd[9208]: Anonymous TLS connection established from unknown[188.162.199.128]: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Apr 16 10:18:21 mailserver postfix/smtpd[8092]: 492mv94Q3bz18m9k1: client=unknown[103.126.6.202]
Apr 16 10:18:21 mailserver postfix/submission/smtpd[9208]: NOQUEUE: reject: RCPT from unknown[188.162.199.128]: 554 5.7.1 <mikamiteru6@mail.ru>: Recipient address rejected: Blacklisted; from=<sameerkr.gupta@> to=<mikamiteru6@mail.ru> proto=ESMTP helo=<localhost.localdomain>
Apr 16 10:18:22 mailserver postfix/cleanup[8945]: 492mv94Q3bz18m9k1: message-id=<fd50215a68f551c259d26469a594a07b@localhost.localdomain>
Apr 16 10:18:22 mailserver postfix/qmgr[27485]: 492mv94Q3bz18m9k1: from=<bounce@ebr-registry.com>, size=12537, nrcpt=1 (queue active)
--
Apr 16 10:44:40 mailserver postfix/submission/smtpd[13094]: connect from unknown[188.162.199.128]
Apr 16 10:44:41 mailserver postfix/submission/smtpd[13094]: Anonymous TLS connection established from unknown[188.162.199.128]: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Apr 16 10:44:42 mailserver postfix/submission/smtpd[13094]: NOQUEUE: reject: RCPT from unknown[188.162.199.128]: 554 5.7.1 <mikamiteru6@mail.ru>: Recipient address rejected: Blacklisted; from=<sanjeet.raj@> to=<mikamiteru6@mail.ru> proto=ESMTP helo=<localhost.localdomain>
Apr 16 10:44:44 mailserver postfix/submission/smtpd[13094]: disconnect from unknown[188.162.199.128]
Apr 16 10:44:57 mailserver postfix/postscreen[27491]: CONNECT from [66.163.190.193]:44689 to [172.31.255.50]:25
--
Apr 16 13:08:38 mailserver postfix/submission/smtpd[10256]: connect from unknown[178.176.175.254]
Apr 16 13:08:40 mailserver postfix/submission/smtpd[10256]: Anonymous TLS connection established from unknown[178.176.175.254]: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Apr 16 13:08:41 mailserver postfix/submission/smtpd[10256]: NOQUEUE: reject: RCPT from unknown[178.176.175.254]: 554 5.7.1 <mikamiteru6@mail.ru>: Recipient address rejected: Blacklisted; from=<kamlesh.singh@> to=<mikamiteru6@mail.ru> proto=ESMTP helo=<localhost.localdomain>
Apr 16 13:08:42 mailserver postfix/submission/smtpd[10256]: disconnect from unknown[178.176.175.254]
Apr 16 13:09:09 mailserver postfix/postscreen[27491]: CONNECT from [172.31.255.2]:42752 to [172.31.255.50]:25

8

Re: Bulk Mail Spamming

Please tell me how to solve this problem. I have been facing this problem for a long time.

9

Re: Bulk Mail Spamming

2020-04-16 13:08:41     178.176.175.254     kamlesh.singh@     kamlesh.singh@     mikamiteru6@mail.ru     REJECT     Blacklisted

10

Re: Bulk Mail Spamming

Please try the script shipped in the iRedMail installer, "tools/find_top_sasl_usernames.sh", to find the usernames that performed the most SMTP authentications. It's very possible that their passwords were cracked and used to send spam.

11

Re: Bulk Mail Spamming

I have already changed the password, but the issue is not resolved.

12

Re: Bulk Mail Spamming

Time     Client Address     Auth Username     Envelope Sender     Recipient     SMTP Action     Rejection Reason
2020-04-17 14:39:19     77.40.8.88     ranjeetsah.gupta     from@email.com     zzzxxxzzxxx0@gmail.com     REJECT     Sender is not same as SMTP authenticate username

2020-04-17 14:39:19     77.40.8.88     prashant.kmr19     from@email.com     zzzxxxzzxxx0@gmail.com     REJECT     Sender is not same as SMTP authenticate username

2020-04-17 14:39:19     77.40.8.88     amitkr.sah     from@email.com     zzzxxxzzxxx0@gmail.com     REJECT     Sender is not same as SMTP authenticate username

2020-04-17 14:39:19     77.40.8.88     sanjeet.raj     from@email.com     zzzxxxzzxxx0@gmail.com     REJECT     Sender is not same as SMTP authenticate username

2020-04-17 14:39:19     77.40.8.88     priya.srivastava     from@email.com     zzzxxxzzxxx0@gmail.com     REJECT     Sender is not same as SMTP authenticate username

13

Re: Bulk Mail Spamming

today's logs in iredadmin-pro

14

Re: Bulk Mail Spamming

@iredmail, kindly look into this issue.

15

Re: Bulk Mail Spamming

- Well, you need to share the related log so that others can help troubleshoot.
- You mentioned "some IDs automatic send mail on these IDs", but where is the related Postfix AND iRedAPD log of this issue? The "blacklisted" line is outbound blacklisting done by iRedAPD, which is OK as a temporary solution. We need the related log in the Postfix and iRedAPD log files, please.

shoaib wrote:

2020-04-17 14:39:19     77.40.8.88     sanjeet.raj     from@email.com     zzzxxxzzxxx0@gmail.com     REJECT     Sender is not same as SMTP authenticate username

It says "Sender is not same as SMTP authenticate username", and if this auth username "from@email.com" is sending spam, you should change its password immediately, also clean up queued emails.

16

Re: Bulk Mail Spamming

--
Apr 20 10:58:01 mailserver systemd: Started Session 26486 of user sogo.
Apr 20 10:58:01 mailserver systemd: Removed slice User Slice of sogo.
Apr 20 10:58:01 mailserver journal: iredapd [188.162.43.219] RCPT, priya.srivastava@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=priya.srivastava@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=prmbb, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0119s]
Apr 20 10:58:01 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.43.219 - 2020-04-20 10:58:01
Apr 20 10:58:03 mailserver php-fpm: [20-Apr-2020 10:58:03] NOTICE: [pool inet] child 16465 exited with code 0 after 2678.104982 seconds from start
--
Apr 20 10:58:35 mailserver php-fpm: [20-Apr-2020 10:58:35] NOTICE: [pool inet] child 23927 started
Apr 20 10:58:58 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 203.27.235.123 - 2020-04-20 10:58:57
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, sandeep.suman@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sandeep.suman@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=fneqo, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0016s]
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, thanu.mahto@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=thanu.mahto@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=fcnuglj, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0014s]
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, prashant.kmr19@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=prashant.kmr19@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=nteiir, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0014s]
Apr 20 10:58:59 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.185 - 2020-04-20 10:58:59
Apr 20 10:58:59 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.185 - 2020-04-20 10:58:59
Apr 20 10:58:59 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.185 - 2020-04-20 10:58:59
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, yogesh.pandey@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=yogesh.pandey@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=fgxlsib, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, dinesh.tiwari@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=dinesh.tiwari@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=ilhlug, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0011s]
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, ram.prasad@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ram.prasad@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=flfjat, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0011s]
Apr 20 10:58:59 mailserver journal: iredapd [178.176.174.185] RCPT, sanjeet.raj@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sanjeet.raj@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=ebnp, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0011s]
Apr 20 10:58:59 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.185 - 2020-04-20 10:58:59
Apr 20 10:58:59 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.185 - 2020-04-20 10:58:59
--
Apr 20 10:59:09 mailserver journal: iredapd [192.168.5.12] RCPT, sweta.kumari@ => vinay.dwivedi@, OK [sasl_username=sweta.kumari@, sender=sweta.kumari@, client_name=unknown, reverse_client_name=unknown, helo=LAPTOPJ605AGUL, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0187s]
Apr 20 10:59:09 mailserver journal: iredapd [192.168.5.12] END-OF-MESSAGE, sweta.kumari@ => vinay.dwivedi@, DUNNO [recipient_count=1, size=31851, process_time=0.0003s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, dinesh.tiwari@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=dinesh.tiwari@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=wyqbo, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0019s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, sonoo.kumar@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sonoo.kumar@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=oafnxx, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0014s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, sirajuddin.ansari@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sirajuddin.ansari@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=mcrclno, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0013s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, ranjeetsah.gupta@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ranjeetsah.gupta@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=wtmq, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0011s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, ram.prasad@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ram.prasad@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=jzmkxam, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, sanjeet.raj@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sanjeet.raj@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=ucouwz, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, amitkr.sah@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=amitkr.sah@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=kqzpyso, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 10:59:16 mailserver journal: iredapd [188.162.43.219] RCPT, deepakverma19@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=deepakverma19@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=kaopsfk, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0014s]
Apr 20 10:59:16 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.43.219 - 2020-04-20 10:59:16
Apr 20 10:59:16 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.43.219 - 2020-04-20 10:59:16
--
Apr 20 14:18:12 mailserver journal: iredapd [127.0.0.1] RCPT, chandra.mohan@ => shailesh.bhardwaj@, OK [sasl_username=chandra.mohan@, sender=chandra.mohan@, client_name=localhost, reverse_client_name=localhost, helo=mailserver.medhaj.com, encryption_protocol=TLSv1, encryption_cipher=ECDHE-RSA-AES256-SHA, server_port=, process_time=0.0068s]
Apr 20 14:18:12 mailserver journal: iredapd [127.0.0.1] END-OF-MESSAGE, chandra.mohan@ => , DUNNO [recipient_count=24, size=7721, process_time=0.0016s]
Apr 20 14:18:29 mailserver journal: iredapd [178.176.174.139] RCPT, ranjeetsah.gupta@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ranjeetsah.gupta@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=pyxpg, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0018s]
Apr 20 14:18:30 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.139 - 2020-04-20 14:18:29
Apr 20 14:18:31 mailserver journal: iredapd Whitelisted: wblist=(1, 82, 'W')
--
Apr 20 14:18:31 mailserver journal: iredapd [192.168.4.21] RCPT, raju.chattry@ => samir.tripathi@, OK [sasl_username=raju.chattry@, sender=raju.chattry@, client_name=unknown, reverse_client_name=unknown, helo=MTCPL539, encryption_protocol=TLSv1, encryption_cipher=AES128-SHA, server_port=, process_time=0.0060s]
Apr 20 14:18:31 mailserver journal: iredapd [192.168.4.21] END-OF-MESSAGE, raju.chattry@ => , DUNNO [recipient_count=5, size=153493, process_time=0.0032s]
Apr 20 14:18:34 mailserver journal: iredapd [188.162.199.112] RCPT, ram.prasad@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ram.prasad@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=mzcsqf, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0023s]
Apr 20 14:18:34 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:18:34
Apr 20 14:18:37 mailserver systemd-logind: Removed session 26707.
--
Apr 20 14:19:12 mailserver systemd: Started Session 26714 of user root.
Apr 20 14:19:12 mailserver systemd-logind: New session 26714 of user root.
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, yogesh.pandey@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=yogesh.pandey@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=ctduqlr, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0128s]
Apr 20 14:19:38 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.139 - 2020-04-20 14:19:38
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, sonoo.kumar@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sonoo.kumar@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=ktifsn, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0014s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, sirajuddin.ansari@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sirajuddin.ansari@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=oakg, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0013s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, thanu.mahto@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=thanu.mahto@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=nqtqcxs, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, sanjeet.raj@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sanjeet.raj@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=zpwmbh, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, sandeep.suman@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sandeep.suman@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=ntxsvar, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, ram.prasad@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ram.prasad@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=vqbbh, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, priya.srivastava@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=priya.srivastava@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=yuax, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:38 mailserver journal: iredapd [178.176.174.139] RCPT, prashant.kmr19@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=prashant.kmr19@, sender=from@email.com, client_name=unknown, reverse_client_name=unknown, helo=jyjgzm, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:38 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.139 - 2020-04-20 14:19:38
Apr 20 14:19:38 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.139 - 2020-04-20 14:19:38
--
Apr 20 14:19:38 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 178.176.174.139 - 2020-04-20 14:19:38
Apr 20 14:19:38 mailserver journal: fail2ban.actions [32406]: NOTICE [postfix-iredmail] Ban 178.176.174.139
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, deepakverma19@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=deepakverma19@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=xyxfu, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0017s]
Apr 20 14:19:47 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:19:47
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, dinesh.tiwari@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=dinesh.tiwari@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=dfpdu, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0014s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, prashant.kmr19@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=prashant.kmr19@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=rcfdsjn, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0013s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, anil.sah@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=anil.sah@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=dlguh, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0013s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, ranjeetsah.gupta@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=ranjeetsah.gupta@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=qjlxh, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, yogesh.pandey@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=yogesh.pandey@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=aiig, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0013s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, sirajuddin.ansari@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sirajuddin.ansari@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=ozqiwaf, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, priya.srivastava@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=priya.srivastava@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=aeuh, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0013s]
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, sanjeet.raj@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=sanjeet.raj@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=uraq, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0011s]
Apr 20 14:19:47 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:19:47
Apr 20 14:19:47 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:19:47
--
Apr 20 14:19:47 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:19:47
Apr 20 14:19:47 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:19:47
Apr 20 14:19:47 mailserver journal: iredapd [188.162.199.112] RCPT, thanu.mahto@ => from@email.com -> zzzxxxzzxxx0@gmail.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=thanu.mahto@, sender=from@email.com, client_name=unknown, reverse_client_name=client.yota.ru, helo=utli, encryption_protocol=TLSv1.2, encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384, server_port=, process_time=0.0012s]
Apr 20 14:19:47 mailserver journal: fail2ban.filter [32406]: INFO [postfix-iredmail] Found 188.162.199.112 - 2020-04-20 14:19:47
Apr 20 14:19:47 mailserver journal: fail2ban.actions [32406]: NOTICE [postfix-iredmail] Ban 188.162.199.112

17

Re: Bulk Mail Spamming

--
Apr 20 10:57:59 mailserver postfix/postscreen[31502]: CONNECT from [45.95.168.194]:47466 to [172.31.255.50]:25
Apr 20 10:58:00 mailserver postfix/submission/smtpd[23516]: Anonymous TLS connection established from unknown[188.162.43.219]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 10:58:01 mailserver postfix/submission/smtpd[23516]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<prmbb>
Apr 20 10:58:02 mailserver postfix/dnsblog[23315]: addr 45.95.168.194 listed by domain b.barracudacentral.org as 127.0.0.2
Apr 20 10:58:02 mailserver postfix/submission/smtpd[23516]: disconnect from unknown[188.162.43.219]
--
Apr 20 10:58:57 mailserver postfix/submission/smtpd[24018]: Anonymous TLS connection established from unknown[178.176.174.185]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 10:58:59 mailserver postfix/submission/smtpd[23516]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<fneqo>
Apr 20 10:58:59 mailserver postfix/submission/smtpd[23999]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<fcnuglj>
Apr 20 10:58:59 mailserver postfix/submission/smtpd[24003]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<nteiir>
Apr 20 10:58:59 mailserver postfix/submission/smtpd[24016]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<fgxlsib>
Apr 20 10:58:59 mailserver postfix/submission/smtpd[24017]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ilhlug>
Apr 20 10:58:59 mailserver postfix/submission/smtpd[23998]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<flfjat>
Apr 20 10:58:59 mailserver postfix/submission/smtpd[24018]: NOQUEUE: reject: RCPT from unknown[178.176.174.185]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ebnp>

Apr 20 10:59:09 mailserver postfix/submission/smtpd[24075]: connect from unknown[192.168.5.12]
--
Apr 20 10:59:15 mailserver postfix/submission/smtpd[24141]: Anonymous TLS connection established from unknown[188.162.43.219]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 10:59:15 mailserver postfix/submission/smtpd[24142]: Anonymous TLS connection established from unknown[188.162.43.219]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24116]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<wyqbo>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24126]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<oafnxx>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24075]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<mcrclno>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24136]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<wtmq>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24114]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<jzmkxam>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24135]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ucouwz>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24118]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<kqzpyso>
Apr 20 10:59:16 mailserver postfix/submission/smtpd[24117]: NOQUEUE: reject: RCPT from unknown[188.162.43.219]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<kaopsfk>
Apr 20 10:59:56 mailserver postfix/postscreen[31502]: CONNECT from [172.31.255.2]:36604 to [172.31.255.50]:25
Apr 20 10:59:56 mailserver postfix/postscreen[31502]: WHITELISTED [172.31.255.2]:36604
--
Apr 20 14:18:26 mailserver postfix/submission/smtpd[15510]: connect from unknown[178.176.174.139]
Apr 20 14:18:27 mailserver postfix/submission/smtpd[15510]: Anonymous TLS connection established from unknown[178.176.174.139]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 14:18:29 mailserver postfix/submission/smtpd[15510]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<pyxpg>
Apr 20 14:18:30 mailserver postfix/submission/smtpd[15510]: disconnect from unknown[178.176.174.139]
Apr 20 14:18:31 mailserver postfix/submission/smtpd[15089]: warning: hostname client.yota.ru does not resolve to address 188.162.199.112: Name or service not known
--
Apr 20 14:18:32 mailserver postfix/pipe[15344]: 495L2S1Bmtz18hCLV: to=<alka.tripathi@>, relay=dovecot, delay=0.77, delays=0.37/0/0/0.39, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 20 14:18:32 mailserver postfix/qmgr[31431]: 495L2S1Bmtz18hCLV: removed
Apr 20 14:18:34 mailserver postfix/submission/smtpd[15089]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<mzcsqf>
Apr 20 14:18:34 mailserver postfix/submission/smtpd[15540]: disconnect from unknown[192.168.4.21]
Apr 20 14:18:35 mailserver postfix/submission/smtpd[15089]: disconnect from unknown[188.162.199.112]
--
Apr 20 14:19:37 mailserver postfix/submission/smtpd[16148]: Anonymous TLS connection established from unknown[178.176.174.139]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 14:19:37 mailserver postfix/submission/smtpd[16146]: Anonymous TLS connection established from unknown[178.176.174.139]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 14:19:38 mailserver postfix/submission/smtpd[15510]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ctduqlr>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[15089]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ktifsn>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[16123]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<oakg>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[15540]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<nqtqcxs>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[16124]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<zpwmbh>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[16125]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ntxsvar>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[16126]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<vqbbh>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[16127]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<yuax>
Apr 20 14:19:38 mailserver postfix/submission/smtpd[16128]: NOQUEUE: reject: RCPT from unknown[178.176.174.139]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<jyjgzm>
Apr 20 14:19:44 mailserver postfix/submission/smtpd[16176]: warning: hostname client.yota.ru does not resolve to address 188.162.199.112: Name or service not known
Apr 20 14:19:44 mailserver postfix/submission/smtpd[16176]: connect from unknown[188.162.199.112]
--
Apr 20 14:19:45 mailserver postfix/submission/smtpd[16202]: Anonymous TLS connection established from unknown[188.162.199.112]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 14:19:46 mailserver postfix/submission/smtpd[16204]: Anonymous TLS connection established from unknown[188.162.199.112]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16194]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<xyxfu>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16190]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<dfpdu>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16176]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<rcfdsjn>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16186]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<dlguh>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16189]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<qjlxh>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16188]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<aiig>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16184]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<ozqiwaf>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16185]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<aeuh>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16177]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<uraq>
Apr 20 14:19:47 mailserver postfix/submission/smtpd[16202]: NOQUEUE: reject: RCPT from unknown[188.162.199.112]: 554 5.7.1 <zzzxxxzzxxx0@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<from@email.com> to=<zzzxxxzzxxx0@gmail.com> proto=ESMTP helo=<utli>
Apr 20 14:19:55 mailserver postfix/postscreen[31502]: CONNECT from [176.56.14.200]:43092 to [172.31.255.50]:25
Apr 20 14:19:56 mailserver postfix/postscreen[31502]: CONNECT from [172.31.255.2]:44756 to [172.31.255.50]:25

18

Re: Bulk Mail Spamming

@iredmail, these are the iredapd & postfix logs.

19

Re: Bulk Mail Spamming

@iredmail, please provide the solution.

20

Re: Bulk Mail Spamming

The solution is mentioned in #15: https://forum.iredmail.org/post73867.html#p73867

21

Re: Bulk Mail Spamming

I have already changed the password and blocked these IPs, but the issue is not resolved.

22

Re: Bulk Mail Spamming

Please also check /var/log/iredapd/iredapd.log: which SMTP SASL username is used to send spam?
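
One way to answer the question in #22, as an added example that is not part of the thread or of iRedMail's tools: tally the sasl_username field across the "Sender is not same as SMTP authenticate username" rejects, assuming the line format pasted earlier in this thread. The function names and the sample lines (made-up users, documentation-range IPs) are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

MISMATCH = "REJECT Sender is not same as SMTP authenticate username"
IP_RE = re.compile(r"iredapd \[([^\]]+)\] RCPT,")
FIELDS_RE = re.compile(r"\[([^\[\]]*)\]\s*$")  # trailing [key=value, ...] block

# Constructed sample in the line format pasted in this thread; the users,
# recipient and IPs are made up (IPs come from documentation ranges).
SAMPLE_TEMPLATE = (
    "Apr 20 14:19:47 mailserver journal: iredapd [{ip}] RCPT, {user} => "
    "from@email.com -> rcpt@example.net, REJECT Sender is not same as SMTP "
    "authenticate username [sasl_username={user}, sender=from@email.com, "
    "client_name=unknown, helo=abcd, server_port=, process_time=0.0012s]")
SAMPLE_LOG = "\n".join([
    SAMPLE_TEMPLATE.format(ip="203.0.113.7", user="alice@example.com"),
    SAMPLE_TEMPLATE.format(ip="203.0.113.7", user="alice@example.com"),
    SAMPLE_TEMPLATE.format(ip="198.51.100.9", user="alice@example.com"),
    SAMPLE_TEMPLATE.format(ip="203.0.113.7", user="bob@example.com"),
    "Apr 20 14:19:47 mailserver journal: fail2ban.actions [32406]: "
    "NOTICE [postfix-iredmail] Ban 203.0.113.7",
])

def parse_line(line):
    """Return (client_ip, fields) for a sender-mismatch reject, else None."""
    if MISMATCH not in line:
        return None
    ip, tail = IP_RE.search(line), FIELDS_RE.search(line)
    if not ip or not tail:
        return None
    fields = {}
    for pair in tail.group(1).split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return ip.group(1), fields

def summarize(log_text):
    """Count mismatch rejects per SASL username; map users <-> client IPs."""
    hits, ips_by_user, users_by_ip = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, fields = parsed
        user = fields.get("sasl_username", "")
        if not user:
            continue  # no authenticated username recorded on this line
        hits[user] += 1
        ips_by_user[user].add(ip)
        users_by_ip[ip].add(user)
    return hits, ips_by_user, users_by_ip

def accounts_to_reset(log_text):
    """List (username, reject_count, client_ips), busiest account first."""
    hits, ips_by_user, _ = summarize(log_text)
    return [(u, n, sorted(ips_by_user[u])) for u, n in hits.most_common()]

if __name__ == "__main__":
    for user, count, ips in accounts_to_reset(SAMPLE_LOG):
        print(f"{count:6d}  {user}  from {', '.join(ips)}")
```

Every username it lists is one a client authenticated as, so each is a candidate for a password reset, not only the busiest one.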

23

Re: Bulk Mail Spamming

Hi,
I am getting too many delivery-failed mails from the <> sender, and no such mails were sent from our server, but undelivered mails in bulk are hitting my inbox. Kindly help.

24

Re: Bulk Mail Spamming

Open your own thread, provide related information and log files, then you might get help, but necroing a 2y old thread won't get you any help...