1

Topic: iredapd is killed by "spam"? I have to restart every few hours

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.2 MYSQL edition
- Deployed with iRedMail Easy or the downloadable installer? - Downloadable installer
- Linux/BSD distribution name and version:  Ubuntu 20.04.3 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  Mysql
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Dear forum members,

It seems that one of my iRedMail servers keeps getting malicious email that would go to mx01.mytld.com, whereas the server serves only mytld.com.

iredapd just keeps 'hanging', that is, it is inaccessible on port 7777, and I can see numerous log lines like this in the dovecot logs:

Feb 11 23:28:20 mail python3[2749301]: iredapd [SPF][__12.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] No valid IP addresses/networks.
Feb 11 23:28:20 mail python3[2749301]: iredapd [SPF][include __9.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty
Feb 11 23:28:20 mail python3[2749301]: iredapd [SPF][include __7.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty
Feb 11 23:28:21 mail python3[2749301]: iredapd [SPF][include __5.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty
Feb 11 23:28:21 mail python3[2749301]: iredapd [SPF][include __2.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty
Feb 11 23:28:21 mail python3[2749301]: iredapd [SPF][include __11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] v=spf1 include:__1.__11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org. inc>
Feb 11 23:28:21 mail python3[2749301]: iredapd [SPF][__11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] 'spf:' tag: __7.__11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org., __3.__11.__12>
Feb 11 23:28:21 mail python3[2749301]: iredapd [SPF][include __7.__11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty
Feb 11 23:28:22 mail python3[2749301]: iredapd [SPF][include __3.__11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty
Feb 11 23:28:22 mail python3[2749301]: iredapd [SPF][include __4.__11.__12.__12.__10.__11.__10.__1.__12.__10.__1.kovbal.net-measurement.org.] empty


I'm trying to escalate this as an attack; I've already blacklisted the target email@mx01.mytld.com, and also this .net-measurement.org stuff, but it just keeps happening.

Can you tell me a way to efficiently filter out this type of attack and protect iredapd from falling apart?

Thanks,
Balazs Kovacs

2

Re: iredapd is killed by "spam"? I have to restart every few hours

I simply want to add my opinion to this since no one has responded in ~3 days.

I suggest making sure to upgrade to iRedMail 1.5.1 and the latest iRedMail-Pro.

Second, to protect our mail servers and keep them doing what they do best, we employ email gateways that block spam/malware/etc. before it reaches our actual iRedMail servers. We let the gateways take the brunt of the traffic so our mail servers don't get overloaded. I'm not saying this is a solution to your problem, which should be addressed by iRedMail, just making a suggestion in case you need a quicker solution.

3

Re: iredapd is killed by "spam"? I have to restart every few hours

kovbal wrote:

iredapd just keeps 'hanging', that means, it is inaccessible on port 7777, and i can see in the dovecot logs numerous log lines like this:

These SPF check log lines seem correct, although the domain names are weird.

Any other related error / warning or suspected log lines in iRedAPD log file? Or any log line identifies that iRedAPD crashed?

Is it possible to get direct ssh access (with root privilege) for deeper investigation? Or send me (zhb _at_ iredmail _dot_ org) full (compressed) iRedAPD log file for quick investigation?

4

Re: iredapd is killed by "spam"? I have to restart every few hours

Hello,
I had the same problem: the iredapd process does not crash but remains hanging, and the connections on socket 7777 all remain in CLOSE_WAIT (it seems to me there were 10 of them).
In the iredapd log (with debugging enabled) there are no errors, only many lines with attempts to resolve the SPF record.

[SPF][include __11.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __2.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __8.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __9.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __10.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __4.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __3.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __12.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __5.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __1.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __6.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][include __7.__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] empty
[SPF][__12.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.] No valid IP addresses/networks.
[SPF] Error while querying DNS SPF record __10.__11.__10.__10.__12.__11.__11.__11.__1.__1.__12.prestitoperte.net-measurement.org.: Timeout('The DNS operation timed out after 5.005071640014648 seconds')

5

Re: iredapd is killed by "spam"? I have to restart every few hours

Seems it's caused by the domain name "prestitoperte.net-measurement.org" (and "kovbal.net-measurement.org"): its SPF record includes __X.prestitoperte.net-measurement.org (X is a number), but __X.prestitoperte.net-measurement.org in turn includes __X.__X.prestitoperte.net-measurement.org, and so on without end.

Could you please check the iRedAPD log file and figure out which domain name includes "X.net-measurement.org"?
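The failure mode described above (an include chain that never terminates, each level costing another DNS query and, as post 4 shows, up to 5 seconds per timeout) is exactly what RFC 7208's limit of 10 DNS-querying terms per evaluation exists to stop. The following is an added example written for this thread, not iRedAPD's own SPF code: a minimal include-following resolver that gives up with "permerror" once the lookup budget is spent and with "temperror" once a wall-clock budget is exceeded. The `mock_dns_txt` function is a constructed stand-in for real DNS that reproduces the self-including `__N.kovbal.net-measurement.org` pattern from the logs; `example.test` and the 192.0.2.0/24 and 198.51.100.7 addresses are made-up, well-behaved fixtures.

```python
import time

# RFC 7208 section 4.6.4: more than 10 DNS-querying terms (include, a, mx,
# ptr, exists, redirect) in one SPF evaluation is a permanent error.
MAX_DNS_LOOKUPS = 10


def mock_dns_txt(name):
    """Constructed stand-in for a DNS TXT lookup (not a real resolver)."""
    name = name.rstrip('.')
    if name == 'example.test':
        return 'v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all'
    if name == '_spf.example.test':
        return 'v=spf1 ip4:198.51.100.7 -all'
    if name.endswith('kovbal.net-measurement.org'):
        # Every label level includes three deeper levels of itself, so the
        # include chain never terminates, as described in the thread.
        subs = ' '.join('include:__%d.%s' % (i, name) for i in range(1, 4))
        return 'v=spf1 %s ~all' % subs
    return None  # no TXT record: iRedAPD logs such includes as "empty"


class SPFResult:
    def __init__(self, started_at):
        self.started_at = started_at
        self.networks = []    # ip4:/ip6: terms collected along the way
        self.lookups = 0      # DNS-querying terms evaluated so far
        self.status = 'none'  # none | ok | permerror | temperror


def resolve_spf(domain, dns_txt, max_lookups=MAX_DNS_LOOKUPS,
                max_seconds=20.0, clock=time.monotonic, _state=None):
    """Collect ip4/ip6 networks from an SPF record, following include:
    terms, but stop with permerror once max_lookups DNS queries have been
    spent and with temperror once max_seconds of wall-clock time have
    elapsed (each timed-out query in the thread cost about 5 s)."""
    state = _state or SPFResult(clock())
    if state.lookups >= max_lookups:
        state.status = 'permerror'
        return state
    if clock() - state.started_at > max_seconds:
        state.status = 'temperror'
        return state
    state.lookups += 1
    record = dns_txt(domain)
    if not record or not record.startswith('v=spf1'):
        return state  # missing record contributes nothing
    for term in record.split()[1:]:
        if state.status in ('permerror', 'temperror'):
            break  # budget already exhausted deeper in the chain
        if term.startswith(('ip4:', 'ip6:')):
            state.networks.append(term.split(':', 1)[1])
        elif term.startswith('include:'):
            resolve_spf(term[len('include:'):], dns_txt, max_lookups,
                        max_seconds, clock, state)
        # a/mx/ptr/exists/redirect would also count as lookups; omitted here
    if state.status == 'none' and state.networks:
        state.status = 'ok'
    return state


if __name__ == '__main__':
    for d in ('example.test', 'kovbal.net-measurement.org'):
        r = resolve_spf(d, mock_dns_txt)
        print(d, r.status, r.lookups, r.networks)
```

Without the two budgets the `kovbal.net-measurement.org` case recurses until the interpreter's recursion limit (or, against real DNS, until every worker is stuck waiting on timeouts, which is what the CLOSE_WAIT connections on port 7777 in post 4 look like). With them, the worst case is bounded and the policy daemon can answer Postfix within its timeout regardless of what a sender's SPF record contains.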

6 (edited by add 2022-02-19 04:42:53)

Re: iredapd is killed by "spam"? I have to restart every few hours

I also noticed the same (?) problem, and it started on 2.2.2022 (before that, this server had been running for years without any trouble):

Feb  2 06:29:33 m01 postfix/smtpd[6392]: warning: problem talking to server 127.0.0.1:7777: Connection timed out

On that date there were 10 errors like this and then nothing until 7.2.2022:

Feb  7 09:45:59 m01 postfix/smtpd[26386]: warning: problem talking to server 127.0.0.1:7777: Connection timed out

On that date there were 230 errors, and after that about the same number every day, with peaks of up to 339 cases.

I tried increasing SQL_CONNECTION_POOL_SIZE in iredapd, also rebooted the server and nothing helps.

The load on the server is not too bad; there are several VPSes on the same hardware, but the load is about the same all the time.

There is one difference from the original poster - iredapd in my case does restart itself after a few minutes, but in the meantime the sending client receives a timeout error.

I'm also having trouble enabling logging for iredapd; I don't see anything in /var/log/iredapd/ nor in /var/log/syslog (besides systemd messages when starting it).

I also noticed many SASL errors like this:

Feb 18 21:02:10 m01 postfix/smtps/smtpd[2546]: warning: unknown[1.53.215.13]: SASL PLAIN authentication failed: Connection lost to authentication server
Feb 18 21:02:17 m01 postfix/smtps/smtpd[2548]: warning: unknown[41.60.216.87]: SASL PLAIN authentication failed: Connection lost to authentication server
Feb 18 21:02:29 m01 postfix/smtps/smtpd[2548]: warning: unknown[41.60.216.87]: SASL PLAIN authentication failed: Connection lost to authentication server

but those were also present before and didn't seem to affect anything.


iredapd version is 3.0.0, iredmail 0.9.9 and iredadmin-pro 3.8. I know it's quite old, but it worked until now with no problems.

Please help :)
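The daily counts quoted above (10 on one day, then 230 and peaks of 339) are the kind of signal worth watching automatically, since Postfix's "problem talking to server 127.0.0.1:7777" warning is the first visible symptom when iRedAPD stops answering. The following is an added example, not part of this post or of iRedMail: it groups those warnings per day and per reason from a constructed sample log (hostnames, PIDs and the 192.0.2.0/24 client addresses are made up, modelled on the lines quoted in the thread) and reports the days that cross a threshold. Unrelated lines, such as the SASL warnings, are ignored.

```python
import re
from collections import Counter

# Postfix logs this warning when a check_policy_service lookup to the
# iRedAPD listener on 127.0.0.1:7777 fails (timed out, refused, ...).
POLICY_WARNING_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ '
    r'postfix/\S+\[\d+\]: warning: problem talking to server '
    r'127\.0\.0\.1:7777: (?P<reason>.+)$')

MONTHS = {m: i for i, m in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], start=1)}

# Constructed sample, modelled on the warnings quoted in the thread.
SAMPLE_LOG = """\
Feb  2 06:29:33 m01 postfix/smtpd[6392]: warning: problem talking to server 127.0.0.1:7777: Connection timed out
Feb  2 06:31:02 m01 postfix/smtpd[6401]: warning: problem talking to server 127.0.0.1:7777: Connection timed out
Feb  2 06:31:05 m01 postfix/smtpd[6401]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: Connection lost to authentication server
Feb  7 09:45:59 m01 postfix/smtpd[26386]: warning: problem talking to server 127.0.0.1:7777: Connection timed out
Feb  7 09:46:40 m01 postfix/smtpd[26390]: warning: problem talking to server 127.0.0.1:7777: Connection timed out
Feb  7 09:47:12 m01 postfix/smtps/smtpd[26395]: warning: problem talking to server 127.0.0.1:7777: Connection refused
Feb  7 10:02:08 m01 postfix/smtpd[26402]: warning: problem talking to server 127.0.0.1:7777: Connection timed out
Feb  7 10:03:15 m01 postfix/smtpd[26402]: warning: problem talking to server 127.0.0.1:7777: Connection timed out
Feb  7 10:05:00 m01 postfix/smtpd[26410]: connect from unknown[192.0.2.11]
"""


def count_policy_failures(lines):
    """Return {(month, day): Counter(reason -> count)} for iRedAPD policy
    warnings, so a jump in the daily count or a new reason stands out."""
    per_day = {}
    for line in lines:
        m = POLICY_WARNING_RE.match(line)
        if not m:
            continue  # not a policy-service warning
        key = (MONTHS[m['mon']], int(m['day']))
        per_day.setdefault(key, Counter())[m['reason']] += 1
    return per_day


def days_over_threshold(per_day, threshold):
    """Days (month, day) whose total policy failures reach the threshold."""
    return sorted(k for k, c in per_day.items()
                  if sum(c.values()) >= threshold)


if __name__ == '__main__':
    per_day = count_policy_failures(SAMPLE_LOG.splitlines())
    for day, reasons in sorted(per_day.items()):
        print(day, dict(reasons))
    print('alert days:', days_over_threshold(per_day, 5))
```

Fed with the real `/var/log/mail.log`, the same two functions give the per-day series the post describes by hand; a "Connection refused" reason mixed in with the timeouts additionally tells the restart-loop case (daemon down) apart from the hang case (daemon up but not answering).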

7

Re: iredapd is killed by "spam"? I have to restart every few hours

I added "GREYLISTING_BYPASS_SPF = False" to the iredapd settings, and now the timeout connecting to port 7777 has not shown up in the last 10 hours.
I hope it stays the same on Monday when the traffic increases.

It looks like there must be some problem resolving DNS SPF records, but I cannot tell the difference between now and the dates before 2 February, when all of this started.

But it's better to only disable SPF greylisting than the whole iredapd policy server.