1 (edited by tedsje 2024-12-09 17:59:11)

Topic: Mail has "Passed Spam" but mailserver response to the sender

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.8
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Debian 11
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

There is something I don't understand about what the mail system is doing. Sometimes, when an incoming mail has the label "Passed SPAM", it still gets through in some cases. Sometimes the spammer even gets a reply.

Log (Passed Spam):

Dec  9 03:01:00 mail postfix/smtpd[1107467]: 4Y64pN163Fz1JD19: client=xn--j1afm.048.xn--p1acf[62.173.138.85]
Dec  9 03:01:00 mail postfix/cleanup[1107471]: 4Y64pN163Fz1JD19: message-id=<38471488H37154023W11161532Y41818844A@idifxolzz>
Dec  9 03:01:00 mail postfix/qmgr[755224]: 4Y64pN163Fz1JD19: from=<ifxolzz@givallsersion.de>, size=71613, nrcpt=1 (queue active)
Dec  9 03:01:00 mail postfix/smtpd[1107467]: disconnect from xn--j1afm.048.xn--p1acf[62.173.138.85] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec  9 03:01:00 mail postfix/smtps/smtpd[1106263]: Anonymous TLS connection established from unknown[188.166.179.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec  9 03:01:00 mail postfix/10025/smtpd[1107475]: connect from mail.changed_mailserver_domain.nl[127.0.0.1]
Dec  9 03:01:00 mail postfix/10025/smtpd[1107475]: discarding EHLO keywords: CHUNKING
Dec  9 03:01:00 mail postfix/10025/smtpd[1107475]: 4Y64pN5KxCz1JD1H: client=mail.changed_mailserver_domain.nl[127.0.0.1]
Dec  9 03:01:00 mail postfix/cleanup[1107471]: 4Y64pN5KxCz1JD1H: message-id=<38471488H37154023W11161532Y41818844A@idifxolzz>
Dec  9 03:01:00 mail postfix/qmgr[755224]: 4Y64pN5KxCz1JD1H: from=<ifxolzz@givallsersion.de>, size=72579, nrcpt=1 (queue active)
Dec  9 03:01:00 mail postfix/10025/smtpd[1107475]: disconnect from mail.changed_mailserver_domain.nl[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec  9 03:01:00 mail amavis[1073598]: (1073598-12) Passed SPAM {RelayedTaggedInbound}, [62.173.138.85]:55816 [78.111.75.174] ESMTP/ESMTP <ifxolzz@givallsersion.de> -> <secretariaat@the_client_domain.nl>, (ESMTP://[62.173.138.85]:55816 < ESMTPA://78.111.75.174), Queue-ID: 4Y64pN163Fz1JD19, Message-ID: <38471488H37154023W11161532Y41818844A@idifxolzz>, mail_id: 4xTZ1ofsFTKB, b: 1D9dHi5IC, Hits: 5.015, size: 71613, queued_as: 4Y64pN5KxCz1JD1H, Subject: "Zit comfortabel overal...", From: <ifxolzz@givallsersion.de>, helo=xn--j1afm.048.xn--p1acf, Tests: [BAYES_50=0.8,CONT_DECLINE_BO=3,HTML_IMAGE_ONLY_12=1.2,HTML_IMAGE_RATIO_02=0.001,HTML_MESSAGE=0.001,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,SPF_HELO_NONE=0.001,SPF_PASS=-0.001,T_TVD_MIME_EPI=0.01,URIBL_BLOCKED=0.001], autolearn=no autolearn_force=no, autolearnscore=4.215, 398 ms
Dec  9 03:01:00 mail postfix/amavis/smtp[1107472]: 4Y64pN163Fz1JD19: to=<secretariaat@the_client_domain.nl>, orig_to=<info@the_client_domain.nl>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.8, delays=0.37/0.02/0.01/0.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Y64pN5KxCz1JD1H)
Dec  9 03:01:00 mail postfix/qmgr[755224]: 4Y64pN163Fz1JD19: removed
Dec  9 03:01:00 mail postfix/pickup[1096541]: 4Y64pN6NfSz1JD1K: uid=2000 from=<>
Dec  9 03:01:00 mail postfix/pipe[1107476]: 4Y64pN5KxCz1JD1H: to=<secretariaat@the_client_domain.nl>, relay=dovecot, delay=0.15, delays=0.04/0.01/0/0.1, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec  9 03:01:00 mail postfix/qmgr[755224]: 4Y64pN5KxCz1JD1H: removed
Dec  9 03:01:00 mail postfix/cleanup[1107471]: 4Y64pN6NfSz1JD1K: message-id=<dovecot-1733709660-854355-0@mail.changed_mailserver_domain.nl>
Dec  9 03:01:00 mail postfix/qmgr[755224]: 4Y64pN6NfSz1JD1K: from=<>, size=2829, nrcpt=1 (queue active)
Dec  9 03:01:01 mail postfix/10025/smtpd[1107475]: connect from mail.changed_mailserver_domain.nl[127.0.0.1]
Dec  9 03:01:01 mail postfix/10025/smtpd[1107475]: discarding EHLO keywords: CHUNKING
Dec  9 03:01:01 mail postfix/10025/smtpd[1107475]: 4Y64pP1FnPz1JD19: client=mail.changed_mailserver_domain.nl[127.0.0.1]
Dec  9 03:01:01 mail postfix/cleanup[1107471]: 4Y64pP1FnPz1JD19: message-id=<dovecot-1733709660-854355-0@mail.changed_mailserver_domain.nl>
Dec  9 03:01:01 mail postfix/10025/smtpd[1107475]: disconnect from mail.changed_mailserver_domain.nl[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec  9 03:01:01 mail postfix/qmgr[755224]: 4Y64pP1FnPz1JD19: from=<>, size=3943, nrcpt=1 (queue active)
Dec  9 03:01:01 mail amavis[1075004]: (1075004-11) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [127.0.0.1] /ESMTP <> -> <ifxolzz@givallsersion.de>, (), Message-ID: <dovecot-1733709660-854355-0@mail.change_mailserver_domain.nl>, mail_id: A8sJuv1pGQZO, b: 4S6IkK9VQ, Hits: 0.799, size: 2844, queued_as: 4Y64pP1FnPz1JD19, Subject: "Rejected: [SPAM] Zit comfortabel overal...", From: <postmaster@the_client_domain.nl>, helo=, Tests: [BAYES_50=0.8,NO_RELAYS=-0.001], autolearn=ham autolearn_force=no, autolearnscore=0, dkim_new=dkim:centralhost.nl, 278 ms
Dec  9 03:01:01 mail postfix/amavis/smtp[1107472]: 4Y64pN6NfSz1JD1K: to=<ifxolzz@givallsersion.de>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.36, delays=0.06/0/0.01/0.29, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Y64pP1FnPz1JD19)

Log (unknown user):

Dec  9 03:17:29 mail postfix/postscreen[1082415]: CONNECT from [62.173.138.85]:58059 to [192.168.1.50]:25
Dec  9 03:17:29 mail postfix/postscreen[1082415]: PASS OLD [62.173.138.85]:58059
Dec  9 03:17:29 mail postfix/smtpd[1109521]: connect from xn--j1afm.048.xn--p1acf[62.173.138.85]
Dec  9 03:17:29 mail postfix/smtpd[1109521]: NOQUEUE: reject: RCPT from xn--j1afm.048.xn--p1acf[62.173.138.85]: 550 5.1.1 <user@the_client_domain.nl>: Recipient address rejected: User unknown; from=<ixsacqh@givallsersion.de> to=<user@the_client_domain.nl> proto=ESMTP helo=<xn--j1afm.048.xn--p1acf>


Mapping:

mail.changed_mailserver_domain.nl = my mail server
ifxolzz@givallsersion.de = the spammer (this can be anything, for example auflandhe@304bxgbpf.com or ebikepronw@aiguoxing.com; you know these are not valid domains)
@the_client_domain.nl = receiving domain (on my mail server)


I don't understand why this is happening. In Amavis I used the option to D_DISCARD everything.

The problem is that this kind of "spammer" sends to all the available mailboxes that the mail server has. If it hits a mailbox, the mail gets checked (and gets the label "Passed SPAM"); when it does not hit a mailbox, it gets the reply "no such user in virtual mailbox" (which is also bad).

And to make the above situation worse: sometimes it replies to known mail servers (like Gmail or Outlook), which is bad for my reputation.

For example: I am using sendscore and I always have a reputation of 99% / 100%. The week before Black Friday (and after) I have a bad reputation, and I know this has to do with the above logic (see attachment for the reputation graph).

Long story short: if there is a label "Passed SPAM", just remove the mail; do not reply or anything. Replying with "Subject: [SPAM] subject text" will only harm your own reputation.

Any ideas? I am really out of options to prevent random domains from spamming (all mailboxes within a time span of 24 hours).

Post's attachment: Schermafdruk van 2024-12-09 10-30-25.png (reputation graph)

----

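The log excerpt above already contains the answer to "who sends the reply": amavisd logged "Passed SPAM" (not "Blocked"), Postfix queued the tagged copy as 4Y64pN5KxCz1JD1H and Dovecot delivered it, and only then did a null-sender message (postfix/pickup, uid=2000, from=<>, a dovecot-... Message-ID) go back out to the spam sender with the subject "Rejected: [SPAM] ...". The script below is an added example, not part of the original post; it parses the poster's own lines (copied as a constructed sample, with the Tests list shortened) and correlates them by envelope sender and recipient to flag exactly that backscatter pattern, and it also counts the "User unknown" rejects per client IP, which is how the all-mailboxes probing shows up in the log. The regexes and report layout are mine and assume the standard Postfix and amavisd log formats shown in the thread.

```python
"""Correlate Postfix/amavisd log lines: passed spam followed by an auto-reply to its sender.

Added example (not from the forum post). SAMPLE_LOG is a constructed sample made from
the poster's own log lines, using the same placeholder domains.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec  9 03:01:00 mail postfix/smtpd[1107467]: 4Y64pN163Fz1JD19: client=xn--j1afm.048.xn--p1acf[62.173.138.85]
Dec  9 03:01:00 mail amavis[1073598]: (1073598-12) Passed SPAM {RelayedTaggedInbound}, [62.173.138.85]:55816 [78.111.75.174] ESMTP/ESMTP <ifxolzz@givallsersion.de> -> <secretariaat@the_client_domain.nl>, (ESMTP://[62.173.138.85]:55816 < ESMTPA://78.111.75.174), Queue-ID: 4Y64pN163Fz1JD19, Message-ID: <38471488H37154023W11161532Y41818844A@idifxolzz>, mail_id: 4xTZ1ofsFTKB, b: 1D9dHi5IC, Hits: 5.015, size: 71613, queued_as: 4Y64pN5KxCz1JD1H, Subject: "Zit comfortabel overal...", From: <ifxolzz@givallsersion.de>, helo=xn--j1afm.048.xn--p1acf, Tests: [BAYES_50=0.8,CONT_DECLINE_BO=3], autolearn=no autolearn_force=no, autolearnscore=4.215, 398 ms
Dec  9 03:01:00 mail postfix/pickup[1096541]: 4Y64pN6NfSz1JD1K: uid=2000 from=<>
Dec  9 03:01:00 mail postfix/pipe[1107476]: 4Y64pN5KxCz1JD1H: to=<secretariaat@the_client_domain.nl>, relay=dovecot, delay=0.15, delays=0.04/0.01/0/0.1, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec  9 03:01:01 mail amavis[1075004]: (1075004-11) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [127.0.0.1] /ESMTP <> -> <ifxolzz@givallsersion.de>, (), Message-ID: <dovecot-1733709660-854355-0@mail.changed_mailserver_domain.nl>, mail_id: A8sJuv1pGQZO, b: 4S6IkK9VQ, Hits: 0.799, size: 2844, queued_as: 4Y64pP1FnPz1JD19, Subject: "Rejected: [SPAM] Zit comfortabel overal...", From: <postmaster@the_client_domain.nl>, helo=, Tests: [BAYES_50=0.8,NO_RELAYS=-0.001], autolearn=ham autolearn_force=no, autolearnscore=0, dkim_new=dkim:centralhost.nl, 278 ms
Dec  9 03:17:29 mail postfix/smtpd[1109521]: NOQUEUE: reject: RCPT from xn--j1afm.048.xn--p1acf[62.173.138.85]: 550 5.1.1 <user@the_client_domain.nl>: Recipient address rejected: User unknown; from=<ixsacqh@givallsersion.de> to=<user@the_client_domain.nl> proto=ESMTP helo=<xn--j1afm.048.xn--p1acf>
"""

# amavisd verdict line: "Passed SPAM {RelayedTaggedInbound}, ... <sender> -> <rcpt> ... Hits: n ... Subject: "..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<klass>[A-Z-]+) "
    r"\{(?P<policy>[^}]+)\},.*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>,]+)>"
    r".*?Hits: (?P<hits>-?[\d.]+).*?Subject: \"(?P<subject>[^\"]*)\""
)
# Postfix smtpd rejecting an unknown recipient before queueing.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: 550 \S+ "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown; from=<(?P<sender>[^>]*)>"
)
# Postfix pickup: mail injected from the local maildrop, with the injecting uid.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\S+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")


def parse_log(text):
    """Split raw syslog text into the three event kinds this check cares about."""
    events = {"amavis": [], "user_unknown": [], "pickup": []}
    for line in text.splitlines():
        if (m := AMAVIS_RE.search(line)):
            d = m.groupdict()
            d["hits"] = float(d["hits"])
            events["amavis"].append(d)
        elif (m := REJECT_RE.search(line)):
            events["user_unknown"].append(m.groupdict())
        elif (m := PICKUP_RE.search(line)):
            events["pickup"].append(m.groupdict())
    return events


def find_backscatter(events):
    """Pair each passed spam with a locally generated null-sender reply addressed to its sender."""
    passed_spam = [e for e in events["amavis"]
                   if e["verdict"] == "Passed" and e["klass"] in ("SPAM", "SPAMMY")]
    found = []
    for spam in passed_spam:
        for reply in events["amavis"]:
            if (reply["sender"] == ""                 # null envelope sender: a bounce or auto-reply
                    and "Internal" in reply["policy"]  # originated on this host, not relayed in
                    and reply["rcpt"] == spam["sender"]
                    and reply["subject"].startswith("Rejected:")):
                found.append({"spam_subject": spam["subject"], "hits": spam["hits"],
                              "original_rcpt": spam["rcpt"], "to": reply["rcpt"],
                              "reply_subject": reply["subject"]})
    return found


def user_unknown_by_client(events):
    """Count 'User unknown' rejects per client IP; a burst from one IP is a mailbox-probing run."""
    return Counter(e["ip"] for e in events["user_unknown"])


def local_null_sender_injections(events):
    """Queue IDs picked up from the local maildrop with an empty sender (auto-generated mail)."""
    return [e["qid"] for e in events["pickup"] if e["sender"] == ""]


def report(text):
    ev = parse_log(text)
    return {"backscatter": find_backscatter(ev),
            "user_unknown": dict(user_unknown_by_client(ev)),
            "null_sender_pickups": local_null_sender_injections(ev)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

Run it against a real mail.log instead of SAMPLE_LOG (`report(open("/var/log/mail.log").read())`) and the "backscatter" list tells you how many spam senders received a reply from your server in that period; the "user_unknown" counter shows which client IPs are walking through your address space.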

2

Re: Mail has "Passed Spam" but mailserver response to the sender

I tried to be a learner here (i.e., not an expert); can you share the MySQL output of:

use amavisd;
SELECT spam_lover,bypass_spam_checks,spam_quarantine_to  FROM policy WHERE policy_name='@.' ;

3

Re: Mail has "Passed Spam" but mailserver response to the sender

tedsje wrote:

the Amavis I used the option to D_DISCARD everything.

iRedMail inserts a SQL record as the global spam policy in SQL table "amavisd.policy" (with `policy_name=@.`); it overrides the ones set in the Amavisd config file.

4 (edited by tedsje 2024-12-12 16:51:20)

Re: Mail has "Passed Spam" but mailserver response to the sender

chris.23lo wrote:

I tried to be a learner here (i.e., not an expert); can you share the MySQL output of:

use amavisd;
SELECT spam_lover,bypass_spam_checks,spam_quarantine_to  FROM policy WHERE policy_name='@.' ;


Hello @chris. This is the result of the query:
Database changed
MariaDB [amavisd]> SELECT spam_lover,bypass_spam_checks,spam_quarantine_to  FROM policy WHERE policy_name='@.' ;
+------------+--------------------+--------------------+
| spam_lover | bypass_spam_checks | spam_quarantine_to |
+------------+--------------------+--------------------+
| Y          | N                  |                    |
+------------+--------------------+--------------------+



ZhangHuangbin wrote:
tedsje wrote:

the Amavis I used the option to D_DISCARD everything.

iRedMail inserts a SQL record as the global spam policy in SQL table "amavisd.policy" (with `policy_name=@.`); it overrides the ones set in the Amavisd config file.

Alright, I do not really know what all these "attributes" mean in relation to the problem. The most logical problem could be that the attribute "spam_quarantine_to" is set to NULL.

Please can you help me to get a better understanding.

These are my settings:

id  = 1
policy_name = @,
virus_lover  = N
spam_lover = Y
unchecked_lover = NULL
banned_files_lover = N
bad_header_lover = Y
bypass_virus_checks = N
bypass_spam_checks = N
bypass_banned_checks  = N
bypass_header_checks  = N
virus_quarantine_to = virus-quarantine
spam_quarantine_to = *** empty string *** (literally)
banned_quarantine_to = banned-quarantine

Attributes below are "NULL"
unchecked_quarantine_to
bad_header_quarantine_to
clean_quarantine_to
archive_quarantine_to
spam_tag_level
spam_tag2_level
spam_tag3_level
spam_kill_level
spam_dsn_cutoff_level
spam_quarantine_cutoff_level
addr_extension_virus
addr_extension_spam
addr_extension_banned
addr_extension_bad_header
warnvirusrecip
warnbannedrecip
warnbadhrecip
newvirus_admin
virus_admin
banned_admin
bad_header_admin
spam_admin
spam_subject_tag
spam_subject_tag2
spam_subject_tag3
message_size_limit
banned_rulenames
disclaimer_options
forward_method
sa_userconf
sa_username

I am happy to hear from you guys.

5 (edited by chris.23lo 2024-12-12 17:45:41)

Re: Mail has "Passed Spam" but mailserver response to the sender

Be fair that this is the amavisd-new component...

At some point if you do quarantine by setting spam_quarantine_to, you may need to look further how to check quarantine and release some mail if it is wrongly classified.

If you update spam_lover=N, you should not see all the tagged [SPAM] mails, and they are DISCARDed.
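To make the interplay of the policy columns from posts 3 to 5 concrete, here is an added example (my own simplified model, not iRedMail's or amavisd's code) of how amavisd turns a SpamAssassin score plus one policy row into a verdict and an action. It relies on two things I am confident of: amavisd logs "SPAM" when the score is at or above the kill level and "SPAMMY" when it is only at or above the tag2 level, and a spam_lover=Y recipient gets spam delivered even above the kill level, which is exactly the "Passed SPAM" with Hits 5.015 in the first post. The threshold values TAG2_LEVEL and KILL_LEVEL are assumed stand-ins for the amavisd.conf defaults that apply when the SQL columns are NULL (chosen so that 5.015 is above the kill level, as the log implies), and the quarantine folder name "spam-quarantine" is constructed; the real values are whatever your amavisd.conf sets.

```python
"""Simplified model of how amavisd applies a per-recipient policy row to a scored message.

Added example, not iRedMail's or amavisd's own code. Thresholds are assumed values.
"""

# Assumed stand-ins for the amavisd.conf defaults used when the SQL columns are NULL.
TAG2_LEVEL = 5.0
KILL_LEVEL = 5.0
SPAM_DESTINY = "D_DISCARD"   # the poster's setting; D_BOUNCE would generate a DSN instead

# The poster's global policy row (policy_name '@.'), reduced to the columns that matter here.
CURRENT_ROW = {"policy_name": "@.", "spam_lover": "Y", "bypass_spam_checks": "N",
               "spam_quarantine_to": "", "spam_kill_level": None, "spam_tag2_level": None}


def classify(score, tag2_level, kill_level):
    """amavisd's log label: SPAM at/above kill level, SPAMMY at/above tag2 level, else CLEAN."""
    if score >= kill_level:
        return "SPAM"
    if score >= tag2_level:
        return "SPAMMY"
    return "CLEAN"


def decide(row, score):
    """Return (verdict, action) for one recipient under the given policy row."""
    if row.get("bypass_spam_checks") == "Y":
        return "Passed CLEAN", "delivered unchecked"
    # NULL in SQL means "fall back to the config default"; an explicit value overrides it.
    kill = row["spam_kill_level"] if row["spam_kill_level"] is not None else KILL_LEVEL
    tag2 = row["spam_tag2_level"] if row["spam_tag2_level"] is not None else TAG2_LEVEL
    label = classify(score, tag2, kill)
    if label == "SPAM" and row.get("spam_lover") != "Y":
        # Above the kill level and the recipient does not want spam: the message is blocked.
        if row.get("spam_quarantine_to"):
            return f"Blocked {label}", f"{SPAM_DESTINY}, copy quarantined to {row['spam_quarantine_to']}"
        return f"Blocked {label}", f"{SPAM_DESTINY}, no quarantine copy (spam_quarantine_to is empty)"
    # spam_lover=Y, or below the kill level: delivered, with a subject tag from tag2 upwards.
    action = "delivered with [SPAM] subject tag" if label != "CLEAN" else "delivered"
    return f"Passed {label}", action


def compare(score):
    """Outcome of the same message under the current row and two candidate changes."""
    rows = {
        "current (spam_lover=Y)": CURRENT_ROW,
        "spam_lover=N": {**CURRENT_ROW, "spam_lover": "N"},
        "spam_lover=N + quarantine": {**CURRENT_ROW, "spam_lover": "N",
                                      "spam_quarantine_to": "spam-quarantine"},  # constructed name
    }
    return {name: decide(row, score) for name, row in rows.items()}


if __name__ == "__main__":
    for name, (verdict, action) in compare(5.015).items():
        print(f"{name:28s} -> {verdict}: {action}")
```

With the poster's row the 5.015 message comes out as "Passed SPAM" and is delivered with the tag; with spam_lover=N the same message is "Blocked SPAM" and, because spam_destiny is D_DISCARD, nothing is sent back to the sender. Whether a blocked copy is kept for review depends on spam_quarantine_to: the empty string in the poster's row means no quarantine copy, so flip spam_lover only once you have decided whether you want one.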

6 (edited by chris.23lo 2024-12-12 18:08:13)

Re: Mail has "Passed Spam" but mailserver response to the sender

You may also want to look into this
https://www.postfix.org/ADDRESS_VERIFIC … #recipient