
Thread: Spam issues

  1. #1 (NZ, joined Apr 2012)

    Spam issues

    Hey, I have tried my best to get this filtered out but cannot sort it at all. I have included "localhost, unknown" and other obvious things in the amavis config settings to flag it with a 10.0 score, postfix is set to filter by RFC headers, by DNS and reverse DNS, but this thing still gets in and drives me mad at this point. Could you please look at this email and let me know what to do; it is hard to believe that the system cannot filter out such a simple thing. It does not learn from it either. Amavis is removing 80% of junk, but this seems to be impossible to block. Thank you for all your help. Mark

    Received: from zimbra.local (LHLO zimbra.local) (192.168.1.2) by
    zimbra.local with LMTP; Tue, 20 Aug 2013 06:51:25 +1200 (NZST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.local (Postfix) with ESMTP id 3D283182465
    for <xxx@xxx.com>; Tue, 20 Aug 2013 06:51:25 +1200 (NZST) <- DOMAIN REMOVED FOR SECURITY...
    X-Virus-Scanned: amavisd-new at zimbra.local
    X-Spam-Flag: NO
    X-Spam-Score: 0
    X-Spam-Level:
    X-Spam-Status: No, score=x tagged_above=-10 required=6.6 WHITELISTED tests=[]
    autolearn=unavailable
    Received: from zimbra.local ([127.0.0.1])
    by localhost (zimbra.local [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id fJqCrG4GwAsr for <xxx@xxx.com>;
    Tue, 20 Aug 2013 06:51:25 +1200 (NZST)
    Received: from 37.213.171.142 (unknown [37.213.171.142])
    by zimbra.local (Postfix) with SMTP id 632F1182464
    for <xxx@xxx.com>; Tue, 20 Aug 2013 06:51:02 +1200 (NZST)
    Received: from unknown (HELO localhost) (james.jordan@izardweston.co.nz@45.199.118.158) <- this is always different and not true at all
    by 37.213.171.142 with ESMTPA; Mon, 19 Aug 2013 21:56:36 +0200
    From: james.jordan@izardweston.co.nz
    To: xxx@xxx.com
    Subject: Our New Actual Gains Pick Is Here
    Date: Mon, 19 Aug 2013 21:43:19 +0200
    Message-Id: <20130819185123.632F1182464@zimbra.local>

    Latest Headline: The M_ON K is on the breakout!!! M_ON K is on a one
    day of advertising and its showing a biggest volume on today! Analysts
    named it a flavor of the month. And you must to discover why...
    MONARCHY RESOURCES INC. is a recent supernova in expansion in
    exploration. The market is huge. Monarchy Resources, Inc would
    honestly be a $1.80 stock super shortly. The media will develop for
    two weeks and the share valuation will raise monthly. Go pocketing
    cash with M_ON K. Order your $26'000 shares on Tue, August 20th below
    0.36.

  2. #2 (NZ, joined Apr 2012)

    Here I have some logs:

    Aug 20 06:51:01 zimbra postfix/smtpd[28933]: connect from unknown[37.213.171.142]
    Aug 20 06:51:03 zimbra postfix/smtpd[28933]: NOQUEUE: filter: RCPT from unknown[37.213.171.142]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<xxx@xxx.com> proto=SMTP helo=<37.213.171.142>
    Aug 20 06:51:03 zimbra postfix/smtpd[28933]: NOQUEUE: filter: RCPT from unknown[37.213.171.142]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<xxx@xxx.com> proto=SMTP helo=<37.213.171.142>
    Aug 20 06:51:13 zimbra postfix/smtpd[28933]: warning: 142.171.213.37.blackholes.mail-abuse.org: RBL lookup error: Host or domain name not found. Name service error for name=142.171.213.37.blackholes.mail-abuse.org type=A: Host not found, try again
    Aug 20 06:51:23 zimbra postfix/smtpd[28933]: warning: 142.171.213.37.relays.mail-abuse.org: RBL lookup error: Host or domain name not found. Name service error for name=142.171.213.37.relays.mail-abuse.org type=A: Host not found, try again
    Aug 20 06:51:23 zimbra postfix/smtpd[28933]: 632F1182464: client=unknown[37.213.171.142]
    Aug 20 06:51:25 zimbra postfix/cleanup[29188]: 632F1182464: message-id=<20130819185123.632F1182464@zimbra.local>
    Aug 20 06:51:25 zimbra postfix/qmgr[25614]: 632F1182464: from=<>, size=1117, nrcpt=1 (queue active)
    Aug 20 06:51:25 zimbra postfix/amavisd/smtpd[29193]: connect from localhost.localdomain[127.0.0.1]
    Aug 20 06:51:25 zimbra postfix/amavisd/smtpd[29193]: 3D283182465: client=localhost.localdomain[127.0.0.1]
    Aug 20 06:51:25 zimbra postfix/cleanup[29188]: 3D283182465: message-id=<20130819185123.632F1182464@zimbra.local>
    Aug 20 06:51:25 zimbra postfix/qmgr[25614]: 3D283182465: from=<>, size=1729, nrcpt=1 (queue active)
    Aug 20 06:51:25 zimbra postfix/amavisd/smtpd[29193]: disconnect from localhost.localdomain[127.0.0.1]
    Aug 20 06:51:25 zimbra postfix/smtp[29190]: 632F1182464: to=<xxx@xxx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=23, delays=23/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3D283182465)
    Aug 20 06:51:25 zimbra postfix/qmgr[25614]: 632F1182464: removed
    Aug 20 06:51:25 zimbra postfix/lmtp[29194]: 3D283182465: to=<xxx@xxx.com>, relay=zimbra.local[192.168.1.2]:7025, delay=0.14, delays=0.03/0.01/0/0.11, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Aug 20 06:51:25 zimbra postfix/qmgr[25614]: 3D283182465: removed
    Aug 20 06:51:25 zimbra postfix/smtpd[28933]: disconnect from unknown[37.213.171.142]

    This is some spam training:

    20130818234501 Starting spam/ham cleanup
    [] INFO: Total messages processed: 1
    [] INFO: Total messages processed: 0
    20130818234506 Finished spam/ham cleanup
    20130819230002 Starting spam/ham extraction from system accounts.
    [] INFO: Total messages processed: 7
    [] INFO: Total messages processed: 0
    20130819230013 Finished extracting spam/ham from system accounts.
    20130819230013 Starting spamassassin training.
    netset: cannot include 127.0.0.0/8 as it has already been included
    Learned tokens from 7 message(s) (7 message(s) examined)
    netset: cannot include 127.0.0.0/8 as it has already been included
    Learned tokens from 0 message(s) (0 message(s) examined)
    netset: cannot include 127.0.0.0/8 as it has already been included
    20130819230019 Finished spamassassin training.
    20130819234502 Starting spam/ham cleanup
    [] INFO: Total messages processed: 7
    [] INFO: Total messages processed: 0
    20130819234507 Finished spam/ham cleanup

  3. #3 (NZ, joined Apr 2012)

    and here are configs:

    mail_owner = postfix
    bounce_notice_recipient = postmaster
    content_filter = smtp-amavis:[127.0.0.1]:10024
    smtp_sasl_security_options = noplaintext,noanonymous
    relayhost = xxx.com:25
    virtual_alias_expansion_limit = 10000
    smtpd_sasl_authenticated_header = no
    smtp_helo_name = $myhostname
    broken_sasl_auth_clients = yes
    minimal_backoff_time = 300s
    sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
    always_add_missing_headers = yes
    smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
    smtpd_helo_required = yes
    virtual_transport = error
    sendmail_path = /opt/zimbra/postfix/sbin/sendmail
    smtpd_sasl_security_options = noanonymous
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client bl.spamcop.net reject_rbl_client blackholes.mail-abuse.org reject_rbl_client diallups.mail-abuse.org reject_rbl_client relays.mail-abuse.org, permit
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    smtpd_reject_unlisted_recipient = no
    bounce_queue_lifetime = 5d
    smtp_sasl_mechanism_filter =
    local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_milters =
    smtpd_tls_security_level = may
    smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/opt/zimbra/postfix/conf/access_table, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
    lmtp_host_lookup = dns
    delay_warning_time = 0h
    header_checks =
    queue_run_delay = 300s
    virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
    notify_classes = resource,software
    command_directory = /opt/zimbra/postfix/sbin
    smtpd_client_restrictions = reject_unauth_pipelining
    smtpd_tls_auth_only = yes
    virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
    mailq_path = /opt/zimbra/postfix/sbin/mailq
    smtpd_banner = $myhostname ESMTP $mail_name
    mynetworks = 127.0.0.0/8 192.168.1.0/24
    lmtp_connection_cache_time_limit = 4s
    transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
    virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
    smtpd_sasl_auth_enable = yes
    smtpd_tls_loglevel = 1
    maximal_backoff_time = 4000s
    virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
    inet_protocols = ipv4
    non_smtpd_milters =
    daemon_directory = /opt/zimbra/postfix/libexec
    smtp_tls_security_level =
    alias_maps = hash:/etc/aliases
    setgid_group = postdrop
    smtp_cname_overrides_servername = no
    mydestination = localhost
    smtpd_end_of_data_restrictions =
    import_environment =
    myhostname = zimbra.local
    message_size_limit = 10240000
    recipient_delimiter =
    in_flow_delay = 1s
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    queue_directory = /opt/zimbra/data/postfix/spool
    propagate_unmatched_extensions = canonical
    manpage_directory = /opt/zimbra/postfix/man
    smtp_fallback_relay =
    smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
    smtp_sasl_password_maps =
    lmtp_connection_cache_destinations =
    newaliases_path = /opt/zimbra/postfix/sbin/newaliases
    smtp_sasl_auth_enable = no
    mailbox_size_limit = 0
    disable_dns_lookups = no

    where access_table is:


    dynamic REJECT
    unknown REJECT
    localhost REJECT
    localdomain.com REJECT
    anotherlocaldomain.com REJECT

    and amavis config addons are:

    # soft-blacklisting (positive score)
    'sender@example.net' => 3.0,
    '.example.net' => 1.0,
    'unknown' => 10.0,
    '.unknown' => 10.0,
    'localhost' => 10.0,
    'dynamic' => 10.0,
    '.dynamic.' => 10.0,
    '.localhost.com' => 10.0,

    },
    ], # end of site-wide tables

    full config file is here:
    https://www.dropbox.com/sh/al1e6t084g56n4o/h9-emdvS9E -> x.txt

    Thank you for help.
    Mark

  4. #4 (Austin, Tx, joined Jan 2007)

    Mark,

    You need to add reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname. Based on what I am seeing above, that would successfully block the emails presented. You can do so through the GUI admin under the global MTA settings.

    I would take out the following that are in red, as they are potentially more harmful than helpful. The unknown is because of the non-FQDN HELO. The localhost is valid; it is the handoff from your local postfix to amavisd-new and vice versa. Putting in rules to block localhost could potentially block good email, or even all email. Fortunately the "permit_mynetworks" has been preventing your valid emails from being blocked.

    dynamic REJECT
    unknown REJECT
    localhost REJECT

    localdomain.com REJECT
    anotherlocaldomain.com REJECT

    # soft-blacklisting (positive score)
    'sender@example.net' => 3.0,
    '.example.net' => 1.0,
    'unknown' => 10.0,
    '.unknown' => 10.0,
    'localhost' => 10.0,

    'dynamic' => 10.0,
    '.dynamic.' => 10.0,
    '.localhost.com' => 10.0,

    UPDATE: I noticed that I missed the following in the header you initially posted:

    Received: from unknown (HELO localhost)
    I would still take out the rejects or point values assigned to "localhost" but I wanted you to know that the reject_non_fqdn_helo_hostname would still block that email.

    Regards,

    Brad
    Last edited by btriem; 08-20-2013 at 01:08 AM.

  5. #5 (NZ, joined Apr 2012)

    Thanks, I will go for it and let you know if it works. Thanks

  6. #6 (NZ, joined Apr 2012)

    Hey, I have added as well reject_non_fqdn_sender, reject_unknown_sender_domain. It nailed it.

    Thanks for your help.

  7. #7 (NZ, joined Apr 2012)

    Hey, I was able to stop 99% of the rubbish, but I still get some moron targeting me directly. He must be using some proxy servers; I have managed to force him to use his real IP, but each time it is from a different part of the world.
    I bet he is directly connecting to my SMTP and typing the data in (so to speak). In the past he was sending me 5 emails a day per account; now I am getting one on occasion, but each time he does find a hole I patch it. Now I am at the end of the tunnel.

    Please have a look at this and try to advise how to eliminate it. Thanks

    Received: from zimbra.local (LHLO zimbra.local) (192.168.x.x) by
    zimbra.local with LMTP; Sun, 8 Sep 2013 06:00:28 +1200 (NZST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.local (Postfix) with ESMTP id 55DC7182466
    for <xxx@xxx.com>; Sun, 8 Sep 2013 06:00:28 +1200 (NZST)
    X-Virus-Scanned: amavisd-new at zimbra.local
    X-Spam-Flag: NO
    X-Spam-Score: 0
    X-Spam-Level:
    X-Spam-Status: No, score=x tagged_above=-10 required=6.6 WHITELISTED tests=[]
    autolearn=unavailable
    Received: from mail.xxx.com ([127.0.0.1])
    by localhost (zimbra.local [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 0fNu-NyVcbT4 for <xxx@xxx.com>;
    Sun, 8 Sep 2013 06:00:28 +1200 (NZST)
    Received: from bzq-79-181-9-109.red.bezeqint.net (bzq-79-181-9-109.red.bezeqint.net [79.181.9.109])
    by zimbra.local (Postfix) with SMTP id 13422182465
    for <xxx@xxx.com>; Sun, 8 Sep 2013 06:00:04 +1200 (NZST)
    Received: from unknown (HELO localhost) (jfindleynn@skate.reno.nv.us@143.132.194.223)
    by bzq-79-181-9-109.red.bezeqint.net with ESMTPA; Sat, 7 Sep 2013 21:04:31 +0200
    X-Originating-IP: 143.132.194.223
    From: jfindleynn@skate.reno.nv.us
    To: xxx@xxx.com
    Subject: new picks very bullish
    Message-Id: <20130907180026.13422182465@zimbra.local>
    Date: Sun, 8 Sep 2013 06:00:04 +1200 (NZST)

    You can make money on war! It`s right time to get this done. As
    soon as the US takes military action against Syria, oil prices
    will rise as well as Monarchy Resources Inc (M ONK) share price.
    Start making $$$ on September 9, grab M ONK shares.

  8. #8 (NZ, joined Apr 2012)

    Some statistics here:

    Grand Totals
    ------------
    messages

    37 received
    27 delivered
    0 forwarded
    0 deferred
    3 bounced
    642 rejected (95%)
    0 reject warnings
    0 held
    0 discarded (0%)

  9. #9 (NZ, joined Apr 2012)

    Here is the log (I cannot work this out; when I was setting up servers manually on postfix and spamassassin in the old days I hadn't seen such a thing):

    Sep 8 06:00:02 zimbra postfix/smtpd[30194]: connect from bzq-79-181-9-109.red.bezeqint.net[79.181.9.109]
    Sep 8 06:00:05 zimbra postfix/smtpd[30194]: NOQUEUE: filter: RCPT from bzq-79-181-9-109.red.bezeqint.net[79.181.9.109]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<xxx@xxx.com> proto=SMTP helo=<bzq-79-181-9-109.red.bezeqint.net>
    Sep 8 06:00:05 zimbra postfix/smtpd[30194]: NOQUEUE: filter: RCPT from bzq-79-181-9-109.red.bezeqint.net[79.181.9.109]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<xxx@xxx.com> proto=SMTP helo=<bzq-79-181-9-109.red.bezeqint.net>
    Sep 8 06:00:15 zimbra postfix/smtpd[30194]: warning: 109.9.181.79.blackholes.mail-abuse.org: RBL lookup error: Host or domain name not found. Name service error for name=109.9.181.79.blackholes.mail-abuse.org type=A: Host not found, try again
    Sep 8 06:00:26 zimbra postfix/smtpd[30194]: warning: 109.9.181.79.relays.mail-abuse.org: RBL lookup error: Host or domain name not found. Name service error for name=109.9.181.79.relays.mail-abuse.org type=A: Host not found, try again
    Sep 8 06:00:26 zimbra postfix/smtpd[30194]: 13422182465: client=bzq-79-181-9-109.red.bezeqint.net[79.181.9.109]
    Sep 8 06:00:28 zimbra postfix/cleanup[31061]: 13422182465: message-id=<20130907180026.13422182465@zimbra.local>
    Sep 8 06:00:28 zimbra postfix/qmgr[28808]: 13422182465: from=<>, size=898, nrcpt=1 (queue active)
    Sep 8 06:00:28 zimbra postfix/amavisd/smtpd[31065]: connect from localhost.localdomain[127.0.0.1]
    Sep 8 06:00:28 zimbra postfix/amavisd/smtpd[31065]: 55DC7182466: client=localhost.localdomain[127.0.0.1]
    Sep 8 06:00:28 zimbra postfix/cleanup[31061]: 55DC7182466: message-id=<20130907180026.13422182465@zimbra.local>
    Sep 8 06:00:28 zimbra postfix/qmgr[28808]: 55DC7182466: from=<>, size=1526, nrcpt=1 (queue active)
    Sep 8 06:00:28 zimbra postfix/amavisd/smtpd[31065]: disconnect from localhost.localdomain[127.0.0.1]
    Sep 8 06:00:28 zimbra postfix/smtp[31062]: 13422182465: to=<xxx@xxx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=24, delays=24/0.02/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 55DC7182466)
    Sep 8 06:00:28 zimbra postfix/qmgr[28808]: 13422182465: removed
    Sep 8 06:00:28 zimbra postfix/lmtp[31066]: 55DC7182466: to=<xxx@xxx.com>, relay=zimbra.local[192.168.1.2]:7025, delay=0.15, delays=0.03/0.01/0/0.11, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Sep 8 06:00:28 zimbra postfix/qmgr[28808]: 55DC7182466: removed
    Sep 8 06:00:29 zimbra postfix/smtpd[30194]: disconnect from bzq-79-181-9-109.red.bezeqint.net[79.181.9.109]

  10. #10 (NZ, joined Apr 2012)

    Has anybody successfully used "address_verify_sender" with Zimbra? It looks like it is not turned on by default. How do I reject an empty sender like this: ".9.109]: <>: Sender address t"?
    Thanks for the help
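As an added example that is not part of this thread, and not Postfix or Zimbra code, the Python below models the restrictions Brad recommends in #4 (reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname), the check_sender_access table posted in #3, and the empty-sender question in #10, and runs them over the two posted "NOQUEUE: filter" log lines. Sessions 3 and 4, the bob@localdomain.com and alice@example.net senders and the TEST-NET addresses are constructed for illustration. The checks are simplified re-implementations of the Postfix behaviour, not the Postfix source; nothing here does DNS, so reject_unknown_sender_domain and the RBL lookups are left out.

```python
# Added example: a simplified model of the Postfix smtpd restrictions discussed
# in the thread, applied to the posted 'NOQUEUE: filter' log lines.
import ipaddress
import re

# Sessions 1 and 2 are copied from the posted logs (recipient redacted as in the
# thread); sessions 3 and 4 are constructed here to exercise the other branches.
LOG_LINES = [
    "Aug 20 06:51:03 zimbra postfix/smtpd[28933]: NOQUEUE: filter: RCPT from unknown[37.213.171.142]: <>: "
    "Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<xxx@xxx.com> proto=SMTP helo=<37.213.171.142>",
    "Sep 8 06:00:05 zimbra postfix/smtpd[30194]: NOQUEUE: filter: RCPT from bzq-79-181-9-109.red.bezeqint.net[79.181.9.109]: <>: "
    "Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<xxx@xxx.com> proto=SMTP helo=<bzq-79-181-9-109.red.bezeqint.net>",
    "Sep 9 10:00:00 zimbra postfix/smtpd[100]: NOQUEUE: filter: RCPT from unknown[203.0.113.5]: <bob@localdomain.com>: "
    "Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<bob@localdomain.com> to=<xxx@xxx.com> proto=SMTP helo=<localhost>",
    "Sep 9 10:00:01 zimbra postfix/smtpd[101]: NOQUEUE: filter: RCPT from mx.example.net[198.51.100.9]: <alice@example.net>: "
    "Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<alice@example.net> to=<xxx@xxx.com> proto=ESMTP helo=<[198.51.100.9]>",
]

# The check_sender_access table posted in #3.
ACCESS_TABLE = {"dynamic": "REJECT", "unknown": "REJECT", "localhost": "REJECT",
                "localdomain.com": "REJECT", "anotherlocaldomain.com": "REJECT"}
NULL_SENDER_KEY = "<>"  # Postfix smtpd_null_access_lookup_key default

LOG_RE = re.compile(r"RCPT from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]:.*?"
                    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>")
# One DNS label: 1-63 chars of letters, digits or '_', with '-' only inside.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def valid_hostname(name):
    # Like Postfix valid_hostname(): well-formed labels joined by single dots,
    # and not all-numeric, so a bare IP such as 37.213.171.142 fails.
    if not name or len(name) > 255 or not all(LABEL_RE.match(l) for l in name.split(".")):
        return False
    return any(c.isalpha() or c == "_" for c in name)


def valid_address_literal(helo):
    # "[192.0.2.1]" form allowed by RFC 5321 section 4.1.3 (IPv4 only here).
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
        return True
    except ValueError:
        return False


def reject_invalid_helo_hostname(helo):
    # Malformed HELO: neither a well-formed hostname nor an address literal.
    ok = valid_address_literal(helo) or valid_hostname(helo)
    return None if ok else "reject_invalid_helo_hostname"


def reject_non_fqdn_helo_hostname(helo):
    # HELO not in FQDN form (needs a dot) and not an address literal;
    # catches both "localhost" and the bare IP in the first posted log.
    ok = valid_address_literal(helo) or (valid_hostname(helo) and "." in helo)
    return None if ok else "reject_non_fqdn_helo_hostname"


def reject_unknown_client_hostname(client):
    # Postfix logs the client as "unknown" when its PTR lookup fails or does not
    # forward-confirm; this is the client-name check that an "unknown" key in a
    # *sender* access table cannot perform.
    return "reject_unknown_client_hostname" if client == "unknown" else None


def reject_non_fqdn_sender(sender):
    # Skipped for MAIL FROM:<>, there is no domain to test, which is why it did
    # nothing against the posted messages.
    if sender == "":
        return None
    domain = sender.rpartition("@")[2]
    ok = valid_hostname(domain) and "." in domain
    return None if ok else "reject_non_fqdn_sender"


def check_sender_access(sender, table):
    # access(5) lookup order for a sender: whole address, the domain and each
    # parent domain, then "user@"; the null sender is looked up as "<>".
    if sender == "":
        keys = [NULL_SENDER_KEY]
    else:
        local, _, domain = sender.rpartition("@")
        labels = domain.split(".")
        keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    for key in keys:
        if key in table:
            return "check_sender_access %s %s" % (key, table[key])
    return None


def evaluate(line):
    # Parse one smtpd log line and list the restrictions that would fire on it.
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a NOQUEUE filter line: " + line[:60])
    s = m.groupdict()
    verdicts = [reject_invalid_helo_hostname(s["helo"]), reject_non_fqdn_helo_hostname(s["helo"]),
                reject_unknown_client_hostname(s["client"]), reject_non_fqdn_sender(s["sender"]),
                check_sender_access(s["sender"], ACCESS_TABLE)]
    s["rejected_by"] = [v for v in verdicts if v]
    return s


if __name__ == "__main__":
    for s in map(evaluate, LOG_LINES):
        verdict = ", ".join(s["rejected_by"]) or "nothing matched (accepted)"
        print("%s[%s] helo=<%s> from=<%s> -> %s" % (s["client"], s["ip"], s["helo"], s["sender"], verdict))
```

Run as-is to print one verdict per session. The two posted messages come out differently: the August one fails both HELO checks (a bare IP is neither a hostname nor an address literal) and the reverse-name check, while the September one presents a valid FQDN in HELO and has a resolvable reverse name, so only its empty envelope sender is left to act on. The access_table keys unknown, localhost and dynamic are compared against the sender address, never against the client's reverse name, which is why they never fired on either message. A null sender is looked up under the key <> (smtpd_null_access_lookup_key), so a "<> REJECT" entry would match it, but the null reverse-path is how bounces and other delivery status notifications are sent, and rejecting it wholesale stops those along with the spam; it is not a fix to apply blindly.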
