Old 12-01-2015, 10:25 PM   #1
shaun8421
LQ Newbie
 
Registered: Oct 2015
Posts: 10

Rep: Reputation: Disabled
Postfix Spamassassin - spam from same sender blocked and also allowed through


I have spamassassin installed on a CentOS server. We are receiving spam on a daily basis. The strange thing is I can see in /var/log/maillog that the same sender is sending mail through to the server as follows:

(note - The sender is the exact same sender: no-reply@ukmail.com)


"connect from localhost[127.0.0.1]"
When I see this entry, it lets through the mail from no-reply@ukmail.com.

"connect from unknown[49.248.180.193]"
When I see this entry, I see the logs say that it blocked it using zen.spamhaus.org.


What would be causing it to allow the spam through connecting as 127.0.0.1? About 9/10 messages are blocked (because it is using an actual IP address which is known as spam), and then the 1/10 is sending through to us (because somehow it is using 127.0.0.1 as the address)?


Here is an output of the log (note I have changed the e-mail addresses to '@ourdomainhere.com' with 'user1' and 'user2' at the front of the @ for privacy):


Dec 1 21:41:35 mail01 postfix/smtpd[8223]: connect from localhost[127.0.0.1]
Dec 1 21:41:35 mail01 postfix/smtpd[8223]: 4BD75B401E2: client=localhost[127.0.0.1]
Dec 1 21:41:35 mail01 postfix/cleanup[8216]: 4BD75B401E2: message-id=<2015122010134407fihbYri@ourdomainhere.com>
Dec 1 21:41:35 mail01 postfix/qmgr[27989]: 4BD75B401E2: from=<no-reply@ukmail.com>, size=168267, nrcpt=1 (queue active)
Dec 1 21:41:35 mail01 postfix/smtpd[8223]: disconnect from localhost[127.0.0.1]
Dec 1 21:41:35 mail01 amavis[7996]: (07996-04) Passed CLEAN {RelayedInbound}, [85.105.254.49]:19004 [85.105.254.49] <no-reply@ukmail.com> -> <user1@ourdomainhere.com>, Queue-ID: 203DDB401F5, Messri@ourdomainhere.com>, mail_id: 8JD1m75Aj4fm, Hits: 4.076, size: 167482, queued_as: 4BD75B401E2, 629 ms
Dec 1 21:41:35 mail01 postfix/smtp[8221]: 203DDB401F5: to=<user1@ourdomainhere.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=13/0/0/0.63, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smt0 Ok: queued as 4BD75B401E2)
Dec 1 21:41:35 mail01 postfix/qmgr[27989]: 203DDB401F5: removed
Dec 1 21:41:35 mail01 postfix/smtp[8224]: 4BD75B401E2: to=<user1@ourdomainhere.com>, relay=172.18.31.4[172.18.31.4]:25, delay=0.55, delays=0.22/0/0/0.32, dsn=2.6.0, status=sent (250 2.6.0 <201512au> [InternalId=2571980] Queued mail for delivery)
Dec 1 21:41:35 mail01 postfix/qmgr[27989]: 4BD75B401E2: removed
Dec 1 21:41:49 mail01 postfix/smtpd[7980]: connect from unknown[49.248.180.193]
Dec 1 21:41:51 mail01 postfix/smtpd[7980]: NOQUEUE: reject: RCPT from unknown[49.248.180.193]: 554 5.7.1 Service unavailable; Client host [49.248.180.193] blocked using zen.spamhaus.org; http://www.spamhaus/www.spamhaus.org...9.248.180.193; from=<no-reply@ukmail.com> to=<user2@ourdomainhere.com> proto=ESMTP helo=<[49.248.180.193]>
Dec 1 21:41:52 mail01 postfix/smtpd[7980]: disconnect from unknown[49.248.180.193]
 
Old 12-01-2015, 10:55 PM   #2
shaun8421
LQ Newbie
 
Registered: Oct 2015
Posts: 10

Original Poster
Rep: Reputation: Disabled
On closer look, it looks like they all use 127.0.0.1 to send the mail through for legitimate mail as well. What can I do to work out why the odd few bits of spam (about 10-15 messages per person) are getting through? Particularly when the mail log shows e.g. no-reply@ukmail.com was blocked by spamhaus, but also let through?
 
Old 12-02-2015, 01:20 AM   #3
ceyx
Member
 
Registered: May 2009
Location: Fort Langley BC
Distribution: Kubuntu,Free BSD,OSX,Windows
Posts: 342

Rep: Reputation: 59
Spamhaus blocks by IP, not domain.

Quote:
[85.105.254.49]:19004 [85.105.254.49] <no-reply@ukmail.com>
gets through

Quote:
Client host [49.248.180.193] blocked using zen.spamhaus.org
does not

Block the 85.105.254.49 IP with iptables or Fail2ban!
 
Old 12-02-2015, 03:11 AM   #4
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643
The connections from 127.0.0.1 are likely amavis re-injected mail that hasn't triggered any quarantine/drop.
Check the message headers for spamassassin debug output to see what scores are applied (you may need to configure it to tag all messages, not just the 'hits').

Last edited by descendant_command; 12-02-2015 at 03:14 AM.
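To make the last two replies concrete, here is a small log correlator added to this thread by the editor (it is not code posted by any participant). It does what ceyx and descendant_command describe by hand: for each Postfix queue ID whose `client=` is `localhost[127.0.0.1]`, it follows the amavis `queued_as:` field back to the first queue ID and the real upstream client IP, and it groups outcomes per envelope sender so the "rejected by zen.spamhaus.org and also passed" pattern stands out. The sample log is constructed from the lines quoted in the thread (trimmed, with the redacted placeholder addresses kept); the regexes assume the default amavisd-new and Postfix log formats shown there.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog lines quoted in the thread.
# Addresses and IDs are the thread's own redacted values, not live data.
SAMPLE_LOG = """\
Dec 1 21:41:35 mail01 postfix/smtpd[8223]: connect from localhost[127.0.0.1]
Dec 1 21:41:35 mail01 postfix/smtpd[8223]: 4BD75B401E2: client=localhost[127.0.0.1]
Dec 1 21:41:35 mail01 postfix/qmgr[27989]: 4BD75B401E2: from=<no-reply@ukmail.com>, size=168267, nrcpt=1 (queue active)
Dec 1 21:41:35 mail01 amavis[7996]: (07996-04) Passed CLEAN {RelayedInbound}, [85.105.254.49]:19004 [85.105.254.49] <no-reply@ukmail.com> -> <user1@ourdomainhere.com>, Queue-ID: 203DDB401F5, Message-ID: <2015122010134407fihbYri@ourdomainhere.com>, mail_id: 8JD1m75Aj4fm, Hits: 4.076, size: 167482, queued_as: 4BD75B401E2, 629 ms
Dec 1 21:41:49 mail01 postfix/smtpd[7980]: connect from unknown[49.248.180.193]
Dec 1 21:41:51 mail01 postfix/smtpd[7980]: NOQUEUE: reject: RCPT from unknown[49.248.180.193]: 554 5.7.1 Service unavailable; Client host [49.248.180.193] blocked using zen.spamhaus.org; from=<no-reply@ukmail.com> to=<user2@ourdomainhere.com> proto=ESMTP helo=<[49.248.180.193]>
"""

# Postfix: queue ID and the SMTP client that submitted it (127.0.0.1 = re-injection).
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]")
# amavisd-new: verdict, original client IP, envelope addresses, both queue IDs and the SA score.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<ccat>\S+) \{(?P<section>[^}]*)\}, "
    r"\[(?P<ip>[\d.]+)\][^<]*<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?Queue-ID: (?P<qid>\w+),.*?Hits: (?P<hits>-?[\d.]+)"
    r"(?:.*?queued_as: (?P<queued_as>\w+))?")
# Postfix: RBL rejection at RCPT time (never reaches amavis, so no queue ID).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\[\s]+\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) "
    r".*?blocked using (?P<rbl>[^;\s]+);.*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")


def parse_maillog(text):
    """Single pass over the log: client records by queue ID, amavis records, RBL rejects."""
    clients, amavis, rejects = {}, [], []
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            clients[m["qid"]] = (m["host"], m["ip"])
        elif m := AMAVIS_RE.search(line):
            amavis.append(m.groupdict())
        elif m := REJECT_RE.search(line):
            rejects.append(m.groupdict())
    return clients, amavis, rejects


def explain_localhost_clients(text):
    """For each queue ID submitted from 127.0.0.1, find the amavis record whose queued_as
    points at it and report the real upstream client, the first queue ID and the SA score."""
    clients, amavis, _ = parse_maillog(text)
    by_reinjected = {a["queued_as"]: a for a in amavis if a.get("queued_as")}
    result = {}
    for qid, (host, ip) in clients.items():
        if ip != "127.0.0.1":
            result[qid] = {"origin": "direct", "client_ip": ip}
            continue
        a = by_reinjected.get(qid)
        if a is None:
            # Locally submitted mail (cron, sendmail(1)) also shows up as 127.0.0.1.
            result[qid] = {"origin": "localhost, no amavis match", "client_ip": None}
        else:
            result[qid] = {"origin": "amavis re-injection", "client_ip": a["ip"],
                           "first_queue_id": a["qid"], "sender": a["sender"],
                           "verdict": a["verdict"], "hits": float(a["hits"])}
    return result


def sender_outcomes(text):
    """Group per envelope sender: which client IPs were passed by amavis (with SA score)
    and which were rejected by an RBL before content filtering ever ran."""
    _, amavis, rejects = parse_maillog(text)
    out = defaultdict(lambda: {"passed_from": [], "rejected_from": []})
    for a in amavis:
        if a["verdict"] == "Passed":
            out[a["sender"]]["passed_from"].append((a["ip"], float(a["hits"])))
    for r in rejects:
        out[r["sender"]]["rejected_from"].append((r["ip"], r["rbl"]))
    return dict(out)


if __name__ == "__main__":
    for qid, info in explain_localhost_clients(SAMPLE_LOG).items():
        print(qid, info)
    for sender, outcome in sender_outcomes(SAMPLE_LOG).items():
        print(sender, outcome)
```

Run against a real `/var/log/maillog` (e.g. `explain_localhost_clients(open("/var/log/maillog").read())`) the first function turns every "connect from localhost" into the IP that actually delivered the message and the SpamAssassin score it received, which is the number to compare against amavis's tag/kill thresholds; the second shows that the two log entries in the original post are two different connecting hosts for the same envelope sender, which is why one is on the Spamhaus list and the other is not.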
 