Azure Cloud Spam (continued from MagicSpam for Plesk forum)

Posted: Thu Mar 25, 2021 6:01 am
by puzzel76
Hello dear MagicSpam Team,

As I am using Pro on my server, I am continuing the Azure Cloud Spam thread here.
viewtopic.php?f=15&t=237371

Screenshot of Settings attached.

Here is an excerpt of my maillog:

Mar 25 13:48:16 lvps176-28-23-41 postfix/smtpd[19327]: connect from vdds-46.westus.cloudapp.azure.com[137.135.47.133]
Mar 25 13:48:17 lvps176-28-23-41 postfix/smtpd[19327]: 39B501409FE: client=vdds-46.westus.cloudapp.azure.com[137.135.47.133]
Mar 25 13:48:17 lvps176-28-23-41 postfix/cleanup[19347]: 39B501409FE: message-id=<0.0.167.E6.1D72085FD064EB6.0@uspmta194086.emarsys.net>
Mar 25 13:48:17 lvps176-28-23-41 check-quota[19351]: Starting the check-quota filter...
Mar 25 13:48:17 lvps176-28-23-41 psa-pc-remote[17660]: SKIP during call 'check-quota' handler
Mar 25 13:48:17 lvps176-28-23-41 spf[19352]: Starting the spf filter...
Mar 25 13:48:17 lvps176-28-23-41 spf[19352]: Error code: (2) Could not find a valid SPF record
Mar 25 13:48:17 lvps176-28-23-41 spf[19352]: Failed to query MAIL-FROM: No DNS data for 'adostudio.it'.
Mar 25 13:48:17 lvps176-28-23-41 spf[19352]: SPF result: none
Mar 25 13:48:17 lvps176-28-23-41 spf[19352]: SPF status: PASS
Mar 25 13:48:17 lvps176-28-23-41 psa-pc-remote[17660]: PASS during call 'spf' handler
Mar 25 13:48:17 lvps176-28-23-41 psa-pc-remote[17660]: SKIP during call 'magicspam-flag' handler
Mar 25 13:48:17 lvps176-28-23-41 postfix/qmgr[17412]: 39B501409FE: from=<>, size=32286, nrcpt=1 (queue active)
Mar 25 13:48:17 lvps176-28-23-41 postfix-local[19355]: postfix-local: from=MAILER-DAEMON, to=mario@gaida.de, dirname=/var/qmail/mailnames
Mar 25 13:48:17 lvps176-28-23-41 dk_check[19356]: Starting the dk_check filter...
Mar 25 13:48:17 lvps176-28-23-41 dk_check[19356]: DKIM Bad signature
Mar 25 13:48:17 lvps176-28-23-41 dk_check[19356]: DKIM verification (d=emarsys.net, 1024-bit key) failed: signature verification failed
Mar 25 13:48:17 lvps176-28-23-41 dk_check[19356]: DKIM verification (d=email.experteer.com, 1024-bit key) failed: signature verification failed
Mar 25 13:48:17 lvps176-28-23-41 postfix-local[19355]: PASS during call 'dd52-domainkeys' handler
Mar 25 13:48:17 lvps176-28-23-41 postfix-local[19355]: SKIP during call 'magicspam-flag' handler
Mar 25 13:48:17 lvps176-28-23-41 postfix/pipe[19354]: 39B501409FE: to=<mario@gaida.de>, relay=plesk_virtual, delay=1.3, delays=1.3/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 25 13:48:17 lvps176-28-23-41 postfix/qmgr[17412]: 39B501409FE: removed
Mar 25 13:48:17 lvps176-28-23-41 postfix/smtpd[19327]: disconnect from vdds-46.westus.cloudapp.azure.com[137.135.47.133] ehlo=1 mail=1 rcpt=1 bdat=4 quit=1 commands=8

Perhaps this can help you find a way to block Azure cloud spam.

Kind regards
Mario

Re: Azure Cloud Spam (continued from MagicSpam for Plesk forum)

Posted: Thu Mar 25, 2021 6:38 pm
by magicspam
Hello puzzel76,

Thank you for the additional information.

Your MagicSpam installation already seems to be quite strictly configured. Since you are using the PRO version, your best option to stop inbound spam from their networks is to enable the MagicSpam custom SpamAssassin Rules if you have SpamAssassin installed on your server.

MagicSpam Admin Interface >> Anti-Spam >> SpamAssassin

If you already have the MagicSpam custom SpamAssassin Rules enabled, please confirm that the LM_IS_AZURE_IP rule has been hitting. You can check by running the following command on the terminal as root:

Code:

zgrep LM_IS_AZURE_IP /var/log/mail.log*

Otherwise, if you do not expect to receive any email from Microsoft Azure networks, you can block all incoming email from Microsoft Azure networks by adding the RAT-Azure RBL (azure.spamrats.com) through:

MagicSpam Admin Interface >> Anti-Spam >> IP Reputation >> RBL

It would be helpful for our Threat Research Team if you were able to provide us with the logs and samples of the spam coming from Microsoft Azure networks. You can retrieve logs by running the following command on the terminal as root:

Code:

grep cloudapp.azure.com /var/log/magicspam/mslog*

Please send the logs and spam samples to us as attachments via email at:

support@magicspam.com

Hopefully, this information will help you.

Thank you.
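
Added example (not part of either post and not MagicSpam code): a small Python script that correlates Postfix log lines by queue ID to list which messages from cloudapp.azure.com clients were accepted, with their envelope sender, recipient and delivery status. The function name, sample hosts, addresses and queue IDs are constructed for illustration; the line layout follows the maillog excerpt in the first post.

```python
import re

AZURE_SUFFIX = ".cloudapp.azure.com"  # reverse-DNS suffix seen in the posted log

# Postfix logs the client, envelope sender and delivery result on separate
# lines that share a queue ID; these patterns pick out each of them.
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=([^\[\s]+)\[([^\]]+)\]")
SENDER = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>")
DELIVERY = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-Za-z]+): to=<([^>]*)>.*\bstatus=(\w+)")

def azure_deliveries(lines, suffix=AZURE_SUFFIX):
    """Return one record per recipient for mail accepted from Azure-named clients.

    Matching is on the hostname Postfix logged, so clients whose reverse DNS
    did not verify (logged as "unknown") are not caught by this check.
    """
    tracked, records = {}, []
    for line in lines:
        if m := CLIENT.search(line):
            qid, host, ip = m.groups()
            if host.lower().endswith(suffix):
                tracked[qid] = {"qid": qid, "host": host, "ip": ip, "sender": None}
        elif (m := SENDER.search(line)) and m.group(1) in tracked:
            tracked[m.group(1)]["sender"] = m.group(2)  # "" is the null sender (bounce-style)
        elif (m := DELIVERY.search(line)) and m.group(1) in tracked:
            records.append({**tracked[m.group(1)], "rcpt": m.group(2), "status": m.group(3)})
    return records

# Constructed sample (placeholder hosts, documentation IP ranges, made-up queue IDs).
SAMPLE = """\
Mar 25 13:48:16 mx postfix/smtpd[101]: connect from vm-1.westus.cloudapp.azure.com[192.0.2.10]
Mar 25 13:48:17 mx postfix/smtpd[101]: 1A2B3C4D5E6: client=vm-1.westus.cloudapp.azure.com[192.0.2.10]
Mar 25 13:48:17 mx postfix/qmgr[90]: 1A2B3C4D5E6: from=<>, size=32286, nrcpt=1 (queue active)
Mar 25 13:48:17 mx postfix/pipe[102]: 1A2B3C4D5E6: to=<user@example.org>, relay=plesk_virtual, delay=1.3, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 25 13:49:01 mx postfix/smtpd[103]: 4A1C2D3E4F0: client=mail.example.net[198.51.100.7]
Mar 25 13:49:01 mx postfix/qmgr[90]: 4A1C2D3E4F0: from=<news@example.net>, size=2048, nrcpt=1 (queue active)
Mar 25 13:49:02 mx postfix/pipe[104]: 4A1C2D3E4F0: to=<user@example.org>, relay=plesk_virtual, delay=0.4, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 25 13:50:10 mx postfix/smtpd[105]: 5B2D3E4F5A1: client=unknown[203.0.113.5]
"""

if __name__ == "__main__":
    for rec in azure_deliveries(SAMPLE.splitlines()):
        print(rec)
```

To run it against a real log, pass the opened log file (an iterable of lines) to azure_deliveries instead of the sample. The Plesk handler lines (spf, dk_check) carry no queue ID, so they are not correlated here.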