We started implementing an inbound and outbound 3rd party anti-spam gateway service. We are using Spam Hero and so far it is reasonably priced and working well.
Since turning on the outbound smart host relay to use Spam Hero's outbound server, we are seeing a lot of these types of messages in the logs.
```
said: 550 5.7.1 Could not find a valid Account ID (0) for the given domain
```
The from address is <>
```
Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: connect from localhost[127.0.0.1]
Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: D0C276212E0: client=localhost[127.0.0.1]
Oct 16 18:31:08 zimbra postfix/cleanup[11503]: D0C276212E0: message-id=<1655472678.1800.1571221868406.JavaMail.zimbra@zimbra>
Oct 16 18:31:08 zimbra postfix/dkimmilter/smtpd[11632]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 16 18:31:08 zimbra postfix/qmgr[9107]: D0C276212E0: from=<>, size=2490, nrcpt=1 (queue active)
Oct 16 18:31:08 zimbra amavis[7812]: (07812-06) ryz5gDn7jL7L FWD from <> -> <email@shootlevel.icu>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as D0C276212E0
Oct 16 18:31:08 zimbra postfix/smtpd[13916]: NOQUEUE: filter: RCPT from xxxxxxREMOVEDTOANONYMIZEXXXXXX[xxxxxxREMOVEDTOANONYMIZEXXXXXX]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<email@shootlevel.icu> proto=ESMTP helo=<xxxxxxREMOVEDTOANONYMIZEXXXXXX>
Oct 16 18:31:08 zimbra amavis[7803]: (07803-12) ESMTP :10032 /opt/zimbra/data/amavisd/tmp/amavis-20191016T182148-07803-79m86mdm: <> -> <email@shootlevel.icu> SIZE=2490 Received: from xxxxxxREMOVEDTOANONYMIZEXXXXXX ([127.0.0.1]) by localhost (xxxxxxREMOVEDTOANONYMIZEXXXXXX [xxxxxxREMOVEDTOANONYMIZEXXXXXX]) (amavisd-new, port 10032) with ESMTP for <email@shootlevel.icu>; Wed, 16 Oct 2019 18:31:08 +0800 (HKT)
Oct 16 18:31:08 zimbra amavis[7812]: (07812-06) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [xxxxxxREMOVEDTOANONYMIZEXXXXXX]:34530 <> -> <email@shootlevel.icu>, Queue-ID: B68C26212E1, Message-ID: <1655472678.1800.1571221868406.JavaMail.zimbra@zimbra>, mail_id: ryz5gDn7jL7L, Hits: -, size: 1080, queued_as: D0C276212E0, 181 ms
Oct 16 18:31:08 zimbra postfix/smtpd[13916]: E8CCE6212E4: client=xxxxxxREMOVEDTOANONYMIZEXXXXXX[xxxxxxREMOVEDTOANONYMIZEXXXXXX]
Oct 16 18:31:08 zimbra postfix/smtp[13933]: B68C26212E1: to=<email@shootlevel.icu>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.21, delays=0.02/0/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as D0C276212E0)
Oct 16 18:31:08 zimbra postfix/qmgr[9107]: B68C26212E1: removed
```
```
top 50 Senders by message count
-------------------------------
228 from=<>
```
I would like to find out which user account is responsible. I don't want to just block all from=<> right away because we might have an internal system that legitimately sends automated emails.
Thanks for any suggestions.
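
One way to trace the from=<> messages back to their source, as an added example that is not part of the original post: it pairs each amavis `Passed` line for a null sender (which carries the submitting client address, the `Queue-ID` and the `queued_as` ID) with the later `postfix/smtp` result for that `queued_as` ID. The sample lines, the addresses and the relay name `relay.example.invalid` are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# amavis summary line: links the submitting client IP, the original queue ID
# and the queue ID the message receives after re-injection (queued_as).
AMAVIS = re.compile(
    r"amavis\[\d+\]: \(\S+\) Passed .*?\[(?P<client>[^\]]+)\]:\d+ "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, Queue-ID: (?P<qid>\w+), "
    r"Message-ID: <(?P<msgid>[^>]*)>.*?queued_as: (?P<requeued>\w+)")
# postfix/smtp line: the delivery result for one queue ID.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^>]*>, relay=[^,]+,"
    r".*?status=(?P<status>\w+) \((?P<detail>.*)\)")

def trace_null_senders(lines):
    """One record per from=<> message, with the relay's verdict if logged."""
    records, by_requeued = [], {}
    for line in lines:
        m = AMAVIS.search(line)
        if m and m["sender"] == "":
            rec = dict(m.groupdict(), status=None, detail=None)
            records.append(rec)
            by_requeued[rec["requeued"]] = rec
            continue
        d = DELIVERY.search(line)
        if d and d["qid"] in by_requeued:
            by_requeued[d["qid"]].update(status=d["status"], detail=d["detail"])
    return records

def top_sources(records):
    """Count null-sender messages per (client IP, Message-ID host)."""
    return Counter((r["client"], r["msgid"].rsplit("@", 1)[-1])
                   for r in records).most_common()

# Constructed sample lines in the format of the log above (documentation
# addresses, hypothetical relay name); not taken from the original post.
SAMPLE = [
    "Oct 16 18:31:08 zimbra amavis[7812]: (07812-06) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [192.0.2.10]:34530 <> -> <a@example.net>, Queue-ID: A1B2C3D4E51, Message-ID: <1.2.3.JavaMail.zimbra@zimbra>, mail_id: x1, Hits: -, size: 1080, queued_as: F6A7B8C9D01, 181 ms",
    "Oct 16 18:31:09 zimbra postfix/smtp[13940]: F6A7B8C9D01: to=<a@example.net>, relay=relay.example.invalid[203.0.113.5]:25, delay=0.9, dsn=5.7.1, status=bounced (host relay.example.invalid[203.0.113.5] said: 550 5.7.1 Could not find a valid Account ID (0) for the given domain (in reply to RCPT TO command))",
    "Oct 16 18:31:10 zimbra amavis[7812]: (07812-07) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [192.0.2.20]:40112 <alice@example.com> -> <c@example.org>, Queue-ID: B1B2B3B4B51, Message-ID: <4.5.6.JavaMail.zimbra@zimbra>, mail_id: x2, Hits: -, size: 900, queued_as: E1E2E3E4E51, 150 ms",
    "Oct 16 18:31:11 zimbra amavis[7812]: (07812-08) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [192.0.2.10]:34531 <> -> <b@example.org>, Queue-ID: C1C2C3C4C51, Message-ID: <7.8.9.JavaMail.zimbra@zimbra>, mail_id: x3, Hits: -, size: 1100, queued_as: D1D2D3D4D51, 170 ms",
    "Oct 16 18:31:12 zimbra postfix/smtp[13941]: D1D2D3D4D51: to=<b@example.org>, relay=relay.example.invalid[203.0.113.5]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
]

if __name__ == "__main__":
    for r in trace_null_senders(SAMPLE):
        print(r["client"], r["qid"], "->", r["requeued"], r["rcpt"], r["status"])
```

These log lines identify the submitting client address and the Message-ID host for a null-sender message, not a user account, so the output narrows the search to a host or service.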