  1. #1
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default :fail: does not work to stop spoofed returned addresses

    It's interesting that :fail: does not stop spoofed return mail.

    We have 5 domains constantly being targeted with ridiculous return email addresses.
    :fail: is set on all 5 domains.

    Yet the message is being delivered to the mail queue regardless of the :fail: setting.

    :fail: is supposed to stop anyuser@domain.com and it does, but when it is a spoofed return, :fail: is ignored and the message is sent to the mail queue anyway.

    Anyone have any idea why :fail: does not stop these messages?

  2. #2
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Default

    Setting the default address to :fail: should reject all mail to any invalid local user.

    This means that mail will be rejected if the To: address is not a valid local mailbox or forwarder.

    The return address, spoofed or otherwise, is not relevant here.

  3. #3
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    Nope, doesn't work.

    When a message arrives from a spoof, it's kulkujelkjhrl@domain.com and it does not get rejected. But if the message is sent to the domain with the same user and domain name, it's rejected by :fail:.

  4. #4
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Default

    Quote Originally Posted by jackie46
    Nope, doesn't work.

    When a message arrives from a spoof, it's kulkujelkjhrl@domain.com and it does not get rejected. But if the message is sent to the domain with the same user and domain name, it's rejected by :fail:.
    What's the To: address in such cases?

  5. #5
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    An example is to: kulkujelkjhrl@domain.com. domain.com exists on the server but user kulkujelkjhrl does not, so what I'm saying is :fail: does nothing in this instance and it's sent to the queue.

    But if I send a message directly to kulkujelkjhrl@domain.com then it's rejected.

  6. #6
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    I'm seeing this as well. Got 5 of them this weekend.

  7. #7
    Member
    Join Date
    Aug 2002
    Posts
    1,120

    Default

    Are you sure the messages aren't CC's or BCC's? A message may have headers such as:

    To: nonexistant@domain.com
    Cc: realaddress@domain.com, anotherreal@domain.com


    This would mean that realaddress@domain.com and anotherreal@domain.com would receive the messages, but the To: line would still say nonexistant@domain.com. As to why these messages are going to the queue and not to the mailboxes, I don't know. Perhaps the mailboxes are at their individual quota limits.

  8. #8
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    Nope, they are bounces from spammers who used ulkujlkjlkj@myusersdomain.com and it's bouncing back to our server because the domains exist here, but :fail: does not stop them from piling up in the queue even if they are not being delivered. They are not being delivered because catch-all is turned off for these domains so it goes to the queue.

  9. #9
    Member WebScHoLaR's Avatar
    Join Date
    Dec 2005
    Location
    Planet Earth
    Posts
    506

    Default

    Using :fail: the email is never accepted into the server. During the initial SMTP negotiation when the sender's SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.

    * This saves bandwidth as the email data is never received into your server
    * This saves server resources as the email never has to be processed
    * This complies with the SMTP RFCs because the sending SMTP server receives the DENY command
    * Your server does not send a bounce message (just the DENY command)
    * Your server does not send anything to the sender of the email (i.e. the address in the From: line)
    * The sending SMTP server is responsible for notifying the original sender

    Regards,
    WebScHoLaR

    WebHosting Blog: http://WebScHoLaR.net
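
The RCPT-time check described in the post above, as an added example that is not part of the original thread: a small Python simulation of the SMTP envelope phase showing that the accept/reject decision depends only on the recipient, so a bounce from the null sender `<>` gets the same 550 reply (the post's "DENY") as directly sent mail. The mailbox list, domain and reply texts are constructed for illustration and are not Exim's or cPanel's code.

```python
# Constructed sample data: local mailboxes/forwarders for one hosted domain.
LOCAL_RECIPIENTS = {"sales@domain.com", "postmaster@domain.com"}
LOCAL_DOMAINS = {"domain.com"}


def addr(arg):
    """Extract the address from 'FROM:<a@b>' / 'TO:<a@b>' (may be empty)."""
    return arg[arg.index("<") + 1:arg.rindex(">")].strip().lower()


def smtp_envelope(commands):
    """Run the envelope phase of one SMTP session; return (replies, accepted)."""
    replies, accepted, sender_seen = [], [], False
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            # The null sender <> marks a bounce; it is accepted like any other.
            sender_seen, accepted = True, []
            replies.append("250 OK")
        elif verb == "RCPT":
            rcpt = addr(arg)
            domain = rcpt.rpartition("@")[2]
            if not sender_seen:
                replies.append("503 MAIL first")
            elif domain not in LOCAL_DOMAINS:
                replies.append("550 relay not permitted")
            elif rcpt not in LOCAL_RECIPIENTS:
                # The :fail: behaviour: refuse at RCPT time, before any data.
                replies.append("550 no such user here")
            else:
                accepted.append(rcpt)
                replies.append("250 Accepted")
        elif verb == "DATA":
            # With no accepted recipient the body is never transferred.
            replies.append("354 send message" if accepted else "503 valid RCPT required")
    return replies, accepted


# Constructed session: a bounce (null sender) aimed at a made-up local part.
BOUNCE = ["MAIL FROM:<>", "RCPT TO:<kulkujelkjhrl@domain.com>", "DATA"]
# Same unknown recipient, ordinary sender: the RCPT decision is identical.
DIRECT = ["MAIL FROM:<someone@example.net>", "RCPT TO:<kulkujelkjhrl@domain.com>", "DATA"]

if __name__ == "__main__":
    for session in (BOUNCE, DIRECT):
        print(smtp_envelope(session))
```

If a server accepts the RCPT for an unknown local part and only fails later, the message has already been taken into the queue, which is the symptom reported in this thread.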

  10. #10
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    Webscholar, obviously you didn't read and follow the thread. I already said, :FAIL: is set on all 5 domains!!!!!!!!!!!!!!

    I understand the process but fail does not do a thing to stop spoofed mail. The message always arrives from <>. It is addressed to oiuoiuelruk@domain.com and it's accepted even if :fail: is set on the account. Maybe cPanel should look at their code and fix this issue.

    So, I rewrote the rules and I haven't seen a bounce back to a nonexistent email address since I added the changes. Spoofed mail is now being denied and so is any ridiculous email address sent to the domain in question via :fail:
    Last edited by jackie46; 06-19-2006 at 01:31 PM.

  11. #11
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Default

    Quote Originally Posted by jackie46
    So, I rewrote the rules and I haven't seen a bounce back to a nonexistent email address since I added the changes. Spoofed mail is now being denied and so is any ridiculous email address sent to the domain in question via :fail:
    Would you mind sharing?

    I'd also be interested to see what Chirpy has to say on the matter.

  12. #12
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Lightbulb

    So would I. My guess is it's due to the mail conversion we did a while back. This is a problem. I've just received another 5 of them that should have failed.

  13. #13
    Member rpmws's Avatar
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858

    Default

    I am seeing this. I have bounces in queue that are destined for fake@my_hosted_domain.com and they did not originate from my box. They came in as a bounce and just sit there. It's not a forwarder or anything special. I am also seeing something weird in this way. I forward my nobody, cpanel and root mail to an address I check. In the last week or so I have been getting emails that seem to be for accounts I host. ..ahh scratch that. I looked in the headers just now and can see "postmaster" as a BCC. I think I have a global postmaster forwarder ..but I can't remember where it is
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  14. #14
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Default

    Quote Originally Posted by rpmws
    I think I have a global postmaster forwarder ..but I can't remember where it is
    /etc/myaliases, quite possibly.

  15. #15
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    Wow, great post jackie46. I have a client who has been a victim of this problem for a couple weeks and I never even noticed that the To: address of non-existant@theirdomain.tld should not even be getting through! This is DEFINITELY a solution that needs to be shared. So glad you posted this! Hoping you post your rewrite as well...
