I getting tired of this: bounced emails clogging the queue

[matt621]

I've been reading these forums and seeing others with similar problems and I believe it's about time someone, (Cpanel?) step up to the plate and resolve this situation.

Here (for about the 6th time posting here) is the problem:

user@domain.com gets ton of spam. He decides to delete user@domain.com and creates user1@domain.com. However the spam keeps coming to user@domain.com, but now bounces, and goes into the queue where it sits... Now multiple that by a few dozen users per account, times 200 accounts per box... and you have a real problem.

Now add:

Every account that the admin or a reseller creates also has with it an email loginid@domain.com associated with it. 99.99% of the users never use that email address, but because spammer use finger (or something else) they always find that login and instantly send millions of spams to it.

Now add:

Many of us used to use the catchall. That was fine in the days of a civilized internet, but today, it's email anarchy and now we get joe1@domain.com joe2@domain.com, joe3@domain.com etc... even totally random names thlj24@domain.com.

Now you add all these together, run top and you see exim sitting there all day long at the top of the chart. You see sever loads going from 1 to 20, even as high as 900 one day, all with multiple runnings of exim.

I completely admit, I don't know the ins and outs of exim, so I need someone, (CPanel?) to step up and find some solution to this.

The first one is simple: if there is no user@domain.com account, just FAIL it. To me that's a no brainer. We don't need to bounce it to the admin to tell him there is no such user.

Second, every email account loginid@domain.com should instantly be set to FAIL. IN fact, why (and how) are we broadcasting this information? it's half the login sequence. Sure makes it easier for the hackers and creeps.

Third, on catchalls... we need something, but frankly I don't know what. Maybe someone here has an idea. Perhaps a checkbox system where the admin could log in and either "confirm" or "fail" and email address. If they are confirmed, they pass thru, if they fail, everything to that address just goes away.

In the 12 hours since I last cleared the queue, there are now over 5000 email sitting in there. And I have it set to flush every 24 hours. I can't imagine how much better all of our servers would run if there would be an end to these "lower than pig sh*t" spammers.

The situation, imo, is completely out of hand and all network administrators are wasting untold hours fighting something that should not exist in the first place.

[Izzee]

...The first one is simple: if there is no user@domain.com account, just FAIL it. To me that's a no brainer. We don't need to bounce it to the admin to tell him there is no such user.

If you use :fail: email bounces and joins the queue and the system gets an email.
If you use :blackhole: the mail will go into oblivian and not join any queues and the system gets no emails.

Quote from cPanel: 'Default Address/Set Default Address' Hint: You can enter :blackhole: to discard all incoming unrouted mail or :fail: no such address here to bounce it.
HTH

[matt621]

Originally posted by Izzee
If you use :fail: email bounces and joins the queue and the system gets an email.
If you use :blackhole: the mail will go into oblivian and not join any queues and the system gets no emails.

Quote from cPanel: 'Default Address/Set Default Address' Hint: You can enter :blackhole: to discard all incoming unrouted mail or :fail: no such address here to bounce it.
HTH

But here's the problem: When a client (of which we have hundreds) "gets rid of" their old email address, they just delete the "user" from their control panel and creates a new one. They do not go the next step forward and log into the forwarders and setup "oldemail@domain.com" to "blackhole."

The "default" address, what I'm refering to is: login-id@domain.com. That is never used. If I set the "default" to "blackhole" I do not think this applies to "loginid@domain.com" because that's a valid account as far as the server is concerned.

Am I wrong in that belief?

[Izzee]

Please follow me as its the only way I can explain this. You will know what to do and I appreciate that but if you can follow this you will get rid of your queues and your hassles. I have no queues unless a client makes a mistake, which is very rare.

Open up a cPanel and go to E-mail/Manage Accounts.

You will now be in the Mail Account Maintenance screen.

First entry is your infamous login-id@domain.com marked as Main Account with Login as login-id and ReadWebmail only.

The next entry will be a user account user@domain.com with:
Account - user@domain.com Login - user+domain.com - Delete - Read Webmail - Change Quota - Change Pass

There will usually be many others, we only nead to worry about 1 account as the rest is just a duplication. Note we have not refered to a default account yet.

Note the Main Account is never used as you say.

Now lets go back to the main cPanel menu.

Go to E-mail/Default Address.

You will now be in the Default Address Maintenance screen.

All unrouted mail will be sent to:

This will be blank if you have the catchall enabled. We will now remove the catchall and define a default address. Here now is where this default address comes into play.

Select Set Default Address.

Up comes the Default Address Maintenance screen.

Have it do this:
Send all unrouted e-mail for: domain.com to: :blackhole: Click Select

If you go back to the Default Address Maintenance screen you should now see:

All unrouted mail will be sent to: domain.com
This is what is now called the Default Address

We have now got rid of our catchall and any mail that is addressed to anyemailaddress@domain.com other than user@domain.com will be blackholed never to be heard of again.

This applies to any clients deleted e-mail accounts. No need to forward anything. It is taken care of by this one process we have just completed above.

You need then to go WHM and delete all the mail in the queue that you can and then keep your eye on it for a while. If you start to get the queue again look at the email and it will tell you in the header which account is having problems. It will say something like blogs@thisdomain.com FAILED no such address here (this is the clue). Get the owner of that account to set up Default Address like above and not to use :fail: but to use :blackhole: instead. That will be one less in the queue in future.
I don't know of a quicker way but someone might. I do this right from the start so I don't have a huge build up before I have to do something about it.
HTH

[matt621]

Thank you for your explanation. But am I reading this correctly? You want me to do this for every account on the box?

[wimp]

problem is that we have to go and add this changes manually to every account...

[matt621]

Originally posted by wimp
problem is that we have to go and add this changes manually to every account...

Not only that, but how am I supposed to log into my customers accounts to do this?

[Izzee]

In WHM under Account Functions/List Accounts click on the cPanel logo in the column between the Domain and the IP of the account you want to access.

Then when asked for user/pass copy the clients users name, which is also very handy, into the text field then use your root password in the other text field.

You should now have access to your clients cPanel.
HTH

[dory36]

You'l have to figure out what to do about your existing customers -- that is tricky from a customer relations point of view, although you can login to their cpanel with their user name (as seen in whm) and your root or reseller password.

For future customers, go to /scripts/wwwacct and search for "*:" $user (or something like that) and change it to read "*: :blackhole:" -- then new accounts' default will be to discared mail to unknown users.

Thanks to whoever posted that fix here a while back.

Bill

[Izzee]

Originally posted by dory36
...For future customers, go to /scripts/wwwacct and search for "*:" $user (or something like that) and change it to read "*: :blackhole:" -- then new accounts' default will be to discared mail to unknown users.

Thanks to whoever posted that fix here a while back.

Bill

That is minus the "" and edit the /scripts/wwwactt not run it.
So should read like this:
edit /scripts/wwwacct and arround line 1108 find *: $user and replace it with *: :blackhole:

Find:
1106 open(VALIAS,">/etc/valiases/$domain");
1107 print VALIAS <<EOM;
1108 *: $user
1109 EOM
1110 close(VALIAS);
Edited:
1106 open(VALIAS,">/etc/valiases/$domain");
1107 print VALIAS <<EOM;
1108 *: :blackhole:
1109 EOM
1110 close(VALIAS);

Thats how I interpreted Bill's post above. Would that be right?
And this is only relevant for new clients as wwwacct is the account set up script.

With regard to PR of current clients, a broadcast email to the effect that bulk spam is clogging up the works and slowing the servers down, but a fix that can be activated from within clients cPanels by admin can be achieved, yadda yadda... May help to overcome any PR issues. Nobody likes that 4 letter word spam.

[dory36]

Yep - that's what I meant.

If you install or uninstall cPanel Pro or perhaps update it, you might find that wwwacct gets overwritten, so it is worth checking every once in a while. I just do grep blackhole /scripts/wwacct after any action that I suspect might update that file.

Bill

[matt621]

thanks for the info.

There is still the issue of the "other" default email address. The above works for for "undefined" but by default when you setup an account on an cpanel server, it creates a valid email account: UsersLoginID@UsersDomain.com. That is NOT "unrouted" email because cpanel creates that email address when you setup the account, and so far, I can't find a way to set that to :blackhole:

[dory36]

It looks to me like the place where you set the :blackhole: in wwwacct is where it is writing the /etc/valiases file for the new account.

I wonder if you could so something like $user: :blackhole: on the next line?

Bill

[matt621]

Here's a new twist to this problem:

I had my customer :blackhole: a junk email address and got this now:


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

webmaster@customersdomain.com
error in redirect data: missing or malformed local part (expected word or "<") in ":blackhole":
retry timeout exceeded



I just logged into his account to chk how it set it up and he's got it right. :blackhole:

could this be a bug in cpanel?

[projectandrew]

Open up an ssh session and check the file /etc/valiases/customersdomain.com

Check the last line reads:

*: :blackhole:

This is the file that cpanel refers to, just in case there is a bug in the interface.