Spam reports from AOL

[4u123]

Has anyone else experenced this problem with Exim ?

We have setup a feedback loop with AOL for our IP range so they they can tell us of reported spam coming from domains on our servers.

We are currently getting quite a lot each day but I dont think the email is originating from our servers...

Here is an example...

Received: from rly-yi01.mx.aol.com (rly-yi01.mail.aol.com [172.18.180.129]) by air-yi03.mail.aol.com (v108_r1_b1.2) with ESMTP id MAILINYI33-7aa43d3bbaa51; Sun, 22 Jan 2006 12:07:23 -0500
Received: from OUR.SERVER.com (OUR.SERVER.com [OUR.ip.ip.67]) by rly-yi01.mx.aol.com (v108_r1_b1.2) with ESMTP id MAILRELAYINYI16-7aa43d3bbaa51; Sun, 22 Jan 2006 12:06:51 -0500
Received: from [24.205.143.38] (helo=-1212051672)
by OUR.SERVER.com with smtp (Exim 4.52)
id 1F0ifn-0007q2-4u
for hello@domainonourserver.com; Sun, 22 Jan 2006 17:06:39 +0000
Received: from giantmark.com (-1220421984 [-1220145744])
by 24-205-143-38.dhcp.psdn.ca.charter.com (Qmailv1) with ESMTP id D8AF9414AA
for <hello@domainonOURserver.com>; Sun, 22 Jan 2006 10:59:40 -0500
Date: Sun, 22 Jan 2006 10:59:40 -0500
From: "Chinatowns C. Paymasters" <GFEDA@giantmark.com>
X-Mailer: The Bat! (v2.00.5) Personal
X-Priority: 3
Message-ID: <5734924973.20060122105940@giantmark.com>
To: <Undisclosed Recipients>
Subject: Software
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: 24-205-143-38.dhcp.psdn.ca.charter.com)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - OUR.SERVER.com
X-AntiAbuse: Original Domain - domainonourserver.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - giantmark.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-AOL-IP: OUR.ip.ip.67

This almost looks like its being somehow relayed through our server. I spoke to someone who said the messag ID isnt even an Exim one and it couldnt have originated from our server at all.

A common factor in these I have identified is that the domains Ive looked into that have been reported to have been sending the spam on our servers ALL have mailto links on their main pages - now I dont know if this confuses things somewhat but I'm guessing the domain name and hostname are being spidered and then somehow spoofed or faked ? Would this make sense ?

Incidentally, on these domains that are being reported I could find no evidence of any mailing software or vunerable scripts that could be used to send mail by third parties.

[Jimmyftw]

Check for any forwarders setup. We've run into cases where user's have setup their mail to forward to an aol address and they then report the mail as spam there (which since it came from our/your server last actually reports your server as sending spam) or the AOL system simply picks it up as spam.

[4u123]

The emails being sent are spam without any doubt.

[simplybe]

Looks like one of your customers is forwarding their mail to aol and then reporting it as spam.

X-AntiAbuse: Original Domain - domainonourserver.com

that will be the domain that is forwarding. Login to their cpanel and check their forwarders and default address.

[4u123]

Thanks guys,

Yes, I think this is the problem. Either they are forwarding all mail - or they are forwarding on individual mails to report as spam.

[kmpman]

We had exactly this issue and fixed it - several customers with a forwarder on email to their AOL account. THEN they reported any spam and we got tons of the AOL loopback reports.

We identified who it was from the headers and asked them to either use a POP account with us or simply stop reporting the spam via AOL as it was leading AOL to consider us as a spammer since ours was the last server sending the email to their account.

All the customers did so quite happily and the loopback reports stopped completely.

[electric]

Is there a way to automatically find any forwarders that are sending emails to AOL? ie: is there a forwarding file where we can just do a "grep aol" or something to see what forwarders are configured to send to aol?

We're getting this problem, too... and I'd like to find out what account(s) are forwarding to aol...

[sparek-3]

Try this script. Just upload this script to your server, then via SSH (as root) do:

Code:

 mv find_aol.txt find_aol.pl
chmod 700 find_aol.pl
./find_aol.pl

This will give a list of domains that have an aol.com forwarder. The format of the output is:

<main domain name> - <domain name with forwarder> - <address that is forwarding> - <aol address>

The <main domain name> refers to the main domain name of the account. Normally this would match <domain name with forwarder> but if <domain name with forwarder> is a parked or addon domain, then it might be different. Special cases exist for when <address that is forwarding> is referring to the domain's default box.

[electric]

Try this script. Just upload this script to your server, then via SSH (as root) do:

That's great! Thanks!

Do you know if it would be possible to adjust this script to automatically send out an email to the cpanel contact address and/or the @aol.com email address that is the forward target?

This way, we can let them know that their forwarder needs to be removed within xyz hours or else we'll do it for them, etc...

That would make it perfect!

Oh wait.. also to make it even better.. would be to figure out what reseller owns the domain and use that contact email. We wouldn't want to send an email directly to the reseller's client...

[sparek-3]

I have modified the script to include the reseller's domain name. This file is attached as find_aol2.txt. Again the same instructions apply:

Code:

mv find_aol2.txt find_aol2.pl
chmod 700 find_aol2.pl
./find_aol2.pl

This time the syntax of the output is:

<reseller domain name> - <main domain name> - <domain name with forwarder> - <address that is forwarding> - <aol address>

As far as actually writing the users, I believe this would be better served if this was done by yourself. We use this script to collect the AOL forwarders, and then we have another script that connects with our billing system and parses the output from this script and retrieves the e-mail address and other information from the billing system. Our billing system is an in-house developed project. You would likely need to develop your own script to interact with your billing system. Or you may just need to write each individual account separately.