  1. #1
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Apr 2002
    Posts
    686
    cPanel/Enkompass Access Level

    DataCenter Provider

    Spammers spoofing the heck out of a domain

    I've got a domain which has been hammered to death by clever clowns in China and Taiwan that are using non-existent addresses at this domain as the from address, so of course I get thousands of bounces per day.

    I've reported to SpamCop, set up an SPF record for the domain, and set up Exim filters to filter out a lot of the bounce stuff, but I really want to put an end to this crap....

    Anyone offer any suggestions (short of my going to these countries with a baseball bat)?

  2. #2
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Quote Originally Posted by Snowman30
    I've got a domain which has been hammered to death by clever clowns in China and Taiwan that are using non-existent addresses at this domain as the from address, so of course I get thousands of bounces per day.

    I've reported to SpamCop, set up an SPF record for the domain, and set up Exim filters to filter out a lot of the bounce stuff, but I really want to put an end to this crap.
    First, remove all the culprit files. Upgrade Addons to the latest edition(s), secure your server by installing APF, BFD, and mod_security. You might also want to tweak the settings of your WHM.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  3. #3
    Member
    Join Date
    Apr 2003
    Location
    Lewisville, Tx
    Posts
    968

    Make sure the default address is set to :fail: also; this will eliminate all of those bounces coming back to the main account. It could be someone with a virus on their computer, as some worms have been known to attach <user>@domain.com and blast emails out of their boxes, and they never know about it.
    Kris
    NCServ, LLC.
    WebHosting - Dedicated Servers - Colocation
    sales@ncerv.com

  4. #4
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Apr 2002
    Posts
    686
    cPanel/Enkompass Access Level

    DataCenter Provider

    I might not have explained myself properly...

    The emails aren't coming from our server or domain; they are coming from IP sources in China and Taiwan pretending to be from non-existent email addresses at our domain.

    Our servers are locked down tight; however, I would prefer not to set the catchall to :fail: as we have a webmail service running on it that relies on it (hivemail).

    I'm just looking for ways to try and stop the spammers from spoofing our domain so that the affected domain can get some of its former credibility back.

    Obviously the ISPs involved don't listen or it would have been stamped out ages ago....

  5. #5
    Member
    Join Date
    Jul 2002
    Posts
    93

    Well, if your clients are willing to go along with you on this (require them to send ALL outbound email through your server(s)).

    In exim.conf, somewhere down in your check_recipient ACL (past the sections accepting authenticated, relayhosts, and mailman):

    Code:
    drop condition = ${if match_domain{$sender_address_domain}\
                         {$primary_hostname:+local_domains:+relay_domains}\
                         {true}{false}}
         message   = You are not us -- Go Away!!
    I use a variation of that check (not a fail, just adding a header which SpamAssassin scores against the message). If you want to stop all the inbound forgeries, that will do it.

    You'd need to implement trickier methods to block bounces of forged emails (such as 'signed' return-paths, which we do for select accounts; again, this requires your client to send all their email through your server).
    Last edited by myrem; 12-14-2005 at 12:30 AM.
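The "signed return-path" idea myrem mentions, shown as an added example that is not code from this thread or from cPanel/Exim: the outbound envelope sender gets a BATV-style expiring tag, so bounces (messages with an empty MAIL FROM) are accepted only when addressed to a tag this server actually issued, and blowback from forged senders is rejected. The secret value, the 7-day validity window and the `bounce_acl` helper are assumptions made for the demo.

```python
import datetime
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a per-server secret, kept out of exim.conf
EPOCH = datetime.date(1970, 1, 1)

def _day_number(day):
    """Days since 1970-01-01 mod 1000 (the BATV expiry encoding; wraps cleanly at year end)."""
    return (day - EPOCH).days % 1000

def _mac(tag, address, secret):
    """Six hex chars of HMAC-SHA256 over the expiry tag and the real address."""
    return hmac.new(secret, f"{tag}{address}".encode(), hashlib.sha256).hexdigest()[:6]

def sign_return_path(address, today, secret=SECRET, days_valid=7, key_id=0):
    """Rewrite user@example.com to prvs=KDDDMMMMMM=user@example.com for the outbound MAIL FROM."""
    tag = f"{key_id}{_day_number(today + datetime.timedelta(days=days_valid)):03d}"
    return f"prvs={tag}{_mac(tag, address, secret)}={address}"

def verify_signed_recipient(rcpt, today, secret=SECRET, days_valid=7):
    """Return the original address if rcpt carries a valid, unexpired tag, else None."""
    if not rcpt.startswith("prvs="):
        return None
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10:
        return None
    tag, mac, original = parts[1][:4], parts[1][4:], parts[2]
    if not hmac.compare_digest(_mac(tag, original, secret), mac):
        return None                       # forged or tampered tag
    # expiry day minus today, mod 1000: more than days_valid means the tag has expired
    if (int(tag[1:]) - _day_number(today)) % 1000 > days_valid:
        return None
    return original

def bounce_acl(mail_from, rcpt_to, today, secret=SECRET):
    """ACL-style decision for one recipient: ('deliver', address) or ('reject', reason)."""
    if mail_from != "":
        return "deliver", rcpt_to         # not a bounce: normal delivery path
    # Bounces carry an empty envelope sender; only those aimed at a tag we issued
    # are replies to our own mail, anything else is blowback from a forged sender.
    original = verify_signed_recipient(rcpt_to, today, secret)
    if original is None:
        return "reject", "bounce to unsigned or expired return path"
    return "deliver", original
```

Ordinary (non-bounce) mail to the domain is untouched, so a catchall can stay enabled while unsigned bounces are refused at SMTP time.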

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Dec 2004
    Posts
    392

    hi

    Have a look at GEOIP (google it).
    It lists which countries own which blocks of IP addresses.
    You can use it in your firewall rules to block all traffic from, e.g., China, or wherever you like.

    cheers
    andy
    UK Managed Hosting
    UK Linux Support
    The information given above is intended to be advice only.

  7. #7
    Member
    Join Date
    Sep 2004
    Posts
    64

    Quote Originally Posted by forlinuxsupport
    hi

    Have a look at GEOIP (google it).
    It lists which countries own which blocks of IP addresses.
    You can use it in your firewall rules to block all traffic from, e.g., China, or wherever you like.

    cheers
    andy
    I think the problem they are having is not that the forged e-mails are going to his account, but when ISPs like MSN or Yahoo (or usually other mail servers) reject the e-mail, they get the bounce (since those ISPs think they are the ones who sent it) instead of the people spamming. I had the same problem and just set my defaults to fail (which won't work here). But I'm interested too if there are any other ways to prevent this from happening. Therefore, blocking IPs wouldn't work since it's not the spammers who are sending the bounces which are clogging his mailbox.

  8. #8
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    IMX, there's little you can do about blowback from spam and/or viruses. Either waiting out the storm or setting up a myriad of email filters is usually the only way out. It is indeed made worse when you need the features of a catchall address.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  9. #9
    Member
    Join Date
    Aug 2005
    Posts
    35

    Anyone found a way to flat out stop mail from coming to a specific domain? (oddly enough, removing MX records does not do it, mail still traces and makes it to the server).

  10. #10
    Member
    Join Date
    Jul 2002
    Posts
    93

    Quote Originally Posted by GTFO
    Anyone found a way to flat out stop mail from coming to a specific domain? (oddly enough, removing MX records does not do it, mail still traces and makes it to the server).
    You don't want any mail at all being processed for that domain?

    Remove that domain name from /etc/localdomains and exim will reject all email sent to it.

  11. #11
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Yeah, or maybe you could set up a filter that just says * discard.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  12. #12
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Quote Originally Posted by myrem
    You don't want any mail at all being processed for that domain?

    Remove that domain name from /etc/localdomains and exim will reject all email sent to it.
    If you do that, you should also add the domain to /etc/remotedomains (create the file if it doesn't exist) otherwise you'll find the domain getting put back into /etc/localdomains by cPanel.

    Removing the MX record won't work, as you found. That's because the SMTP protocol allows for the use of the A record if it cannot resolve the MX record for a domain.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  13. #13
    Registered User TBear's Avatar
    Join Date
    Jul 2004
    Location
    Arizona
    Posts
    3

    Quote Originally Posted by GTFO
    Anyone found a way to flat out stop mail from coming to a specific domain? (oddly enough, removing MX records does not do it, mail still traces and makes it to the server).
    That's one I've not heard before.

    You could set up a "spam" filter which would send all mail to the domain to discard.

    Header contains yourdomain.com to discard.
