1000s of "Mail delivery deferred" messages for emails from non-existent addresses

Sharcupine

Hello,

A client of mine has a website hosted with GoDaddy and they are currently having difficulty sending out emails because the server is sending out thousands of "Mail delivery deferred" emails.

When I look at the email headers of the deferred messages, they show that they are being sent from a variety of email addresses with the client's domain, but the specific email addresses don't actually exist. Is the server compromised, or is this what's called "spoofing"?

I was looking into adding an SPF record, but unfortunately another party holds the account that the domain is registered to. Attempts to get in touch have failed and even worse, he just died so it may be a lot longer before I can add the record.

In lieu of that, what else can I do? Is there a way to stop "Mail delivery deferred" messages from being sent out? Any other ideas or thoughts on what the problem is and how to solve it?

Thanks,
Scott
 

Sharcupine

Hi Lauren,

I'm receiving thousands of "Mail Delivery Deferred" emails from "Mail Delivery System" <[email protected]> to one of the client's inboxes. Inside those emails it reads:

"This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a temporary error. The following address(es) deferred:

[xxxx]@gmail.com
Domain [my client's domain] has exceeded the max emails per hour (506/500 (101%)) allowed. Message will be reattempted later

------- This is a copy of the message, including all the headers. ------"


Then the copied messages below that line vary, including the "From" email address in the header. However, the "From" emails all have the client's domain name, but the actual email addresses don't exist on the server.

I hope that makes sense.

-Scott
 

keat63

Could this be caused by the following scenario?

Spammer sends 1000's of emails to [email protected]
Your server responds with 'no such user here'
GoDaddy maybe has a sending per hour limitation
and now all those bounce messages are stuck in a queue.

If so then maybe consider, in cPanel > Email > Default User > Advanced Options
setting the default to 'Discard'.

It's not recommended purely because it's not RFC compliant.
However, it won't have any adverse effect as it's not policed.

The only adverse effect it might have is if someone sends to an email and makes a typo.
Sends to 'jon.doe' instead of 'john.doe', he wouldn't get a bounce back.

Or a similar situation where GreyListing is invoked.
 

cPanelLauren

Product Owner II
Staff member
Ok, that's why I clarified: one user is receiving bounceback for a large amount of mail that they didn't send, correct? I would suggest that this user immediately change their password or you do it for them, as this appears on the surface (from the information I have thus far) to be a password compromise.
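
One way to check the password-compromise theory against the notices themselves, as an added example that is not part of the original posts: the script parses the message copy that follows the "This is a copy of the message" line and reports which mailbox login, if any, the server recorded for it. The `X-Authenticated-Sender` header and the `esmtpsa` protocol tag are assumptions about how the cPanel/Exim host annotates outgoing mail, and the sample notice is constructed.

```python
import email
import re
from email.utils import parseaddr

MARKER = "This is a copy of the message, including all the headers."

# Constructed sample notice; hosts, addresses and IDs are placeholders.
SAMPLE_DSN = """\
From: Mail Delivery System <mailer-daemon@host.example.net>
Subject: Mail delivery deferred

The following address(es) deferred:

  someone@mail.example
    Domain client.example has exceeded the max emails per hour (506/500 (101%)) allowed.

------- This is a copy of the message, including all the headers. ------
Received: from [203.0.113.45] (port=51234 helo=pc)
 by host.example.net with esmtpsa (Exim 4.93)
 id 1kAbCd-0001Xy-Zz; Wed, 09 Sep 2020 10:00:00 -0500
From: "Billing" <qx81@client.example>
X-Authenticated-Sender: host.example.net: info@client.example
"""

def embedded_message(dsn_text):
    """Parse the original message that the notice copies after MARKER."""
    _, found, rest = dsn_text.partition(MARKER)
    if not found:
        return None
    # Drop the remainder of the marker line, then any blank lines.
    return email.message_from_string(rest.partition("\n")[2].lstrip("\r\n"))

def triage(dsn_text):
    """Summarise who the local server believed was sending the message."""
    msg = embedded_message(dsn_text)
    if msg is None:
        return None
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # Assumed header layout: "<hostname>: <login>"; keep the login part.
    login = msg.get("X-Authenticated-Sender", "").rpartition(":")[2].strip().lower()
    received = " ".join(msg.get_all("Received", []))
    return {
        "header_from": header_from,
        "authenticated_as": login or None,
        # Exim records authenticated ESMTP submissions as esmtpa / esmtpsa.
        "smtp_auth_used": bool(re.search(r"\bwith esmtps?a\b", received)),
        "from_differs_from_login": bool(login) and login != header_from,
    }
```

Running `triage()` over each saved notice and tallying `authenticated_as` shows whether one real mailbox login sits behind the varying, non-existent "From" addresses, which is the pattern a stolen password produces.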
 

Sharcupine

You described the situation perfectly, but the default was already set to "Discard." Thank you for the idea though.
 

Sharcupine

Thanks Lauren. Yes, it is the one email address that is receiving a large amount of bounceback messages for emails no one had sent.

I've gone ahead and deleted the email address altogether, as it wasn't actively being used anyway. So far it seems to have unclogged the pipes, as legitimate emails are finally going out without a problem. Hopefully, things continue to run smoothly.

Thanks again,
Scott
 