blacklisted server because of a single email bounce.

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
I really don't get this at all.

I just discovered that one of our servers is blacklisted at Lashback due to just one single bounced email.

Here's the part of the header that they provided as a reason for the bounce. (I have changed the addresses for our protection):

Code:
---------------------
Received: from our.server.com (HELO our.server.com) (222.222.222.22) by Thunder53 (qpsmtpd/0.84) with ESMTP; Sun, 18 Jan 2015 07:28:34 -0800
Received: from mailnull by our.server.com with local (Exim 4.84) id 1YCrp0-003WNo-6q for [REDACTED]; Sun, 18 Jan 2015 09:31:26 -0600
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System [REDACTED]
To: [REDACTED]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Sun, 18 Jan 2015 09:31:26 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - our.server.com
X-AntiAbuse: Original Domain - [REDACTED]
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: our.server.com: none
---------------------
So obviously it's a bounce, but why on earth should this incur a blacklisting when:

- Our customer is NOT using Boxtrapper
- Our customers have no autoresponders established.
- EXIM has been tweaked to NOT return the original subject line, nor any of the body copy (in the bounced message).
- And other routines have been established (e.g. using antivirus.exim) to assure that none of the original spam is bounced back to any address, per backscatter.

Thus NDR spam is not possible.

So apparently simply because it's a bounce and it hits one of their honeypots, we're shot down, at least in so far as having servers which are absolutely clean of any blacklists.

The only solution I have thought of is to filter out any email with "X-Failed-Recipients", but doesn't this lead to non-RFC-compliant email servers, e.g. servers that do not allow poorly addressed email to bounce back to the recipient?

Anyone have a clue about this kind of thing?

Thanks much!
 

jols

re: blacklisted server because of a single email bounce.

By the way, the bounce occurred due to this:

R=virtual_user_maildir_overquota: Mailbox quota exceeded


And to reiterate, I have exim configured thus:


bounce_return_body: false
bounce_return_message: false


So the question becomes, I guess we just shut down ALL bounces (period) in order to prevent blacklistings? Huh?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello :)

You may want to reach out to the third-party blacklist provider to determine if there is a delisting process. In "WHM Home » Service Configuration » Exim Configuration Manager", under the "Mail" tab, you can disable the following option:

"Bounce email for users over quota"

This will keep the messages in the queue instead of bouncing them to the sender.

Thank you.
 

jols

Lashback requires payment for more than a single delisting per month, which, IMHO, is a conflict of interest, if not an outright SCAM if ever there was one. However, we were delisted without having to shell out bucks, which of course we would never do.

Thanks for pointing out the "Bounce email for users over quota" feature in WHM, somehow I missed that. So I do appreciate your pointing this out.
 

jols

Hi,

"Bounce email for users over quota" has long been switched off, yet we are still getting hit with this for one particular server.

The core of the header they are showing us is this:

[REDACTED]; Thu, 30 Apr 2015 21:23:41 -0500
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System [REDACTED]
To: [REDACTED]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Thu, 30 Apr 2015 21:23:41 -0500

I have only replaced the actual email account address with "[email protected]" and the server address in the above.

Any other advice, anyone?

Thanks much.
 

cPanelMichael

Hello,

What entry do you see in /var/log/exim_mainlog or /var/log/exim_rejectlog for that message? Also, does the message body indicate the reason for the bounce?

Thank you.
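
The log check asked about above can be scripted. This is an added example, not part of any post in the thread: it pairs each locally generated bounce in an Exim main log (a `<= <>` arrival carrying `R=<original message id>`) with the `**` failure that caused it, so the router still producing bounces is visible. The sample lines are constructed, and it assumes the log records recipients (`for ...`) on arrival lines.

```python
import re
from collections import defaultdict

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE = re.compile(rf"^\S+ \S+ (?P<id>{MSGID}) (?P<flag><=|\*\*) (?P<rest>.*)$")

# Constructed sample lines in Exim main-log layout; none are from the thread.
SAMPLE_LOG = """\
2015-04-30 21:23:39 1Ynza0-0001Ab-1x <= someone@trap.example H=(mail.sender.example) [203.0.113.9]:41234 P=esmtp S=2210 T="Hello" for user@customer.example
2015-04-30 21:23:41 1Ynza0-0001Ab-1x ** user@customer.example R=virtual_user_maildir_overquota: Mailbox quota exceeded
2015-04-30 21:23:41 1Ynza1-0001Ah-3y <= <> R=1Ynza0-0001Ab-1x U=mailnull P=local S=1502 T="Mail delivery failed: returning message to sender" for someone@trap.example
2015-04-30 21:23:41 1Ynza0-0001Ab-1x Completed
2015-04-30 21:30:02 1YnzgA-0001Cd-5z <= staff@customer.example H=(laptop) [198.51.100.20]:50022 P=esmtpa A=dovecot_login:staff@customer.example S=900 T="Invoice" for typo@remote.example
2015-04-30 21:30:04 1YnzgA-0001Cd-5z ** typo@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [198.51.100.7]: SMTP error from remote mail server after RCPT TO:<typo@remote.example>: 550 No such user
2015-04-30 21:30:04 1YnzgB-0001Cj-7a <= <> R=1YnzgA-0001Cd-5z U=mailnull P=local S=1400 T="Mail delivery failed: returning message to sender" for staff@customer.example
""".splitlines()

def trace_bounces(lines):
    """Pair every locally generated bounce with the failure that caused it."""
    arrivals, failures = {}, defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        if m["flag"] == "<=":  # message arrival
            arrivals[m["id"]] = m["rest"]
            continue
        # "**" marks a failed delivery: address, router, then ": reason"
        addr, _, detail = m["rest"].partition(" ")
        router = re.search(r"\bR=(\w+)", detail)
        failures[m["id"]].append(
            (addr, router[1] if router else None, detail.partition(": ")[2]))
    report = []
    for bounce_id, rest in arrivals.items():
        ref = re.match(rf"<> R=({MSGID}) ", rest)  # null sender + reference id
        if not ref:
            continue  # an ordinary message, not a bounce
        origin = arrivals.get(ref[1], "")
        to = re.search(r" for (\S+)$", rest)
        report.append({
            "bounce_id": bounce_id,
            "bounce_to": to[1] if to else None,
            "original_id": ref[1],
            "failures": list(failures[ref[1]]),
            # Accepted over SMTP without authentication, then bounced later:
            # the accept-then-bounce case the thread calls backscatter.
            "unauthenticated_remote_origin": " H=" in origin and " A=" not in origin,
        })
    return report
```

Pass it the lines of `/var/log/exim_mainlog`; rows with `unauthenticated_remote_origin` set are the bounces sent to an address the server never verified.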