The Community Forums


Dinged for NDR spam, how to prevent the body copy from being included in the bounce?

Discussion in 'E-mail Discussions' started by jols, Feb 28, 2014.

  1. jols

    jols Well-Known Member

    Hi,

    We've recently been put on a RBL for NDR spam. And sure enough, when email is sent to a non-existent email address for an account we host, the message bounces with "No Such User Here", but the problem is, the entire original body copy is included with the bounce. Hence:

    -----------------------
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    name@domainhere.com
    No Such User Here"

    ------ This is a copy of the message, including all the headers. ------


    -----------------------

    I would really like to know how to, as the RBL recommends:

    The spammers were using your mail server, which had the NDR feature enabled, to deliver their spam. For this issue, you should directly reject these kinds of requests during the incoming SMTP session by returning a 5.x error code to them instead of keeping the mails and bouncing them back later. They are always sent to the non-existent mail account first, so you should easily be able to turn them down.


    Anyone? This has become a rather urgent issue.

    By the way, this particular email address is NOT using BoxTrapper, and they have their default email address setting set to:
    ------------------
    Current Setting: :fail: No Such User Here

    Discard with error to sender (at SMTP time)

    Failure Message (seen by sender):
    ------------------

    I'd rather not set all misrouted email to blackhole, but if I can't prevent the entire message from bouncing to some innocent individual via spammer spoofing, then I may not have any choice.

    Anyone?
     
  2. jols

    jols Well-Known Member

    Re: Dinged for NDR spam, how to prevent the body copy from being included in the bounce?

    Found it.

    In case anyone is interested. You can easily prevent any part of the original message from being included in the bounce if you do this:

    whm » Service Configuration » Exim Configuration Manager

    Click:
    Add additional configuration setting

    bounce_return_message = false


    Presto! No more NDR spam.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator

    I am happy to see you were able to find a solution. Thank you for updating us with the outcome.
     
  4. serichards

    serichards Well-Known Member

    cPanel Access Level:
    Website Owner

    Brilliant. I think I will add that into mine too!
     
  5. kdean

    kdean Well-Known Member

    cPanel Access Level:
    Root Administrator

    FYI...

    bounce_return_message = false

    removes both the headers and body while...

    bounce_return_body = false

    will just remove the body but keep the headers.
     
  6. mtindor

    mtindor Well-Known Member

    cPanel Access Level:
    Root Administrator

    Seems like a bandaid to me. Messages to unknown users should be rejected at SMTP time, not accepted and then bounced.

    Mike
     
  7. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    cPanel Access Level:
    Root Administrator

    Hello,

    There are lots of messages sent out daily where the sender simply made a typo. If the messages were discarded/rejected at SMTP time, the sender would never know that the message wasn't delivered. The message would simply be discarded and then both parties would never know the message wasn't sent/delivered.

    That is against RFC 821 which states that messages must/should bounce with an error message.

    The settings mentioned above simply stop the message headers/body from being sent back.
     
  8. mtindor

    mtindor Well-Known Member

    cPanel Access Level:
    Root Administrator

    Peter,

    There is a difference between accepting / bouncing vs rejecting-during-smtp

    Scenario 1: mail.recipientmailserver.com accepts / bounces
    Scenario 2: mail.recipientmailserver.com rejects-during-smtp

    In scenario #1, I send a message [or a thousand] with a forged FROM address of bill@microsoft.com [relaying through mail.somedomain.com] to r2d2@recipientmailserver.com. Assuming r2d2@recipientmailserver.com is not valid, mail.recipientmailserver.com still accepts the mail and then bounces it back to the reported [forged] sender of bill@microsoft.com. Bill never sent it. Microsoft blacklists mail.recipientmailserver.com for bouncing back spam / backscatter. The server that actually relayed it has no clue.

    In scenario #2, I send a message [or a thousand] with a forged FROM address of bill@microsoft.com [relaying through mail.somedomain.com] to r2d2@recipientmailserver.com. Assuming r2d2@recipientmailserver.com is not valid, mail.recipientmailserver.com rejects during SMTP, thus leaving the burden on mail.somedomain.com to generate an NDR. And that's how it should be. The spam is being sent through mail.somedomain.com, not mail.recipientmailserver.com. So you don't want mail.recipientmailserver.com having to take on the task of processing the mail AND getting blacklisted. Let the sending server [which needs to be aware that spam is being sent through it] deal with the additional processing [generating an NDR / getting blacklisted].

    And for a completely valid email transaction:

    Under scenario #1, I send an email to pricklypete@cpanel.net [I thought it was your address, but I was wrong]. It gets relayed through mail.somedomain.com. cPanel's mailserver accepts it, generates a bounce, and sends that bounce back to my email address. Hey, I guess that's okay. But, under scenario #2, if I send the email to pricklypete@cpanel.net, via mail.somedomain.com, cPanel's server uses fewer resources by rejecting during SMTP [leaving the responsibility to mail.somedomain.com to generate the NDR back to me].

    Accept/Bounce hasn't been a recommended practice in internet mail for ages. Why would you suggest that it is? Anybody wanting to make sure that their mailservers remain as reputable as possible [stay off of blacklists, etc] does not want to accept / bounce mail, since most mail that it would accept and bounce would be spam with a forged sender.

    So, that is why the recommended way is to reject during SMTP. In the Exim configuration in cPanel, you can do either. I have never in my life set up a mailserver in a configuration that would accept/bounce mail that was sent to a nonexistent user. That's just, well, crazy.

    Mike
     
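    As an added illustration (not cPanel's generated exim.conf, and not from any poster here), this is how the two main options from this thread and the reject-at-SMTP-time approach look in plain Exim configuration. It assumes a standard router chain that verifies local recipients and a `+local_domains` domain list; in cPanel the ACL is generated for you and the per-account "Default Address" `:fail:` setting is what makes recipient verification fail.

    ```exim
    # Main section: controls what an NDR contains *if* this host generates one.
    # The implicit default (bounce_return_message = true) returns the full
    # original headers and body, so a forged sender receives the spam content
    # (backscatter). Pick ONE of the two options below.

    # Option A: strip the body, keep the original headers (Subject: still leaks).
    # bounce_return_body = false

    # Option B: return neither headers nor body; only Exim's error text is sent.
    # When this is false, bounce_return_body has no effect at all.
    bounce_return_message = false

    # Defence in depth: cap anything that is ever returned (default is 100K).
    bounce_return_size_limit = 10K

    # ACL section: the real fix. Refuse unknown local recipients during the
    # SMTP session with a 5xx at RCPT TO, so nothing is queued on this host and
    # the *sending* server, not ours, has to deal with any NDR.
    begin acl

    acl_check_rcpt:
      # Local domain, but no router accepts the address (e.g. unknown mailbox
      # or a cPanel account whose default address is :fail:): reject now.
      deny    message = No Such User Here
              domains = +local_domains
              !verify = recipient

      # Local domain and the recipient verified: accept for delivery.
      accept  domains = +local_domains

      # Anything else would be an open relay; refuse it.
      deny    message = relay not permitted
    ```

    With the ACL in place the bounce options only matter for messages that were accepted and failed later (mailbox full, filter :fail: after acceptance), which is why both belong in the same configuration.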
  9. serichards

    serichards Well-Known Member

    cPanel Access Level:
    Website Owner

    For the non-experts, what are the recommended settings to have within the whm/exim basic configuration that will reduce the possibility of having fake senders and fake recipients being processed by your mail server rather than being dealt with as per recommended practice?

    I have turned sender verify on so I'd assume the fake sender issue is dealt with that way.
    I see emails bounce to non-existent recipients with 'no such user' type errors. Is that correct? If I already have sender verification on, will that not stop these kinds of attacks dead in their tracks, as they can't be bounced to a fake sender?

    From addresses are not always from addresses. How does exim distinguish between the from, return path and envelope sender correctly? One of those is the genuine 'from' address. As long as the bounce goes to that actual address then it doesn't matter if some spammer has decided to put bill@microsoft as the from address as it isn't returned there in the first place.

    All the cpanel basic setting defaults should be for a secure and reliable mail server that isn't fooled by these basic tricks.
     
  10. jols

    jols Well-Known Member


    One would think.

    Otherwise we've often had complaints when sender verify was switched on. For some reason, too much legitimate email comes from servers that are either misconfigured, or I don't know what, which will not be delivered with sender verify switched on.
     
  11. serichards

    serichards Well-Known Member

    cPanel Access Level:
    Website Owner

    It's generally bulk marketing mails and forum software automatic subscriptions that are trapped by sender verify.

    You can add their SMTP server IP into the whitelist so it won't check them. I have done that with a few, as it is easier to do that than it is to switch off sender verify and be swamped with rubbish.
     
  12. jols

    jols Well-Known Member



    We just got dinged again for NDR. Question: what if both of these settings are set to FALSE, will the latter override the former?

    - - - Updated - - -

    Or vice versa?
     
  13. jols

    jols Well-Known Member

    Now of course we have MAPS, a.k.a. Backlash, telling us that we should not allow the original subject lines in the bounced messages. But overall they seem to be suggesting that messages do not bounce at all. I really don't get these guys. We are already extracting the body copy on a bounce, so what exactly is their problem, I wonder. Here's the message I just received today about some message that went out last August 22:

    ------
    Based on the spam on file, ###.###.###.### appeared to be running a misconfigured mail server. Currently it accepts mails from
    various domains and attempts to deliver it locally later. When it cannot deliver it (user unknown , message with spam, mailbox full,
    etc), you create an NDR appending the original message and forward it to the From: field. All spam uses forged From: field, and
    this turns ###.###.###.### into an effective NDR spam engine(backster), and forwarding spam to unrelated third parties.
    ------

    Yeah, sure, but the bounced message never contains the original body copy. So what is it with these guys?

    - - - Updated - - -

    And I've just added this in my note to them:

    To be honest, this seems like you are just trying to extract fees per your Lashback RBL organization based on policy that is NOT within RFC compliance. Am I right?

    Indeed they charge fees for de-listing more than once per month, so I am getting very suspicious that this organization may be no better than the spammers they profess to be against.
     
  14. sigmanetpro

    sigmanetpro Member


    I can't find " Add additional configuration setting"

    Under "whm » Service Configuration » Exim Configuration Manager"

    Can anyone tell me where it is?


     
  15. kdean

    kdean Well-Known Member

    cPanel Access Level:
    Root Administrator
    Under "Exim Configuration Manager" you need to switch to the "Advanced Editor" at the top first.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Browse to the "Advanced Editor" tab. Use your browser search feature to search for "Section: BEGINACL" and you will see the blue text box just above this to add an additional configuration setting.

    Thank you.
     
  17. Chuckee

    Chuckee Registered

    cPanel Access Level:
    Website Owner
    So, what setting do you actually use to reject during SMTP?
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    This is actually configured under the "Default Address" option in cPanel for the individual account with the "Discard the email while your server processes it by SMTP time with an error message" setting.

    Thank you.
     