Dinged for NDR spam, how to prevent the body copy from included in the bounce?

[jols]

Hi,

We've recently been put on a RBL for NDR spam. And sure enough when email is sent to a non-existant email address for an account we host, the message with "No Such User Here" bounces, but the problem is, the entire original body copy is included with the bounce. Hence:

-----------------------
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
No Such User Here"

------ This is a copy of the message, including all the headers. ------


-----------------------

I would really like to know how to, as the RBL recommends:

The spammer were using your mail server which enabled NDR feature to deliver their spam. For this issue, you should directly reject this kinds of request during the incoming SMTP session as returning 5.x error code to them instead of keeping mails and bounce back later. They are always sent to the non-existed mail account first and you should easily to turn them down.


Anyone? This has become a rather urgent issue.

By the way, this particular email address is NOT using BoxTrapper, and they have their default email address setting set to:
------------------
Current Setting: :fail: No Such User Here

Discard with error to sender (at SMTP time)

Failure Message (seen by sender):
------------------

I'd rather not set all misrouted email to blackhole, but if I can't prevent the entire message from bouncing to some innocent individual via spammer spoofing, then I may not have any choice.

Anyone?

 

[jols]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

Found it.

In case anyone is interested. You can easily prevent any part of the original message from being included in the bounce if you do this:

whm » Service Configuration » Exim Configuration Manager

Click:
Add additional configuration setting

bounce_return_message = false


Presto! No more NDR spam.

 

[cPanelMichael]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

I am happy to see you were able to find a solution. Thank you for updating us with the outcome.

 

[serichards]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

Brilliant. I'll think I will add that in to mine too!

 

[kdean]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

FYI...

bounce_return_message = false

removes both the headers and body while...

bounce_return_body = false

will just remove the body but keep the headers.

 

[mtindor]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

Found it.

In case anyone is interested. You can easily prevent any part of the original message from being included in the bounce if you do this:

whm » Service Configuration » Exim Configuration Manager

Click:
Add additional configuration setting

bounce_return_message = false


Presto! No more NDR spam.

Seems like a bandaid to me. Messages to unknown users should be rejected at SMTP time, not accepted and then bounced.

Mike

 

[cPanelPeter]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

Hello,

There are lots of messages sent out daily where the sender simply made a typo. If the messages were discarded/rejected at SMTP time, the sender would never know that the message wasn't delivered. The message would simply be discarded and then both parties would never know the message wasn't sent/delivered.

That is against RFC 821 which states that messages must/should bounce with an error message.

The settings mentioned above simply stop the message headers/body from being sent back.

 

[mtindor]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

Peter,

There is a difference between accepting / bouncing vs rejecting-during-smtp

Scenario 1: mail.recipientmailserver.com accepts / bounces
Scenario 2: mail.recipientmailserver.com rejects-during-smtp

In scenario #1, I send a message [or a thousand] with a forged FROM address of [email protected] [relaying through mail.somedomain.com] to [email protected] Assuming [email protected] is not valid, mail.recipientmailserver.com still accepts the mail and then bounces it back to the reported [forged] sender of [email protected] Bill never sent it. Microsoft blacklists mail.recipientmailserver.com for bouncing back spam / backscatter. The server that actually relayed it has no clue.

In scenario #2, I sent a message [or a thousand] with a forged FROM address of [email protected] [relaying through mail.somedomain.com] to [email protected] Assuming [email protected] is not valid, mail.recipientmailserver.com rejects during SMTP, thus leaving the burden on mail.somedomain.com to generate an NDR. And that's how it should be. The spam is being sent through mail.somedomain.com, not mail.recipientmailserver.com. So you don't want mail.recipientmailserver.com having to take on the task of processing the mail AND getting blacklist. Let the sending server [which needs to be aware that spam is being sent through it] deal with the additional processing [generating an NDR / getting blacklisted].

And for a completely valid email transaction:

Under scenario #1, I send an email to [email protected] [I thought it was your address, but I was wrong]. It gets relayed through mail.somedomain.com. cPanel's mailserver accepts it, generates a bounce, and sends that bounce back to my email address. Hey, I guess that's okay. But, under scenario #2, if I send the email to [email protected], via mail.somedomain.com, cPanel's server uses less resources by rejecting during SMTP [leaving the responsibility to mail.somedomain.com to generate the NDR back to me].

Accept/Bounce hasn't been a recommended practice in internet mail for ages. Why would you suggest that it is? Anybody wanting to make sure that their mailservers remain as reputatable as possible [stay off of blacklists, etc] do not want to accept / bounce mail, since most mail that it would accept and bounce would be spam with a forged sender.

So, that is why the recommended way is to reject during SMTP. In the Exim configuration in cPanel, you can do either. I have never in my life set up a mailserver in a configuration that would accept/bounce mail that was sent to a nonexistent user. That's just, well, crazy.

Mike

 

[serichards]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

For the non experts what are the recommended settings to have within the whm/exim basic configuration that will reduce the possibility of having fake senders and fake recipients being processed by your mail server rather than being dealt with as per recommended practice?

I have turned sender verify on so I'd assume the fake sender issue is dealt with that way.
I see emails bounce to non existent recipients 'with no such user' type of errors. Is that correct? If I already have sender verification on will that not stop these kind of attacks dead in their tracks as they can't be bounced to a fake sender?

From addresses are not always from addresses. How does exim distinguish between the from, return path and envelope sender correctly? One of those is the genuine 'from' address. As long as the bounce goes to that actual address then it doesn't matter if some spammer has decided to put [email protected] as the from address as it isn't returned there in the first place.

All the cpanel basic setting defaults should be for a secure and reliable mail server that isn't fooled by these basic tricks.

 

[jols]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

All the cpanel basic setting defaults should be for a secure and reliable mail server that isn't fooled by these basic tricks.

One would think.

Otherwise we've often had complaints when sender verify was switched on. For some reason, too much legitimate email comes from servers that are either misconfigured, or I don't know what, which will not be delivered with sender verify switched on.

 

[serichards]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

It's generally bulk marketing mails and forum software automatic subscriptions that are trapped by sender verify.

You can add their smtp server ip into the whitelist so it won't check them. I have done that with a few as it is easier to do that than it is to switch off sender verify and be swamped with rubbish.

 

[jols]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

FYI...

bounce_return_message = false

removes both the headers and body while...

bounce_return_body = false

will just remove the body but keep the headers.

We just got dinged again for NDR. Question, what if both of these settings are set to FALSE, will the latter override the former?

- - - Updated - - -

We just got dinged again for NDR. Question, what if both of these settings are set to FALSE, will the latter override the former?

Or visa-versa?

 

[jols]

Now of course we have MAPS, a.k.a. Backlash telling us that we should not allow the original subject lines in the bounced messages. But overall they seem to be suggesting that messages do not bounce at all. I really don't get these guys. We are already extracting the body copy on a bounce, so what exactly is there problem I wonder. Here's the message I just received today about some message that went out last August 22:

------
Based on the spam on file, ###.###.###.### appeared to be running a misconfigured mail server. Currently it accepts mails from
various domains and attempts to deliver it locally later. When it cannot deliver it (user unknown , message with spam, mailbox full,
etc), you create an NDR appending the original message and forward it to the From: field. All spam uses forged From: field, and
this turns ###.###.###.### into an effective NDR spam engine(backster), and forwarding spam to unrelated third parties.
------

Yeah, sure but the bounced message never contains the original body copy. So what is is with these guys?

- - - Updated - - -

And I've just added this in my note to them:

To be honest, this seems like you are just trying to extract fees per your Lashback RBL organization based on policy that is NOT within RFC compliance. I am right?

Indeed they charge fees for de-listing more than once per month, so I am getting very suspicious that this organization may be no better than the spammers they profess to be against.

 

[sigmanetpro]

Re: Dinged for NDR spam, how to prevet the body copy from included in the bounce?

I can't find " Add additional configuration setting"

Under "whm » Service Configuration » Exim Configuration Manager"

Anyone can tell me where is it?

Found it.

In case anyone is interested. You can easily prevent any part of the original message from being included in the bounce if you do this:

whm » Service Configuration » Exim Configuration Manager

Click:
Add additional configuration setting

bounce_return_message = false


Presto! No more NDR spam.

 

[kdean]

Under "Exim Configuration Manager" you need to switch to the "Advanced Editor" at the top first.

 

[cPanelMichael]

Browse to the "Advanced Editor" tab. Use your browser search feature to search for "Section: BEGINACL" and you will see the blue text box just above this to add an additional configuration setting.

Thank you.

 

[Chuckee]

So, that is why the recommended way is to reject during SMTP. In the Exim configuration in cPanel, you can do either. I have never in my life set up a mailserver in a configuration that would accept/bounce mail that was sent to a nonexistent user.

So, what setting do you actually use to reject during SMTP?

 

[cPanelMichael]

So, what setting do you actually use to reject during SMTP?

Hello

This is actually configured under the "Default Address" option in cPanel for the individual account with the "Discard the email while your server processes it by SMTP time with an error message" setting.

Thank you.