The Community Forums

Interact with an entire community of cPanel & WHM users!

How can I stop mail from "mailnull"

Discussion in 'E-mail Discussions' started by davidmxs, Oct 19, 2003.

  1. davidmxs

    davidmxs Member

    My server is used for sending spam; sometimes the message is generated from a faked IP (an IP allowed in my relayhosts).

    I cannot block this IP because it is legitimate. The spammer is faking his real IP using a client's IP. (I do not know how.)

    Other times, the spam messages are coming from mailnull.

    I NEED TO STOP THESE SPAMMERS! PLEASE HELP
     
    #1 davidmxs, Oct 19, 2003
    Last edited: Oct 19, 2003
  2. mickeymouse

    mickeymouse Well-Known Member

    RE: How can I stop mail from "mailnull"

    Dear davidmxs,

    Try to add the following line in /etc/exim.conf:

    rbl_domains = rbl.maps.vix.com/reject : outputs.orbs.org/warn : \
    spamsource-netblocks.orbs.org/reject : blackholes.mail-abuse.org/reject : \
    relays.mail-abuse.org/warn : inputs.orbs.org/warn : manual.orbs.org : \
    spamsources.orbs.org/reject

    I hope this will help you to solve your problem.

    Regards,
     
  3. khoonchee

    khoonchee Well-Known Member
    PartnerNOC

    Our servers are exploited by some scripts, I guess, as mailnull has a high rate and there is a lot of returned mail:

    1AVcT5-0004iP-6J-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    itzsoftball4me@aol.com
    SMTP error from remote mailer after initial connection:
    host mailin-04.mx.aol.com [205.188.156.249]: 554- (RTR:SC) The information presently available to AOL indicates
    554- that this server has been repeatedly used to transmit unsolicited
    554- bulk e-mail to AOL. Based on AOL's e-mail policies at
    554- http://postmaster.info.aol.com/standards.html, AOL cannot accept
    554- further e-mail transactions from this server for an extended
    554- period of time. Please have your ISP/ASP contact AOL to resolve


    ------ This is a copy of the message, including all the headers. ------

    Return-path: <sierra@hostdomino.com>
    Received: from nobody by vision.abc.net with local (Exim 4.24)
    id 1AVcT4-0004iH-PH
    for itzsoftball4me@aol.com; Sun, 14 Dec 2003 13:03:54 -0700
    To: itzsoftball4me@aol.com
    Subject: Live g1rls fuc king and suc king
    From: Sierra <sierra@hostdomino.com>
    Reply-To: sierra@hostdomino.com
    Errors-To: <sierra@hostdomino.com>
    MIME-Version: 1.0
    X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
    Content-type: text/html; charset=iso-8859-1
    Message-Id: <E1AVcT4-0004iH-PH@vision.secure-dns.net>
    Date: Sun, 14 Dec 2003 13:03:54 -0700


    <html><body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000"><table border="0" cellspacing="0" cellpadding="0" align="center"><tr><td align="center"><a href="http://www.meteorize.com/fa1/QA9fQDKKSYpVqqqx7mgx.html" target="_new"><img src="http://www.meteorize.com/fa1/QA9fQDKKSYpVqqqx7mgx.png" border="0"></a></td></tr><tr><td align="center"><a href="http://www.meteorize.com/_QA9fQDKKSYpVqqqx7mgx.php"><img src="http://www.meteorize.com/_QA9fQDKKSYpVqqqx7mgx/re.jpg" border="0"></a></td></tr></table><p><center><font size="1">QA9fQDKKSYpVqqqx7mgx</font></center></body></html>


    I guess the spammer has compiled the script and is using either a CSV file or a database to randomize the mail activity. Each time, the email header, To and From will be different. However, the message body has a similar pattern, containing one domain ("meteorize.com").

    I am trying to trace out this user. Any guided method for this?

    Thanks,
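The bounce copy above already carries the clue being asked for: an Exim `Received: from nobody by ... with local` header means the message was handed to Exim by a local process running as the web server user (no SMTP hop), and the queue id on that line is what to search the Exim main log for. The Python below is an added example, not code from this thread or from cPanel, that pulls those fields out of a message and groups a batch of them by the hostname advertised in the body, which is the one thing the thread says stays constant while From and To rotate; the samples are constructed, and the set of script users (nobody, mailnull) is an assumption for this illustration.

```python
import re
from email import message_from_string

# Constructed samples (not real traffic): the first mimics the bounce copy
# quoted above, the second is an ordinary SMTP-received message for contrast.
LOCAL_SAMPLE = """Received: from nobody by vision.abc.net with local (Exim 4.24)
\tid 1AVcT4-0004iH-PH
\tfor itzsoftball4me@aol.com; Sun, 14 Dec 2003 13:03:54 -0700
From: Sierra <sierra@hostdomino.com>
Content-type: text/html; charset=iso-8859-1

<a href="http://www.meteorize.com/fa1/x.html"><img src="http://www.meteorize.com/fa1/x.png"></a>
"""
SMTP_SAMPLE = """Received: from mail.example.net ([192.0.2.10]) by vision.abc.net with esmtp (Exim 4.24)
\tid 1AVcT9-0004jQ-00
From: friend@example.net

hello, see http://www.example.net/page
"""
# "with local" in an Exim Received: header means the message was handed to
# Exim on the command line (a script calling sendmail), not received over SMTP.
LOCAL_RE = re.compile(r"from (?P<user>\S+) by \S+ with local")
ID_RE = re.compile(r"\bid (?P<id>\S+)")
HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def analyse(raw, script_users=("nobody", "mailnull")):
    """Triage one message: local injection by a script user?, Exim queue id, advertised hosts."""
    msg = message_from_string(raw)
    injected_by = queue_id = None
    for hop in msg.get_all("Received") or []:
        m = LOCAL_RE.search(hop)
        if m:
            injected_by = m.group("user")
            idm = ID_RE.search(hop)
            queue_id = idm.group("id") if idm else None
    body = ""
    for part in msg.walk():  # collect every text part, undoing any transfer encoding
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode(
                part.get_content_charset() or "latin-1", "replace")
    return {"script_injected": injected_by in script_users,
            "injected_by": injected_by, "queue_id": queue_id,
            "advertised_hosts": sorted({h.lower() for h in HOST_RE.findall(body)})}

def cluster_by_host(raws):
    """Group script-injected messages by advertised host, keeping the queue ids to trace."""
    clusters = {}
    for rec in map(analyse, raws):
        for host in rec["advertised_hosts"] if rec["script_injected"] else []:
            clusters.setdefault(host, []).append(rec["queue_id"])
    return clusters
```

Feeding the spool copies of the bounced messages through `cluster_by_host` yields, per advertised domain, the queue ids whose log lines show which account and script called sendmail.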
     
  4. Website Rob

    Website Rob Well-Known Member

    What's happening is known as "eMail Spoofing", which means someone is using your Domain name (or your Client's) as the 'From' eMail address. This way, if it bounces it does not go back to the Spammer, but instead to whatever 'From' header was used.

    Nothing one can do about this, as an eMail can use anyone's Domain name. This is known to Spammers and they take advantage of it.
     
  5. zenpig66

    zenpig66 Active Member

    I've had this issue for a while now, though sporadic. Every once in a while the bastards decide to spoof one of my server names and 10,000+ emails in the queue (bounces) later, it's got to be cleaned up. hostdomino.com is one I see often, btw.

    What I'm curious about is how anyone here feels about exim rewriting the headers when it receives one of these messages with a known spammer email in it (I imagine it can be done, though I'm not familiar with the intricacies of exim rewrite rules... yet; hehe) so it returns to another mail server after the initial bounce fails again. Preferably the mail server would be the one used for the spammer's MX or the webmaster of the site they are advertising. I have no problem with the morality of it, though I imagine one can tag themselves as a spammer rather quickly if this was done. I'm just tired of it and seeking payback :)
     
  6. NetX

    NetX Well-Known Member

    I tried to uncomment in /etc/exim.conf the line:

    # rbl_domains = rbl.maps.vix.com

    But, when exim restarts, I get this error:

    Exim configuration error in line 184: Dec 25 15:45:47 host exim: main option "rbl_domains" unknown

    Any ideas?
     