
How to block hundreds of incoming mails to non-existent accounts

Discussion in 'E-mail Discussion' started by Gino Viroli, Jun 12, 2019.

  1. Gino Viroli

    Gino Viroli Well-Known Member

    Joined:
    Oct 2, 2007
    Messages:
    66
    Likes Received:
    4
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    I'm receiving hundreds of incoming mails to non-existent accounts.

    My WHM/EXIM mail server replies "No such user here" which is correct.

    All these incoming mails are obviously spam attempts. They are annoying because they fill pages and pages of my "WHM > Email > Mail Delivery Reports" log, see screenshot.

    Is there a way to block this kind of junk at firewall level or at mail server level?
    I would like to keep my Mail Delivery Reports log as clean as possible.

    Capture.PNG
     
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,291
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    You could start by adding a number of custom blacklists in exim config.
    I use these. (attached)

    You could also potentially blacklist them in CSF firewall if:

    1. You have CSF installed
    2. The IPs are the same or fall within a class C.
     

  3. keat63

    keat63 Well-Known Member

    Actually, I have something very similar going on.
    I checked over 500 IPs and there is little to no pattern going on in there.

    The only difference between what you posted and what's going on on mine is my RBLs are blocking most of them and any that get through go into a black hole.

    Look at the time stamps and notice the pattern.
    Mine are coming at 11 seconds past every minute, with sometimes as many as 6 each time.
     
    #3 keat63, Jun 12, 2019
    Last edited: Jun 12, 2019
  4. Gino Viroli

    Gino Viroli Well-Known Member

    The IPs sending these mails are:

    185.222.211.10
    185.222.211.11
    185.222.211.12

    The fun part is they are all listed in SPAMHAUS SBL, that is turned on in my "WHM > Service Configuration > Exim Configuration Manager > Manage Custom RBLs" but apparently EXIM does not reject them.
    Capture.PNG
     
  5. keat63

    keat63 Well-Known Member

    Yours is an easy fix.
    Add 185.222.211.0/24 to your CSF deny IP list.
    If they come back when the list has rotated, add '# do not delete' to the end.

    Mine is looking impossible but I have a plan.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,529
    Likes Received:
    2,181
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Gino Viroli,

    Do you mind opening a support ticket so we can take a closer look at your server? While I don't see anything in your post to indicate the emails sent to your server were an attempt to exploit your server (see Exim CVE-2019-10149), our Technical Analysts can take a closer look to confirm that's the case. You can post the ticket number here once it's opened and I'll link this thread to it.

    Thank you.
     
  7. Gino Viroli

    Gino Viroli Well-Known Member

    "Your Support Request ID is: 12571987"

    FYI:
    # rpm -q exim
    exim-4.92-1.cp1178.x86_64
     
  8. Gino Viroli

    Gino Viroli Well-Known Member

    They told me server is fine and safe.
     
  9. keat63

    keat63 Well-Known Member

    Do you have CSF firewall installed?
     
  10. Gino Viroli

    Gino Viroli Well-Known Member

    Yes, why?
    I have already blocked the IPs that send these junk messages, I just thought the mail server would understand that is extreme junk and reject it without even logging it. I was wrong, it rejects it, but it still logs it filling pages of log. :-D

    Now that I banned the IP via the Firewall they obviously can't even contact my server, but they can use another IP and start over.

    A cPanel alert would have been useful, because I found out about this spammer only when I looked at the WHM Mail log.
     
  11. keat63

    keat63 Well-Known Member

    There's a CSF forum with a few custom regex rules, maybe there's something in there you could modify.
    A new rule based on traffic volumes or such like.
    Only trouble is, don't expect any help from that forum.
    You've more chance of having someone help with a custom regex on this forum.
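
Added example (not part of any post in this thread, and not cPanel or CSF code): a volume-based version of the /24 deny advice in post #5 and the traffic-volume rule suggested in post #11. It counts "No such user here" rejections per connecting IP and emits CSF deny-list lines; the log line layout, the function names and the threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample; this exim_mainlog line layout is an assumption.
SAMPLE_LOG = """\
2019-06-12 10:01:11 H=(mx.test) [185.222.211.10]:40112 F=<a@x.test> rejected RCPT <info@example.org>: No such user here
2019-06-12 10:01:11 H=(mx.test) [185.222.211.10]:40113 F=<a@x.test> rejected RCPT <sales@example.org>: No such user here
2019-06-12 10:02:11 H=(mx.test) [185.222.211.11]:51200 F=<b@x.test> rejected RCPT <admin@example.org>: No such user here
2019-06-12 10:03:11 H=([203.0.113.9]) [185.222.211.12]:33901 F=<c@x.test> rejected RCPT <joe@example.org>: No such user here
2019-06-12 10:04:02 H=(pc.test) [198.51.100.7]:49152 F=<d@y.test> rejected RCPT <jon@example.org>: No such user here
2019-06-12 10:05:30 1hbAbC-0001Xy-2Z <= e@z.test H=(ok.test) [192.0.2.20]:25000 P=esmtps S=2048
"""

# HELO text in H=(...) is sender-supplied; the client IP is the whitespace-preceded [addr].
REJECT_RE = re.compile(
    r"\s\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?\s.*rejected RCPT <[^>]*>:.*no such user here",
    re.IGNORECASE)


def rejected_sources(log_text):
    """Count unknown-recipient RCPT rejections per connecting IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            try:
                hits[ipaddress.ip_address(m.group("ip"))] += 1
            except ValueError:
                pass  # malformed address text: ignore the line
    return hits


def deny_entries(hits, threshold=3, note="do not delete"):
    """Build deny-list lines; several offenders in one /24 become one CIDR."""
    nets = {}
    for ip, n in hits.items():
        if ip.version == 4:  # /24 grouping applies to IPv4 only
            nets.setdefault(ipaddress.ip_network(f"{ip}/24", strict=False), {})[ip] = n
    lines = []
    for net, members in sorted(nets.items()):
        if sum(members.values()) >= threshold:
            target = net if len(members) > 1 else next(iter(members))
            lines.append(f"{target} # {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(deny_entries(rejected_sources(SAMPLE_LOG))))
```

A single sender that mistypes one address stays below the threshold and is not listed, so review the output before adding it to the deny list.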
     