How to block hundreds of incoming mails to not existing accounts

Gino Viroli

Well-Known Member
Oct 2, 2007
97
10
58
cPanel Access Level
Root Administrator
I'm receiving hundreds of incoming mails to not existing accounts.

My WHM/EXIM mail server replies "No such user here" which is correct.

All these incoming mail are obvioulsy spam attempts. They are annoying because they fill pages and pages of my "WHM > Email > Mail Delivery Reports" log, see screenshot.

Is there a way to block this kind of junk at firewall level or at mail server level ?
I would like to keep my Mail Delivery Reports log as clean as possible.

Capture.PNG
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
you could start by adding a number of custom blacklists in exim config.
I use these. (attached)

You could also potentially blacklist them in CSF firewall if:

1. you have CSF installed
2. The IP's are the same or fall within a class C.
 

Attachments

  • Like
Reactions: Gino Viroli

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
Actually, I have something very similar going on.
I checked over 500 IP's and there is little to no pattern going on in there.

The only difference between what you posted and what's going on on mine is my RBL's are blocking most of them and any that get through go in to a black hole.

Look at the time stamps and notice the pattern.
Mine are coming at 11 seconds past every minute, with sometimes as many as 6 each time.
 
Last edited:

Gino Viroli

Well-Known Member
Oct 2, 2007
97
10
58
cPanel Access Level
Root Administrator
The IP sending these mails are:

185.222.211.10
185.222.211.11
185.222.211.12

The fun part is they are all listed in SPAMHAUS SBL, that is turned on in my "WHM > Service Configuration > Exim Configuration Manager > Manage Custom RBLs" but apparently EXIM does not reject them.
Capture.PNG
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
Yours is an easy fix.
Add 185.222.211.0/24 to your CSF deny IP list.
if they come back when the list has rotated add: '# do not delete' to the end.

Mine is looking impossible but i have a plan.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello @Gino Viroli,

Do you mind opening a support ticket so we can take a closer look at your server? While I don't see anything in your post to indicate the emails sent to your server were an attempt to exploit your server (see Exim CVE-2019-10149), our Technical Analysts can take a closer look to confirm that's the case. You can post the ticket number here once it's opened and I'll link this thread to it.

Thank you.
 

Gino Viroli

Well-Known Member
Oct 2, 2007
97
10
58
cPanel Access Level
Root Administrator
Hello @Gino Viroli,

Do you mind opening a support ticket so we can take a closer look at your server? While I don't see anything in your post to indicate the emails sent to your server were an attempt to exploit your server (see Exim CVE-2019-10149), our Technical Analysts can take a closer look to confirm that's the case. You can post the ticket number here once it's opened and I'll link this thread to it.

Thank you.
"Your Support Request ID is: 12571987"

FYI:
# rpm -q exim
exim-4.92-1.cp1178.x86_64
 
  • Like
Reactions: cPanelMichael

Gino Viroli

Well-Known Member
Oct 2, 2007
97
10
58
cPanel Access Level
Root Administrator
do you have CSF firewall installed ?
Yes, why?
I have already blocked the IPs that send these junk messages, I just thought the mail server would understand that is extreme junk and reject it without even logging it. I was wrong, it rejects it, but it still logs it filling pages of log. :-D

Now that I banned the IP via the Firewall they obviously can't even contact my server, but they can use another IP and start over.

It would have been useful a cPanel alert, because I found out about this spammer only when I looked at the WHM Mail log.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
There's a CSF forum with a few custom regex rules, maybe there's something in there you could modify.
A new rule based on traffic volumes or such like.
Only trouble is, don't expect any help from that forum.
You've more chance of having someone help with a custom regex on this forum.
 

kamello

Registered
Aug 8, 2019
4
2
3
Santiago
cPanel Access Level
Root Administrator
Have the same problem... the ips changes and its difficult to block this kind of attack. I think we need to make some filter like: <<if an ip send more than x mails to unexistent mail users, make an automatic block.>> If somebody knows how to do it, please help us. Thanks in advance!