How to block hundreds of incoming mails to not existing accounts

[Gino Viroli]

I'm receiving hundreds of incoming mails to not existing accounts.

My WHM/EXIM mail server replies "No such user here" which is correct.

All these incoming mail are obvioulsy spam attempts. They are annoying because they fill pages and pages of my "WHM > Email > Mail Delivery Reports" log, see screenshot.

Is there a way to block this kind of junk at firewall level or at mail server level ?
I would like to keep my Mail Delivery Reports log as clean as possible.

 

[keat63]

you could start by adding a number of custom blacklists in exim config.
I use these. (attached)

You could also potentially blacklist them in CSF firewall if:

1. you have CSF installed
2. The IP's are the same or fall within a class C.

 

[keat63]

Actually, I have something very similar going on.
I checked over 500 IP's and there is little to no pattern going on in there.

The only difference between what you posted and what's going on on mine is my RBL's are blocking most of them and any that get through go in to a black hole.

Look at the time stamps and notice the pattern.
Mine are coming at 11 seconds past every minute, with sometimes as many as 6 each time.

 

[Gino Viroli]

The IP sending these mails are:

185.222.211.10
185.222.211.11
185.222.211.12

The fun part is they are all listed in SPAMHAUS SBL, that is turned on in my "WHM > Service Configuration > Exim Configuration Manager > Manage Custom RBLs" but apparently EXIM does not reject them.

 

[keat63]

Yours is an easy fix.
Add 185.222.211.0/24 to your CSF deny IP list.
if they come back when the list has rotated add: '# do not delete' to the end.

Mine is looking impossible but i have a plan.

 

[cPanelMichael]

Hello @Gino Viroli,

Do you mind opening a support ticket so we can take a closer look at your server? While I don't see anything in your post to indicate the emails sent to your server were an attempt to exploit your server (see Exim CVE-2019-10149), our Technical Analysts can take a closer look to confirm that's the case. You can post the ticket number here once it's opened and I'll link this thread to it.

Thank you.

 

[Gino Viroli]

Hello @Gino Viroli,

Do you mind opening a support ticket so we can take a closer look at your server? While I don't see anything in your post to indicate the emails sent to your server were an attempt to exploit your server (see Exim CVE-2019-10149), our Technical Analysts can take a closer look to confirm that's the case. You can post the ticket number here once it's opened and I'll link this thread to it.

Thank you.

"Your Support Request ID is: 12571987"

FYI:
# rpm -q exim
exim-4.92-1.cp1178.x86_64

 

[Gino Viroli]

The

"Your Support Request ID is: 12571987"

FYI:
# rpm -q exim
exim-4.92-1.cp1178.x86_64

They told me server is fine and safe.

 

[keat63]

do you have CSF firewall installed ?

 

[Gino Viroli]

do you have CSF firewall installed ?

Yes, why?
I have already blocked the IPs that send these junk messages, I just thought the mail server would understand that is extreme junk and reject it without even logging it. I was wrong, it rejects it, but it still logs it filling pages of log.

Now that I banned the IP via the Firewall they obviously can't even contact my server, but they can use another IP and start over.

It would have been useful a cPanel alert, because I found out about this spammer only when I looked at the WHM Mail log.

 

[keat63]

There's a CSF forum with a few custom regex rules, maybe there's something in there you could modify.
A new rule based on traffic volumes or such like.
Only trouble is, don't expect any help from that forum.
You've more chance of having someone help with a custom regex on this forum.

 

[kamello]

Have the same problem... the ips changes and its difficult to block this kind of attack. I think we need to make some filter like: <<if an ip send more than x mails to unexistent mail users, make an automatic block.>> If somebody knows how to do it, please help us. Thanks in advance!