How to get Cpanel/Exim to reject email from bogus invalid hostnames?

eurorocco

Well-Known Member
One user is getting spam from a distributed sender, from hundreds of different IPs, but the HELO hostnames are invalid. Here is one example...

------ In /var/log/exim_main.log one line...

Code:
2014-02-09 05:30:25 1WCSab-0003Fp-E0 <= spamtitle @ domain.com H=(0023f2f2.domain.com) [198.20.98.91]:39483 P=esmtp S=11354 id=74115235588074222160109 @ q4j3frgw9.domain.com T="Need Financing?" for [email protected]

------ Then I check if the hostname is good, but it's not...

# dig -x 0023f2f2.domain.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> -x 0023f2f2.domain.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18758
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;com.domain.0023f2f2.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
in-addr.arpa. 3192 IN SOA b.in-addr-servers.arpa. nstld.iana.org. 2014012551 1800 900 604800 3600

;; Query time: 20 msec
;; SERVER: A.B.C.D#53(A.B.C.D)
;; WHEN: Wed Feb 12 14:46:00 2014
;; MSG SIZE rcvd: 117

#
------- How can I configure Cpanel/Exim to reject email coming from bogus invalid hostnames? I thought the default was to do this. Perhaps my mailserver is misconfigured, but I cannot find the specific option in "Mailserver configuration, Basic or Advanced" to do this.

I see Sender Verification Callouts, which are a different thing and do cause some problems, so we have disabled them on purpose. I also have both RBLs on, but they're not filtering this particular spammer out.

Your help is greatly appreciated!

Thanks!

ER

cPanelMichael

Administrator
Staff member
Hello :)

You can make sure the following options are enabled under "ACL Options" in "WHM Home » Service Configuration » Exim Configuration Manager":

"Require HELO before MAIL"
"Require RFC-compliant HELO"

However, the "Sender Verification Callouts" option might be the best way to avoid emails like this. What issues do you experience with it enabled?

Thank you.
 

eurorocco

Well-Known Member
Had the two options ON...
"Require HELO before MAIL" ON
"Require RFC-compliant HELO" ON

Enabled "Sender Verification Callouts". Was off. Now ON.

I'm trying to remember the exact situation that pushed us to disable "Sender Verification Callouts". Let me try this again.

Thanks a lot for your help!

ER
 

eurorocco

Well-Known Member
Thanks for the hint on the negative side-effect of enabling "Sender Verification".

In /etc/exim.conf ... another thing I had to try was to uncomment

Code:
#host_lookup = 0.0.0.0/0

to get Exim to check that the incoming IP has a reverse-DNS-lookup value.

Thanks!

ER
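For reference, here is what the two WHM toggles cPanelMichael named, plus the reverse-DNS check enabled by host_lookup in the post above, look like at the Exim ACL level. This is an added illustrative fragment for a stock Exim 4; it is not cPanel's generated configuration and not code from this thread. The ACL name acl_check_mail and the acl_smtp_mail binding are assumptions for the example; on a cPanel server /etc/exim.conf is regenerated from templates, so statements like these belong in the Exim Configuration Manager's Advanced Editor custom ACL sections rather than in a hand-edited file. The important point for the case in the first post is that 0023f2f2.domain.com is a syntactically valid hostname, so "Require RFC-compliant HELO" and Exim's built-in HELO syntax check let it through; only a DNS-based check (verify = helo, or reverse DNS of the client IP) can catch it.

```exim
# --- main configuration section ---

# Reverse-resolve every client IP (the option uncommented in the post above,
# written with Exim's wildcard). Without it $sender_host_name stays empty and
# the reverse_host_lookup check below has nothing to work with.
host_lookup = *

# Exim already rejects HELO arguments with illegal characters (controlled by
# helo_accept_junk_hosts / helo_allow_chars); the ACL below is stricter.

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Never apply these checks to authenticated users: roaming clients behind
  # NAT routinely send bare-IP or unresolvable HELOs.
  accept  authenticated = *

  # "Require HELO before MAIL": no HELO/EHLO seen on this connection.
  deny    message   = HELO/EHLO required before MAIL FROM
          condition = ${if eq{$sender_helo_name}{}}

  # "Require RFC-compliant HELO": a dotted hostname with RFC 5321 label
  # syntax (at least one dot) or an IPv4 address literal in brackets.
  deny    message   = HELO/EHLO argument "$sender_helo_name" is not a valid hostname or address literal
         !condition = ${if match{$sender_helo_name}{\N^(\[(\d{1,3}\.){3}\d{1,3}\]|[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+)$\N}}

  # A remote client claiming to be this server's own hostname is lying.
  deny    message   = HELO/EHLO argument forges our hostname
          condition = ${if eq{$sender_helo_name}{$primary_hostname}}

  # The case in the original post: a well-formed HELO name that does not
  # exist in DNS. verify = helo does the lookup on demand. Start as warn
  # (log only), then change to deny once the log shows no legitimate senders.
  warn   !verify     = helo
          log_message = HELO $sender_helo_name from [$sender_host_address] does not verify

  # Client IP has no PTR, or the PTR name does not resolve back to the IP
  # (forward-confirmed reverse DNS). defer_ok treats a DNS timeout as a pass
  # so a slow resolver does not reject legitimate mail.
  deny    message   = [$sender_host_address] has no valid reverse DNS
         !verify    = reverse_host_lookup/defer_ok

  accept
```

Before turning any of these into a deny, look at what the conditions will see for a given log line: the PTR is queried with `dig +short -x 198.20.98.91` and the forward record of the HELO name with `dig +short 0023f2f2.domain.com A`. `dig -x` expects an IP address, which is why running it on the hostname in the first post produced a query for `com.domain.0023f2f2.in-addr.arpa.` and an NXDOMAIN that says nothing about the host. Expect some false positives from the reverse-DNS rule: a fair number of legitimate small mail servers have no PTR or a PTR that does not round-trip, so scope it with hosts lists or keep it as a warn feeding a score if that matters for your users.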
 

serichards

Well-Known Member
> Enabling Sender Verification Callouts can up your risk of being listed on RBLs. We also leave it off.

Why would it get you put on RBLs? It seems totally unfair that one of the most effective tools against the deluge of crud out there would get the person using it in trouble. Having that enabled stops about 90%+ of the spam I get.
 

eurorocco

Well-Known Member
Some email addresses are hooks or triggers of RBLs, so yes, there is a chance "full mailboxes" and "sender verification callouts" can have the server RBL-blocked. I did enable "sender verification callouts" though, and opted to take the risk. Something being unfair doesn't prevent it from happening, unfortunately. Probably the risk of getting blacklisted is higher if the antispam is less astringent, less strict, and bounces and passes through more spam.

THANKS!

ER
 

serichards

Well-Known Member
I did have issues with sender verify previously with, I think, Google. I think they either blocked me from their DNS or from checking with them about their apparent senders, as I was getting so much junk from Gmail accounts. I just blacklisted all Gmail addresses in the end.