
How to get Cpanel/Exim to reject email from bogus invalid hostnames?

Discussion in 'E-mail Discussions' started by eurorocco, Feb 12, 2014.

  1. eurorocco

    eurorocco Well-Known Member

    One user is getting spam from a distributed sender, from hundreds of different IPs, but the HELO hostnames are invalid. Here is one example...

    ------ In /var/log/exim_main.log one line...

    Code:
    2014-02-09 05:30:25 1WCSab-0003Fp-E0 <= spamtitle @ domain.com H=(0023f2f2.domain.com) [198.20.98.91]:39483 P=esmtp S=11354 id=74115235588074222160109 @ q4j3frgw9.domain.com T="Need Financing?" for XXX@YYYY
    
    ------ Then I check if the hostname is good, but it's not...
    
    # dig -x 0023f2f2.domain.com
    
    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> -x 0023f2f2.domain.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18758
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;com.domain.0023f2f2.in-addr.arpa. IN PTR
    
    ;; AUTHORITY SECTION:
    in-addr.arpa. 3192 IN SOA b.in-addr-servers.arpa. nstld.iana.org. 2014012551 1800 900 604800 3600
    
    ;; Query time: 20 msec
    ;; SERVER: A.B.C.D#53(A.B.C.D)
    ;; WHEN: Wed Feb 12 14:46:00 2014
    ;; MSG SIZE rcvd: 117
    
    #
    ------- How can I configure Cpanel/Exim to reject email coming from bogus invalid hostnames? I thought the default was to do this. Perhaps my mailserver is misconfigured, but I cannot find the specific option in "Mailserver configuration, Basic or Advanced" to do this.

    I see Sender Verification Callouts, which are a different thing and do cause some problems, so we have disabled them on purpose. I also have both RBLs on, but they're not filtering this particular spammer out.

    Your help is greatly appreciated!

    Thanks!

    ER
     
    #1 eurorocco, Feb 12, 2014
    Last edited by a moderator: Feb 12, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You can make sure the following options are enabled under "ACL Options" in "WHM Home » Service Configuration » Exim Configuration Manager":

    "Require HELO before MAIL"
    "Require RFC-compliant HELO"

    However, the "Sender Verification Callouts" option might be the best way to avoid emails like this. What issues do you experience with it enabled?

    Thank you.
     
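    The log line in the first post and the two ACL options named above make the distinction worth seeing in code: the spammer's HELO name `0023f2f2.domain.com` is syntactically valid, so an RFC-compliance check on HELO syntax alone passes it, and only a reverse-DNS check on the connecting IP shows the problem. The following is an added example, not code from the thread or from cPanel/Exim; the log line and the PTR/A tables are constructed so it runs offline, and the checks approximate RFC 5321 HELO syntax and forward-confirmed rDNS rather than Exim's exact ACL logic.

```python
import ipaddress
import re

# Constructed sample exim_mainlog arrival line, modelled on the one in the post
# (addresses anonymised); not a line from the original thread.
SAMPLE_LOG = ('2014-02-09 05:30:25 1WCSab-0003Fp-E0 <= spamtitle@domain.com '
              'H=(0023f2f2.domain.com) [198.20.98.91]:39483 P=esmtp S=11354 '
              'T="Need Financing?" for user@example.com')

# Exim logs H=(helo) [ip] when it has no verified rDNS name for the client,
# and H=rdns-name (helo) [ip] when the rDNS name differs from the HELO name.
ARRIVAL_RE = re.compile(
    r' <= \S+ H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]')
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')

# Constructed DNS tables standing in for real PTR/A lookups so the check runs offline.
CONSTRUCTED_PTR = {'203.0.113.10': ['mail.example.net']}
CONSTRUCTED_A = {'mail.example.net': ['203.0.113.10']}

def parse_arrival(line):
    """Extract rDNS name (if any), HELO name and client IP from an Exim '<=' line."""
    m = ARRIVAL_RE.search(line)
    return m.groupdict() if m else None

def helo_is_rfc_compliant(helo):
    """RFC 5321 syntax: an FQDN (letters, digits, hyphens; at least two labels)
    or an address literal such as [198.51.100.7] or [IPv6:2001:db8::1]."""
    if helo.startswith('[') and helo.endswith(']'):
        lit = helo[1:-1]
        lit = lit[5:] if lit.lower().startswith('ipv6:') else lit
        try:
            ipaddress.ip_address(lit)
            return True
        except ValueError:
            return False
    labels = helo.split('.')
    return len(helo) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

def fcrdns_ok(ip, ptr_lookup=CONSTRUCTED_PTR.get, a_lookup=CONSTRUCTED_A.get):
    """Forward-confirmed rDNS: some PTR name of ip must resolve back to ip."""
    return any(ip in (a_lookup(name) or []) for name in (ptr_lookup(ip) or []))

def assess(line):
    """Return the reasons a defender might flag this arrival (empty list = clean)."""
    rec = parse_arrival(line)
    if rec is None:
        return ['unparsed']
    findings = []
    if not helo_is_rfc_compliant(rec['helo']):
        findings.append('helo-syntax-invalid')
    if not fcrdns_ok(rec['ip']):
        findings.append('no-fcrdns')
    return findings
```

    Run against the sample line, `assess` reports only `no-fcrdns`: the HELO syntax check is satisfied, which is why the two HELO options alone do not stop this sender.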
  3. eurorocco

    eurorocco Well-Known Member

    Had the two options ON...
    "Require HELO before MAIL" ON
    "Require RFC-compliant HELO" ON

    Enabled "Sender Verification Callouts". Was off. Now ON.

    I'm trying to remember the exact situation that pushed us to disable "Sender Verification Callouts". Let me try this again.

    Thanks a lot for your help!

    ER
     
  4. sajanNOPPIX

    sajanNOPPIX Member

    Enabling Sender Verification Callouts can up your risk of being listed on RBLs. We also leave it off.
     
  5. eurorocco

    eurorocco Well-Known Member

    Thanks for the hint on the negative side-effect of enabling "Sender Verification".

    In /etc/exim.conf ... another thing I had to try was to uncomment

    #host_lookup = 0.0.0.0/0

    To get exim to check the incoming IP has a reverse-dns-lookup value.

    Thanks!

    ER
     
  6. serichards

    serichards Well-Known Member

    Why would it get you put on RBLs? It seems totally unfair that one of the most effective tools against the deluge of crud out there would get the person using it in trouble. Having that enabled stops about 90%+ of the spam I get.
     
  7. eurorocco

    eurorocco Well-Known Member

    Some email addresses are hooks or triggers of RBLs, so yes, there is a chance "full mailboxes" and "sender verification callouts" can have the server RBL-blocked. I did enable "sender verification callouts" though, and opted to take the risk. Something being unfair doesn't prevent it from happening, unfortunately. Probably the risk of getting blacklisted is higher if the antispam is less astringent, less strict, and bounces and passes through more spam. THANKS! ER
     
  8. serichards

    serichards Well-Known Member

    I did have issues with sender verify previously with I think google. I think they either blocked me from their dns or checking with them about their apparent senders as I was getting so much junk from gmail accounts. I just blacklisted all gmail addresses in the end.
     