The Community Forums


How to Handle Spoofing Bounces

Discussion in 'E-mail Discussions' started by slinky, Jun 1, 2008.

  1. slinky

    slinky Well-Known Member

    We have some very important email accounts that apparently someone has decided to use for spoofing a few local valid email addresses and sending spam to thousands of European and South American addresses. It results in roughly 68,000 bounced emails every day to each specific valid email address from domains stating that there is no such email address there, box full, etc. Obviously the spammer is using a list and using these email addresses as the "from" field. The email addresses on our server cannot be deleted to bounce these messages as they have too many important items connected and this won't necessarily solve the problem of emails being sent in our direction as a result of the spoofed address.

    There are a couple of things we could do, but I'm not sure how, or whether they are possible. I'm looking for suggestions in addition to what I've tried. (1) I'm thinking blocking email by originating country would be optimal, but I'm not sure if this is possible. (2) I tried entering filters: if the From or Subject equals "Undeliverable" (or other variations), then the emails should bounce or be discarded. Those filters don't seem to work. (3) There are tons of postmaster emails, and I'm not sure if bouncing those is a good idea, as the accounts won't get their own postmaster, and also whether you could have trouble as a result of bouncing email from other postmaster accounts back at them.

    I know this is not the first time it has happened and appreciate all assistance from those with experience.
     
    #1 slinky, Jun 1, 2008
    Last edited: Jun 1, 2008
  2. Amit Deshmukh

    Amit Deshmukh Well-Known Member

    Simple.

    Which mail server are you using?

    pico /etc/valiases/domain.com

    Or try it this way

    edit: /scripts/wwwacct
    find: *:
    remove: $user
    replace with: :blackhole:
    new line should read: *: :blackhole:
    Save & Close
    chattr +ai /scripts/wwwacct


    Your issue should be resolved.

    Regards,
    Amit
     
  3. Amit Deshmukh

    Amit Deshmukh Well-Known Member

    Hi

    Also, please let me know which mail server you are using, for further assistance.

    Regards,
    Amit
     
  4. slinky

    slinky Well-Known Member

    Amit, thanks for the reply. I'm not sure I understand how and why this resolves the issue. The problem is that the email addresses for all the bounces are valid. The spammer has used valid email addresses as the Return-Path address, which is where I'm nailed. This is what I see:

    1K2p35-0003XT-UZ-H
    mailnull 47 12
    <>
    1212332443 0
    -helo_name access.vtsnet.ru
    -host_address 81.27.48.143.46414
    -interface_address (MY HOST IP ADDRESS)
    -received_protocol esmtps
    -aclm 0 1
    1
    -aclm 1 7
    mycpanelaccountname
    -body_linecount 57
    -max_received_linelength 103
    -frozen 1212332451
    -host_lookup_failed
    -spam_score_int -23
    -tls_cipher TLSv1:AES256-SHA:256
    NY /dev/null:validname@mydomain.com
    NN validname@mydomain.com
    1
    validname@mydomain.com

    211P Received: from [81.27.48.143] (helo=access.vtsnet.ru)
    by my.nameserver.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.68)
    id 1K2p35-0003XT-UZ
    for validname@mydomain.com; Sun, 01 Jun 2008 11:00:28 -0400
    134P Received: from localhost (localhost)
    by access.vtsnet.ru (8.13.4/8.13.4/Debian-3) id m51F0gT9021310;
    Sun, 1 Jun 2008 19:00:42 +0400
    037 Date: Sun, 1 Jun 2008 19:00:42 +0400
    063F From: Mail Delivery Subsystem <MAILER-DAEMON@access.vtsnet.ru>
    059I Message-Id: <200806011500.m51F0gT9021310@access.vtsnet.ru>
    025T To: <validname@mydomain.com>
    018 MIME-Version: 1.0
    116 Content-Type: multipart/report; report-type=delivery-status;
    boundary="m51F0gT9021310.1212332442/access.vtsnet.ru"
    051 Subject: Returned mail: see transcript for details
    041 Auto-Submitted: auto-generated (failure)
    030 X-Spam-Status: No, score=-2.4
    018 X-Spam-Score: -23
    015 X-Spam-Bar: --
    016 X-Spam-Flag: NO


    1K2p35-0003XT-UZ-D
    This is a MIME-encapsulated message

    --m51F0gT9021310.1212332442/access.vtsnet.ru

    The original message was received at Sun, 1 Jun 2008 19:00:38 +0400
    from 89-109-63-104.dynamic.mts-nn.ru [89.109.63.104]

    ----- The following addresses had permanent fatal errors -----
    <1134962288.20041020093824@vtsnet.ru>
    (reason: 550 5.1.1 <1134962288.20041020093824@vtsnet.ru>... User unknown)

    ----- Transcript of session follows -----
    ... while talking to relay-1.vtsnet.ru.:
    >>> DATA
    <<< 550 5.1.1 <1134962288.20041020093824@vtsnet.ru>... User unknown
    550 5.1.1 <1134962288.20041020093824@vtsnet.ru>... User unknown
    <<< 503 5.0.0 Need RCPT (recipient)

    --m51F0gT9021310.1212332442/access.vtsnet.ru
    Content-Type: message/delivery-status

    Reporting-MTA: dns; access.vtsnet.ru
    Received-From-MTA: DNS; 89-109-63-104.dynamic.mts-nn.ru
    Arrival-Date: Sun, 1 Jun 2008 19:00:38 +0400

    Final-Recipient: RFC822; 1134962288.20041020093824@vtsnet.ru
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; relay-1.vtsnet.ru
    Diagnostic-Code: SMTP; 550 5.1.1 <1134962288.20041020093824@vtsnet.ru>... User unknown
    Last-Attempt-Date: Sun, 1 Jun 2008 19:00:42 +0400

    --m51F0gT9021310.1212332442/access.vtsnet.ru
    Content-Type: text/rfc822-headers

    Return-Path: <validname@mydomain.com>
    Received: from mx.mts-nn.ru (89-109-63-104.dynamic.mts-nn.ru [89.109.63.104])
    by access.vtsnet.ru (8.13.4/8.13.4/Debian-3) with ESMTP id m51F0bT9021291
    for <1134962288.20041020093824@vtsnet.ru>; Sun, 1 Jun 2008 19:00:38 +0400
    Message-Id: <200806011500.m51F0bT9021291@access.vtsnet.ru>
    Received: from [192.168.76.99] ([192.168.76.99]) by 89.109.63.104 with Microsoft SMTPSVC(6.0.3790.1830)
    1 Jun 2008 17:38:36 +0300
    From: =?windows-1251?B?w+Xt7eDk6OkgxOzo8vDo5eLo9w==?= <parfenova@mts-nn.ru>
    To: <1134962288.20041020093824@vtsnet.ru>
    Subject: =?windows-1251?B?Mu7uOOMuIC0gx+Dw7+vg8uAg4iDB5evz/g==?=
    Date: 1 Jun 2008 17:38:36 +0300
    MIME-Version: 1.0
    Content-Type: multipart/related;
    boundary="----=_NextPart_000_0007_01C8C3F8.0279B3FA"
    X-Priority: 3
    X-MimeOLE: Produced By Microsoft Exchange V6.5
    X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0274], KAS30/Release
    X-SpamTest-Info: Not protected
    X-Spam: Not detected

    --m51F0gT9021310.1212332442/access.vtsnet.ru--
     
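The filter tried in post #1 matched on the Subject line, which is why it both misses bounces and would eat ordinary mail that happens to say "Undeliverable". What actually distinguishes the bounce quoted in post #4 from a real one is the copy of the original message's headers inside it (the text/rfc822-headers part): a genuine bounce quotes headers that show the message passing through our own MTA, while a backscatter bounce quotes headers that never mention us, no matter what the forged Return-Path says. The following is an added example illustrating that check; it is not code from the thread, from cPanel or from Exim. The host and domain names (my.nameserver.com, mydomain.com, the example.net/example.org hosts and the 192.0.2.x/198.51.100.x/203.0.113.x addresses) are placeholders taken from the redacted post or reserved for documentation, and the sample bounces are constructed here, modelled on the one posted, not captured traffic.

```python
"""Tell genuine bounces from backscatter by reading the quoted original.

Added example for this thread, not code from cPanel, Exim or the posters.
Host and domain names are hypothetical placeholders (the thread's redacted
names plus documentation-reserved example domains); the sample messages
are constructed here, modelled on the bounce posted above.
"""
import email
import re
from email import policy
from email.message import Message
from typing import Optional

OUR_HOSTS = {"my.nameserver.com"}   # what our MTA writes after "by" in Received
OUR_DOMAINS = {"mydomain.com"}      # domain part of Message-Ids we generate
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
MSGID_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def is_dsn(msg: Message) -> bool:
    """Structural test (RFC 3464 report or Auto-Submitted), not a Subject match."""
    if msg.get_content_type() == "multipart/report":
        if str(msg.get_param("report-type", "")).lower() == "delivery-status":
            return True
    return "auto-generated" in str(msg.get("Auto-Submitted", "")).lower()


def embedded_original(msg: Message) -> Optional[Message]:
    """The copy of the original message (or just its headers) quoted in the DSN."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            raw = part.get_payload(decode=True) or b""
            return email.message_from_bytes(raw, policy=policy.default)
        if ctype == "message/rfc822":
            inner = part.get_payload()
            if isinstance(inner, list) and inner:
                return inner[0]
    return None


def touched_our_mta(orig: Message) -> bool:
    """Only the Received trail and Message-Id count; Return-Path is the forged bit."""
    for received in orig.get_all("Received", []):
        m = BY_HOST.search(str(received))
        if m and m.group(1).lower().rstrip(".") in OUR_HOSTS:
            return True
    m = MSGID_DOMAIN.search(str(orig.get("Message-Id", "")))
    return bool(m and m.group(1).lower() in OUR_DOMAINS)


def classify_bounce(raw: bytes) -> str:
    """not-a-bounce, unverifiable and genuine -> deliver; backscatter -> discard."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_dsn(msg):
        return "not-a-bounce"
    orig = embedded_original(msg)
    if orig is None:
        return "unverifiable"   # remote MTA quoted nothing; do not guess
    return "genuine" if touched_our_mta(orig) else "backscatter"


DSN_HEADERS = (  # constructed sample data, not captured traffic
    b"Return-Path: <>\n"
    b"From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>\n"
    b"Subject: Returned mail: see transcript for details\n"
    b"Auto-Submitted: auto-generated (failure)\n"
    b'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
)


def make_dsn(original_headers: Optional[bytes]) -> bytes:
    """Assemble a multipart/report DSN; None omits the quoted original entirely."""
    parts = [
        b"Content-Type: text/plain\n\n550 5.1.1 User unknown\n",
        b"Content-Type: message/delivery-status\n\nReporting-MTA: dns; mx.example.net\n\n"
        b"Final-Recipient: RFC822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n",
    ]
    if original_headers is not None:
        parts.append(b"Content-Type: text/rfc822-headers\n\n" + original_headers)
    return DSN_HEADERS + b"".join(b"\n--b1\n" + p for p in parts) + b"\n--b1--\n"


FORGED = make_dsn(      # Return-Path names us, but the trail never touches us
    b"Return-Path: <validname@mydomain.com>\n"
    b"Received: from host-203-0-113-99.example.net ([203.0.113.99])\n"
    b"\tby mx.example.net with ESMTP id m51F0bT9021291\n"
    b"\tfor <nobody@example.net>; Sun, 1 Jun 2008 19:00:38 +0400\n"
    b"Message-Id: <200806011500.m51F0bT9021291@mx.example.net>\n"
)
GENUINE = make_dsn(     # our MTA stamped it and minted the Message-Id
    b"Return-Path: <validname@mydomain.com>\n"
    b"Received: from [192.0.2.5] (helo=laptop)\n"
    b"\tby my.nameserver.com with esmtpsa (Exim 4.68) id 1K2p40-0003YY-AA\n"
    b"\tfor nobody@example.net; Sun, 01 Jun 2008 11:04:50 -0400\n"
    b"Message-Id: <20080601150450.GA4242@mydomain.com>\n"
)
PLAIN = (               # ordinary mail that a Subject filter would have eaten
    b"Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
    b"To: <validname@mydomain.com>\nSubject: Undeliverable parcel, please call\n\n"
    b"The courier says the parcel is undeliverable.\n"
)
```

Run as a delivery-time filter, `classify_bounce` would discard only messages that are structurally a delivery report and quote an original that never passed through our MTA; the posted bounce falls into that class, since its quoted headers run from a dynamic host to access.vtsnet.ru and its Message-Id was minted there. Two caveats a practitioner would want: some remote MTAs quote nothing (the "unverifiable" verdict), and those have to be delivered or quarantined rather than guessed at; and this only cleans up after the fact. The bounces stop at their source only when the remote MTAs reject the forgeries during the SMTP session, which is what publishing an SPF record for the spoofed domain (and, for outbound mail, tagging the envelope sender with BATV) is for.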
  5. Amit Deshmukh

    Amit Deshmukh Well-Known Member

    Hello

    Simply, check the # pico /etc/valiases/domain.com
    file and replace "fail" or "blackhole" with a valid email account on that domain.

    Then restart exim on server.

    Or this URL will help you: http://www.configserver.com/free/fail.html

    Let us know if you need any further assistance.

    Regards,
    Amit
     
  6. joand

    joand Registered

    I am having the same problem with one of my clients, and I also do not understand what the above solution is supposed to be doing (but I don't understand command-line processing at the best of times! I am really looking for a solution through cPanel or WHM). As with slinky, the bounced emails are coming to a valid email address, and the default for the domain is set to :fail:
     