The Community Forums


How to stop this spam mail? postmaster@xxx.com

Discussion in 'E-mail Discussions' started by claven177, May 29, 2006.

  1. claven177 (Well-Known Member, joined Sep 3, 2003, location: Taipei)
    How to stop this spam mail? To: postmaster@xxx.com, auto-generated e-mail with nowhere to go

    Over the past 10 days we have been concerned about the security of Exim.

    Spammers have been successfully relaying messages as postmaster@CUSTOMERDOMAIN.COM and postmaster@CUSTOMERDOMAIN.COM to CUSTOMERDOMAIN.COM.

    They are not using any authentication, and Exim willingly accepts the message.


    Although I have set the default catch-all/default address of all CUSTOMERDOMAIN.COM mailboxes to :fail:,
    this spam mail remains in the Exim mail queue.


    How do I stop this spam mail?


    I think that when a spammer sends spam to this e-mail address, postmaster@mmmtravel.com (there is no such mailbox):

    From: postmaster@mmmtravel.com
    To: postmaster@mmmtravel.com

    since there is no such user here (To: postmaster@mmmtravel.com),
    my mail server Mailer-Daemon@p2006.xoomo.com automatically sends a mail to postmaster@mmmtravel.com
    to inform the sender that there is no such user here.


    Therefore this auto-generated e-mail sits in the Exim mail queue with nowhere to go.

    How can I prevent this problem?



    Example:
    =========================================================
    Code:
    1FkH8X-0005wD-Pl-H
    mailnull 47 12
    <>
    1148806837 0
    -ident mailnull
    -received_protocol local
    -body_linecount 27
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1148922040
    -localerror
    -manual_thaw
    XX
    1
    postmaster@mmmtravel.com

    148P Received: from mailnull by p2006.xoomo.com with local (Exim 4.52)
    	id 1FkH8X-0005wD-Pl
    	for postmaster@mmmtravel.com; Sun, 28 May 2006 17:00:37 +0800
    045  X-Failed-Recipients: postmaster@mmmtravel.com
    031  Auto-Submitted: auto-generated
    058F From: Mail Delivery System <Mailer-Daemon@p2006.xoomo.com>
    028T To: postmaster@mmmtravel.com
    059  Subject: Mail delivery failed: returning message to sender
    047I Message-Id: <E1FkH8X-0005wD-Pl@p2006.xoomo.com>
    038  Date: Sun, 28 May 2006 17:00:37 +0800

    1FkH8X-0005wD-Pl-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

      postmaster@mmmtravel.com

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <postmaster@mmmtravel.com>
    Received: from [211.227.141.214] (helo=66.55.23.83)
    	by p2006.xoomo.com with smtp (Exim 4.52)
    	id 1FkH8W-0005vz-P8
    	for postmaster@mmmtravel.com; Sun, 28 May 2006 17:00:37 +0800
    To: postmaster@mmmtravel.com

    email advertise your web site to 8,000,000 people for free
    http://www.broadcastemailcorporation.org

    this non-commercial offer is solely intended for non-commercial
    charities only.  press charity info option on site for details.
    this email offer is not a commercial service for sale/lease/trade.

    #1 claven177, May 29, 2006
    Last edited: Jun 2, 2006
  2. antec1981 (Registered, joined Aug 20, 2003)

    In your exim.conf file, find...

    Code:
    begin acl
     
     
     
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    #**#
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    accept domains = +local_domains

    then change it to...

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    #**#
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    accept domains = +local_domains
    require verify = sender 

    In theory, if the username does not exist on the system it will deny the message. The problem being that you might block legitimate email being sent "care of".
     
  3. docenta (Well-Known Member, joined May 9, 2006)

    Hello, in my .conf it is:


    require verify = sender
    accept domains = +local_domains


    meaning it is in a different order; is this a problem?
     
  4. tweakservers (Well-Known Member, joined Mar 30, 2006)

    The order does not matter. Perhaps you could set up a filter to drop all emails with postmaster@ as the sender to your customerdomain.com.
     
  5. docenta (Well-Known Member, joined May 9, 2006)

    I have activated postmaster and abuse to be accepted for all local domains, because www.dnsreport.com gives an error otherwise. I got this from one good post here. This seems to cause some spam to pass through the server, but ...
     
  6. forlinuxsupport (Well-Known Member, PartnerNOC, joined Dec 22, 2004, cPanel Access Level: Root Administrator)

    Hi,

    Are you sure CUSTOMERDOMAIN.COM is not in your spam whitelist?

    I had that problem, so anyone pretending to send me email from my own domain would come through.

    cheers
    andy
     
  7. claven177 (Well-Known Member, joined Sep 3, 2003, location: Taipei)

    I have already added require verify = sender (see below, marked in red),
    but I get the same problem.



    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
    #**#
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    # [marked in red in the original post]
    accept domains = +local_domains
    local_parts = postmaster:abuse
    #
    # Check sending hosts against DNS black lists.
    # Accept all locally generated messages
    # Reject message if address listed in blacklist.
    deny message = Message rejected because $sender_fullhost \
    is blacklisted at $dnslist_domain see $dnslist_text
    !hosts = +relay_hosts
    !authenticated = *
    dnslists = dnsbl.njabl.org : \
    bl.spamcop.net : \
    cblless.anti-spam.org.cn : \
    sbl.spamhaus.org : \
    list.dsbl.org : \
    cbl.abuseat.org : \
    relays.ordb.org
    # RBL Bypass Local Domain List
    !domains = +rbl_bypass
    # RBL Whitelist incoming hosts
    !hosts = +rbl_whitelist 
    #**#
    #**# RBL List End
    #**# 
    
    
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman

      #sender verifications are required for all messages that are not sent to lists

      # [marked in red in the original post]
      require verify = sender/callout
      accept  domains = +local_domains
    
    #**#
    #**# Reject Email to Invalid Recipient
    #**#
    endpass
    message = unknown user
    verify = recipient
    #**#
    
      endpass

      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests

      message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid."
      verify = recipient

      accept  domains = +relay_domains
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
    #  Enabling this will make the server non-rfc compliant
    #  require verify = header_sender
      accept
     
  8. claven177 (Well-Known Member, joined Sep 3, 2003, location: Taipei)

    Thanks.

    I am sure CUSTOMERDOMAIN.COM is not in my spam whitelist, because I did not add any domain to /etc/rblwhitelist.

    Another thing:

    Code:
    WHM > Server Configuration > Mail > Default catch-all/default address behavior for new accounts.
    (1) localuser (2) blackhole (3) fail; fail will generally save the most CPU time.

    And I have manually set the catch-all/default address to :fail:no such user here for all accounts.


    I think that when a spammer sends spam to this e-mail address, postmaster@mmmtravel.com (there is no such mailbox):

    From: postmaster@mmmtravel.com
    To: postmaster@mmmtravel.com

    since there is no such user here (To: postmaster@mmmtravel.com),
    my mail server Mailer-Daemon@p2006.xoomo.com automatically sends a mail to postmaster@mmmtravel.com
    to inform the sender that there is no such user here.

    Therefore this auto-generated e-mail sits in the Exim mail queue with nowhere to go.
     
    #8 claven177, Jun 2, 2006
    Last edited: Jun 2, 2006
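The queue symptom claven177 describes in posts #1 and #8 (Exim generates a bounce to a forged postmaster@ sender in a domain the server itself hosts, the bounce cannot be delivered either, and the message freezes) can be spotted directly in the spool header files whose format is quoted in post #1. The following is an added example, not code from the thread or from cPanel: it parses the Exim 4 -H spool format and flags entries matching that pattern, using a constructed sample modelled on the quoted queue entry and an assumed set of locally hosted domains.

```python
import re
# Constructed sample, modelled on the frozen queue entry quoted in the thread:
# an Exim-generated bounce (null sender <>) addressed to postmaster@ of a hosted domain.
SAMPLE_SPOOL = """1FkH8X-0005wD-Pl-H
mailnull 47 12
<>
1148806837 0
-frozen 1148922040
-localerror
XX
1
postmaster@mmmtravel.com

148P Received: from mailnull by p2006.xoomo.com with local (Exim 4.52)
\tfor postmaster@mmmtravel.com; Sun, 28 May 2006 17:00:37 +0800
045  X-Failed-Recipients: postmaster@mmmtravel.com
028T To: postmaster@mmmtravel.com
"""

def parse_spool_header(text):   # Exim 4 -H spool file -> envelope fields and message headers
    lines = text.splitlines()
    msg = {"id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
           "sender": lines[2].strip()[1:-1],     # "<addr>" -> "addr"; the null sender <> -> ""
           "frozen": False, "local_error": False, "recipients": [], "headers": {}}
    i = 4
    while lines[i].startswith("-"):              # option lines such as "-frozen <time>"
        opt = lines[i].split()[0]
        msg["frozen"] |= opt == "-frozen"
        msg["local_error"] |= opt == "-localerror"   # bounce generated by this host itself
        i += 1
    i += 1                                       # skip the non-recipients tree line ("XX")
    count = int(lines[i])
    msg["recipients"] = [lines[i + 1 + k].split()[0] for k in range(count)]
    name = None
    for line in lines[i + 1 + count:]:           # "NNNF Name: value"; continuations start with TAB/space
        m = re.match(r"^\d{3}[A-Z* ] ([^:]+):\s*(.*)$", line)
        if m:
            name = m.group(1)
            msg["headers"].setdefault(name, m.group(2))
        elif name and line[:1] in (" ", "\t"):
            msg["headers"][name] += " " + line.strip()
    return msg

def is_postmaster_backscatter(msg, local_domains):
    """Frozen bounce whose every recipient is postmaster@/abuse@ of a hosted domain:
    a bounce to a forged sender with nowhere to go, the symptom described in the thread."""
    return msg["sender"] == "" and msg["frozen"] and bool(msg["recipients"]) and all(
        r.rpartition("@")[0].lower() in ("postmaster", "abuse")
        and r.rpartition("@")[2].lower() in local_domains for r in msg["recipients"])
```

To scan a live queue, feed each *-H file from the Exim spool input directory (typically /var/spool/exim/input) to parse_spool_header and compare the flagged ids with the output of exim -bp.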