How to stop this Spam mail ? [email protected]

C

claven177

Well-Known Member
Sep 3, 2003
61
0
156
Taipei
How to stop this Spam mail? To:[email protected] auto-generated e-mail nowhere to go

Over the past 10 days we are concerned about the security in exim.

Spammers have been successfully relaying messages as [email protected] and [email protected] to the CUSTOMERDOMAIN.COM

They are not using any authentication and Exim willing accepts the message.


Althought I have set all CUSTOMERDOMAIN.COM's mail box Default catch-all/default addressas as :fail: ,
but this spam mail reserved in Exim Mail Queue.


How to stop this Spam mail ?


I think when spamer send spam to this e-mail [email protected] (no this mail box)

from: [email protected]
To: [email protected]

but no such user here (To: [email protected])
my mail server [email protected] auto send a mail to [email protected]
to imform sender no such user here

therefore in exim mail queue, this auto-generated e-mail nowhere to go.

How to prevent this problem?



ex.
=========================================================
Code: 
1FkH8X-0005wD-Pl-H
mailnull 47 12
<>
1148806837 0
-ident mailnull
-received_protocol local
-body_linecount 27
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1148922040
-localerror
-manual_thaw
XX
1
[email][email protected][/email]

148P Received: from mailnull by p2006.xoomo.com with local (Exim 4.52)
	id 1FkH8X-0005wD-Pl
	for [email][email protected][/email]; Sun, 28 May 2006 17:00:37 +0800
045  X-Failed-Recipients: [email][email protected][/email]
031  Auto-Submitted: auto-generated
058F From: Mail Delivery System <[email protected]>
028T To: [email][email protected][/email]
059  Subject: Mail delivery failed: returning message to sender
047I Message-Id: <[email protected]>
038  Date: Sun, 28 May 2006 17:00:37 +0800

 
1FkH8X-0005wD-Pl-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email][email protected][/email]
    

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [211.227.141.214] (helo=66.55.23.83)
	by p2006.xoomo.com with smtp (Exim 4.52)
	id 1FkH8W-0005vz-P8
	for [email]p[email protected][/email]; Sun, 28 May 2006 17:00:37 +0800
To: [email][email protected][/email]

email advertise your web site to 8,000,000 people for free
[url]http://www.broadcastemailcorporation.org[/url]





this non-commercial offer is solely intended for non-commercial 
charities only.  press charity info option on site for details.
this email offer is not a commercial service for sale/lease/trade.
 
Last edited:
A

antec1981

Registered
Aug 20, 2003
2
0
151
In your exim.conf file configs find...

Code: 
begin acl
 
 
 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains

then chance it to be ....

Code: 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
require verify = sender

In thoery if the username does not exsist on the system it will deny the message. Problem being you might block legitmate email being sent "care of"
 
D

docenta

Well-Known Member
May 9, 2006
64
0
156
Hello in my .conf it is:


require verify = sender
accept domains = +local_domains


mean in different order is this a problem ?
 
T

tweakservers

Well-Known Member
Mar 30, 2006
379
0
166
the order does not matter. perhaps you may setup a filter to drop all emails by postmaster@ as the sender to your customerdomain.com
 
D

docenta

Well-Known Member
May 9, 2006
64
0
156
I have activated that postmaster and abuse to be accepted for all localdomains cause of www.dnsreport.com gives error. I have got this from one good post here. This seems cause some spam to pass the server but ...
 
C

claven177

Well-Known Member
Sep 3, 2003
61
0
156
Taipei
antec1981 said:
In your exim.conf file configs find...

Code: 
begin acl
 
 

 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains

then chance it to be ....

Code: 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
require verify = sender

In thoery if the username does not exsist on the system it will deny the message. Problem being you might block legitmate email being sent "care of"
Click to expand...



I already add require verify = sender (see below RED),
but get same problem.



Code: 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
[COLOR="red"]accept domains = +local_domains[/COLOR]
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost \
is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = dnsbl.njabl.org : \
bl.spamcop.net : \
cblless.anti-spam.org.cn : \
sbl.spamhaus.org : \
list.dsbl.org : \ 
cbl.abuseat.org : \
relays.ordb.org
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist 
#**#
#**# RBL List End
#**# 




  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  #if it gets here it isn't mailman
                                                                                                                                           
  #sender verifications are required for all messages that are not sent to lists
                                                                                                                                           
  [COLOR="Red"]require verify = sender/callout[/COLOR]
  accept  domains = +local_domains

#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#

  endpass
                                                                                                                                           
  #recipient verifications are required for all messages that are not sent to the local machine
  #this was done at multiple users requests
                                                                                                                                           
  message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid."
  verify = recipient
                                                                                                                                           
  accept  domains = +relay_domains

  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
        hosts = +relay_hosts
  accept  hosts = +relay_hosts
                                                                                
  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
        condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
#  Enabling this will make the server non-rfc compliant
#  require verify = header_sender
  accept
 
C

claven177

Well-Known Member
Sep 3, 2003
61
0
156
Taipei
forlinuxsupport said:
Hi

Are you sure CUSTOMERDOMAIN.COM is not in your spam whitelist.

I had that problem, so anyone pretending to send me email from my own domain would come through.

cheers
andy
Click to expand...

thanks

I am sure CUSTOMERDOMAIN.COM is not in my spam whitelist, because I did not add any domain to /etc/rblwhitelist.

another,

Code: 
WHM >Server Configuration>Mail>Default catch-all/default address behavior for new accounts. 
(1)localuser(2)blackhole(3)fail ,fail will generally save the most CPU time.
and I have manual set catch-all/default address as :fail:no such user here for all acoounts.


I think when spamer send spam to this e-mail [email protected] (no this mail box)

from: [email protected]
To: [email protected]

but no such user here (To: [email protected])
my mail server [email protected] auto send a mail to [email protected]
to imform sender no such user here

therefore in exim mail queue, this auto-generated e-mail nowhere to go.
 
Last edited:
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
S How can I stop my account from sending spam emails? Email 3
T How to stop "hotmail" spam in my inbox? Email 3
A How to stop Spam emails in the inbox Email 2
cPanelMichael Incoming email stops working after v76 upgrade when using third-party Anti-spam DNSBL plugin Email 0
Mauritz Stop sendmail spam Email 2
Similar threads
How can I stop my account from sending spam emails?
How to stop "hotmail" spam in my inbox?
How to stop Spam emails in the inbox
Incoming email stops working after v76 upgrade when using third-party Anti-spam DNSBL plugin
Stop sendmail spam
Top Bottom