claven177

Well-Known Member
Sep 3, 2003
61
0
156
Taipei
How to stop this Spam mail? To:[email protected] auto-generated e-mail nowhere to go

Over the past 10 days we are concerned about the security in exim.

Spammers have been successfully relaying messages as [email protected] and [email protected] to the CUSTOMERDOMAIN.COM

They are not using any authentication and Exim willing accepts the message.


Althought I have set all CUSTOMERDOMAIN.COM's mail box Default catch-all/default addressas as :fail: ,
but this spam mail reserved in Exim Mail Queue.


How to stop this Spam mail ?


I think when spamer send spam to this e-mail [email protected] (no this mail box)

from: [email protected]
To: [email protected]

but no such user here (To: [email protected])
my mail server [email protected] auto send a mail to [email protected]
to imform sender no such user here


therefore in exim mail queue, this auto-generated e-mail nowhere to go.

How to prevent this problem?



ex.
=========================================================
Code:
1FkH8X-0005wD-Pl-H
mailnull 47 12
<>
1148806837 0
-ident mailnull
-received_protocol local
-body_linecount 27
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1148922040
-localerror
-manual_thaw
XX
1
[email][email protected][/email]

148P Received: from mailnull by p2006.xoomo.com with local (Exim 4.52)
	id 1FkH8X-0005wD-Pl
	for [email][email protected][/email]; Sun, 28 May 2006 17:00:37 +0800
045  X-Failed-Recipients: [email][email protected][/email]
031  Auto-Submitted: auto-generated
058F From: Mail Delivery System <[email protected]>
028T To: [email][email protected][/email]
059  Subject: Mail delivery failed: returning message to sender
047I Message-Id: <[email protected]>
038  Date: Sun, 28 May 2006 17:00:37 +0800

 
1FkH8X-0005wD-Pl-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email][email protected][/email]
    

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [211.227.141.214] (helo=66.55.23.83)
	by p2006.xoomo.com with smtp (Exim 4.52)
	id 1FkH8W-0005vz-P8
	for [email][email protected][/email]; Sun, 28 May 2006 17:00:37 +0800
To: [email][email protected][/email]

email advertise your web site to 8,000,000 people for free
[url]http://www.broadcastemailcorporation.org[/url]





this non-commercial offer is solely intended for non-commercial 
charities only.  press charity info option on site for details.
this email offer is not a commercial service for sale/lease/trade.
 
Last edited:

antec1981

Registered
Aug 20, 2003
2
0
151
In your exim.conf file configs find...

Code:
begin acl
 
 
 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains

then chance it to be ....

Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
require verify = sender

In thoery if the username does not exsist on the system it will deny the message. Problem being you might block legitmate email being sent "care of"
 

docenta

Well-Known Member
May 9, 2006
64
0
156
Hello in my .conf it is:


require verify = sender
accept domains = +local_domains


mean in different order is this a problem ?
 

tweakservers

Well-Known Member
Mar 30, 2006
379
0
166
the order does not matter. perhaps you may setup a filter to drop all emails by [email protected] as the sender to your customerdomain.com
 

docenta

Well-Known Member
May 9, 2006
64
0
156
I have activated that postmaster and abuse to be accepted for all localdomains cause of www.dnsreport.com gives error. I have got this from one good post here. This seems cause some spam to pass the server but ...
 

claven177

Well-Known Member
Sep 3, 2003
61
0
156
Taipei
antec1981 said:
In your exim.conf file configs find...

Code:
begin acl
 
 

 
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains

then chance it to be ....

Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
require verify = sender

In thoery if the username does not exsist on the system it will deny the message. Problem being you might block legitmate email being sent "care of"



I already add require verify = sender (see below RED),
but get same problem.



Code:
#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
[COLOR="red"]accept domains = +local_domains[/COLOR]
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost \
is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = dnsbl.njabl.org : \
bl.spamcop.net : \
cblless.anti-spam.org.cn : \
sbl.spamhaus.org : \
list.dsbl.org : \ 
cbl.abuseat.org : \
relays.ordb.org
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist 
#**#
#**# RBL List End
#**# 




  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  #if it gets here it isn't mailman
                                                                                                                                           
  #sender verifications are required for all messages that are not sent to lists
                                                                                                                                           
  [COLOR="Red"]require verify = sender/callout[/COLOR]
  accept  domains = +local_domains

#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#

  endpass
                                                                                                                                           
  #recipient verifications are required for all messages that are not sent to the local machine
  #this was done at multiple users requests
                                                                                                                                           
  message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid."
  verify = recipient
                                                                                                                                           
  accept  domains = +relay_domains

  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
        hosts = +relay_hosts
  accept  hosts = +relay_hosts
                                                                                
  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
        condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
#  Enabling this will make the server non-rfc compliant
#  require verify = header_sender
  accept
 

claven177

Well-Known Member
Sep 3, 2003
61
0
156
Taipei
forlinuxsupport said:
Hi

Are you sure CUSTOMERDOMAIN.COM is not in your spam whitelist.

I had that problem, so anyone pretending to send me email from my own domain would come through.

cheers
andy

thanks

I am sure CUSTOMERDOMAIN.COM is not in my spam whitelist, because I did not add any domain to /etc/rblwhitelist.

another,

Code:
WHM >Server Configuration>Mail>Default catch-all/default address behavior for new accounts. 
(1)localuser(2)blackhole(3)fail ,fail will generally save the most CPU time.
and I have manual set catch-all/default address as :fail:no such user here for all acoounts.


I think when spamer send spam to this e-mail [email protected] (no this mail box)

from: [email protected]
To: [email protected]

but no such user here (To: [email protected])
my mail server [email protected] auto send a mail to [email protected]
to imform sender no such user here

therefore in exim mail queue, this auto-generated e-mail nowhere to go.
 
Last edited: