Mailbombing with fake mail

rsutc

Well-Known Member
Oct 8, 2002
85
0
156
I use MailScanner with the ConfigServer front end. Accounts are set up with a default mail address of :fail:
Yet someone with a lot of IP addresses is mailbombing an account on my box with thousands of emails addressed to nonexistent mailboxes on that account and the mail is not being :fail:ed (rejected) but accepted, not scanned, and bounced. Since the return addresses are mostly gmail accounts (which also don't exist) gmail rejects it as spam and blocks my server.

I have examined the settings carefully and cannot see how this could be happening. Most of the email has a subject something like
"Environmental representative needed" or words to that effect (they vary)
Banning IP addresses only works until they switch to another one.

Given the way :fail: is supposed to work, I don't see how these are getting in.

Moreover, I went into mailwatch and selected many of these, then marked them as spam. This had no effect. The system said they were being checked for tokens, but the next batch of such messages came in also without apparently being checked. MailScanner says it is running, and other messages are indeed being scored and pink, red, or black listed appropriately, but not these. The DC said outgoing messages were not being scanned and that they had set that setting, yet it was (apparently, according to the MSFE) already set. Moreover, these messages are incoming, not outgoing.

Is anyone else seeing this? Surely it must be more widespread than just my box. At the height of the attacks I was getting over 10 000 messages like this a day, all with fake gmail or google.com return addresses. Many (perhaps all, I haven't checked) say the domain lookup has failed. At the suggestion of the DC I instituted mandatory DKIM checks, and this seemed to reduce the problem, but in the last couple of days it is heating up again.

Any suggestions from mail experts?

Rick
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello :)

The emails sent to non-existent email addresses should bounce before delivery if you have set the default address to:

Discard with error to sender (at SMTP time)

Make sure this is configured for not just the primary domain name, but addon and subdomains under the account. It's also possible that MailScanner is interfering with this setting, so you may want to see if the issue continues with MailScanner temporarily disabled.

Thank you.
 

rsutc

Well-Known Member
Oct 8, 2002
85
0
156
Don't quite follow the answer. I have it set by default to just :fail: on all accounts.
Surely the line
Discard with error to sender (at SMTP time) :fail:
isn't a legitimate command in itself, or do you mean to mention only part of it with the rest being commentary?

But here is more info:
1. I temporarily solved the problem by enabling MCP and putting in content filters for the subjects and bodies.
2. The mail had false To: addresses and the same addresses in the From: field, so presumably the system thought they were legit local mail.
3. The mails had fake Reply-To: addresses on gmail and were being bounced there, causing us to be blacklisted.
4. Multiple IPs were used, switching after every few hundred messages. These may have been faked too.

Digging around on the net for help revealed a suggestion that I put the following in an Exim ACL:
# bounce (empty envelope sender) carrying other than exactly one recipient
deny    senders     = :
        condition   = ${if !eq{$recipients_count}{1}{yes}{no}}
        message     = Bounces must have only a single recipient
        log_message = Another denied due to backscatter-Single Recipient

which denies a message being sent (a bounce included, I assume, as that is the point) if the message has multiple senders, which most of them did. I have seen other ACL suggestions as well.

Unfortunately, these suggestions were all based on previous versions of Exim, with no recent indication of where to put this in the CPanel configuration page--which ACL would it go into?

I'd like to have
- deny receipt if multiple senders
- don't send if multiple senders
- don't send or receive if To = From <>ReplyTo
- don't bounce to gmail or google.com

Any ideas on these (writing and location)? I'm not sure of the syntax, and specific suggestions are thin on the Internet ground and all seemingly targeted at previous versions of Exim and/or non-cPanel environments.

Rick
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Yes, :fail: was noted as commentary. It's the same thing as using "Discard with error to sender (at SMTP time)". It's not part of the actual entry that you select. You can add custom ACL rules via "WHM Home » Service Configuration » Exim Configuration Manager » Advanced Editor". You can scroll down to "Add Additional Configuration Setting" to add new entries. However, if you prefer to use standard options, the "Reject SPF failures" and "Reject DKIM failures" options in "ACL Options" may be helpful in your case. Searching for "backscatter" on these forums will also bring up further discussions on the issue.

Thank you.
 

rsutc

Well-Known Member
Oct 8, 2002
85
0
156
Well, in the last couple of weeks I have learned much about this issue that I never wanted to know. One of the things I did was enable MCP and enter a number of rules to kill messages off for their content. Another was to enable more spam lists. However, notwithstanding the answer above, which I knew, my questions boil down to these:
Suppose I try to deny multiple from with

========
# From: header containing two or more "@" characters, i.e. more than one address
deny    message   = Content Policy Restriction: Multiple from addresses are not accepted here.
        condition = ${if match{$header_from:}{@.+@}}

(supposedly in the DATA ACL -- but what box is that in the cpanel interface?)
=======
and also do reverse DNS lookup to deny fakes with:

# client IP has no PTR, or the PTR does not resolve back to the client IP
drop    message = Client Policy Restriction: No (consistent) reverse DNS set.
        !verify = reverse_host_lookup

(supposedly in the RCPT section -- but in exactly which box in the cpanel interface?)
=========
1. are the two rules I have put in the message above correct, and will they help?

2. In exactly what box in the cpanel interface to the exim config under the advanced editor would the two rules I have mentioned be placed? All the examples I have found around the net assume a different setup than this, and the exim config file is not organized the way they say, so it's not clear exactly where (which box in the cpanel ACL interface) the above would now go.

Rick
 
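The rules discussed in the two posts above (the single-recipient bounce check, the reverse-DNS check, the multiple-From check, and the From = To but Reply-To differs case), written out as complete Exim 4 ACL fragments. This is an added example, not code from the thread, from cPanel, or from any of the posters. The rule syntax is standard Exim 4; what is assumed is the placement: the box names "custom_begin_rcpt" (spliced into the recipient ACL) and "custom_begin_data_post" (spliced into the DATA ACL) are assumptions about the WHM Advanced Editor layout and must be checked against the section names your own version shows. The exemptions for authenticated users and loopback are a design choice, not something the thread specifies.

```exim
# ===== Part A: RCPT-time checks =====
# Assumed location: the "custom_begin_rcpt" box of the Advanced Editor
# (cPanel splices it into acl_smtp_rcpt). Confirm the box name for your
# WHM version; the rule bodies themselves are standard Exim 4 ACL syntax.

# A1. Backscatter: a bounce (empty envelope sender, matched by "senders = :")
#     may have only one recipient. In the RCPT ACL $recipients_count holds
#     the recipients already accepted for this message, so the second
#     RCPT TO of a bounce is refused here, before DATA. Refusing at RCPT
#     time also means this host never generates a bounce of its own for
#     the message, which is what stops the blacklisting.
deny    message     = Bounce messages must have exactly one recipient
        log_message = backscatter: bounce with more than one recipient
        senders     = :
        condition   = ${if >{$recipients_count}{0}{yes}{no}}

# A2. No consistent reverse DNS: "drop" sends the 5xx and closes the
#     connection. Authenticated users and loopback are exempt (assumed
#     policy) so webmail, cron jobs and local scripts are unaffected.
#     verify = reverse_host_lookup fails when the PTR is missing or does
#     not resolve back to the connecting IP.
drop    message     = Client Policy Restriction: no (consistent) reverse DNS set
        log_message = no consistent rDNS for $sender_host_address
        !authenticated = *
        hosts       = <; !127.0.0.1 ; !::1
        !verify     = reverse_host_lookup

# A3. Envelope sender whose domain does not resolve (the "domain lookup has
#     failed" messages). verify = sender checks that Exim could route a
#     reply to $sender_address; an empty sender (a bounce) always verifies,
#     so A1 still governs bounces.
deny    message     = Sender address $sender_address cannot be verified
        log_message = sender verification failed for $sender_address
        !authenticated = *
        !verify     = sender

# ===== Part B: DATA-time checks (headers are only visible here) =====
# Assumed location: the "custom_begin_data_post" box (spliced into the
# DATA ACL). Again, confirm the name in your own Advanced Editor.

# B1. More than one address in From:. Two "@" characters in the header is
#     the simplest test; a display name that itself contains "@" also
#     matches, so review the log for false positives before relying on it.
deny    message     = Content Policy Restriction: multiple From: addresses are not accepted here
        log_message = multiple From: addresses: $h_from:
        !authenticated = *
        condition   = ${if match{$h_from:}{@.+@}}

# B2. From: equals To: but Reply-To: points elsewhere, the pattern
#     described in this thread. ${address:...} strips display names and
#     angle brackets; ${lc:...} makes the comparison case-insensitive.
#     def:h_reply-to: is true only when a Reply-To: header is present.
deny    message     = Content Policy Restriction: From: equals To: but Reply-To: differs
        log_message = From: equals To: with foreign Reply-To: ${address:$h_reply-to:}
        !authenticated = *
        condition   = ${if and{ \
                        {def:h_reply-to:} \
                        {eq{${lc:${address:$h_from:}}}{${lc:${address:$h_to:}}}} \
                        {!eq{${lc:${address:$h_reply-to:}}}{${lc:${address:$h_from:}}}} \
                      }{yes}{no}}
```

Two points on the design. First, everything that can be decided from the envelope (A1 to A3) is decided at RCPT time, because a message rejected there is never accepted and so never bounced; the header-based rules (B1, B2) necessarily wait for DATA, but a deny at DATA is still an SMTP-time rejection, not a bounce generated later by this host. Second, each rule logs a distinct log_message, so after deploying you can grep exim_mainlog for the strings above and see which rule is doing the work and whether any legitimate mail is being caught.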