
Need help in keeping our mail server from sending out junk like this...

Discussion in 'E-mail Discussions' started by jols, Jul 1, 2012.

  1. jols

    jols Well-Known Member

    Hi. I need help to keep exim from sending out stuff like the sample below. I am finding masses of these in the delivery queue, and our server has been listed in the backscatter RBL once again.

    If I could, I would like to kill all Delivery Delayed email from going out. I think spammers are just bouncing email off the server to deliver their spam in the form of bounces like these.

    Any advice? Thanks much.

    -----------------------------------------------------------

    Headers spool file

    1SlGOl-0007ve-OA-H
    mailnull 47 12
    <>
    1341134695 0
    -ident mailnull
    -received_protocol local
    -body_linecount 17
    -max_received_linelength 76
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1341134696
    -localerror
    XX
    1
    someguy@somedomain.com

    163P Received: from mailnull by oursever.ourdomain.com with local (Exim 4.77)
    id 1SlGOl-0007ve-OA
    for someguy@somedomain.com; Sun, 01 Jul 2012 04:24:55 -0500
    029 Auto-Submitted: auto-replied
    066F From: Mail Delivery System <Mailer-Daemon@oursever.ourdomain.com>
    035T To: someguy@somedomain.com
    061 Subject: Warning: message 1ShdS4-0001ik-N0 delayed 240 hours
    055I Message-Id: <E1SlGOl-0007ve-OA@oursever.ourdomain.com>
    038 Date: Sun, 01 Jul 2012 04:24:55 -0500

    Data spool file

    1SlGOl-0007ve-OA-D
    This message was created automatically by mail delivery software.
    A message that you sent has not yet been delivered to one or more of its
    recipients after more than 240 hours on the queue on oursever.ourdomain.com.

    The message identifier is: 1ShdS4-0001ik-N0
    The subject of the message is: Buy Phentermine 37.5mg 90 Pills $289!! g2rlav
    The date of the message is: Thu, 21 Jun 2012 12:10:50 +0200

    The address to which the message has not yet been delivered is:

    save to /dev/null
    generated by system-filter

    No action is required on your part. Delivery attempts will continue for
    some time, and this warning may be repeated at intervals if the message
    remains undelivered. Eventually the mail delivery software will give up,
    and when that happens, the message will be returned to you.
     
  2. jols

    jols Well-Known Member

    Anyone? We just found out we were given a bad reputation rating at mailspike over this exact issue.
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I believe this is the same issue you'd posted onto another thread. If so, the suggestion, if you believe these are due to fail being used, was to change to blackhole instead so non-delivery emails are discarded.
     
  4. jols

    jols Well-Known Member

    Thanks.

    Yes, but blackhole would become the spam magnet you mentioned.

    The first solution I came up with, I believe, would have blackholed all such email by adding the following at the top of the antivirus.exim filter:

    if not first_delivery then finish endif

    Thus we blackhole all non-deliverable email. Right?

    But then I "think" I found a better solution by adding this in the exim.conf file:

    delay_warning_condition = false

    This would at least keep the repeated "delivery delay warning" messages from bouncing, which is what got us into this backscatter mess, or so it would appear.
     
  5. Eric

    Eric Administrator
    Staff Member

    Howdy,

    Better a blackhole list being a spam magnet than your customers, and you could symlink it to /dev/null or make some rules to rule out the expected ones.

    Thanks!
     
  6. GoWilkes

    GoWilkes Well-Known Member

    Jols, where did you add "delay_warning_condition = false" in exim.conf? I couldn't find any references to it, so I don't know if it needs to be in a specific section, or just plugged at the top or bottom.
     
  7. jols

    jols Well-Known Member

    Yes, but I later discovered that this did not work. So I ended up creating a rule to handle this in antivirus.exim. As follows:

    if $header_subject: contains "Warning: message" then
      if $header_subject: contains "delayed" then
        save "/dev/null" 660
      endif
    endif


    One would think that one could put in a setting somewhere in WHM or the exim.conf that would just switch off these kinds of "delayed" email bounces, but I searched and experimented for a good two days before finally giving up.

    Overall, misdirected bounces (i.e. typical spam bounces) are starting to get us in hot soup with Cloudmark, Backscatter.org and others. I wish we had more ready-made tools to manage this kind of stuff right in WHM as it is kinda, sorta important to keep off of blacklists these days, but if wishes were fishes...
     
  8. GoWilkes

    GoWilkes Well-Known Member

    Thanks for the info. I'm in a similar position with Backscatterer, but haven't been able to track down the culprit, so I'm more or less just throwing things at the server to see if something sticks.
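
An added example, not part of the thread and not cPanel or Exim code: a parser for the -H spool header format shown in the first post. It flags locally generated delay warnings (null envelope sender, -localerror, matching Subject) and returns the id of the original delayed message, which is the one to inspect when tracing where the backscatter starts. The sample file is constructed, and the parser assumes an ASCII spool file with no non-recipients tree (the XX line).

```python
import re

def _hdr(flag, text):
    # Spool headers are stored as "<3-digit length><flag> <text>"; the length counts the newline.
    return "%03d%s %s\n" % (len(text) + 1, flag, text)

def build_sample(sender, options, subject):
    # Constructed -H file modelled on the one in the first post (addresses are made up).
    return ("1SlGOl-0007ve-OA-H\nmailnull 47 12\n<%s>\n1341134695 0\n" % sender
            + "".join(o + "\n" for o in options)
            + "XX\n1\nsomeguy@example.com\n\n"
            + _hdr(" ", "Auto-Submitted: auto-replied")
            + _hdr("T", "To: someguy@example.com")
            + _hdr(" ", "Subject: " + subject))

HDR = re.compile(r"(\d{3,})([A-Za-z* ]) ")
DELAY = re.compile(r"Warning: message (\S+) delayed")

def parse_spool_header(data):
    # The envelope part ends at the first blank line; the headers follow it.
    envelope, _, hdrs = data.partition("\n\n")
    lines = envelope.split("\n")
    msg = {"id": lines[0][:-2], "sender": lines[2][1:-1],
           "options": {l.split()[0] for l in lines[4:] if l.startswith("-")},
           "headers": {}}
    pos = 0
    while (m := HDR.match(hdrs, pos)):      # walk headers by stored length, so folded lines work
        start, n = m.end(), int(m.group(1))
        name, _, value = hdrs[start:start + n].partition(":")
        if m.group(2) != "*":               # '*' marks a header Exim has deleted
            msg["headers"][name.lower()] = " ".join(value.split())
        pos = start + n
    return msg

def delay_warning_for(msg):
    """Id of the delayed original if msg is a locally generated delay warning, else None."""
    m = DELAY.match(msg["headers"].get("subject", ""))
    local_bounce = msg["sender"] == "" and "-localerror" in msg["options"]
    return m.group(1) if (m and local_bounce) else None

SAMPLE_H = build_sample("", ["-ident mailnull", "-received_protocol local",
                             "-frozen 1341134696", "-localerror"],
                        "Warning: message 1ShdS4-0001ik-N0 delayed 240 hours")

if __name__ == "__main__":
    print(delay_warning_for(parse_spool_header(SAMPLE_H)))
```

Unlike a Subject-only match, this leaves ordinary user mail that happens to carry the same subject line alone, because it also requires the null sender and the -localerror flag.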
     