Preventing backscatter

[shpanda]

There are a number of articles about this already but I've spent several days going through them and I can't find a definitive answer that works for us. cPanel is sending bounce emails to forged FROM addresses. I can't enable hard SPF checked because we'd lose genuine mail. I have enabled other incoming and outgoing spam checks, disabled sender callouts, removed forwarders and removed the content of bounced messages from the bounce messages.

I can't find a definitive answer for how to fail incoming messages to nonexistent accounts at the SMTP level. I saw this and similar articles: cPanel & WHM with Exim SMTP Setup but adding the following 3 lines breaks Exim:

endpass
message = unknown user
verify = recipient

This is mostly about the Backscatterer extortion list.

 

[cPanelMichael]

Hello

Have you considered using the Greylisting feature available in cPanel since version 11.50? It's documented at:

Greylisting - Documentation - cPanel Documentation

This might be a suitable alternative to help prevent SPAM, while reducing backscatter.

Thank you.

 

[shpanda]

Thanks, Michael. This doesn't get to the root of the problem though - can we verify that an address exists on the server during the SMTP connection and reject mail at that point if the address doesn't exist?

 

[keat63]

I'm of the understanding that SPF will check that the sending server has authority to send for that domain, but there are no checks to verify that the actual email account exists.

Also, I'm not even convinced that Greylisting would erridicate it completely.
I thought the whole point of Greylisting was for the sending server to verify it's self by having to send a retry before the mail was released. So even if someone spoofed an email address, the sending server could potentially retry any way, negating Greylisting.

 

[cPanelMichael]

SPF verification is the best option to prevent forged headers, but since that's blocking legitimate mail on your system, then Greylisting is the next best alternative. It's uncommon for a server that's sending SPAM to make the retry attempts after the initial message is deferred.

Thank you.

 

[acenetgeorge]

Easiest way to eliminate backscatter is to set "Initial default/catch-all forwarder destination" in Tweak Settings to Blackhole instead of Fail. Fail will generate a non-deliverablility report (NDS), which is basically what most backscatter is. Blackhole just routes then to /dev/null and no NDR is generated.

Technically, I believe Fail is what the RFC (Request For Comments) calls for, but the exim RFC did not take spam into account.

 

[shpanda]

Easiest way to eliminate backscatter is to set "Initial default/catch-all forwarder destination" in Tweak Settings to Blackhole instead of Fail. Fail will generate a non-deliverablility report (NDS), which is basically what most backscatter is. Blackhole just routes then to /dev/null and no NDR is generated.

Technically, I believe Fail is what the RFC (Request For Comments) calls for, but the exim RFC did not take spam into account.

I think this is the best solution - thanks.