Preventing backscatter

shpanda

Registered
Dec 8, 2015
UK
cPanel Access Level
Root Administrator
There are a number of articles about this already but I've spent several days going through them and I can't find a definitive answer that works for us. cPanel is sending bounce emails to forged FROM addresses. I can't enable hard SPF checking because we'd lose genuine mail. I have enabled other incoming and outgoing spam checks, disabled sender callouts, removed forwarders and removed the content of bounced messages from the bounce messages.

I can't find a definitive answer for how to fail incoming messages to nonexistent accounts at the SMTP level. I saw this and similar articles: cPanel & WHM with Exim SMTP Setup but adding the following 3 lines breaks Exim:

endpass
message = unknown user
verify = recipient


This is mostly about the Backscatterer extortion list.
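The recipient-time rejection asked about above, written out as a complete Exim RCPT ACL. This is an added example, not code from the thread or from cPanel's shipped exim.conf; it assumes the stock Exim names `acl_check_rcpt`, `+local_domains` and `+relay_from_hosts` from the default configure file, and that the main section has `acl_smtp_rcpt = acl_check_rcpt`. The three lines in the post are the old `accept ... endpass` idiom; a `deny` with a negated `verify = recipient` expresses the same check without `endpass`.

```exim
# Added example (not from the thread or cPanel's own exim.conf).
# Assumes the default Exim lists +local_domains and +relay_from_hosts,
# and acl_smtp_rcpt = acl_check_rcpt in the main configuration section.
begin acl

acl_check_rcpt:
  # Trusted relay clients and authenticated users may submit mail
  # without recipient verification.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Local domains: run the routers for the RCPT address right now.
  # If no router accepts it (mailbox does not exist, or the alias data
  # says :fail:), answer with a permanent 550 while the sender is still
  # connected. Nothing was accepted, so no bounce is ever generated by
  # this server and a forged envelope sender receives nothing.
  deny    message  = 550 unknown user
          domains  = +local_domains
          !verify  = recipient
  accept  domains  = +local_domains

  # Anything else is a relay attempt.
  deny    message  = relay not permitted
```

Verifying the whole local domain set this way is what turns the "accept, then bounce" behaviour into "refuse at RCPT TO", which is the condition the Backscatterer list is checking for. The `message` modifier must precede the condition it describes; placing it after `!verify = recipient` would leave the default text in the 550 reply.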
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Have you considered using the Greylisting feature available in cPanel since version 11.50? It's documented at:

Greylisting - Documentation - cPanel Documentation

This might be a suitable alternative to help prevent SPAM, while reducing backscatter.

Thank you.
 

shpanda

Registered
Dec 8, 2015
UK
cPanel Access Level
Root Administrator
Thanks, Michael. This doesn't get to the root of the problem though - can we verify that an address exists on the server during the SMTP connection and reject mail at that point if the address doesn't exist?
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I'm of the understanding that SPF will check that the sending server has authority to send for that domain, but there are no checks to verify that the actual email account exists.

Also, I'm not even convinced that Greylisting would eradicate it completely.
I thought the whole point of Greylisting was for the sending server to verify itself by having to send a retry before the mail was released. So even if someone spoofed an email address, the sending server could potentially retry anyway, negating Greylisting.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
SPF verification is the best option to prevent forged headers, but since that's blocking legitimate mail on your system, then Greylisting is the next best alternative. It's uncommon for a server that's sending SPAM to make the retry attempts after the initial message is deferred.

Thank you.
 

acenetgeorge

Well-Known Member
PartnerNOC
Mar 6, 2008
Southfield, MI
cPanel Access Level
DataCenter Provider
Easiest way to eliminate backscatter is to set "Initial default/catch-all forwarder destination" in Tweak Settings to Blackhole instead of Fail. Fail will generate a non-deliverability report (NDR), which is basically what most backscatter is. Blackhole just routes them to /dev/null and no NDR is generated.

Technically, I believe Fail is what the RFC (Request For Comments) calls for, but the exim RFC did not take spam into account.
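What "Fail" and "Blackhole" mean at the Exim level, as an added example that is not part of the thread. The `:fail:` and `:blackhole:` items are standard Exim redirect-router syntax; the `/etc/valiases/<domain>` path is assumed here to be cPanel's per-domain forwarder file, and `example.com` and the failure text are constructed. The two `*:` lines are alternatives, not a single file.

```exim
# Added example (not from the thread). Standard Exim alias/forwarder
# data as a redirect router would read it; the valiases path is an
# assumption about cPanel's layout, the domain and text are constructed.

# Variant A, /etc/valiases/example.com with a "Fail" default address:
*: :fail: No such user here
#   With recipient verification in the RCPT ACL, the router fails the
#   address during verification, so RCPT TO is answered with
#   "550 No such user here" and nothing is accepted: no bounce at all.
#   Without recipient verification the message is accepted first and
#   then bounced to the envelope sender, which is the backscatter.

# Variant B, /etc/valiases/example.com with a "Blackhole" default address:
*: :blackhole:
#   Verification succeeds, the message is accepted at SMTP time and then
#   discarded. No NDR is ever produced, but a legitimate correspondent who
#   mistypes an address gets no indication that the mail was lost.
```

The practical difference: `:fail:` combined with RCPT-time verification refuses the message before it is accepted, leaving the sending side responsible for any bounce, while `:blackhole:` accepts and silently drops. Both stop this server from emitting backscatter; only the first keeps honest senders informed.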
 

shpanda

Registered
Dec 8, 2015
UK
cPanel Access Level
Root Administrator
> Easiest way to eliminate backscatter is to set "Initial default/catch-all forwarder destination" in Tweak Settings to Blackhole instead of Fail. Fail will generate a non-deliverability report (NDR), which is basically what most backscatter is. Blackhole just routes them to /dev/null and no NDR is generated.
>
> Technically, I believe Fail is what the RFC (Request For Comments) calls for, but the exim RFC did not take spam into account.
I think this is the best solution - thanks.