SSy

Active Member
May 10, 2016
29
0
1
cPanel Access Level
Root Administrator
Hi there - in the last few days I'm getting lots of spam to the Mailer-Daemon email address - these are not bounces but rather emails sent directly to it. How do I disable this?

Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,917
2,248
363
Hello @SSy,

Can you provide the output from /var/log/exim_mainlog for one of the offending emails? EX:

Code:
exigrep Subject /var/log/exim_mainlog
Replace "Subject" with the subject of one of the offending messages. Make sure to paste the output in CODE tags and to remove references to real domain names and IP addresses.

Thank you.
 

SSy

Code:
2018-07-26 00:09:42 1fiXav-002d0m-8r <= [email protected] H=(domain.com) [IP.IP.IP.IP]:58358 P=smtp S=6394 [email protected] T="8\345\277\253\345\277\253 \345\212\240\344\274\201\351\271\2051960009745 \345\205\215\350\264\271\351\200\201188\347\266\265\351\207\221 \345\234\260\345\235\200554638 \345\205\270C0M               \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r" for [email protected]
2018-07-26 00:09:42 1fiXav-002d0m-8r SMTP connection identification D= [email protected] [email protected] M=1fiXav-002d0m-8r U=root ID=0 B=redirect_resolver
2018-07-26 00:09:42 1fiXav-002d0m-8r check_mail_permissions could not determine the sender domain [routed_domain=gmail.com message_exim_id=1fiXav-002d0m-8r sender_host_address=IP.IP.IP.IP recipients_count=1]
2018-07-26 00:09:43 1fiXav-002d0m-8r => me ([email protected], [email protected]) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> 4Z2RBIdJWVvRjQkAMSDWvQ Saved"
2018-07-26 00:09:43 1fiXav-002d0m-8r ** [email protected] ([email protected], [email protected]) <[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [209.85.232.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after end of data: 550-5.7.1 This message does not have authentication information or fails to pass\n550-5.7.1 authentication checks. To best protect our users from spam, the\n550-5.7.1 message has been blocked. Please visit\n550-5.7.1  https://support.google.com/mail/answer/81126#authentication for more\n550 5.7.1 information. y51-v6si299404qth.95 - gsmtp
2018-07-26 00:09:43 1fiXav-002d0m-8r Completed
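
Added example (not part of the original thread and not cPanel tooling): a Python triage of exim_mainlog arrival lines that separates mail sent directly to Mailer-Daemon over SMTP from locally generated bounces, and counts it per sending IP. The sample log lines, hostnames and IPs are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog format; domains and IPs are placeholders.
SAMPLE_LOG = """\
2018-07-26 00:09:42 1fiXav-002d0m-8r <= spammer@sender.example H=(sender.example) [203.0.113.7]:58358 P=smtp S=6394 T="promo" for mailer-daemon@server.example
2018-07-26 00:11:02 1fiXbz-002d1a-2q <= <> R=1fiXav-002d0m-8r U=mailnull P=local S=8123 T="Mail delivery failed: returning message to sender" for admin@contact.example
2018-07-26 00:12:15 1fiXcA-002d2b-9x <= other@sender.example H=mail.sender.example [203.0.113.7]:40112 P=esmtps S=5120 T="promo 2" for Mailer-Daemon@server.example
2018-07-26 00:13:40 1fiXdB-002d3c-1k <= user@client.example H=mx.client.example [198.51.100.20]:33310 P=esmtps S=2048 T="hello" for info@hosted.example
"""

# Arrival line: "<date> <time> <id> <= <sender> <fields> for <recipients>".
# Recipients never contain a quote, so a " for " inside T="..." is skipped.
ARRIVAL = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<id>\S+) <= (?P<sender>\S+)'
    r'(?P<fields>.*?) for (?P<rcpts>[^"]+)$'
)
HOST_IP = re.compile(r' \[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? ')
PROTO = re.compile(r' P=(?P<proto>\S+)')


def direct_mail_to(local_part, log_text):
    """Return (msg_id, ip, sender) for remote arrivals addressed to local_part@*."""
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        # Only look at fields before the subject, which is attacker-controlled.
        head = m["fields"].split(' T="', 1)[0] + " "
        proto = PROTO.search(head)
        ip = HOST_IP.search(head)
        # Real bounces are generated locally: P=local and no remote host.
        if not proto or proto["proto"] == "local" or not ip:
            continue
        rcpts = [r.lower() for r in m["rcpts"].split()]
        if any(r.split("@")[0] == local_part for r in rcpts):
            hits.append((m["id"], ip["ip"], m["sender"]))
    return hits


def hits_per_ip(hits):
    """Count matching messages per connecting IP address."""
    return Counter(ip for _, ip, _ in hits)
```

On a real server, pass the contents of /var/log/exim_mainlog as `log_text`; each returned message ID can then be fed to exigrep to see the full delivery history.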
 

cPanelMichael

Hello @SSy,

If the SPAM is targeted towards a specific domain name, then you can set up a global email filter to discard or reject the emails sent to [email protected]. Here's some documentation to help with this:

Global Email Filters - Version 72 Documentation - cPanel Documentation
How to Configure Mail Filters - cPanel Knowledge Base - cPanel Documentation

That said, a better approach is to attempt to prevent the server from receiving the SPAM in the first place. Do you use the Greylisting feature? I often see reports from customers noting its effectiveness at stopping SPAM:

Greylisting - Version 72 Documentation - cPanel Documentation

Let me know if this helps.

Thank you.
 

cPanelMichael

Hi Michael - I'm confused - why is the server accepting external mail for that and routing it to me to begin with?
Hello,

Can you confirm what you configured for the domain name receiving those emails under the Default Address option in cPanel?

Thank you.
 

SSy

This is not a domain in cPanel - this is my whole WHM server hostname. So if my hostname is server.net it is sending to [email protected] and routing it to my contact email in WHM settings. How do I disable this? I can't add this as a domain either as it is my hostname.
 

cPanelMichael

Hello @SSy,

Thank you for clarifying.

Here's a recent answer from a support ticket where the same question was asked:

The best way to manage incoming Mailer-Daemon is to use a system Exim filter. The filter would be placed in a filename of your choice in /usr/local/cpanel/etc/exim/sysfilter/options/. A file of /usr/local/cpanel/etc/exim/sysfilter/options/postmaster would be an example.

Then in that file, you would place the filter. Please keep in mind that we do not write filters but the following is provided as a courtesy. Any modifications would need to be done by you or a systems administrator you've obtained.

if
$h_to: contains "[email protected]"
and $h_from: does not contain "[email protected]"
then
save "/dev/null" 660
endif

This filter will take any email that is to Mailer-Daemon and not from [email protected] and delete that email.

Once this file is created in /usr/local/cpanel/etc/exim/sysfilter/options/ you can log into WHM and then go to "Exim Configuration Manager" and make sure that custom filter is enabled and then scroll down and save.

This should get those emails filtered out and not be delivered.
Documentation on the system filter file is available at:

How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation

Thank you.
 

AndyB78

Well-Known Member
Oct 7, 2003
70
2
158
Romania
Hi,

Thank you for the filter above but the mails filtered by it remain in the queue with this error:

/dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset

Any suggestions? Thanks!
 

cPanelMichael

/dev/null <system-filter> routing defer (-1): system_filter_file_transport is unset
Hello @AndyB78,

Try changing the following section of the filter rule:

Code:
then
 save "/dev/null" 660
endif
To:

Code:
then noerror seen finish
endif
Thank you.
 

cPanelMichael

Hello @AndyB78,

Yes, it discards the message without notification (blackhole). Here's a link to Exim's documentation on this rule:

3. Exim filter files

Thank you.