Reject mail sent to server's hostname

NikRB

Member
May 21, 2015
10
0
1
Perth, Australia
cPanel Access Level
Root Administrator
Hi,
I am running SpamExperts through WHMCS for some of my domains. It works well except some spammers are sending directly to my server's hostname - my.server.com
This is then routed to the correct inbox, bypassing the SpamExperts MX records.
I need to stop this from happening.

There is a setting in Exim Configuration Manager that says "Reject remote mail sent to the server's hostname", if I enable this will it resolve this issue?

Cheers
Nik
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,273
313
Houston
Hi @NikRB

The exim configuration setting should do exactly as indicated reject any mail sent to the hostname and enabling it should resolve the issue you're experiencing.

Thanks!
 

NikRB

Member
May 21, 2015
10
0
1
Perth, Australia
cPanel Access Level
Root Administrator
Hi @cPanelLauren,
I enabled this setting but it seems email is bypassing the MX records. This is the headers of one of the emails, how can I block this type of email that is bypassing my MX records?

Code:
Content-Type: ⁨text/plain; charset="cp-850"⁩
Mime-Version: ⁨1.0⁩
Envelope-To: ⁨[email protected]⁩
Return-Path: ⁨<[email protected]>⁩
Return-Path: ⁨<[email protected]>⁩
X-Mailer: ⁨Microsoft Office Outlook 11⁩
email-Index: ⁨Ac9d99ieoum0kk999d99ieoum0kk99==⁩
X-Mimeole: ⁨Produced By Microsoft MimeOLE V6.1.7601.17514⁩
Content-Transfer-Encoding: ⁨8bit⁩
Delivery-Date: ⁨Tue, 14 Aug 2018 04:32:35 +0800⁩
⁨<[email protected]>⁩
Received: ⁨from my.fqdm.com by my.fqdm.com with LMTP id MJ7eB+PqcVt2fgAAn+cfxg for <[email protected]>; Tue, 14 Aug 2018 04:32:35 +0800⁩
Received: ⁨from [191.52.242.189] (port=27916) by my.fqdm.com with esmtp (Exim 4.91) (envelope-from <[email protected]>) id 1fpJVy-0008Po-IN for [email protected]; Tue, 14 Aug 2018 04:32:35 +0800⁩
Delivered-To: ⁨[email protected]
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,273
313
Houston

NikRB

Member
May 21, 2015
10
0
1
Perth, Australia
cPanel Access Level
Root Administrator
Hi @cPanelLauren,
[email protected] exists, [email protected] redirects to [email protected]

This is another example without any redirected mail

Code:
Content-Type: ⁨text/plain; charset="cp-850"⁩
Mime-Version: ⁨1.0⁩
Envelope-To: ⁨[email protected]⁩
Return-Path: ⁨<[email protected]>⁩
Return-Path: ⁨<[email protected]>⁩
X-Mailer: ⁨Microsoft Office Outlook 11⁩
Thread-Index: ⁨Acsxwf839594330dsxwf839594330d==⁩
X-Mimeole: ⁨Produced By Microsoft MimeOLE V6.1.7601.17514⁩
Content-Transfer-Encoding: ⁨8bit⁩
Delivery-Date: ⁨Tue, 14 Aug 2018 11:59:26 +0800⁩
⁨<[email protected]>⁩
Received: ⁨from my.fqdm.com by my.fqdm.com with LMTP id QHpHA55TclsnXgAAn+cfxg for <[email protected]>; Tue, 14 Aug 2018 11:59:26 +0800⁩
Received: ⁨from [103.58.116.30] (port=19551) by my.fqdm.com with esmtp (Exim 4.91) (envelope-from <[email protected]>) id 1fpQUP-0006GX-Cx for [email protected]; Tue, 14 Aug 2018 11:59:25 +0800⁩
Delivered-To: ⁨[email protected]
Thanks again
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,273
313
Houston
Hi @NikRB

And the entry in the exim logs? You can find that with the following:

Code:
exigrep 1fpQUP-0006GX-Cx /var/log/exim_mainlog
The following thread may also be useful for you if you don't want to accept any inbound mail except from SpamExperts:

Stop Incoming Email Except from External Spam Filter
 

NikRB

Member
May 21, 2015
10
0
1
Perth, Australia
cPanel Access Level
Root Administrator
This is the output of the logs
Code:
2018-08-14 11:59:25 1fpQUP-0006GX-Cx H=([103.58.116.30]) [103.58.116.30]:19551 Warning: Message has been scanned: no virus or other harmful content was found
2018-08-14 11:59:25 1fpQUP-0006GX-Cx <= [email protected] H=([103.58.116.30]) [103.58.116.30]:19551 P=esmtp S=701 [email protected] T="Play with me!" for [email protected]
2018-08-14 11:59:26 1fpQUP-0006GX-Cx => nik <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> QHpHA55TclsnXgAAn+cfxg Saved"
2018-08-14 11:59:26 1fpQUP-0006GX-Cx Completed
The solution above is tricky as all the accounts are not running SpamExperts so they still need to receive normally.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,273
313
Houston
Hi @NikRB


That's not the full output for the transaction, is it? Based on this it doesn't look like (if that's your actual domain) you have an SPF or DKIM is that correct?


Thanks!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,273
313
Houston
HI @NikRB


What's happening here it looks like is that mail isn't going to the server's hostname but rather bypassing the domain's MX records and sending directly to the IP address not necessarily the hostname of the server unless you have something else that shows that, nothing in the logs you've provided indicates that it's using the hostname.
resolving this is much more tricky in this instance because the mail is bypassing the mx records which would otherwise filter it. Do you use SpamAssassin on the server (I realize you're using SpamExperts as a filter already) if you do my assumption is that this mail content would be flagged as spam pretty easily.


No sorry, I should have mentioned that is not the correct domain.
I have SPF and DKIM setup for the domain in question
That's fine, I removed the actual domain name from the post as well.
 

NikRB

Member
May 21, 2015
10
0
1
Perth, Australia
cPanel Access Level
Root Administrator
Hi @cPanelLauren,
Correct, I did turn off SpamAssassin on the account as I didn't want to deal with more than one filter.
Could I create Global Email Filter in the following way:
Any Header > does not contain
Authentication-Results:
Discard Message
As far as I can see Authentication-Results: is in every SpamExperts email but not in any of the issue emails.
Would this work without SpamAssassin enabled?