Reject mail sent to server's hostname

[NikRB]

Hi,
I am running SpamExperts through WHMCS for some of my domains. It works well except some spammers are sending directly to my server's hostname - my.server.com
This is then routed to the correct inbox, bypassing the SpamExperts MX records.
I need to stop this from happening.

There is a setting in Exim Configuration Manager that says "Reject remote mail sent to the server's hostname", if I enable this will it resolve this issue?

Cheers
Nik

 

[cPanelLauren]

Hi @NikRB

The exim configuration setting should do exactly as indicated reject any mail sent to the hostname and enabling it should resolve the issue you're experiencing.

Thanks!

 

[NikRB]

Hi @cPanelLauren,
I enabled this setting but it seems email is bypassing the MX records. This is the headers of one of the emails, how can I block this type of email that is bypassing my MX records?

Content-Type: ⁨text/plain; charset="cp-850"⁩
Mime-Version: ⁨1.0⁩
Envelope-To: ⁨[email protected]⁩
Return-Path: ⁨<[email protected]>⁩
Return-Path: ⁨<[email protected]>⁩
X-Mailer: ⁨Microsoft Office Outlook 11⁩
email-Index: ⁨Ac9d99ieoum0kk999d99ieoum0kk99==⁩
X-Mimeole: ⁨Produced By Microsoft MimeOLE V6.1.7601.17514⁩
Content-Transfer-Encoding: ⁨8bit⁩
Delivery-Date: ⁨Tue, 14 Aug 2018 04:32:35 +0800⁩
⁨<[email protected]>⁩
Received: ⁨from my.fqdm.com by my.fqdm.com with LMTP id MJ7eB+PqcVt2fgAAn+cfxg for <[email protected]>; Tue, 14 Aug 2018 04:32:35 +0800⁩
Received: ⁨from [191.52.242.189] (port=27916) by my.fqdm.com with esmtp (Exim 4.91) (envelope-from <[email protected]>) id 1fpJVy-0008Po-IN for [email protected]; Tue, 14 Aug 2018 04:32:35 +0800⁩
Delivered-To: ⁨[email protected]⁩

 

[cPanelLauren]

Hi @NikRB

Do the [email protected] and [email protected] email addresses actually exist or is mail being routed to [email protected] because [email protected] doesn't exist?


Thanks!

 

[NikRB]

Hi @cPanelLauren,
[email protected] exists, [email protected] redirects to [email protected]

This is another example without any redirected mail

Content-Type: ⁨text/plain; charset="cp-850"⁩
Mime-Version: ⁨1.0⁩
Envelope-To: ⁨[email protected]⁩
Return-Path: ⁨<[email protected]>⁩
Return-Path: ⁨<[email protected]>⁩
X-Mailer: ⁨Microsoft Office Outlook 11⁩
Thread-Index: ⁨Acsxwf839594330dsxwf839594330d==⁩
X-Mimeole: ⁨Produced By Microsoft MimeOLE V6.1.7601.17514⁩
Content-Transfer-Encoding: ⁨8bit⁩
Delivery-Date: ⁨Tue, 14 Aug 2018 11:59:26 +0800⁩
⁨<[email protected]>⁩
Received: ⁨from my.fqdm.com by my.fqdm.com with LMTP id QHpHA55TclsnXgAAn+cfxg for <[email protected]>; Tue, 14 Aug 2018 11:59:26 +0800⁩
Received: ⁨from [103.58.116.30] (port=19551) by my.fqdm.com with esmtp (Exim 4.91) (envelope-from <[email protected]>) id 1fpQUP-0006GX-Cx for [email protected]; Tue, 14 Aug 2018 11:59:25 +0800⁩
Delivered-To: ⁨[email protected]⁩

Thanks again

 

[cPanelLauren]

Hi @NikRB

And the entry in the exim logs? You can find that with the following:

exigrep 1fpQUP-0006GX-Cx /var/log/exim_mainlog

The following thread may also be useful for you if you don't want to accept any inbound mail except from SpamExperts:

Stop Incoming Email Except from External Spam Filter

 

[NikRB]

This is the output of the logs

2018-08-14 11:59:25 1fpQUP-0006GX-Cx H=([103.58.116.30]) [103.58.116.30]:19551 Warning: Message has been scanned: no virus or other harmful content was found
2018-08-14 11:59:25 1fpQUP-0006GX-Cx <= [email protected] H=([103.58.116.30]) [103.58.116.30]:19551 P=esmtp S=701 [email protected] T="Play with me!" for [email protected]
2018-08-14 11:59:26 1fpQUP-0006GX-Cx => nik <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> QHpHA55TclsnXgAAn+cfxg Saved"
2018-08-14 11:59:26 1fpQUP-0006GX-Cx Completed

The solution above is tricky as all the accounts are not running SpamExperts so they still need to receive normally.

 

[cPanelLauren]

Hi @NikRB


That's not the full output for the transaction, is it? Based on this it doesn't look like (if that's your actual domain) you have an SPF or DKIM is that correct?


Thanks!

 

[NikRB]

Hi @cPanelLauren,
No sorry, I should have mentioned that is not the correct domain.
I have SPF and DKIM setup for the domain in question

 

[cPanelLauren]

HI @NikRB


What's happening here it looks like is that mail isn't going to the server's hostname but rather bypassing the domain's MX records and sending directly to the IP address not necessarily the hostname of the server unless you have something else that shows that, nothing in the logs you've provided indicates that it's using the hostname.
resolving this is much more tricky in this instance because the mail is bypassing the mx records which would otherwise filter it. Do you use SpamAssassin on the server (I realize you're using SpamExperts as a filter already) if you do my assumption is that this mail content would be flagged as spam pretty easily.

No sorry, I should have mentioned that is not the correct domain.
I have SPF and DKIM setup for the domain in question

That's fine, I removed the actual domain name from the post as well.

 

[NikRB]

Hi @cPanelLauren,
Correct, I did turn off SpamAssassin on the account as I didn't want to deal with more than one filter.
Could I create Global Email Filter in the following way:
Any Header > does not contain
Authentication-Results:
Discard Message
As far as I can see Authentication-Results: is in every SpamExperts email but not in any of the issue emails.
Would this work without SpamAssassin enabled?

 

[cPanelLauren]

Hi @NikRB

You could most definitely do that, the global filters are not dependent on SpamAssassin in any way.