Spam emails from mailnull

[JamesKemp]

Hi,

There are thousands of emails pending under Mail Queue Manager being sent out from:

from mailnull by hostname.com with local (Exim 4.93)
id 1k3mNa-0000fO-DT
for [email protected]; Mon, 03 Aug 2020 22:08:38 -0400

Please let me know how I can stop mailnull from sending out spam.

Thank you!

 

[cPAdminsMichael]

Hi James,

The mailnull is just the mail service name - it could be "Mail delivery failed" mails.

You could run exigrep "1k3mNa-0000fO-DT" /var/log/exim_mainlog to see more details..

 

[JamesKemp]

Hi Michael,

How do I stop the system from sending out mail delivery failed emails for accounts not hosted on the server?

Please see below:

Subject: Mail delivery failed: returning message to sender

exigrep "1k31FZ-0004BW-GA" /var/log/exim_mainlog
2020-08-04 14:01:21 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1k31FZ-0004BW-GA
2020-08-04 14:04:21 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1k31FZ-0004BW-GA
2020-08-04 14:04:21 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1k31FZ-0004BW-GA
+++ 1k31FZ-0004BW-GA has not completed +++
2020-08-04 14:01:21 1k31FZ-0004BW-GA <= <> R=1k1OuR-00016x-H4 U=mailnull P=local S=5393 T="Mail delivery failed: returning message to sender" for [email protected]
2020-08-04 14:01:21 1k31FZ-0004BW-GA Sender identification U=mailnull D=-system- S=mailnull
2020-08-04 14:01:22 1k31FZ-0004BW-GA ** [email protected] R=dkim_lookuphost T=dkim_remote_smtp: all hosts for 'k-223.cz' have been failing for a long time (and retry time not reached)
2020-08-04 14:01:22 1k31FZ-0004BW-GA Frozen (delivery error message)

Thank you!

 

[cPAdminsMichael]

HI James,

As you can see, this is indeed legit "Mail delivery failed" mails from your mailserver. This is not (directly) spam and I do not recommend disabling these messages.
It might very well be spambots sending mails to non-existing mail accounts on your server.

Instead, worth to investigate:

- Have you enabled DNSBL in Exim Configuration? This would prevent blacklisted ip-addresses sending mails to your server
- Enabling SPF/DKIM on all account on your server? This would prevent spammers to abuse your account's domain names as forged sender address

 

[JamesKemp]

Hi Michael,

I have enabled RBL, Greylisting, and DKIM/SPF Globally.

Is there a way to process all the pending emails in the Mail Queue Manager to delete only the spam emails?

Thank you!

 

[cPanelLauren]

You could do frozen emails, these are emails that your server has attempted to send but could not and is holding on to the mail retry. It looks like the status of the messages based on the log output is frozen as well.

You can do this through the UI at WHM>>Email>>Mail Queue Manager

alternatively you can run the following:

exiqgrep -z -i | xargs exim -Mrm

 

[JamesKemp]

Hi Lauren,

Only few emails are frozen but there are thousands in queue, how can I delete all the emails from mailnull only?

Thank you!

 

[cPanelLauren]

not sure if deleting by user would work with mailnull but you could try the following:

exiqgrep -i -f 'mailnull' | xargs exim -Mrm

 

[JamesKemp]

How do I completely stop the [system] / mailnull as the sender sending out emails?

When I run the following using the Message ID for new emails nothing is showing up but it's showing as Frozen under Mail Queue Manager:
exigrep "1k3mNa-0000fO-DT" /var/log/exim_mainlog

What's happening is the [system] is receiving non-stop emails for non-existent accounts on the server and when failed the [system] is sending the failed email messages to many Recipients email addresses as from/reply-to addresses set by the spammers.

For example:

Received: from mailnull by hostname.com with local (Exim 4.93)

                  id 1k4soL-0005kD-DK

                  for [email protected]; Sun, 09 Aug 2020 17:24:57 -0400


Subject: Mail delivery failed: returning message to sender

[email protected] doesn't exist on the server, not sure why mailnull is even accepting the emails for accounts not hosted on the server and then replying as failed?

or if it's locally being generated by the [system], how do I find the source?

Also it says received from esmtpsa for some of the emails:

Received: from [188.187.18x.24x] (port=60554 helo=hxgr)
    by hostname.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    (envelope-from <[email protected]>)
    id 1k1Qaf-0001sX-Rs; Fri, 31 Jul 2020 04:40:34 -0400

But the envelope-from address is not hosted on the server.

Thank you!

 

[cPanelLauren]

How do I completely stop the [system] / mailnull as the sender sending out emails?

You cannot stop this behavior without breaking mail entirely.

[email protected] doesn't exist on the server, not sure why mailnull is even accepting the emails for accounts not hosted on the server and then replying as failed?

Your server is not accepting mail for addresses that don't exist, it's failing them with a message, what's happening is that the failure message is unable to be sent.

 

[JamesKemp]

How can I resolve this?

All hosted accounts can't send email because the IP address is now banned everywhere.

I am still getting thousands of spam emails that are failing and the system is then trying to notify reply to addresses which are also failing.

How do I stop the system temporarily to just discard the emails which don't exist on the server?

Thank you!

 

[cPanelLauren]

You can set the account to discard mail rather than send the bounceback by going to cPanel>>Email>>Default Address -> Advanced Options -> Discard

I am though, concerned as to why you're receiving so many of these. Did you have a prior spam issue? To be receiving so much mail for addresses that don't exist on the server seems unusual.

 

[JamesKemp]

No, this is the first time receiving this much spam.

If a local account is sending these emails how do I find the account using the following information?

from mailnull by hostname.com with local (Exim 4.93)
id 1k5dYE-0002ri-U4
for [email protected]; Tue, 11 Aug 2020 19:19:27 -0400

Thank you!

 

[cPanelLauren]

exigrep will be your friend with this:

exigrep 1k5dYE-0002ri-U4 /var/log/exim_mainlog

 

[JamesKemp]

I understand but it's not showing me the hosted account sending the spam:

exigrep 1k5dYE-0002ri-U4 /var/log/exim_mainlog

2020-08-11 19:19:27 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1k5dYE-0002ri-U4

2020-08-11 19:20:36 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1k5dYE-0002ri-U4

2020-08-11 19:20:36 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1k5dYE-0002ri-U4

2020-08-11 19:47:38 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1k5dYE-0002ri-U4

2020-08-11 19:47:38 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1k5dYE-0002ri-U4

2020-08-11 20:40:55 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvh 1k5dYE-0002ri-U4

2020-08-11 20:40:55 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/exim -Mvb 1k5dYE-0002ri-U4

2020-08-11 20:45:29 cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -Mrm 1k5dYE-0002ri-U4

2020-08-11 19:19:27 1k5dYE-0002ri-U4 U=mailnull Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.7)"
2020-08-11 19:19:27 1k5dYE-0002ri-U4 <= <> R=1k1P2w-0004J2-5a U=mailnull P=local S=9223 T="Mail delivery failed: returning message to sender" for [email protected]
2020-08-11 19:19:27 1k5dYE-0002ri-U4 Sender identification U=mailnull D=-system- S=mailnull
2020-08-11 19:19:27 1k5dYE-0002ri-U4 ** [email protected] R=dkim_lookuphost T=dkim_remote_smtp: all hosts for 'dreamlifechurch123.com' have been failing for a long time (and retry time not reached)
2020-08-11 19:19:27 1k5dYE-0002ri-U4 Frozen (delivery error message)
2020-08-11 20:45:29 1k5dYE-0002ri-U4 removed by root
2020-08-11 20:45:29 1k5dYE-0002ri-U4 Completed

 

[cPAdminsMichael]

Hi James,
It's because the sender here is the system (mailnull) and not an cPanel account, as this is a system failure message back to the sender.
If I were you I would temporary:
- Block IP/domains if there are a certain pattern in the original sender's domain/IP
- As @cPanelLauren suggests, set cPanel to discard mails to non-existing mail addresses - at least temporary. If this is a systemwide issue, you can also do that from WHM's Tweak Settings at "Initial default/catch-all forwarder destination", by setting it to "blackhole". Again I recommend only setting this temporary until the "storm" has passed