The Community Forums


Spam trying to send failed message to sender

Discussion in 'E-mail Discussions' started by wswd, Apr 2, 2008.

  1. wswd

    wswd Well-Known Member

    Joined:
    Aug 9, 2005
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi all,

    Some time within the last few cPanel updates (this didn't happen until recently), spam being received by our server is attempting to send bounce messages back to the senders. Since the sender addresses don't exist in most instances, these are all getting stuck in the mail queue.

    I originally had mail marked as spam set to :fail:; I then changed it to the $h_X-Spam-Status: begins "Yes" Discard filter, and neither changed how the mail is being handled.

    Here is a copy of the message the server is trying to send back to these guys:


    Is there any way to stop the server from trying to bounce the spam messages, and just delete them?
     
  2. wswd

    Just to add. The failed attempts are also appearing under the "List of Errors" under the mail statistics in WHM. There are hundreds of entries listed at the bottom of the stats page.
     
  3. wswd

    Nobody knows the answer to this? :( Ah well.
     
  4. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi, your explanation is not so clear.

    Your customers are receiving bounces for mails that they never sent? If that's the situation, the spammers are using your users' accounts as the return-path, and in that case "I BELIEVE" there's no way to stop it, since if you set up a filter on the server, it will probably filter legitimate bounces too, and we don't want this to happen.

    How many email accounts are affected? One possible solution is to assign new email addresses to those affected and delete the ones receiving that collateral spam damage. :cool:
     
  5. wswd

    Kent, sorry for the explanation, but I couldn't think of a good way to make it clear.

    Let me try to explain it better:


    For example, an email account on our server receives normal plain ol' spam, from all different people. We'll just call the address address@address.com. What happens is that SpamAssassin flags the received message as spam (which is a good thing!), and it never gets delivered to the intended recipient on our server (also good).

    The problem though is that SpamAssassin (or something on the server) is trying to send a message back to the spammer, saying the address on our system could not receive the message.

    Since the spammers aren't using a real address, the "bounce message" just gets stuck in our mail queue, and the message is obviously never delivered, and also is never deleted from the queue. As a result, over a few days, we have hundreds of these messages stuck in the queue that apparently never get deleted until we delete everything in the queue manually. In doing so, there are also some legitimate messages in there that are being deleted.

    Under the Mail Statistics in WHM, every one of these "bounce messages" also shows up as an error at the bottom of the screen.

    This did not happen until a couple of weeks ago, so there has to be some change in cPanel causing this to happen now, I would assume.


    Here's an example of the message the server tries to return to the spammer:



    Thanks in advance!
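    One way to tell the stuck bounces apart from legitimate queued mail, added here as an example and not from any poster in this thread: a bounce that Exim could not deliver sits in the queue with an empty envelope sender (`<>`) and is marked frozen, so those entries can be listed and removed by message ID instead of clearing the whole queue. The script assumes the listing format that `exim -bp` prints (age, size, message ID, sender in angle brackets, an optional `*** frozen ***` marker, then one indented recipient per line); the message IDs and addresses in the sample are constructed, and `exim -Mrm` is Exim's own command for removing messages by ID.

```shell
#!/bin/sh
# Added example, not from the thread: pick out frozen bounce messages, i.e. queue
# entries whose envelope sender is empty (<>), from an `exim -bp` style listing,
# so that only those are removed and legitimate queued mail is left alone.
# Assumed listing format (how `exim -bp` prints the queue):
#   <age> <size> <message-id> <sender> [*** frozen ***]
#             <recipient>            (one per line, indented)
# The message IDs and addresses below are constructed sample data.

SAMPLE_QUEUE=' 25m  1.3K 1JhXyz-0001Ab-3C <> *** frozen ***
          joe1234@example.invalid

 12m   27K 1JhXzq-0002Cd-7F <alice@example.net>
          bob@example.org

  3h  2.1K 1JhWab-0003Ef-9G <> *** frozen ***
          spammer@nowhere.invalid

  1h  4.0K 1JhWcd-0004Gh-1H <carol@example.com> *** frozen ***
          dave@example.org'

# Reads a queue listing on stdin; prints the IDs of frozen messages with a null
# sender (bounces Exim could not deliver), one per line. Frozen messages with a
# real sender (last entry in the sample) are left out: those are not bounces.
frozen_bounce_ids() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 == "<>" && /\*\*\* frozen \*\*\*/ { print $3 }'
}

# Same input; prints "<id> <recipient>" for each frozen bounce, so the operator
# can see which (usually forged) sender addresses the bounces were aimed at.
frozen_bounce_targets() {
    awk '
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { bounce = ($4 == "<>" && /\*\*\* frozen \*\*\*/); id = $3; next }
        bounce && NF == 1 { print id, $1 }
    '
}

# Number of frozen bounces in the listing (the thread reports hundreds).
count_frozen_bounces() {
    frozen_bounce_ids | wc -l | tr -d ' '
}

# Builds (but does not run) the removal command; exim -Mrm accepts several IDs.
# Review the printed list first, then run that line on the server.
removal_command() {
    ids=$(frozen_bounce_ids | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$ids" ]; then
        printf 'exim -Mrm %s\n' "$ids"
    fi
}

# Stand-alone run over the sample; on a server pipe `exim -bp` in instead.
printf '%s\n' "$SAMPLE_QUEUE" | frozen_bounce_targets
printf '%s\n' "$SAMPLE_QUEUE" | removal_command
```

    On a live server the same functions are fed with `exim -bp | frozen_bounce_ids`; matching on the null sender rather than on the frozen flag alone is what keeps a frozen but legitimate message (a real sender whose delivery is merely stalled) out of the removal list.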
     
  6. Kent Brockman

    I see, ok now. Your server is being used as the trash can by some spammers.

    Your server is answering with a bounce mail because your accounts are set to :fail:. I don't know how many domains are compromised, but probably the :blackhole: option would be the better solution to avoid filling your queue with useless garbage. :D
    You can set this in the cPanel of a given account, inside the Forwarding options.

    Setting the :blackhole: option will automatically discard every mail headed to nonexistent users in those accounts. However, activating this option will consume some more resources at MTA time. :(

    Hope to be helpful. :)
     
  7. chrismfz

    chrismfz Well-Known Member

    Joined:
    Jul 4, 2007
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Greece
    cPanel Access Level:
    DataCenter Provider
    I have the same trash can problem :)

    If I set blackhole on my main account it doesn't work.
    I only have the username chris in cPanel for personal use.
    So my email is chris@mydomain.com.
    If I set it to blackhole nothing passes.
    Not only for emails that don't exist, but mine too.
     
  8. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    See this page for why you should use :FAIL: and not :BLACKHOLE:

    http://www.configserver.com/free/fail.html

    If you are getting errors and/or your queue is filling with bounce messages, your Exim settings may be incorrect. From the above page, if you set to :fail: ...

    Since it looks like you were custom writing rules, I would check to make sure that you don't have something in place that is superseding the :fail: and creating the bounce before the :fail: ever gets processed.

    Darren
     
  9. wswd

    Kent and Darren, thanks for the replies.

    Kent, I tried all sorts of different combinations and none of them would work, unfortunately. :(

    Darren, correct. I'm very familiar with the :fail: and had always previously had it set to fail. Unfortunately, even with fail, the messages were getting sent back, which is what confused me in the first place. Nothing should be getting sent back with :fail: set, but as of about 2 or 3 weeks ago, it just started doing it.

    I'm actually not using any custom writing rules. The "$h_X-Spam-Status: begins "Yes" Discard" thing was actually listed somewhere in cPanel as the recommended method. I just tried it out on a temporary basis, since :fail: wasn't working.

    In any event, I haven't changed a thing, and in the last 2 days, haven't had a single problem. I'm hoping everything just fixed itself, but why it wasn't working in the first place still remains a huge mystery.

    Thanks again guys. I'll let you know if it fixed itself.
     
  10. Kent Brockman

    Yep, interesting mystery.
    Did you try to reset the Exim conf to default?
     
  11. wswd

    Hi again Kent. I hadn't tried resetting it to the default.

    The good news, however, is that the problem definitely fixed itself. I'm not sure if it was using "discard" instead of :fail: that did the trick (remember that didn't work at first), or if the server gremlins just decided to be nice to me or what, but I haven't had a single piece of email get stuck in the queue for days.

    Wish I could be more help for anybody else who might come across this problem, but I'm too chicken to go back and change it to :fail: and see if it breaks again. :D

    Thanks again for the ideas, guys.
     
  12. mctDarren

    The server gremlins have never been nice to me. Never trust them! lol

    Strange that without it set to fail it's not bouncing, but glad it's working now for you. I am curious, did this happen to all accounts or just your one on that account and does that have any forwards set up, like to an AOL or Gmail account?
     
  13. Kent Brockman

    Yep, using :blackhole: (discard) is the better solution for this specific kind of problem, but just to be sure, you should wait 3-4 days using :blackhole: and after that time turn things back to :fail:, because this is the recommended setting.

    May :blackhole: have done its work? Or maybe the spammers stopped using your server as a trash can? Don't be chicken and give it a try in 4 days, and if the queue gets stuck again, just turn back to discard mode. ;)
     
  14. wswd

    Darn you Kent!! ha ha. You convinced me. I will try :fail: again for the greater good. :D:D

    Just to clarify something though...is the "discard" the same as :blackhole:? cPanel actually says discard. I don't actually put in :blackhole:. Again, I'm not sure where exactly I saw the "discard" but it was recommended by cPanel somewhere. That might just be some cPanel alias for :blackhole: to make it easier for non-server admins to understand or something? Who knows...

    Serversphere...it happened with all accounts on the server that were receiving spam, which is why the queue was filling up with hundreds of outgoing emails a day. There are some forwarders set up on some accounts, but only a very small handful. According to the EXIM logs though, the majority of spam was affecting accounts that did not have forwarders. Hope that helps.
     
  15. Kent Brockman

    "discard" is the name (or alias) given in cPanel for the admin-side config called :blackhole:. Discarding unrouteable emails is more resource consuming because this setting is read after the message has passed several filters, like Exim MTA, SpamAssassin, ACLs, etc. In contrast, the :fail: setting will make Exim bounce the unrouteable message before it is processed by further filtering stages, avoiding in that way a considerable usage of resources.

    You say that "it happened with all accounts on the server". How many domains are affected?
     
  16. wswd

    Yeah, I figured that might have just been an internal cPanel alias for :blackhole:. The weird part of that though, is that I tried changing :fail: to :blackhole: originally and I still had the problem. Then again, I had the problem with all 3...:fail:, :blackhole:, and discard. Yikes!

    I'd say there are roughly 20 domains on that server right now. Maybe 75% of them receive some form of spam on at least one account on the domain.
     
  17. Kent Brockman

    The problem is still present using "discard"? I understood that that setting solved the problem.

    Every domain in the world receives "some form of spam". Be specific. Is the form of spam that you asked about happening to 75% of your hosted domains? It's a weird scenario in which spammers have found out, somehow, that those domains are on the same server...

    For the other forms of spam to be stopped: are you already using Exim RBLs/SpamAssassin or any antispam product?
     
  18. wswd

    :rolleyes:
    Well, I was referring to what I did originally. Before things fixed themselves, I had tried all 3 methods with absolutely no resolution of the problem. I then left it on discard (since :fail: definitely wasn't working) for a few days and the problem just went away. I assume discard is what did the trick, though I'm not sure I understand why it took days to start working.



    I probably didn't explain that well. In response to Serversphere's question, roughly 75% of the domains on our server get spam. The others are most likely too new to be harvested yet. The stuff that gets stuck in the mail queue, however, is from every piece of spam. That is, there is not some spam that gets returned to the sender and some that doesn't. The server tries to return an unsuccessful delivery for every piece of spam our server receives, so long as it has been caught by Spamassassin.


    ***UPDATE*** I changed the server back to :fail: roughly 30 minutes ago, and now have 2 pieces of stuck mail in the mail queue. That's got to be the problem. I guess I'll just have to turn them all back to :blackhole: for now. :rolleyes:
     
    #18 wswd, Apr 13, 2008
    Last edited: Apr 14, 2008
  19. mctDarren

    It's as if your setup is backward, lol. I would not be satisfied until I had an answer. There are no rules in /etc/exim.antivirus with a "fail" result, correct? Puzzling! At least you have a working solution for now.
     
  20. Kent Brockman

    Well, it seems that unfortunately the best workaround for you is to leave it set to :blackhole: for more than a while (3 months, I'd say).
     