The Community Forums


Spammers spoofing the heck out of a domain

Discussion in 'General Discussion' started by Snowman30, Dec 13, 2005.

  1. Snowman30 (Well-Known Member, PartnerNOC; joined Apr 7, 2002; cPanel Access Level: DataCenter Provider)

    I've got a domain which has been hammered to death by clever clowns in China and Taiwan that are using non-existent addresses at this domain as the From address, so of course I get thousands of bounces per day.

    I've reported to SpamCop, set up an SPF record for the domain and set up Exim filters to filter out a lot of the bounce stuff, but I really want to put an end to this crap....

    Anyone offer any suggestions (short of my going to these countries with a baseball bat)?
     
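The SPF record mentioned in the post above only helps where the receiving MTA actually evaluates it, and only a record ending in `-all` lets that receiver refuse the forgery at SMTP time, before any bounce exists. The following is an added example, not code from this thread or from cPanel: a minimal SPF evaluator (ip4, ip6, include and all mechanisms) run against a constructed in-memory TXT table standing in for DNS. The domains, addresses and records in it are made up for the demo.

```python
"""Minimal SPF evaluator: what a receiving MTA does with a forged sender.

Added example, not from the forum thread. Supports the ip4, ip6, include
and all mechanisms of RFC 7208; anything else yields 'permerror'. DNS is
replaced by a constructed dictionary so the script runs offline.
"""
import ipaddress

# Constructed TXT records standing in for DNS (assumption: made-up zones).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup_spf(domain):
    """Return the mechanism terms of the domain's SPF record, or None."""
    rec = DNS_TXT.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec.split()[1:]


def check_spf(client_ip, sender_domain, depth=0):
    """SPF result for client_ip sending MAIL FROM:<...@sender_domain>."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    terms = _lookup_spf(sender_domain)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            sub = check_spf(client_ip, arg, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"  # RFC 7208 section 5.2
            # fail/softfail/neutral from the include: not matched, keep going
        else:
            return "permerror"  # mechanism/modifier not supported here
    return "neutral"  # no mechanism matched and no explicit 'all'


def smtp_decision(client_ip, sender_domain):
    """Map the SPF result onto what happens to the forged message."""
    result = check_spf(client_ip, sender_domain)
    if result == "fail":
        return result, "550 rejected at SMTP time; no bounce is generated"
    if result == "permerror":
        return result, "550 rejected (malformed or unsupported record)"
    return result, "accepted or only scored; a later rejection bounces to the forged sender"


if __name__ == "__main__":
    # A forging host that is not in example.com's record:
    print(smtp_decision("198.51.100.77", "example.com"))
    # The same host against a domain that only soft-fails:
    print(smtp_decision("198.51.100.77", "softfail.example"))
    # Our real outbound host, matched via the include:
    print(smtp_decision("2001:db8:1::25", "example.com"))
```

The caveat that matters for this thread: a receiver that treats `~all` (or no SPF at all) as "accept, then decide later" will still generate the non-delivery report to the forged address, so SPF alone does not stop the backscatter described above.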
  2. AndyReed (Well-Known Member, PartnerNOC; joined May 29, 2004; Minneapolis, MN)

    First, remove all the culprit files. Upgrade Addons to the latest edition(s), and secure your server by installing APF, BFD, and mod_security. You might also want to tweak the settings of your WHM.
     
  3. kris1351 (Well-Known Member; joined Apr 18, 2003; Lewisville, TX)

    Make sure the default address is set to :fail: as well; this will eliminate all of those bounces coming back to the main account. It could be someone with a virus on their computer, as some worms have been known to attach <user>@domain.com and blast emails out of their boxes without the owner ever knowing about it.
     
  4. Snowman30 (Well-Known Member, PartnerNOC; joined Apr 7, 2002; cPanel Access Level: DataCenter Provider)

    I might not have explained myself properly...

    The emails aren't coming from our server or domain; they are coming from IP sources in China and Taiwan pretending to be from non-existent email addresses at our domain.

    Our servers are locked down tight. However, I would prefer not to set the catchall to :fail:, as we have a webmail service running on it that relies on it (Hivemail).

    I'm just looking for ways to try and stop the spammers from spoofing our domain so that the affected domain can get some of its former credibility back.

    Obviously the ISPs involved don't listen, or it would have been stamped out ages ago....
     
  5. myrem (Well-Known Member; joined Jul 14, 2002)

    Well, if your clients are willing to go along with you on this (require them to send ALL outbound email through your server(s)).

    In exim.conf, somewhere down in your check_recipient ACL (past the sections accepting authenticated clients, relay hosts, and mailman):

    Code:
    # Refuse unauthenticated remote mail whose envelope sender claims one of
    # our own domains. Must sit after the accept statements for authenticated
    # clients, relay hosts and mailman so that legitimate outbound mail from
    # our users is not caught.
    drop  condition = ${if match_domain{$sender_address_domain}\
                          {$primary_hostname:+local_domains:+relay_domains}\
                          {true}{false}}
          message   = You are not us -- Go Away!!
    
    I use a variation of that check (not a fail, just adding a header which SpamAssassin scores against the message). If you want to stop all the inbound forgeries, that will do it.

    You'd need to implement trickier methods to block bounces of forged emails (such as 'signed' return-paths, which we do for select accounts; again, this requires your clients to send all their email through your server).
     
    #5 myrem, Dec 14, 2005
    Last edited: Dec 14, 2005
  6. forlinuxsupport (Well-Known Member, PartnerNOC; joined Dec 22, 2004; cPanel Access Level: Root Administrator)

    Hi,

    Have a look at GeoIP (Google it).
    It lists which countries own which blocks of IP addresses.
    You can use it in your firewall rules to block all traffic from, e.g., China, or wherever you like.

    Cheers,
    Andy
     
  7. hergy80 (Well-Known Member; joined Sep 4, 2004)

    I think the problem they are having is not that the forged e-mails are going to his account, but that when ISPs like MSN or Yahoo (or, usually, other mail servers) reject the e-mail, they get the bounce (since those ISPs think they are the ones who sent it) instead of the people spamming. I had the same problem and just set my defaults to fail (which won't work here). But I'm interested too if there are any other ways to prevent this from happening. Blocking IPs wouldn't work, since it's not the spammers who are sending the bounces which are clogging his mailbox.
     
  8. chirpy (Well-Known Member; joined Jun 15, 2002; Location: Go on, have a guess)

    IMX, there's little you can do about blowback from spam and/or viruses. Either waiting out the storm or setting up a myriad of email filters is usually the only way out. It is indeed made worse when you need the features of a catchall address.
     
  9. GTFO (Active Member; joined Aug 8, 2005)

    Has anyone found a way to flat out stop mail from coming to a specific domain? (Oddly enough, removing MX records does not do it; mail still traces and makes it to the server.)
     
  10. myrem (Well-Known Member; joined Jul 14, 2002)

    You don't want any mail at all being processed for that domain?

    Remove that domain name from /etc/localdomains and Exim will reject all email sent to it.
     
  11. ramprage (Well-Known Member; joined Jul 21, 2002; Canada)

    Yeah, or maybe you could set up a filter that just says * discard.
     
  12. chirpy (Well-Known Member; joined Jun 15, 2002; Location: Go on, have a guess)

    If you do that, you should also add the domain to /etc/remotedomains (create the file if it doesn't exist); otherwise you'll find the domain getting put back into /etc/localdomains by cPanel.

    Removing the MX record won't work, as you found. That's because the SMTP protocol allows for the use of the A record if it cannot resolve an MX record for a domain.
     
  13. TBear (Registered; joined Jul 3, 2004; Arizona)

    That's one I've not heard before :rolleyes:

    You could set up a "spam" filter which would send all mail to the domain to discard:

    Header contains yourdomain.com -> discard.
     
