The Community Forums


Stop forged headers?

Discussion in 'General Discussion' started by kris1351, Sep 7, 2003.

  1. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    We have some smartass spammer out there who thought it would be cute to spoof sales@wwm.net as the sender of emails. Though these don't actually touch our system, the bounce-backs are coming to our sales address. Is there anything that can be done about this? Please, please make it legal to track spammers down and beat them with a stick.

  2. ciphervendor

    ciphervendor Well-Known Member

    Joined:
    Aug 26, 2002
    Messages:
    1,052
    Likes Received:
    0
    Trophy Points:
    36
    Set up a filter to discard the bounced emails.

  3. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    I know this is an old discussion, but there doesn't seem to be much discussion about spoofing on the forums, and I have a site that is getting hammered with bounce-backs because someone is spoofing all sorts of non-existent email usernames at one of my domains.

    I've set up over 100 filters to try and deal with it, but the problem is I'm getting hit with over 20,000 bounces a day.

    I dropped the MX record of the domain to 0.0.0.0 for two weeks, hoping that this would dry things up, but alas that has failed.

    Is there anything else I can do to prevent this sort of thing happening?

    All the bounces are coming through to my catchall account; however, I can't :blackhole: this account as I have a Hivemail service set up on it.

    I'm also concerned by the load it's been putting on Exim as well.

    Is there a way to filter out these bounces before they hit the mail queue?

    Any advice would be greatly appreciated.

    TIA
     
  4. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    I should also mention the emails appear to be coming from China :(

    Here's the source from one of my bounces:

     
  5. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    If you don't have any Chinese customers and don't plan on selling hosting to anyone who does, just ban all Chinese IPs.
     
  6. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    I too have been battling with this same problem. It's totally out of control.

    You can't just ban all Chinese IPs, because the bounces don't come from Chinese IPs. The original spam does, but what happens is the spam bounces to the original recipient, and then the spammer forges a bogus return address which happens to be on his (or my, or your) servers. That's the problem.

    I have the same problem with SpamAssassin. SA detects spam and then bounces the email, which either bounces back or comes from another server using SpamAssassin, in which case it bounces to the admin of the site, which is me.

    I can't figure out why more people are not up in arms about this problem, in that it's totally out of control.
     
  7. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    You're right. I wasn't thinking. In that case the only thing I can think of is what ciphervendor mentioned, i.e. to create a filter to discard the e-mails.

    I believe the only way to truly defend yourself is to delete all accounts that have been registered by spammers and set your default account to :fail:. That is what I have had to do.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I agree with casey - there is very little indeed that you can do. You should disable catchall accounts wherever you can. The only other solution is what you've already done, which is to use filters to ditch bounces.

    It's a particularly nasty part of the whole spam issue, and one that is usually forgotten about.
     
  9. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    The unfortunate thing about bounces is that when you get over 20,000 an hour to all sorts of random obscure email addresses @yourdomain.com, it becomes very hard to filter them...

    especially in my case, when I'm running a Hivemail system on the catchall I've been affected on the most :(
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I know from personal experience what an issue that can be with web-based email products (we produce our own) that use the catchall alias.

    At what point are you filtering out the emails? Are you matching on the header/body content and just quietly ignoring those emails?

    I wonder if there is a more efficient way to filter them out using ACLs in Exim. I'll pop over to their site to see, though posting on the Exim list might be a good idea.
     
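    On chirpy's question about matching header/body content: a Subject: string list is the weakest possible test, because every MTA words its bounces differently and a spammer's subject can match too. What a bounce actually carries is a copy of the original message (a message/rfc822 part, or just its headers in a text/rfc822-headers part), and a genuine bounce of mail we sent will show our own relay in those trace headers. The following is an added example, not code from the thread, cPanel or Exim; the relay name in OUR_HOSTS and both sample bounces are constructed for it, and it would sit behind whatever mechanism (a filter or a pipe transport) already hands bounces to a script.

```python
"""Tell a genuine bounce of our own mail from backscatter by inspecting the
original message a DSN carries, instead of matching Subject: strings.
Added example, not from the thread; OUR_HOSTS and both samples are constructed."""
import email
import re
from email import policy

OUR_HOSTS = {"mail.example.net"}  # assumption: the name our relay writes in Received:

# Constructed sample 1: genuine. The embedded original shows our relay handing
# the message to the remote MX, and a Message-ID we generated.
GENUINE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.remote.example
To: sales@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.remote.example with ESMTP id def456
From: sales@example.net
To: nobody@remote.example
Message-ID: <20040920.1@mail.example.net>
Subject: Your order

Thanks for your order.

--B1--
"""

# Constructed sample 2: backscatter. The remote site accepted spam injected
# from an unrelated host with a forged sender at our domain, then bounced it
# to us, including only the original's headers (text/rfc822-headers).
BACKSCATTER_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.victim.example
To: kathleenbrana@example.net
Subject: failure notice
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/rfc822-headers

Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.victim.example with SMTP id jkl012
From: kathleenbrana@example.net
To: someone@victim.example
Message-ID: <1095681234.77@localhost.localdomain>
Subject: cheap pills

--B2--
"""


def embedded_original_headers(raw_bounce):
    """Header block(s) of the original message a DSN carries, taken from
    message/rfc822 parts or text/rfc822-headers parts."""
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            found.append(part.get_payload()[0])
        elif ctype == "text/rfc822-headers":
            found.append(email.message_from_string(part.get_content(),
                                                   policy=policy.default))
    return found


def passed_through_us(hdrs, our_hosts=OUR_HOSTS):
    """True if the original's trace headers or Message-ID name one of our relays."""
    for received in hdrs.get_all("Received", []):
        for host in our_hosts:
            # "from X" is what the next hop saw on the far end; "by X" is a hop
            # our own relay stamped. Either ties the original to us.
            if re.search(r"\b(?:from|by)\s+" + re.escape(host) + r"\b",
                         str(received), re.I):
                return True
    message_id = str(hdrs.get("Message-ID", "")).strip("<> ")
    return any(message_id.lower().endswith("@" + host) for host in our_hosts)


def is_backscatter(raw_bounce, our_hosts=OUR_HOSTS):
    """A DSN whose embedded original never passed through our relay is
    backscatter. Feed only null-sender (bounce) mail here. A DSN with no
    recoverable original counts as backscatter too: nothing ties it to mail we
    sent. Trace headers are forgeable, so this is a heuristic, not proof."""
    originals = embedded_original_headers(raw_bounce)
    return not any(passed_through_us(h, our_hosts) for h in originals)


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE_BOUNCE), ("forged", BACKSCATTER_BOUNCE)):
        print(f"{name}: backscatter={is_backscatter(raw)}")
```

    The check deliberately ignores the DSN's own headers (its Subject:, its Received: line showing the remote MX talking to us) and looks only at the copy of the original, which is the one thing a backscatter bounce cannot make look like mail we relayed without forging Received: lines. It still runs after Exim has accepted the message, so it cuts the mailbox noise and the filter-list maintenance, not the SMTP load; rejecting at RCPT time needs the envelope sender to carry something verifiable.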
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It would appear that the best way to filter the mail would be to look into system filters:
    http://www.exim.org/exim-html-4.30/doc/html/spec_40.html#CHAP40

    I believe that this is what /etc/antivirus.exim is, so modifying that file with anti-bounce filters to just quietly drop the files could be more efficient than doing it outside of Exim.
     
  12. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Thanks for the advice

    Exim filters are all gibberish to me.

    I don't suppose someone could post an example of a filter to block bounces, so that I can work on creating more for each thing I want to block...
     
  13. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    I need to block the following from hitting the server for this particular domain:


    Here's what my vfilters file for the particular domain has in it:
    Unfortunately it loads up Exim and doesn't seem to /dev/null the emails.

    Can anyone suggest how I can stop these before they get to Exim?

    Or, as an alternative, is there any way of stopping the F^$(&)#r who is sending out thousands of spam emails with my domain as the return address???

    I also have the following type of filter in cPanel set up as well:

    My guess is the email addys are being created randomly and I can't keep up with blocking them.
     
    #13 Snowman30, Jun 8, 2004
    Last edited: Jun 8, 2004
  14. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Can anyone offer any further advice on how to stop this?

    I can't take the domain down and can't afford the downtime for my mail account users...

    Currently I have all mail to this domain going to 0.0.0.0.

    Maybe I should bounce all mail for the domain back at these ^%#$%^#^%$ in China???

    My big issue is that it's flaring my Exim loads up and down like a yo-yo, and CPU usage is often jumping to 99%, which in turn is spiking the load on the server to way over 20 on occasions.

    Surely there must be a way to filter these out before they hit Exim?

    Can anyone offer any further advice?
     
  15. matt621

    matt621 Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    I know I'll catch all sorts of hell for this, but I blame the people who originated this system of sending mail. Why forged headers are even possible is beyond logic to me. If it says it's from xyzdomain.com and it's not coming from xyzdomain.com, it should be dropped immediately by anyone that comes in contact with it.

    If this problem of forged headers was solved, 99% of the spam email out there I think would disappear.

    So why isn't someone doing something about that, instead of putting the burden on the millions of system admins who are the ones suffering through this mess?
     
  16. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    People are working on solutions. The problem, as you're probably aware, is completely historic. The SMTP protocols were written long before the concept of "spam" and deceit were envisioned - their responsibility was to ensure correct flow of information with each stage adhering to the prescribed protocol.

    Unfortunately, changing that to account for current requirements is exceedingly difficult. As an example, just have a look at the snail-pace of IPv6 as a replacement for IPv4.

    Changing the SMTP protocol is going to require en-masse changes with all MTAs and all servers. That's no easy task and would require backwards compatibility with the current system for a long, long time. So, even if a solution were found today, it's still not going to resolve the situation for many years.

    This is why the onus is on us system administrators having to deal with a protocol that was written for a different era and bolt on tools around it.
     
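    One of the bolt-on tools chirpy is talking about, which the thread itself never names, is Bounce Address Tag Validation (BATV, draft-levine-smtp-batv). It works around the "anyone can put your address on the envelope" problem from the other direction: outgoing mail leaves with its envelope sender rewritten to a signed, expiring `prvs=` form, and at RCPT time the MTA refuses null-sender (bounce) mail addressed to any local part that is untagged, wrongly signed or expired. A bounce of spam the spammer sent with a plain `stevek@snowzone.net.au` return path then fails at SMTP time and never enters the queue, which is exactly the "before they hit Exim" behaviour asked for above. The Python below is an added example, not code from the thread, cPanel or Exim; the tag layout follows the draft's prvs scheme (key digit, three-digit expiry day, six hex digits of an HMAC), but the exact string fed to the HMAC, the secret and the addresses are this example's assumptions.

```python
"""BATV-style (prvs) return-path tagging and verification.
Added example, not from the thread. Tag layout follows draft-levine-smtp-batv;
the HMAC input, the secret and the sample addresses are assumptions."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Tagged local part: prvs=KDDDHHHHHH=original-local-part
#   K      one-digit key id, so keys can be rotated
#   DDD    expiry day (proleptic-Gregorian ordinal day mod 1000)
#   HHHHHH first six hex digits of the HMAC
TAG_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>.+)$", re.I)


def _sig(key, key_id, ddd, original):
    """Six hex digits of HMAC-SHA1 over key id, expiry day and the untagged
    address (lower-cased). Assumed layout; the draft leaves the hash input open."""
    data = f"{key_id}{ddd}{original.lower()}".encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()[:6]


def tag_sender(original, key, key_id=0, days_valid=7, today=None):
    """Rewrite the envelope sender of an outgoing message to its tagged form."""
    today = today or date.today()
    ddd = f"{(today + timedelta(days=days_valid)).toordinal() % 1000:03d}"
    local, domain = original.rsplit("@", 1)
    return f"prvs={key_id}{ddd}{_sig(key, key_id, ddd, original)}={local}@{domain}"


def verify_bounce_recipient(rcpt, keys, days_valid=7, today=None):
    """Check the RCPT TO of a null-sender (bounce) message.

    Returns (True, original_address) when the tag is well formed, signed with a
    key we hold and not expired; (False, None) otherwise, which the MTA should
    turn into a 5xx at RCPT time so the bounce never enters the queue.
    """
    today = today or date.today()
    local, domain = rcpt.rsplit("@", 1)
    m = TAG_RE.match(local)
    if not m:
        return False, None          # untagged: we never sent with this sender
    key_id, ddd = int(m["k"]), m["ddd"]
    original = f"{m['local']}@{domain}"
    key = keys.get(key_id)
    if key is None:
        return False, None          # unknown key id
    if not hmac.compare_digest(_sig(key, key_id, ddd, original), m["sig"].lower()):
        return False, None          # forged or tampered tag
    # The tag is live while its expiry day lies 0..days_valid days ahead of
    # today; anything else has expired (or wrapped, about three years out).
    days_ahead = (int(ddd) - (today.toordinal() % 1000)) % 1000
    if days_ahead > days_valid:
        return False, None
    return True, original


if __name__ == "__main__":
    KEY = b"constructed-secret-rotate-me"          # assumption: per-domain secret
    tagged = tag_sender("sales@wwm.net", KEY, today=date(2004, 9, 20))
    print("outgoing MAIL FROM:", tagged)
    print("bounce two days later:", verify_bounce_recipient(tagged, {0: KEY}, today=date(2004, 9, 22)))
    print("forged, untagged:", verify_bounce_recipient("stevek@snowzone.net.au", {0: KEY}))
```

    Wiring this into Exim (assuming a build with the expansion hooks you would call the tagger from) means three things: set the SMTP transport's `return_path` to the tagged form for outgoing mail, add a router that strips a valid tag so a real bounce lands in the original mailbox, and in `acl_smtp_rcpt` deny when `$sender_address` is empty and the recipient local part fails verification. The secret must be shared by every host that sends for the domain, and anything that replies to the From: header rather than the envelope sender (some auto-responders, some list software) is not covered by it.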
  17. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    My wonderful spammer is again hammering the crap out of this domain.

    Anyone have any new solutions to stop these bounce messages murdering Exim?

    My valias file now looks like:

    Code:
    # Exim filter
    
    # Stop processing for any message that is itself an error/bounce message
    # (null envelope sender), before the rules below are evaluated.
    if error_message then finish endif
    
    # Discard anything whose Subject: looks like a delivery failure report
    # (entries that appeared more than once in the list have been removed),
    # or that is addressed to one of the local parts the spammer is forging.
    if
     $header_subject: contains "Delivery Status Notification (Failure)"
     or $header_subject: contains "Delivery Status Notification"
     or $header_subject: contains "Delivery failure"
     or $header_subject: contains "Mail Delivery Failure"
     or $header_subject: contains "Mail System Error - Returned Mail"
     or $header_subject: contains "Mail delivery failed: returning message to sender"
     or $header_subject: contains "Message status - undeliverable"
     or $header_subject: contains "Returned mail: User unknown"
     or $header_subject: contains "Undeliverable Mail"
     or $header_subject: contains "Undelivered Mail Returned to Sender"
     or $header_subject: contains "Undelivered mail"
     or $header_subject: contains "failure notice"
     or $header_subject: contains "Returned mail: see transcript for details"
     or $header_subject: contains "[No Subject]"
     or $header_subject: contains "Unable to deliver your message"
     or $header_subject: contains "Mail delivery: reception refused"
     or $header_subject: contains "failure delivery"
     or $header_subject: contains "Your Message Could Not Be Delivered"
     or $header_subject: contains "Delivery Notification: Delivery has failed"
     or $header_subject: contains "Returned Mail: Sending Fail"
     or $header_subject: contains "Delivery Notification"
     or $header_subject: contains "Undeliverable:"
     or $header_subject: contains "Message rejected by system"
     or $header_subject: contains "Notification d'état de la distribution"
     or $header_subject: contains "Service de distribution du courrier"
     or $header_subject: contains "Undeliverable: Your account has been charged successfully"
     or $header_subject: contains "Re: Your Account #5 has been charged"
     or $header_subject: contains "Returned Mail: Error During Delivery"
     or $header_subject: contains "Returned mail - nameserver error report"
     or $header_subject: contains "Returned mail"
     or $header_subject: contains "Returned mail: Service unavailable"
     or $header_subject: contains "{Virus?}"
     or $header_to: is "stevek@snowzone.net.au"
     or $header_to: is "alanaellender@snowzone.net.au"
     or $header_to: is "althatenery@snowzone.net.au"
     or $header_to: is "erinndenn@snowzone.net.au"
     or $header_to: is "evelynmcduffey@snowzone.net.au"
     or $header_to: is "feleciamilles@snowzone.net.au"
     or $header_to: is "ireneseiler@snowzone.net.au"
     or $header_to: is "irinaeargle@snowzone.net.au"
     or $header_to: is "janaslowik@snowzone.net.au"
     or $header_to: is "jesseniachristo@snowzone.net.au"
     or $header_to: is "kathleenbrana@snowzone.net.au"
     or $header_to: is "kellievalasco@snowzone.net.au"
     or $header_to: is "kendalshenefield@snowzone.net.au"
     or $header_to: is "kristiecardinale@snowzone.net.au"
     or $header_to: is "lanellbingman@snowzone.net.au"
     or $header_to: is "leolush@snowzone.net.au"
     or $header_to: is "lucillataecker@snowzone.net.au"
     or $header_to: is "ludiebolan@snowzone.net.au"
     or $header_to: is "margrettrothermel@snowzone.net.au"
     or $header_to: is "mariettemcallen@snowzone.net.au"
     or $header_to: is "marylynlaperle@snowzone.net.au"
     or $header_to: is "maxiedibella@snowzone.net.au"
     or $header_to: is "maxieleota@snowzone.net.au"
     or $header_to: is "mollyhuitron@snowzone.net.au"
     or $header_to: is "nadenekrewson@snowzone.net.au"
     or $header_to: is "pamalastickney@snowzone.net.au"
     or $header_to: is "patrickeberle@snowzone.net.au"
     or $header_to: is "robertmaule@snowzone.net.au"
     or $header_to: is "rosendapekarek@snowzone.net.au"
     or $header_to: is "shelbaeckersley@snowzone.net.au"
     or $header_to: is "signebenyard@snowzone.net.au"
     or $header_to: is "stefanyhagner@snowzone.net.au"
     or $header_to: is "sudiefasciano@snowzone.net.au"
     or $header_to: is "sunnikovach@snowzone.net.au"
     or $header_to: is "swlodarczyk@snowzone.net.au"
     or $header_to: is "teresitasimms@snowzone.net.au"
     or $header_to: is "tommycalahan@snowzone.net.au"
     or $header_to: is "velvadoleman@snowzone.net.au"
     or $header_to: is "willaglen@snowzone.net.au"
    then
     # deliver matching messages to /dev/null, i.e. discard them
     save "/dev/null" 660
    endif
    None of these filters seem to be applied for some reason, and the account is getting over 10,000 bounce emails an hour....
     
    #17 Snowman30, Sep 20, 2004
    Last edited: Sep 20, 2004
  18. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    You need to remove this line or put it below your bounce filter:
    if error_message then finish endif

    That's what's causing your filters to be ignored,
    because it's not filtering error messages.
     
  19. slinky

    slinky Well-Known Member

    Joined:
    Jul 26, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    This is a very old thread but I'm encountering this problem as well. Can anyone point me to a solution? Unfortunately setting up the filters locally in cpanel for the affected email address or an account level for the entire domain do not seem to be working. Would appreciate steps on what people do to keep the addresses working (I've disabled catchall) and keep it working.
     
  20. mdelacruz

    mdelacruz Member

    Joined:
    Apr 24, 2004
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Forged Email

    Any solution after a long time dealing with this issue? I have searched all over the web and didn't find a solution yet, please any little or big tip would be appreciated.
     