Stop forged headers?

setup a filter to discard the bounced emails.

cPanel.net Support Ticket Number:

 

I know this is an old discussion but there doesnt seem to be much diiscussion about spoofing on the forums and i have a site that is getting hammered with bounce backs because someone is spoofing all sorts of non-existent email usernames at one of my domains.

Ive setup over 100 filters to try and deal with it but the problem is im getting hit with over 20,000 bounces a day.

I dropped the MX record of the domain to 0.0.0.0. for 2 weeks hoping that this would dry things up but alas that has failed.

is there anything else i can do to prevent this sort of thing happening?

All the bounces are coming thru to my catchall account, however i cant :blackhole: this account as i have a Hivemail service setup on it.

Im also concerned by the loads its been putting on exim as well.

Is there a way to filter out these bounces before they hit the mail queue?

any advice would be greatly appreciated.

TIA

 

I should also metion the emails appear to be coming from China

heres the source from one of my bounces :

 

If you don't have any Chinese customers and don't plan on selling hosting to anyone who does, just ban all Chinese IPs.

 

I too have been battling with this same problem. it's totally out of control.

You can't just bann all Chinese IPs because the bounces don't come from chinese IPs. The orignal spam does, but what happens is the spam bounces to the original receipt. and then the spammer uses forges a bogus return address which happens to be on his (or my or your) servers. That's the problem.

I have the same problem with SpamAssassin. SA detects spam and then bounces the email. Which either bounces back or it comes from another server using SpamAssassin in which case it bounces to the admin of the site, which is me.

I can't figure out why more people are not up and arms about this problem in that it's totally out of control.

 

You're right. I wasn't thinking. In that case the only thing I can think of is what ciphervendor mentioned, i.e. to create a filter to discard the e-mails.

I believe the only way to truly defend yourself is to delete all accounts that have been registered by spammers and set your default account to :fail:. That is what I have had to do.

 

I agree with casey - there is very little indeed that you can do. You should disable catchall accounts whereever you can. The only other solution is what you've already done, which is to use filters to ditch bounces.

It's a particularly nasty part of the whole spam issue, and one that is usally forgotten about.

 

The unfortunate thing about bounces is that when you get over 20,000 an hour to all sorts of random obscure email adresses @yourdomain.com it becomes very hard to filter them...

especially in my case when im running a hivemail system on the catchall ive been affected on the most

 

I know from personal experience what an issue that can be with web-based email products (we produce our own) that use the catchall alias.

At what point are you filtering out the emails? Are you matching on the header/body content and just quietly ignoring those emails?

I wonder if there is a more efficient way to filter them out using ACL's in Exim. I'll pop over to their site to see, though posting on the Exim list might be a good idea.

 

It would appear that the best way to filter the mail would be to look into system filters:
http://www.exim.org/exim-html-4.30/doc/html/spec_40.html#CHAP40

I believe that this is what /etc/antivirus.exim is, so modifying that file with anti-bounce filters to just queitly drop the files could be more efficient than doing it outside of Exim.

 

Thanks for the advice

Exim filters are all jibberish to me

i dont suppose someone could post an example of a filter to block bounces as an example so that i can work about creating more for each thing i want to block...

 

i need to block the following from hitting the server for this particular domain:


Heres what my vfilters file for the particular domain has in it:

unfortunately it loads up exim and doesnt seem to /dev/null the emails.

can anyone suggest how i can stop these before they get to exim?

or as an alternative is there any way of stopping the F^$(&)#r who is sending out thousands opf spam emails with my domain as the return addrress???

i also have the following type of filter in CPanel setup as well:

my guess is the email addys are being created randomly and i cant keep up with blocking them

 

can anyone offer any further advice on how to stop this?

I cant take the domain down and cant afford the downtime for my mail accoutn users...

currently i have all mail to this domain going to 0.0.0.0

maybe i should bounce all mail for the domain back at these ^%#$%^#^%$ in China???

My big issue is that its cflaring my exim loads up and down like a yoyo and cpu usage is often jumoing to 99% which in turn is spiking up the loads on the server way over 20 on occassions.

surely there must be a way to filter these out before they hit exim?

can anyone offer any further advice?

 

I know I'll catch all sorts of hell for this, but I blame the people who originated this system of sending mail. Why forged headers are even possible is beyond logic to me. If it says it's from xyzdomain.com and it's not coming from xyzdomain.com, it should be dropped immediately by anyone that comes in contact with it.

If this problem of forged headers was solved, 99% of the spam email out there I think would disappear.

So why isn't someone doing something about that, instead of putting the burden on the millions of system admins who are the ones suffering thru this mess?

 

People are working on solutions. The problem,as you're probably aware, is completely historic. The SMTP protocols were written long before the concept of "spam" and deceit were envisioned - their responsibility was to ensure correct flow of information with eash stage adhering to the proscribed protocol.

Unfortunately, changing that to account for current requirements is exceedingly difficult. As an example, just have a look at the snail-pace of IPv6 as a replacement for IPv4.

Changing the SMTP protocol is going to require en-masse changes with all MTA's and all servers. That's no easy task and would require backwards compatability with the current system for a long long time. So, even if a solution were found today, it's stll not going to resolve the situation for many years.

This is why the onus is on us system administrators having to deal with a protocol that was written for a different era and bolt on tools around it.

 

My wonderfull spammer is again hammering the crap out of this domain.

anyone have any new solutions to stop these bounce messages murdering exim?

My valias file now looks like:

Code:

# Exim filter

if error_message then finish endif

if
 $header_subject: contains "Delivery Status Notification (Failure)"
 or $header_subject: contains "Delivery Status Notification"
 or $header_subject: contains "Delivery failure"
 or $header_subject: contains "Mail Delivery Failure"
 or $header_subject: contains "Mail System Error - Returned Mail"
 or $header_subject: contains "Mail delivery failed: returning message to sender"
 or $header_subject: contains "Message status - undeliverable"
 or $header_subject: contains "Returned mail: User unknown"
 or $header_subject: contains "Undeliverable Mail"
 or $header_subject: contains "Undelivered Mail Returned to Sender"
 or $header_subject: contains "Undelivered mail"
 or $header_subject: contains "failure notice"
 or $header_subject: contains "Mail System Error - Returned Mail"  
 or $header_subject: contains "Mail delivery failed: returning message to sender"  
 or $header_subject: contains "Message status - undeliverable"  
 or $header_subject: contains "Returned mail: User unknown"  
 or $header_subject: contains "Undeliverable Mail"  
 or $header_subject: contains "Undelivered Mail Returned to Sender"  
 or $header_subject: contains "Undelivered mail"  
 or $header_subject: contains "failure notice"    
 or $header_subject: contains "Returned mail: see transcript for details"  
 or $header_subject: contains "[No Subject]"  
 or $header_subject: contains "Unable to deliver your message"  
 or $header_subject: contains "Mail delivery: reception refused"  
 or $header_subject: contains "failure delivery"
 or $header_subject: contains "Mail Delivery Failure" 
 or $header_subject: contains "Your Message Could Not Be Delivered"  
 or $header_subject: contains "Delivery Notification: Delivery has failed"  
 or $header_subject: contains "Returned Mail: Sending Fail"
 or $header_subject: contains "Returned mail: see transcript for details"    
 or $header_subject: contains "Delivery Notification"
 or $header_subject: contains "Undeliverable:"
 or $header_subject: contains "Mail delivery failed: returning message to sender"
 or $header_subject: contains "Message rejected by system" 
 or $header_subject: contains "Notification d'état de la distribution"  
 or $header_subject: contains "Service de distribution du courrier" 
 or $header_subject: contains "Notification d'état de la distribution"  
 or $header_subject: contains "Undeliverable: Your account has been charged successfully"  
 or $header_subject: contains "Re: Your Account #5 has been charged"  
 or $header_subject: contains "Returned Mail: Error During Delivery"  
 or $header_subject: contains "Returned mail - nameserver error report"  
 or $header_subject: contains "Returned mail"  
 or $header_subject: contains "Delivery Status Notification (Failure)"  
 or $header_subject: contains "Returned Mail: Error During Delivery"  
 or $header_subject: contains "Returned mail: see transcript for details"  
 or $header_subject: contains "failure notice"   
 or $header_subject: contains "Undelivered Mail Returned to Sender"
 or $header_subject: contains "Returned mail: Service unavailable" 
 or $header_subject: contains "{Virus?}" 
 or $header_to: is "stevek@snowzone.net.au"
 or $header_to: is "alanaellender@snowzone.net.au"
 or $header_to: is "althatenery@snowzone.net.au"
 or $header_to: is "erinndenn@snowzone.net.au"
 or $header_to: is "evelynmcduffey@snowzone.net.au"
 or $header_to: is "feleciamilles@snowzone.net.au"
 or $header_to: is "ireneseiler@snowzone.net.au"
 or $header_to: is "irinaeargle@snowzone.net.au"
 or $header_to: is "janaslowik@snowzone.net.au"
 or $header_to: is "jesseniachristo@snowzone.net.au"
 or $header_to: is "kathleenbrana@snowzone.net.au"
 or $header_to: is "kellievalasco@snowzone.net.au"
 or $header_to: is "kendalshenefield@snowzone.net.au"
 or $header_to: is "kristiecardinale@snowzone.net.au"
 or $header_to: is "lanellbingman@snowzone.net.au"
 or $header_to: is "leolush@snowzone.net.au"
 or $header_to: is "lucillataecker@snowzone.net.au"
 or $header_to: is "ludiebolan@snowzone.net.au"
 or $header_to: is "margrettrothermel@snowzone.net.au"
 or $header_to: is "mariettemcallen@snowzone.net.au"
 or $header_to: is "marylynlaperle@snowzone.net.au"
 or $header_to: is "maxiedibella@snowzone.net.au"
 or $header_to: is "maxieleota@snowzone.net.au"
 or $header_to: is "mollyhuitron@snowzone.net.au"
 or $header_to: is "nadenekrewson@snowzone.net.au"
 or $header_to: is "pamalastickney@snowzone.net.au"
 or $header_to: is "patrickeberle@snowzone.net.au"
 or $header_to: is "robertmaule@snowzone.net.au"
 or $header_to: is "rosendapekarek@snowzone.net.au"
 or $header_to: is "shelbaeckersley@snowzone.net.au"
 or $header_to: is "signebenyard@snowzone.net.au"
 or $header_to: is "stefanyhagner@snowzone.net.au"
 or $header_to: is "stevek@snowzone.net.au"
 or $header_to: is "sudiefasciano@snowzone.net.au"
 or $header_to: is "sunnikovach@snowzone.net.au"
 or $header_to: is "swlodarczyk@snowzone.net.au"
 or $header_to: is "teresitasimms@snowzone.net.au"
 or $header_to: is "tommycalahan@snowzone.net.au"
 or $header_to: is "velvadoleman@snowzone.net.au"
 or $header_to: is "willaglen@snowzone.net.au"
then
 save "/dev/null" 660
endif

none of these filters seem to be applied for some reason and the account is getting over 10,000 bounce emails an hour....

 

You need to remove this line or put it below your bouce filter:
if error_message then finish endif

Thats whats causing your filters to be ignored.
Because its not filtering error messages.

 

This is a very old thread but I'm encountering this problem as well. Can anyone point me to a solution? Unfortunately setting up the filters locally in cpanel for the affected email address or an account level for the entire domain do not seem to be working. Would appreciate steps on what people do to keep the addresses working (I've disabled catchall) and keep it working.

 

Forged Email

Any solution after a long time dealing with this issue? I have searched all over the web and didn't find a solution yet, please any little or big tip would be appreciated.