Reject mail sent to server's hostname
Hi,
I am running SpamExperts through WHMCS for some of my domains. It works well except some spammers are sending directly to my server's hostname - my.server.com
This is then routed to the correct inbox, bypassing the SpamExperts MX records.
I need to stop this from happening.
There is a setting in Exim Configuration Manager that says "Reject remote mail sent to the server's hostname". If I enable this, will it resolve this issue?
Cheers
Nik
Hi @NikRB, the Exim configuration setting should do exactly as indicated: reject any mail sent to the hostname, and enabling it should resolve the issue you're experiencing. Thanks!
Hi @cPanelLauren, I enabled this setting but it seems email is bypassing the MX records. These are the headers of one of the emails; how can I block this type of email that is bypassing my MX records?
Content-Type: text/plain; charset="cp-850"
Mime-Version: 1.0
Envelope-To: info@webemail.com.au
Return-Path:
Return-Path:
X-Mailer: Microsoft Office Outlook 11
email-Index: Ac9d99ieoum0kk999d99ieoum0kk99==
X-Mimeole: Produced By Microsoft MimeOLE V6.1.7601.17514
Content-Transfer-Encoding: 8bit
Delivery-Date: Tue, 14 Aug 2018 04:32:35 +0800
<004d01d4332b$031e8ca3$e9efb897$@webemail.com.au>
Received: from my.fqdm.com by my.fqdm.com with LMTP id MJ7eB+PqcVt2fgAAn+cfxg for ; Tue, 14 Aug 2018 04:32:35 +0800
Received: from [191.52.242.189] (port=27916) by my.fqdm.com with esmtp (Exim 4.91) (envelope-from ) id 1fpJVy-0008Po-IN for info@webemail.com.au; Tue, 14 Aug 2018 04:32:35 +0800
Delivered-To: accounts@webemail.com.au
Hi @NikRB, do the accounts@ and info@ email addresses actually exist, or is mail being routed to accounts@ because info@ doesn't exist? Thanks!
Hi @cPanelLauren, accounts@ exists, info@ redirects to accounts@. This is another example without any redirected mail:
Content-Type: text/plain; charset="cp-850"
Mime-Version: 1.0
Envelope-To: nik@webemail.com.au
Return-Path:
Return-Path:
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acsxwf839594330dsxwf839594330d==
X-Mimeole: Produced By Microsoft MimeOLE V6.1.7601.17514
Content-Transfer-Encoding: 8bit
Delivery-Date: Tue, 14 Aug 2018 11:59:26 +0800
<004001d433b1$01bcea4c$da0feea5$@webemail.com.au>
Received: from my.fqdm.com by my.fqdm.com with LMTP id QHpHA55TclsnXgAAn+cfxg for ; Tue, 14 Aug 2018 11:59:26 +0800
Received: from [103.58.116.30] (port=19551) by my.fqdm.com with esmtp (Exim 4.91) (envelope-from ) id 1fpQUP-0006GX-Cx for nik@webemail.com.au; Tue, 14 Aug 2018 11:59:25 +0800
Delivered-To: nik@webemail.com.au
Thanks again
This is the output of the logs:
2018-08-14 11:59:25 1fpQUP-0006GX-Cx H=([103.58.116.30]) [103.58.116.30]:19551 Warning: Message has been scanned: no virus or other harmful content was found
2018-08-14 11:59:25 1fpQUP-0006GX-Cx <= nik@webemail.com.au H=([103.58.116.30]) [103.58.116.30]:19551 P=esmtp S=701 id=004001d433b1$01bcea4c$da0feea5$@webemail.com.au T="Play with me!" for nik@webemail.com.au
2018-08-14 11:59:26 1fpQUP-0006GX-Cx => nik R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 QHpHA55TclsnXgAAn+cfxg Saved"
2018-08-14 11:59:26 1fpQUP-0006GX-Cx Completed
The solution above is tricky as all the accounts are not running SpamExperts so they still need to receive normally.
Hi @NikRB, that's not the full output for the transaction, is it? Based on this it doesn't look like (if that's your actual domain) you have an SPF or DKIM, is that correct? Thanks!
Hi @cPanelLauren, no sorry, I should have mentioned that is not the correct domain. I have SPF and DKIM set up for the domain in question.
Hi @NikRB, what's happening here, it looks like, is that mail isn't going to the server's hostname but rather bypassing the domain's MX records and sending directly to the IP address, not necessarily the hostname of the server. Unless you have something else that shows that, nothing in the logs you've provided indicates that it's using the hostname. Resolving this is much more tricky in this instance because the mail is bypassing the MX records, which would otherwise filter it. Do you use SpamAssassin on the server? (I realize you're using SpamExperts as a filter already.) If you do, my assumption is that this mail content would be flagged as spam pretty easily.
"No sorry, I should have mentioned that is not the correct domain. I have SPF and DKIM setup for the domain in question"
That's fine, I removed the actual domain name from the post as well.
Hi @cPanelLauren, correct, I did turn off SpamAssassin on the account as I didn't want to deal with more than one filter. Could I create a Global Email Filter in the following way:
Any Header > does not contain Authentication-Results: Discard Message
As far as I can see, Authentication-Results: is in every SpamExperts email but not in any of the issue emails. Would this work without SpamAssassin enabled?
Hi @NikRB, you could most definitely do that; the global filters are not dependent on SpamAssassin in any way.
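Added example, not part of the thread: a way to measure how much mail is reaching Exim directly from remote IPs instead of through the filtering service, by scanning the main log's arrival (`<=`) lines. `FILTER_NETWORKS` is a placeholder range and `FILTERED_DOMAINS` is an assumed list of domains whose MX points at the filter; the first sample line is the one posted above, the others are constructed.

```python
import ipaddress
import re

# Assumptions (not from the thread): the networks the filtering service
# delivers from, and which local domains have their MX pointed at it.
FILTER_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder range
FILTERED_DOMAINS = {"webemail.com.au"}

# Exim arrival line: "<date> <time> <msg-id> <= <sender> H=... [ip]:port ... for <rcpts>"
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<id>\S{6}-\S{6}-\S{2}) <= \S+ "
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? .*\bfor (?P<rcpts>.+)$"
)

# First line is from the thread; the remaining lines are constructed samples.
SAMPLE_LOG = r"""
2018-08-14 11:59:25 1fpQUP-0006GX-Cx <= nik@webemail.com.au H=([103.58.116.30]) [103.58.116.30]:19551 P=esmtp S=701 id=004001d433b1$01bcea4c$da0feea5$@webemail.com.au T="Play with me!" for nik@webemail.com.au
2018-08-14 11:59:26 1fpQUP-0006GX-Cx => nik R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 QHpHA55TclsnXgAAn+cfxg Saved"
2018-08-14 12:01:02 1fpQVx-0006Hb-2a <= sender@example.org H=filter.example.net [192.0.2.15]:41234 P=esmtps S=2048 T="Invoice for August" for nik@webemail.com.au
2018-08-14 12:03:10 1fpQXz-0006Jk-9C <= a@example.org H=mail.example.org [198.51.100.7]:52211 P=esmtps S=900 for bob@unfiltered.example
"""

def find_mx_bypass(lines):
    """Return arrivals for filtered domains whose SMTP peer is not the filter."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery, completion or local-submission line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text that is not an IP literal
        if any(ip in net for net in FILTER_NETWORKS):
            continue  # arrived through the filtering service
        # Domains that do not use the filter may legitimately receive directly.
        rcpts = [r for r in m["rcpts"].split()
                 if r.rpartition("@")[2].lower() in FILTERED_DOMAINS]
        if rcpts:
            hits.append({"id": m["id"], "ip": str(ip), "rcpts": rcpts})
    return hits

if __name__ == "__main__":
    for hit in find_mx_bypass(SAMPLE_LOG.splitlines()):
        print(hit["id"], hit["ip"], ",".join(hit["rcpts"]))
```

Unlike a check for the presence of an Authentication-Results header, which any sender can add to a message, the connecting IP recorded by Exim cannot be set by the sender.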