Same-domain impersonation increases deferred count, triggering domain-wide blocking
As per title,
I'm facing a weird issue lately.
I, as many, use the option to block a specific domain from sending e-mail when a large part of their messages are bounced back, in order to minimize the impact on the server when an email account of a client inevitably gets compromised.
The thing I'm facing right now is that I'm getting messages from non-existent-user@domain.tld towards another-non-existent-user@domain.tld.
These, obviously, get bounced with "sender verify fail for" and technically should be ignored.
Unfortunately, it seems that this increases the domain's deferred count (!), thus blocking email traffic for the whole domain if there's no other email traffic (let's say outside business hours).
At first glance, it sounds like a horrible and easy way to cause issues for a whole specific domain.
How do I prevent this from happening?
Hi @Znuff, on the account/s that are experiencing this issue, what is set in cPanel>>Email>>Default Address for unrouted mail? Thanks!
Hello, it's set to discard.
Hi @Znuff, if the mail originated from the domain in question though, it will definitely count against their sending. Mail for non-existent users will not be accepted by the server per your response, meaning that spoofing in the literal sense of domain name spoofing isn't occurring. This would lead to the assumption that non-existent-user@domain.tld is actually local to your server and more than likely being sent using a PHP script. Do you have any examples of this behavior in the exim mail logs? You can find them at /var/log/exim_mainlog.
Thanks!
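One way to pull the evidence requested above out of the exim main log, as an added example that is not part of the original thread: it separates same-domain "Sender verify failed" rejections arriving from remote hosts from messages submitted locally (for example by a script). The sample lines are constructed in the usual exim_mainlog layout, and the names `summarize` and `domain` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the usual exim_mainlog layout (not taken from the thread).
SAMPLE_LOG = """\
2024-05-01 02:13:44 H=(mx.example.net) [203.0.113.7]:51234 sender verify fail for <ghost@domain.tld>: No Such User Here
2024-05-01 02:13:44 H=(mx.example.net) [203.0.113.7]:51234 F=<ghost@domain.tld> rejected RCPT <nobody@domain.tld>: Sender verify failed
2024-05-01 02:14:02 H=(mx.example.net) [203.0.113.7]:51290 F=<ghost2@domain.tld> rejected RCPT <nobody@domain.tld>: Sender verify failed
2024-05-01 02:15:10 H=(relay.example.org) [198.51.100.9]:40022 F=<x@other.tld> rejected RCPT <nobody@domain.tld>: Sender verify failed
2024-05-01 02:16:31 1s2AbC-0001xY-2z <= info@domain.tld U=cpuser P=local S=1432
"""

# SMTP-time rejection: remote IP, envelope sender (F=) and the refused recipient.
REJECT = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: Sender verify failed"
)
# Local submission (e.g. a script calling sendmail): arrival line with U=<user> P=local.
LOCAL = re.compile(r" <= (?P<sender>\S+) U=(?P<user>\S+) P=local\b")

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def summarize(text):
    """Return (remote, local) counters.

    remote: (domain, source IP) -> same-domain sender-verify rejections
    local:  (domain, system user) -> locally submitted messages
    """
    remote, local = Counter(), Counter()
    for line in text.splitlines():
        m = REJECT.search(line)
        if m:
            d = domain(m["sender"])
            if d and d == domain(m["rcpt"]):
                remote[(d, m["ip"])] += 1
            continue
        m = LOCAL.search(line)
        if m:
            local[(domain(m["sender"]), m["user"])] += 1
    return remote, local

if __name__ == "__main__":
    remote, local = summarize(SAMPLE_LOG)
    for (d, ip), n in remote.most_common():
        print(f"remote same-domain verify failures: {d} from {ip}: {n}")
    for (d, user), n in local.most_common():
        print(f"local submissions: {d} by system user {user}: {n}")
```

To run it against the real log, pass the contents of /var/log/exim_mainlog to `summarize` in place of `SAMPLE_LOG`.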