Disable bounce messages in exim
Hello.
I'm trying all day to find a solution, but nothing seems to work.
Recently my server had an email attack to one of my client's domain. The attack was targeting random (and not existing) mail accounts, which had a result of creating tons of bounce emails to the "original" sender. The result was an IP blacklisting.
I tried several ways to stop exim from sending bounce mails, but it keeps sending no matter what I tried. I have set the default action to "blackhole" for the specific domain in order to avoid more bounce mails, but as far as I have read and understood, the default action should be set to "fail" and unknown recipients should be rejected at SMTP level with no other action (no bounce message). This is what I want, but I can't make it work.
exim log sample:
2015-02-12 13:06:34 1YLrbM-0005u2-NR ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
2015-02-12 13:06:34 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1YLrbM-0005u2-NR
2015-02-12 13:06:34 1YLrbO-0005uZ-9m <= <> R=1YLrbM-0005u2-NR U=mailnull P=local S=735 T="Mail delivery failed: returning message to sender" for validuser@validremotedomain.com
2015-02-12 13:06:34 1YLrbM-0005u2-NR Completed
A valid user sends an e-mail to an invalid account of a valid domain I host, his SMTP gets "No such person at this address." message but then exim decides to return message to sender! Any ideas please? I use cpanel/WHM 11.48 set to work with exim/dovecot on a CentOS 6.6 dedicated server.
Hello :) Please post the output from: cat /etc/valiases/$domain
Replace any account identifying information in the output with an example. Thank you.
Hello, the content is as follows: *: :fail: No such person at this address.
Thank you.
If your attack was or is attributed to a particular spammer domain, then there is a little tweak you could apply to exim which would block said domain. However, it requires you to manually create a blacklist. Reading between the lines, I'd like to think that "Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour" in Exim Config >> ACL Options would perform what you are trying to achieve, but I'm no expert. No doubt someone will be along shortly.
Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour.
Thank you, I've already done that but the sender is random every time.
What about Dictionary Attack Protection, DKIM and RBLs?
All these are enabled. I use MailScanner too...
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
Thank you. Ticket number is #6113219
To update, the user was advised to set up a temporary black hole while the bouncebacks are occurring to avoid this type of attack. Thank you.
Problem is almost solved, except for a minor issue. cPanel support sent me this URL: http://www.farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/. Actually I had found this information when I was doing my own research, but because of a syntax error I got in exim when I tried the filter, and of course my lack of knowledge of exim filter syntax, I didn't try it again. At that time I already had 20+ open tabs in my browser trying to find a solution. To make a long story short, Stephen Chaffins from cPanel support mentioned this URL when I opened the ticket and I decided to take a closer look. The problem in the filter was the double quotes in "no", so I removed them, and the permissions of a local file, which I fixed, and the filter worked!
2015-02-18 12:27:47 SMTP connection from [209.85.215.45]:41102 (TCP/IP connection count = 1)
2015-02-18 12:27:47 H=mail-la0-f45.google.com [209.85.215.45]:41102 Warning: Sender rate 1.0 / 1h
2015-02-18 12:27:47 1YO1r9-0001op-GS <= mypersonalaccount@gmail.com H=mail-la0-f45.google.com [209.85.215.45]:41102 [....] for invaliduser@validlocaldomain.com
2015-02-18 12:27:47 SMTP connection from mail-la0-f41.google.com [209.85.215.41]:33248 closed by QUIT
2015-02-18 12:27:52 cwd=/var/spool/MailScanner/incoming/32020 6 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1YO1r9-0001op-GS
2015-02-18 12:27:52 1YO1r9-0001op-GS ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
2015-02-18 12:27:52 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1YO1r9-0001op-GS
2015-02-18 12:27:52 1YO1rE-0001pf-F5 <= <> R=1YO1r9-0001op-GS U=mailnull P=local S=3609 T="Mail delivery failed: returning message to sender" for mypersonalaccount@gmail.com
2015-02-18 12:27:52 1YO1r9-0001op-GS Completed
2015-02-18 12:27:52 cwd=/var/spool/exim 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1YO1rE-0001pf-F5
2015-02-18 12:27:52 1YO1rE-0001pf-F5 cancelled by system filter: Delayed bounce message ignored
2015-02-18 12:27:52 1YO1rE-0001pf-F5 Completed
So, I sent an email from my personal gmail account to an invalid user at one of my local domains. Exim replied "No such person at this address", created the bounce message and then, wow! The bounce message was ignored! But there is a catch... File /etc/localdomains (which the filter has to read) has permissions 0640 and the filter gets a 'permission denied' message. You can bypass this if you set it to 0644, but cPanel regularly changes it back to 0640 (for example when you press 'save' in WHM Exim configuration or upcp runs).
Error in system filter: failed to expand "${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains}{yes}{no}}" in filter file: failed to open /etc/localdomains for linear search: Permission ded (euid=32008 egid=510)
I tried to add the 'cpaneleximfilter' user (32008) to the 'mail' group (the group /etc/localdomains belongs to) with 'usermod -a -G mail cpaneleximfilter', but permission is still denied (!). I have an open ticket pending with cPanel for this issue (6114895) and this is the minor issue I mentioned at the beginning of this post. You can copy this file to another one, apply the correct permissions, and update it regularly with a cron job. We'll name this file 'localdomains.eximfilter'.
Steps
1. Create the file '/etc/cpanel_exim_custom_filter' with the instructions from the above URL (http://www.farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/). Remember to delete the double quotes from "no" and place it ABOVE all other filters.
if $sender_address is "" then
  if ${lookup{${extract{2}{@}{$recipients}}}lsearch{/etc/localdomains.eximfilter}{yes}{no}} is no then
    fail text "Delayed bounce message ignored"
    seen finish
  endif
endif
You can create the filter the alternative way mentioned in the URL, which sends an email to a specific address, so you can avoid searching exim_mainlog in order to check if the filter works.
2. WHM -> Exim Configuration Manager -> Basic editor -> Filters
3. System filter file -> /etc/cpanel_exim_custom_filter if you have no filter enabled, or if you have another setup make the appropriate changes.
4. Don't use the 'Custom filter' option. The filter will be placed last and it will not work.
5. Remember to create the /etc/localdomains.eximfilter file with the appropriate permissions.
6. cPanel -> Default address must be set to 'Discard' (/etc/valiases/[domain] must be set to :fail: )
7. Save and restart exim
8. Test by sending an email to an invalid account of a valid domain on your server.
That's it! Special thanks to Farhad Malekpour for his precious information and of course to the cPanel support team. If we find a solution regarding the permissions of the /etc/localdomains file, I'll let you know.
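For step 8 above, the following is an added Python script (not from this thread, Farhad's page or cPanel) that reads exim_mainlog and reports, for every bounce exim generated, whether the system filter cancelled it or it actually left the server. The log lines embedded in it are constructed from the format quoted in this thread; the "=>" delivery line format is assumed to be standard Exim.

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt modelled on the lines quoted in this thread
# (not real server output): one bounce cancelled by the system filter, one
# bounce that exim went on to deliver to the remote domain (backscatter).
SAMPLE_LOG = """\
2015-02-18 12:27:52 1YO1r9-0001op-GS ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
2015-02-18 12:27:52 1YO1rE-0001pf-F5 <= <> R=1YO1r9-0001op-GS U=mailnull P=local S=3609 T="Mail delivery failed: returning message to sender" for mypersonalaccount@gmail.com
2015-02-18 12:27:52 1YO1rE-0001pf-F5 cancelled by system filter: Delayed bounce message ignored
2015-02-12 13:06:34 1YLrbM-0005u2-NR ** invaliduser@validlocaldomain.com R=virtual_aliases: No such person at this address.
2015-02-12 13:06:34 1YLrbO-0005uZ-9m <= <> R=1YLrbM-0005u2-NR U=mailnull P=local S=735 T="Mail delivery failed: returning message to sender" for validuser@validremotedomain.com
2015-02-12 13:06:35 1YLrbO-0005uZ-9m => validuser@validremotedomain.com R=lookuphost T=remote_smtp H=mx.validremotedomain.com [192.0.2.25]
"""

# Exim message ids look like 1YO1r9-0001op-GS.
MSGID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"
# "<= <>" is a message with the empty envelope sender, i.e. a bounce exim
# generated itself; its R= field names the original message being bounced.
BOUNCE_RE = re.compile(rf"^\S+ \S+ (?P<bid>{MSGID}) <= <> R=(?P<orig>{MSGID}) .* for (?P<to>\S+)$")
CANCEL_RE = re.compile(rf"^\S+ \S+ (?P<bid>{MSGID}) cancelled by system filter: ")
DELIVER_RE = re.compile(rf"^\S+ \S+ (?P<bid>{MSGID}) => (?P<to>\S+)")


def classify_bounces(lines):
    """Return {bounce_msgid: {"orig", "to", "state"}}; state is 'suppressed'
    (killed by the filter), 'delivered' (backscatter sent) or 'pending'."""
    bounces = {}
    for line in lines:
        m = BOUNCE_RE.match(line)
        if m:
            bounces[m["bid"]] = {"orig": m["orig"], "to": m["to"], "state": "pending"}
            continue
        m = CANCEL_RE.match(line)
        if m and m["bid"] in bounces:
            bounces[m["bid"]]["state"] = "suppressed"
            continue
        m = DELIVER_RE.match(line)
        if m and m["bid"] in bounces:
            bounces[m["bid"]]["state"] = "delivered"
    return bounces


def summary(lines):
    """Counts per state; any 'delivered' means the filter is not catching everything."""
    counts = Counter(info["state"] for info in classify_bounces(lines).values())
    return {state: counts[state] for state in ("suppressed", "delivered", "pending")}


def backscatter_domains(bounces):
    """Remote domains that really received a bounce from us (the ones likely to blacklist you)."""
    return Counter(info["to"].rsplit("@", 1)[-1].lower()
                   for info in bounces.values() if info["state"] == "delivered")


if __name__ == "__main__":
    import sys  # real use: python3 thisfile.py < /var/log/exim_mainlog
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(summary(lines))
    print(backscatter_domains(classify_bounces(lines)).most_common(10))
```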
I am happy to see you were able to address the issue. Feel free to update us with the outcome of ticket number 6114895. Thank you.
Hi, I have the exact same problem (for one of my domains) as the OP. I am following the instructions but I cannot seem to get Exim to stop the bounce email; in all of my tests sending an email to an invalid account does still result in a bounce back to the original sender. I am running WHM 11.52.1 on CentOS 6.7 on a GoDaddy VPS. Here's what I have tried:
(1) cPanel > Default Address (for this domain account) is set to Discard. I've not only verified that in the cPanel for the specific account, but also cat /etc/valiases/$domain
outputs: *: :fail: No Such User Here
(2) I created the custom filter file. I copied the cpanel_exim_system_filter file and put the bounce condition code from Farhad Malekpour on TOP of all filters, so right ABOVE:
if not first_delivery then finish endif
I then specified this filter file under WHM > Exim Configuration Manager > Basic Editor > Filters > System Filter File > check radio button and provide path to the custom file. Saved changes. Then verified in exim.conf that the exim filter file has been updated. It was.
(3) The copy of the localdomains file, called localdomains.eximfilter just like the OP's, was updated with 0644 permissions.
(4) Restarted Exim not only through WHM but also through SSH.
It does NOT work. I do get the return bounce email to my personal email address, every single time. Here's what the exim_mainlog reports for each test transaction:
2015-11-27 17:05:03 Start queue run: pid=4393
2015-11-27 17:05:03 End queue run: pid=4393
2015-11-27 17:05:30 SMTP connection from [98.136.216.197]:41059 (TCP/IP connection count = 1)
2015-11-27 17:06:11 H=nm30-vm6.bullet.mail.gq1.yahoo.com [98.136.216.197]:41059 X=TLSv1:AES128-SHA:128 CV=no F= rejected RCPT : No Such User Here
2015-11-27 17:06:11 SMTP connection from nm30-vm6.bullet.mail.gq1.yahoo.com [98.136.216.197]:41059 closed by QUIT
As you can see, it does discard the messages via "No Such User Here", but it does not execute the part of the if condition to not only disregard the bounce but to output "Delayed bounce message ignored"... so I can only assume that Exim does not read the condition correctly..... (?) Here's what else I tried:
(5) I used the filter w/ and w/o double quotes around the "no". I made sure all other quotes are standard double quotes.
(6) I added a "noerror" before the "fail text", saw that in another thread.
(7) I changed the group owner of the cpanel_exim_custom_filter file to 'mail', to ensure it has the same group owner as the original cpanel_exim_system_filter file.
(8) I was assuming that my specified filter file was run as a custom filter lower in the stack, so I implemented the code directly into the original cpanel_exim_system_filter file, again on TOP. Changed WHM back to use that file. I ensured the no-bounce condition stayed in the file, and was not overwritten.
(9) Within the code, I used the "localdomains" file directly (set to 0644) instead of the copy "localdomains.eximfilter".
All of this did NOT improve things, I still always get the bounce email back to my personal account. Any idea why this is not working for me? Also, I have 2 questions in regards to the OP instructions:
(I.) The OP writes "Don't use the 'Custom filter' option. The filter will be placed last and it will not work.". Where is the custom filter option? My WHM does not have a custom filter option under Exim Configuration Manager > Basic Editor > Filters > System Filter File... or is the radio button option the "custom filter"?
(II.) The OP writes that he saw that the file /etc/localdomains was giving a permission denied error, so he used a copy of the file. Where would that error be seen? I checked exim logs and Apache logs but did not see the error.
Now I did set all localdomain files to 0644 (maybe that's why I did not see this error) but just curious if I'm missing a log somewhere I should check... Thanks for your help. - Mike
Hi all: I prefer not to bounce messages, but only to deny them with a simple SMTP message... the bounce message may be sent to the original sender_address by the remote MTA, not my server. So my rule in the ACLs....
#**##########################################################################
#**# DO NOT ALLOW BOUNCE MESSAGES FOR RECIPIENT ERRORS (sometimes sender_address does not exist, either)
#**# (if the recipient does not exist, simply deny without bouncing the message. The bounce message would be sent by
#**# the remote MTA) (( overloads and 30000 emails in the spooler tails for this stupid bouncing problem.. ))
#**##########################################################################
deny message = RECIPIENT error: destination mail address does not exists around here.
     log_message = RECIPIENT error: destination mail address does not exists around here.
     !authenticated = *
     !verify = recipient
So yesterday, we were trying to implement this approach (that the OP posted) on another server, WHM with CentOS 6.7 as well, the host on this one is LiquidWeb... same problem, it does NOT execute the discard of the bounce... contacted support, they tried to implement it for 1.5 hours with the exact steps outlined in this thread and they could not get it done either... Any idea why this is not working? Thanks. - Mike
I think we finally got this working... we had to reboot the server, just restarting Exim and spamd did not do anything... we're on a VPS, not on our own private box, so that may be the difference... we're finally now seeing the custom fail text message in the Exim mainlog... so, I have 2 remaining questions:
(1) can somebody please explain the difference between this approach (implementing the custom bounce code from Farhad) and simply using a blackhole for a given account? As far as I understand it (please correct where wrong!), a blackhole will send all invalid emails to /dev/null, basically deleting them... this custom code discards invalid emails as well, but it writes a custom fail text message in the exim mainlog... so is the only difference compared to a blackhole approach the custom fail text message in the exim mainlog?
(2) can somebody (who has experience coding exim filters) please explain the first IF condition of the code...
if $sender_address is ""
to me, when I read it, it means if the variable $sender_address is empty (not null, but empty), then proceed with the second if condition... that in turn would mean that only invalid email that has an empty sender address would be processed by this code... but we would like all invalid email to be processed by this code... am I correct or am I misinterpreting the condition...? Thanks. - M
Hello :) Have you considered simply configuring a temporary blackhole during the Exim attack? Thank you.
Hi cPanelMichael, I did set that up, but obviously we need a permanent solution, so since I don't know how to dynamically identify an "Exim attack" when it happens, I thought implementing this code would serve as a permanent solution... Given your expertise, could you please answer the 2 questions from my last post: (1) what is the difference between this solution and a blackhole? (2) could u explain the conditional logic of line 1 of the code? Thanks! - M
Choosing a "blackhole" deletes incoming messages to non-existing email accounts without a failure notice. No bounce message is sent. You simply choose the "Discard" option as documented at: Default Address - Documentation - cPanel Documentation. Could you clarify what additional actions you want to occur that require the custom filter rule? Thank you.
Hi Michael, well, I'm not sure if there are additional actions that I need at the moment... but when googling for a solution to this particular problem, people refer to this custom Exim filter solution, which was also what the OP used... Why don't these people just set up a blackhole? What is the "advantage" of the custom filter solution? Thanks. - M
Why don't these people just set up a blackhole? What is the "advantage" of the custom filter solution?
I believe the purpose of this is to alert the sender that their message was not delivered. Thank you.
I believe the purpose of this is to alert the sender that their message was not delivered. Thank you.
Okay, if I understand you correctly, you mean that this code is used to send the original sender of the email an undeliverable message? That is exactly what this code is supposed to stop: the code suppresses all bounce emails and logs a message into the exim logs. This is used to prevent bouncing spam off our servers. The question remains (as a few peeps have set this up over the years, u will find when googling) why these users did not simply use a blackhole? I'm sure there is something that I'm missing that is worth the effort of setting up this code... (?!) - M
You can simply use the "blackhole" option in your case. The following post explains why some users require additional configurations: Disable bounce messages in exim Thank you.
@ cPanelMichael: Naturally I read that post and the included link before I made my first post here in this thread... it is still not clear what could be a reason or what is an example of going the custom filter route over the blackhole... (?) I've asked now a few times, repeatedly, directly, but ur answers are either very broad or cryptic... and no, the post u refer to does NOT explain why some users may require additional configurations.... it simply deals with implementing the code properly. Again: all of the posts, including the post by the OP as well as Farhad's page (farhad.ca/2006/07/27/how-to-disable-delayed-bounce-back-messages-in-exim/) deal with "How to disable delayed bounce back messages in exim" and the title of this very thread is "Disable bounce messages in exim". Since this can be achieved via a blackhole, why fiddle with a custom exim filter? There's gotta be a reason if quite a few people do it and Farhad himself used that route... Why do u keep recommending to temporarily set up a blackhole (until the filter works), when that is actually a long term solution? A direct, to the point answer to this simple question is appreciated. Thanks.
Thank you for taking the time to seek additional clarification. It's advised as a temporary solution because the original request was to address an attack on Exim. Attacks often only last for a period of time, thus it's advised as a temporary solution until the Exim attack stops and a blackhole setting is no longer required. The third-party URL, and what some of the users on this thread found helpful, was the ability to adjust the filter so the message was bounced to an email address of their choosing instead of bouncing it to the remote mail server where the email address is hosted. This way, they can see all of the bounces that are occurring, without bouncing them to the sender and ending up blacklisted for backscatter SPAM. Thank you.
@ cPanelMichael: so u're saying these peeps set up this custom filter instead of using the "catch all" solution, so they can forward the spam bounce messages to an external / foreign email address compared to a server side system address in the "catch all" configuration? If so, then that would eat into your daily relay limit quite a bit if one is forwarding 20,000 spam bounces daily to a personal gmail address... and then gmail / Google will still consider your server to be sending spam and take appropriate actions... I don't seem to understand your point or the reason why to implement the custom filter... Thanks.
so u're saying these peeps set up this custom filter instead of using the "catch all" solution, so they can forward the spam bounce messages to an external / foreign email address compared to a server side system address in the "catch all" configuration ?
I believe some of the users utilized a local email address, but I'll leave this thread open for the other users to add feedback about why they chose that specific method. Thank you.