ConfigServer Community Forum

This is a cross post. Also on cPanel forum.

I use Mailscanner with the configerver front end. Accounts are set up with a default mail address of :fail:
Yet someone with a lot of IP addresses is mailbombing an account on my box with thousands of emails addressed to nonexistent mailboxes on that account and the mail is not being :fail:ed (rejected) but accepted, not scanned, and bounced. Since the return addresses are mostly gmail accounts (which also don't exist) gmail rejects it as spam and blocks my server.

I have examined the settings carefully and cannot see how this could be happening. Most of the email has a subject something like
"Environmental representative needed" or words to that effect (they vary)
Banning IP addresses only works until they switch to another one.

Given the way :fail: is supposed to work, I don't see how these are getting in.

Moreover, I went into mailwatch and selected many of these, then marked them as spam. This had no effect. The system said they were being checked for tokens, but the next batch of such messages came in also without apparently being checked. MailScanner says it is running, and other messages are indeed being scored and pink, red, or black listed appropriately, but not these. The DC said outgoing messages were not being scanned and that they had set that setting, yet it was (apparently, according to the MSFE) already set. Moreover, these messages are incoming, not outgoing.

Is anyone else seeing this? Surely if must be more widespread than just my box. At the h=eight of the attacks I was getting over 10 000 messages like this a day, all with fake gmail or google.com return addresses. Many (perhaps all, I haven't checked) say the domain lookup has failed. At the suggestion of the DC I instituted mandatory DKIM checks, and thius seemed to reduce the problem, but in the last couple of days it is heating up again.

Any suggestions from mail experts?

Rick

Try to ban by "subject" or "email content", to do that you can use MCP, that is very effective. Doing this, MailScanner will block all the emails that comes with what you specify on the MCP rules.

Sergio

I looked up MCP, enabled it and put in some rules with a delete option for high scores. The offending mail is now being bluelisted. Does this mean it is rejected as :fail: would do without entering the system, or is it just bounced (the problem then continues)?

If it is light blue, the email is sent to the destinatary, if it is blue (darker) it means that the email was deleted at your server side, no email is sent to the other party. This way you will be discarding all the emails that triggers your rules.

Ah, good. After watching a while that seemed to be what was happening. I gave the key catch phrases scores of 20 and set the delete threshold lower than that, so I got only the dark blue.

However, I sense this is a temporary fix, as was enabling and requiring DKIM checking last week, for the bomber has an endless supply of slightly differently worded emails, fake addresses, and body wording. I have high-scored some 13 unique phrases, subject matters, and a group of addresses in the message body for the "real" response to the spammer.

What all these messages have in common is that they fail reverse DNS lookup. I've looked around, and found ACL content to drop the connection on such a failure, though it is not clear where such content is best put in the config file. OTOH, I see opinions expressed that this test has too many false positives and is therefore not worth doing. What is the opinion here on these counts?
- such an acl worth it
if so
- best text for same to ensure a drop
- where does the test go in the exim congig file, exactly, and is a setting needed as well (I've done ACLs on earlier versions of Exim, but this one seems quite different, or at least the cpanel interface to it is very different.)
if not
- any other suggestions?

The DC (very big one), BTW, says they haven't seen this kind of attack before. But this is a large and sophisticated operation, and it can't have been set up to attack one account on an obscure server like mine. Moreover, it seems somehow a little pointless, as the only effect is to get my server banned by gmail, to whom the bounces go. (OK, maybe that was the whole point, but the thing has the bad flavour of either (and if there is one thing I can smell it is rot):
- graffitti on a bathroom wall that just has to be painted over every time it appears
or
- a dress rehearsal for a really big bot net attack on one or more major operations.

I've got a bad feeling about this, as I suspect the latter, and that someone is in for big time troubles. These guys had no trouble sending 125K messages my way from dozens of IP addresses, with thousands of fake To and From and ReplyTo addresses, and dozens of slightly different text content. With the kind of horsepower apparently behind this, they could easily send hundreds of millions.

Rick

Oh, and one more thing. Suppose I wanted to prevent bounces from going out to a specific domain, such as gmail.com. How and where would I write and place a rule for that?
Rick

You said that the emails comes from different IPs, have you checked those IPs against RBLs? If so, what RBLs are these IPs on? Have you tried to add the RBLs to exim?

Sergio

My scanner already does such checking. The ones that get in have passed those checks. I added about 20 IPs to my block list without noticaeable effect, as they switch to a new one ever few hundred messages or so. IP address is blocking correctly, but that strategy alone was not enough. It is possible of course that the IPs were also faked. I THINK one reason the messages got in was because the faked TO was the same as the faked FROM, even though both were different from the faked ReplyTo.

MailsScanner is one thing and using an RBL at exim side is more effective, that is why I am asking if you have checked that IPs. If you haven't done it yet, get one IP and check that at www.mxtoolbox.com using the black list option, open your EXIM and add the RBL to EXIM, that is more efficient that using MailScanner. In my servers I use RBLs from Barracuda, CBL, UCEProtect, PSBL and the ones that are already set spamcom and spamhaus.

Knowing what RBLs are those IPs hitting will help you a lot.

Sergio

I actually banned some of those IP addresses in the firewall. I checked a few against the site you suggest and they were not blacklisted. I suspect they were faked.

I wonder if I could write some rules for acls or for spamAssasson that would catch

from = to and replyto contains google.com or gmail
from = local domain and reply contains gmail or google.com
from contains more than one sender

Not a lot around on the syntax other than scattered examples that don't seem to address these issues.

Rick