Full Version: Mail Bomb Help?
The Planet Forums > Control Panels > cPanel/WHM
tbenoit
I just picked up a new client (woo hoo!). He mentions today that he's been mail-bombed in the past.

Well, it's happening again.

Someone, somewhere in the world is sending emails to his domain using some type of algorithm to auto-generate user accounts.

I use both APF and SNORT.

However, the IP Addresses and Email Accounts appear to be spoofed as I haven't seen the same "From" email account nor the same "IP Address" in the message headers.

I'm running the latest STABLE cPanel (8.4.0-S92). Exim is at v4.24.

Any assistance is greatly appreciated. It's killing the server and (obviously) affecting all of my other clients on the same server.
tbenoit
Here are headers from 3 of the emails if they help explain the problem.

I've received THOUSANDS of these in a very short amount of time...


==================
ONE EMAIL HEADER
==================
Return-path:
Received: from [24.217.242.80] (helo=fl3-24.217.242.80.charter-stl.com)
by XXXXXXXXXXX.com with smtp (Exim 4.24)
id 1A5uCh-0006M9-0Z; Sat, 04 Oct 2003 16:44:43 -0500
Received: from [38.224.67.130]
by fl3-24.217.242.80.charter-stl.com with ESMTP id <099887-83271>;
Sat, 04 Oct 2003 15:35:32 -0700
Message-ID:
From: "Maxwell Muller"
Reply-To: "Maxwell Muller"
To: aaaak@MYCLIENTDOMAIN.com


==================
ANOTHER EMAIL HEADER
==================
Return-path:
Received: from [67.9.54.108] (helo=cpe-67-9-54-108.sw.rr.com)
by XXXXXXXXXXX.com with smtp (Exim 4.24)
id 1A5uCg-0006IS-VQ; Sat, 04 Oct 2003 16:44:43 -0500
Received: from [246.112.104.247] by cpe-67-9-54-108.sw.rr.com SMTP id YJNYIzUp7SaCWv; Sat, 04 Oct 2003 23:40:32 +0100
Message-ID: <8767rb93-659fjo@jtsx.ikabrr>
From: "Jonas Kendall"
Reply-To: "Jonas Kendall"
To: aaabg@MYCLIENTDOMAIN.com


==================
ANOTHER EMAIL HEADER
==================
Return-path:
Received: from [24.162.47.242] (helo=cs2416247-242.houston.rr.com)
by XXXXXXXXXXX.com with smtp (Exim 4.24)
id 1A5uCo-0006W5-O0; Sat, 04 Oct 2003 16:44:50 -0500
Received: from [218.249.221.55] by cs2416247-242.houston.rr.com id <6739559-83008>; Sat, 04 Oct 2003 23:44:40 +0100
Message-ID: <9-58$-wzpw2$$2y@ljy85m>
From: "Enid Ziegler"
Reply-To: "Enid Ziegler"
To: aaadk@MYCLIENTDOMAIN.com
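The headers above carry one fact you can rely on and several you cannot. Only the Received: line that the receiving server wrote itself (the one saying "by XXXXXXXXXXX.com with smtp (Exim 4.24)") identifies the host that actually connected; the Received: lines below it arrived as part of the message body and can claim any hop the sender likes. The following is an added example, not code from the thread: it parses the three posted headers (transcribed, with the blank Return-path/Message-ID headers omitted), extracts the trusted connecting IP, flags inner hops that cannot be real public addresses (Python's ipaddress module reports 246.112.104.247 as non-global because 240.0.0.0/4 is reserved), and checks whether the recipient local parts look like a generated sequence. OUR_HOST is the placeholder the poster used for his own server.

```python
"""Added example, not from the thread: read the Received: chain of the three
posted headers and separate what is trustworthy from what is not. Only the
Received: line that the receiving MTA wrote itself (the one saying
'by XXXXXXXXXXX.com with smtp (Exim 4.24)') identifies the real connecting
host; every Received: line below it arrived as part of the client's DATA and
can claim any hop it likes. The samples are transcribed from the thread with
the blank Return-path/Message-ID headers omitted."""
import ipaddress
import re
from email import message_from_string

OUR_HOST = "XXXXXXXXXXX.com"  # the placeholder the poster used for his own MX

SAMPLES = [
    "\n".join([
        "Received: from [24.217.242.80] (helo=fl3-24.217.242.80.charter-stl.com)",
        "\tby XXXXXXXXXXX.com with smtp (Exim 4.24)",
        "\tid 1A5uCh-0006M9-0Z; Sat, 04 Oct 2003 16:44:43 -0500",
        "Received: from [38.224.67.130]",
        "\tby fl3-24.217.242.80.charter-stl.com with ESMTP id <099887-83271>;",
        "\tSat, 04 Oct 2003 15:35:32 -0700",
        'From: "Maxwell Muller"',
        "To: aaaak@MYCLIENTDOMAIN.com",
        "",
    ]),
    "\n".join([
        "Received: from [67.9.54.108] (helo=cpe-67-9-54-108.sw.rr.com)",
        "\tby XXXXXXXXXXX.com with smtp (Exim 4.24)",
        "\tid 1A5uCg-0006IS-VQ; Sat, 04 Oct 2003 16:44:43 -0500",
        "Received: from [246.112.104.247] by cpe-67-9-54-108.sw.rr.com SMTP id YJNYIzUp7SaCWv; Sat, 04 Oct 2003 23:40:32 +0100",
        "Message-ID: <8767rb93-659fjo@jtsx.ikabrr>",
        'From: "Jonas Kendall"',
        "To: aaabg@MYCLIENTDOMAIN.com",
        "",
    ]),
    "\n".join([
        "Received: from [24.162.47.242] (helo=cs2416247-242.houston.rr.com)",
        "\tby XXXXXXXXXXX.com with smtp (Exim 4.24)",
        "\tid 1A5uCo-0006W5-O0; Sat, 04 Oct 2003 16:44:50 -0500",
        "Received: from [218.249.221.55] by cs2416247-242.houston.rr.com id <6739559-83008>; Sat, 04 Oct 2003 23:44:40 +0100",
        "Message-ID: <9-58$-wzpw2$$2y@ljy85m>",
        'From: "Enid Ziegler"',
        "To: aaadk@MYCLIENTDOMAIN.com",
        "",
    ]),
]

# One Received: clause: "from [ip] (helo=name) ... by host ..."
RECEIVED_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?:\s+\(helo=(?P<helo>[^)\s]+)\))?"
    r".*?\bby\s+(?P<by>[^\s;,]+)",
    re.S,
)


def analyze(raw_headers: str) -> dict:
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):  # newest (top) line first
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"ip": m["ip"], "helo": m["helo"], "by": m["by"]})
    # Trust hop 0 only if our own MTA wrote it; everything else is hearsay.
    trusted = hops[0] if hops and hops[0]["by"].lower() == OUR_HOST.lower() else None
    unverified = hops[1:] if trusted else hops
    # Addresses that cannot exist on the public Internet (e.g. 240.0.0.0/4)
    # prove the inner hop was fabricated rather than relayed.
    bogus = [h["ip"] for h in unverified if not ipaddress.ip_address(h["ip"]).is_global]
    return {
        "connecting_ip": trusted["ip"] if trusted else None,
        "connecting_helo": trusted["helo"] if trusted else None,
        "unverified_ips": [h["ip"] for h in unverified],
        "bogus_ips": bogus,
        "recipient_local_part": msg["To"].split("@")[0].strip().lower(),
    }


def looks_like_enumeration(local_parts) -> bool:
    """True when recipients are distinct, equal-length, all-lowercase-letter
    strings arriving in ascending order: a generated sequence, not a list
    of real users."""
    lp = list(local_parts)
    return (len(lp) >= 3 and len(set(lp)) == len(lp)
            and len({len(x) for x in lp}) == 1
            and all(x.isalpha() and x.islower() for x in lp)
            and lp == sorted(lp))


if __name__ == "__main__":
    results = [analyze(s) for s in SAMPLES]
    for r in results:
        print(r)
    print("enumeration:", looks_like_enumeration(r["recipient_local_part"] for r in results))
    print("distinct connecting hosts:", len({r["connecting_ip"] for r in results}))
```

The point for the firewall: the three trusted connecting addresses are all different, and their reverse names (charter-stl.com, sw.rr.com, houston.rr.com) are consumer broadband hosts, so per-IP blocking in APF will always be one step behind; the fake inner hops are what make the IPs "appear spoofed", and they should simply be ignored.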
amps
simple solution... disable catch all...

On my Ensim box I would further reduce the impact by forwarding the catch-all to site_blackhole (/dev/null) so nothing is bounced. I'm not sure how this is done on cPanel though...
tbenoit
We have done that, and it helps a bit.

However, the mail bomber is opening so many connections, so fast, from so many different places, that the mail server stops accepting new connections totally (even the good connections).
amps
Well then there's nothing much you can do...

other than remove the guy's domain from your server. Is he paying you top dollar to manage the security of his site as well as the impact his site has on the rest of your machine??

You are being DDoS attacked... not something I'd put up with for a single web hosting account.
aussie
QUOTE
Originally posted by tbenoit
We have done that, and it helps a bit.

However, the mail bomber is opening so many connections, so fast, from so many different places, that the mail server stops accepting new connections totally (even the good connections).


I don't know why people think there is not much you can do.

1) You need to reduce the max number of connections in exim.conf from 100 to 5. This will prevent them from opening 100 connections at once. So in /etc/exim.conf find these lines and change the following options;

Change;

smtp_connect_backlog = 50
smtp_accept_max = 100

to

smtp_connect_backlog = 3
smtp_accept_max = 5

Next, you should make the following modification to exim.conf

Find the following in /etc/exim.conf

accept domains = +local_domains
accept domains = +relay_domains

Comment these out;

# accept domains = +local_domains
# accept domains = +relay_domains

Immediately after the above two comments add this;

accept domains = +local_domains
endpass
message = unknown user
verify = recipient

# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

accept domains = +relay_domains
endpass
message = unrouteable address
verify = recipient

Save and restart exim!

In the domains control panel go to the default address field and add the following in the space provided;

:fail: no such address here!

That should fix the spammer up for a while. I see the msgs being delivered are being sent to non-existent users on his domain. The above modification will fix that and prevent those msgs from being delivered. It will immediately bounce and the msg will not be delivered. The modification restricts msgs from being delivered to non-existent email addresses. Try it. Let me know! Watch your exim_mainlog for all the msgs that get kicked back.
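Two practitioner notes on the procedure above, followed by an added configuration example that is not the thread's own config. First, smtp_accept_max = 5 caps the whole server, so the other customers on the box lose inbound mail along with the target; Exim 4 also has smtp_accept_max_per_host (one source gets at most N of the slots), smtp_accept_reserve together with smtp_reserve_hosts (slots kept back for hosts you name), and smtp_ratelimit_hosts/smtp_ratelimit_rcpt (delays inserted after a burst of RCPT commands), which throttle the flood without starving everyone else. Second, verify = recipient only rejects an address if routing it fails: a domain whose default address is a real mailbox or :blackhole: routes every local part successfully, so the bomb is still accepted, which is exactly why the default address must be :fail: (on cPanel the per-domain setting lives in /etc/valiases/<domain>). The option names below are real Exim 4 options; the values and the 192.0.2.0/24 "trusted relay" network are illustrative assumptions.

```exim
# Added example, not the thread's own config. Main-section options are real
# Exim 4 options; the values and 192.0.2.0/24 are illustrative assumptions.

# ---- before: the cPanel defaults quoted in the thread ----
# smtp_accept_max      = 100
# smtp_connect_backlog = 50
# ...and a RCPT ACL that accepts every +local_domains address unverified,
# so aaaak@client.example is accepted first and bounced afterwards.

# ---- after: throttle per source, keep capacity for everyone else ----
smtp_accept_max          = 100          # total slots: do not starve other clients
smtp_accept_max_per_host = 5            # any single source holds at most 5 of them
smtp_accept_reserve      = 10           # last 10 slots only for smtp_reserve_hosts
smtp_reserve_hosts       = 192.0.2.0/24 # assumed: your own relays / known-good MXs
smtp_connect_backlog     = 50
smtp_ratelimit_hosts     = !192.0.2.0/24  # slow down rapid-fire RCPTs from everyone else
smtp_ratelimit_rcpt      = 10,1s,1.5,30s  # after 10 RCPTs: 1s, then x1.5 each, max 30s

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Locally submitted mail (no remote host) is always accepted.
  accept  hosts = :

  # Local domains: accept only if the recipient actually routes.
  # With the domain's default address set to ":fail: ..." the catch-all
  # router fails unknown local parts, so verify = recipient rejects them
  # here, during the SMTP session, and nothing is queued or bounced.
  # With ":blackhole:" or a real catch-all mailbox this check passes.
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient

  accept  domains       = +relay_domains
          endpass
          message       = unrouteable address
          verify        = recipient

  accept  hosts         = +relay_hosts
  accept  authenticated = *

  deny    message       = relay not permitted
```

To check the result without sending real mail: exim -bV confirms the configuration parses, exim -bt aaaak@client.example shows whether the address routes or fails, and exim -bh 198.51.100.7 runs a fake inbound SMTP session from that address in which you can type HELO, MAIL FROM and RCPT TO and should see a 550 "unknown user" at the RCPT stage.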
tbenoit
Amps: I figured as much. I'm persistent, though. Gotta keep trying, but figured there may not be much, if anything, I can do about it.


Thanks for the help, Aussie.

Before I implement, I have some questions, if you will bear with me (here's where I show my newness to Exim):

I assume that if I reduce the number of connections, then I'd still not be able to take email for my other clients. Bummer.....

I believe I have Exim already set up to verify the recipient (the exim_mainlog was showing the following):

2003-10-04 16:43:18 1A5uBJ-00056h-Mr ** aaasz@MYCLIENTDOMAIN.com R=virtual_aliases: no such address exists please check to see if you entered the correct email address.

What would those "accept domains" modifications do other than verify the recipient?

All of the emails were already being bounced back to the "sender". Of course, the sender's email address was changing as much as the sending IP Address. This made my mail queue well into the thousands of emails that were trying to be sent back. Once my client switched it to "black hole", no bounced emails, and the system load was within tolerable limits.

But, we were still receiving the email attempts.

I very much appreciate the time/effort you are taking to help me out, and explain it to me.


Last night, we had him move to a new domain name (he was going to anyway, but this just sped up the process). We then modified the MX record of his bombed domain to be 127.0.0.1, thus causing a backup of email on the mail bomber's PC/Server.

An interesting thing about all this: all of the messages I looked at were for "Reducing SPAM" (yes, the subjects changed frequently as well... smart bomber).
d3nnis
QUOTE
Originally posted by amps
simple solution... disable catch all...

On my Ensim box I would further reduce the impact by forwarding the catch-all to site_blackhole (/dev/null) so nothing is bounced. I'm not sure how this is done on cPanel though...


Hmm, does anyone know how to use this catch-all thing in cPanel?
aussie
QUOTE
Originally posted by tbenoit

What would those "accept domains" modifications do other than verify the recipient?

All of the emails were already being bounced back to the "sender". Of course, the sender's email address was changing as much as the sending IP Address. This made my mail queue well into the thousands of emails that were trying to be sent back. Once my client switched it to "black hole", no bounced emails, and the system load was within tolerable limits.


Just make the modification please. After you make the modification, clean out the queue so there are no msgs left in there. My modification will not allow the msg to come in at all, so there will be ZERO msgs in the queue. Unlike what cPanel is doing, which is really flawed. Listen, I just made a similar mod on a guy who's being bombed by over 100,000 msgs a day and every one of them is being kept out of the queue. The number of connections is fine. You don't need 100 connections unless you have thousands of msgs coming to your local users.
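The difference the two posters are arguing about is visible in exim_mainlog. A "**" line with R=virtual_aliases (the line quoted earlier in the thread) means Exim accepted the message, failed to route it afterwards, and queued a bounce to the forged sender, which is why the queue ran into the thousands; a "rejected RCPT" line means the RCPT ACL's verify = recipient refused the address during the SMTP session and nothing was ever queued. The following is an added example, not code from the thread: it reads a constructed log in Exim 4 mainlog format (the first line is the real one the original poster quoted; all other hosts, IPs, senders and message ids are made up), counts both kinds of event, and reports which domains are receiving a dictionary of invalid local parts and from which sources.

```python
"""Added example, not from the thread: summarise exim_mainlog to show the
difference the RCPT-time change makes. A '**' line with R=virtual_aliases
means Exim accepted the message, failed to route it afterwards and queued a
bounce to the (forged) sender; a 'rejected RCPT' line means the ACL's
verify = recipient refused the address during the SMTP session and nothing
was queued. The log below is constructed in Exim 4 mainlog format; the first
line is the one the original poster quoted, the rest (hosts, IPs, senders,
message ids) are made up."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2003-10-04 16:43:18 1A5uBJ-00056h-Mr ** aaasz@MYCLIENTDOMAIN.com R=virtual_aliases: no such address exists please check to see if you entered the correct email address.
2003-10-04 16:43:19 1A5uBK-00056j-Qa ** aaata@MYCLIENTDOMAIN.com R=virtual_aliases: no such address exists please check to see if you entered the correct email address.
2003-10-04 16:43:19 1A5uBL-00056m-Rb ** aaatb@MYCLIENTDOMAIN.com R=virtual_aliases: no such address exists please check to see if you entered the correct email address.
2003-10-05 09:12:01 H=cs2416247-242.houston.rr.com [24.162.47.242] F=<enid@example.net> rejected RCPT <aaadk@MYCLIENTDOMAIN.com>: unknown user
2003-10-05 09:12:02 H=cpe-67-9-54-108.sw.rr.com [67.9.54.108] F=<jonas@example.net> rejected RCPT <aaabg@MYCLIENTDOMAIN.com>: unknown user
2003-10-05 09:12:02 H=cs2416247-242.houston.rr.com [24.162.47.242] F=<enid@example.net> rejected RCPT <aaadl@MYCLIENTDOMAIN.com>: unknown user
2003-10-05 09:12:03 H=fl3-24.217.242.80.charter-stl.com [24.217.242.80] F=<maxwell@example.net> rejected RCPT <aaaak@MYCLIENTDOMAIN.com>: unknown user
2003-10-05 09:12:04 H=mail.example.org [192.0.2.10] F=<bob@example.org> rejected RCPT <typo@otherclient.example>: unknown user
2003-10-05 09:12:05 1A6BxY-0001aB-Kz <= bob@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1840
2003-10-05 09:12:05 1A6BxY-0001aB-Kz => alice <alice@otherclient.example> R=virtual_user T=virtual_userdelivery
2003-10-05 09:12:05 1A6BxY-0001aB-Kz Completed
2003-10-05 09:12:09 1A6Bxc-0001aF-Lm <= carol@example.com H=mx.example.com [192.0.2.20] P=esmtp S=2210
"""

# Accepted, then failed at delivery time: a bounce went into the queue.
BOUNCE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) \*\* (?P<rcpt>\S+@\S+) R=(?P<router>\w+):")
# Refused by the RCPT ACL during the SMTP session: nothing queued.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[\d.]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<msg>.*)$")
# Message accepted for a (presumably real) recipient.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[\d.]+)\]")


def summarize(lines):
    s = {
        "accepted": 0,
        "bounced_after_accept": 0,   # each of these also cost an outbound bounce
        "rejected_at_rcpt": 0,       # each of these cost one SMTP reply and nothing else
        "invalid_localparts_by_domain": defaultdict(set),
        "rejects_by_ip": Counter(),
    }
    for line in lines:
        if m := BOUNCE_RE.match(line):
            s["bounced_after_accept"] += 1
            lp, dom = m["rcpt"].lower().split("@", 1)
            s["invalid_localparts_by_domain"][dom].add(lp)
        elif m := REJECT_RE.match(line):
            s["rejected_at_rcpt"] += 1
            lp, dom = m["rcpt"].lower().split("@", 1)
            s["invalid_localparts_by_domain"][dom].add(lp)
            s["rejects_by_ip"][m["ip"]] += 1
        elif ACCEPT_RE.match(line):
            s["accepted"] += 1
    return s


def dictionary_attack_targets(summary, threshold=5):
    """Domains that received at least `threshold` distinct invalid local
    parts: a single typo is noise, a stream of aaaak/aaabg/aaadk is not."""
    return sorted(dom for dom, lps in summary["invalid_localparts_by_domain"].items()
                  if len(lps) >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("accepted:", s["accepted"])
    print("accepted then bounced (queue growth):", s["bounced_after_accept"])
    print("rejected at RCPT (never queued):", s["rejected_at_rcpt"])
    print("targets:", dictionary_attack_targets(s))
    print("busiest sources:", s["rejects_by_ip"].most_common(3))
```

Run against the real /var/log/exim_mainlog, the "accepted then bounced" count should drop to zero after the ACL change while "rejected at RCPT" takes over; if bounces keep appearing for a domain, its default address is still routing unknown local parts (a catch-all mailbox or :blackhole: rather than :fail:).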
Seeker
How do I use a similar solution on an Ensim server?

I have a user that is getting email in a similar fashion..

asdfasdf@domain.com, all coming from XXXXX ISP relay servers. Currently those mail servers are being blocked, but that is not a solution.

Thx


QUOTE
Originally posted by aussie
I don't know why people think there is not much you can do.

1) You need to reduce the max number of connections in exim.conf from 100 to 5. This will prevent them from opening 100 connections at once. So in /etc/exim.conf find these lines and change the following options;

Change;

smtp_connect_backlog = 50  
smtp_accept_max = 100  

to  

smtp_connect_backlog = 3  
smtp_accept_max = 5

Next, you should make the following modification to exim.conf

Find the following in /etc/exim.conf

accept  domains = +local_domains
accept  domains = +relay_domains  

Comment these out;

#  accept  domains = +local_domains
#  accept  domains = +relay_domains  

Immediately after the above two comments add this;

 accept  domains       = +local_domains
         endpass
         message       = unknown user
         verify        = recipient  
                     
 # Accept if the address is in a domain for which we are relaying, but again,
 # only if the recipient can be verified.
   
 accept  domains       = +relay_domains  
         endpass  
         message       = unrouteable address
         verify        = recipient  

Save and restart exim!

In the domains control panel go to the default address field and add the following in the space provided;

:fail: no such address here!


That should fix the spammer up for a while. I see the msgs being delivered are being sent to non-existent users on his domain. The above modification will fix that and prevent those msgs from being delivered. It will immediately bounce and the msg will not be delivered. The modification restricts msgs from being delivered to non-existent email addresses. Try it. Let me know! Watch your exim_mainlog for all the msgs that get kicked back.
aussie
Sad to see that this guy never replied with the results. Maybe I should forget about trying to help people if they can't be bothered to get back to me on whether it worked or not.
d3nnis
QUOTE
Originally posted by aussie
Sad to see that this guy never replied with the results. Maybe I should forget about trying to help people if they can't be bothered to get back to me on whether it worked or not.


Hi aussie, how do I disable catch-all? You see, I am getting sick of receiving invalid emails sent to my domain...
aussie
QUOTE
Originally posted by d3nnis
Hi aussie, how do I disable catch-all? You see, I am getting sick of receiving invalid emails sent to my domain...


Follow this to the T!

Next, you should make the following modification to exim.conf

Find the following in /etc/exim.conf

accept domains = +local_domains
accept domains = +relay_domains

Comment these out;

# accept domains = +local_domains
# accept domains = +relay_domains

Immediately after the above two comments add this;

accept domains = +local_domains
endpass
message = unknown user
verify = recipient

# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

accept domains = +relay_domains
endpass
message = unrouteable address
verify = recipient

Save and restart exim!

In the domains control panel go to the default address field and add the following in the space provided;

:fail: no such address here!
tbenoit
QUOTE
Originally posted by aussie
Sad to see that this guy never replied with the results. Maybe I should forget about trying to help people if they can't be bothered to get back to me on whether it worked or not.


Keep trying to help people, dude. I've found many of your posts helpful.

I just haven't implemented this yet. Of course, the issue has stopped, although I would have implemented it.

I'm guessing our MX Record change for this old domain had a "positive" effect.

I have no results to state (since it stopped within a few hours of our MX Record change), otherwise I would have said something.

My apologies...I should have at least said it stopped before the changes were made.
AusJeff
Hi Aussie,

Thanks for the how-to, it has stopped one that started coming through :-)

However since adding it, I now get Exim failed on server.xyz failed about every 1 or 2.

One thing I did notice was 'accept domains' had 2 spaces between the words. Wonder if that has anything to do with it?

Thanks.
d3nnis
QUOTE
Originally posted by aussie

In the domains control panel go to the default address field and add the following in the space provided;

:fail: no such address here!


Hi aussie, I don't understand this part... where do I change it? WHM or cPanel?
aussie
QUOTE
Originally posted by d3nnis
Hi aussie, I don't understand this part... where do I change it? WHM or cPanel?


The X or X2 control panel, under DEFAULT ADDRESS!
d3nnis
QUOTE
Originally posted by aussie
The X or X2 control panel, under DEFAULT ADDRESS!


Do I have to change it for all the users? I mean, I have a few users hosted with me using my cPanel... is there a way around this?
kris1351
Aussie-

Cpanel should pay you for making their crap work correctly. Thank you again for another great guide.
dirtyoldman
QUOTE
Originally posted by aussie
Follow this to the T!

Next, you should make the following modification to exim.conf

Find the following in /etc/exim.conf

accept domains = +local_domains
accept domains = +relay_domains  

Comment these out;

# accept domains = +local_domains
# accept domains = +relay_domains  

Immediately after the above two comments add this;

accept domains = +local_domains
endpass
message = unknown user
verify = recipient  

# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

accept domains = +relay_domains  
endpass  
message = unrouteable address
verify = recipient  

Save and restart exim!

In the domains control panel go to the default address field and add the following in the space provided;

:fail: no such address here!



Fantastic!!!

With this and SpamAssassin on the server and SpamBayes on my desktop, spam has gone from 500+/day to 1 or 2.

Thank you, Aussie!
Invision Power Board © 2001-2009 Invision Power Services, Inc.