Blacklisted because of quota bounce messages

Kiekeboe100 (Verified User, joined Apr 19, 2008, 146 messages, Belgium)
Hi,

My server got blacklisted today.
I couldn't find any malware / users / scripts that were spamming.

I did notice that my mail queue was full of outgoing bounce messages to a lot of non-existing mail addresses.
Bounce messages stating that the user's mailbox was full.

I updated yesterday to the latest dovecot and ESF version.
So I'm not sure whether this is an issue with the latest version, or whether the user's mailbox only got full today (I think it has always been full).

regards,
Stijn
 
Hello Stijn,

Update:

/etc/exim.variables.conf.custom

Code:
bounce_return_message = false
bounce_return_body = false

and update exim.conf with:

(Make sure to create backups of files matching the /etc/exim* as they will be overwritten if you follow the guide further)

Code:
cd /usr/local/directadmin/custombuild/
./build update
./build set eximconf yes
./build eximconf

With this you configure Exim to exclude the original (spammy) message from the bounce, in order to reduce the chances of getting blacklisted by other mail servers, as they might think that you are spamming them.

Of course you need to apply extra steps to remove your IPs from blacklists.
 
Andrea,

Correct me if I'm wrong: message = header + body

bounce_return_body: include body if returning message

This option controls whether the body of an incoming message is included in a bounce message when bounce_return_message is true. The default setting causes the entire message, both header and body, to be returned (subject to the value of bounce_return_size_limit). If this option is false, only the message header is included. In the case of a non-SMTP message containing an error that is detected during reception, only those header lines preceding the point at which the error was detected are returned.

bounce_return_message: include original message in bounce

If this option is set false, none of the original message is included in bounce messages generated by Exim. See also bounce_return_size_limit and bounce_return_body.

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html


Thus probably using bounce_return_message=false alone would be sufficient.
 
I get the point and you may be right. What confuses me is that once you set bounce_return_message to false, it shouldn't send back the header or the body, so in that case bounce_return_body is pointless because it is already excluded by the other option.

Maybe it would be better (for bounce-spam prevention purposes) to set:
bounce_return_message=true
bounce_return_body=false

So just the header will be included in the bounce messages.

Does it make sense to you?

Best regards
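The three option combinations being debated in this post and the previous ones follow directly from the two option descriptions quoted from the Exim spec. The checker below is an added example, not code from this thread, from DirectAdmin or from Exim: it reads the "key = value" lines you would put in /etc/exim.variables.conf.custom, honours Exim's boolean spellings (true/false, yes/no, a bare option name, and the no_/not_ negated forms), fills in Exim's documented defaults, and reports what a generated bounce will carry. The snippets it is run on are constructed.

```python
"""What an Exim bounce will carry, given a set of main-section options.

Added example (not from this thread or from DirectAdmin/Exim). Rules, per
the option descriptions quoted from the Exim spec:
  bounce_return_message = false                  -> none of the original
  bounce_return_message = true, ..._body = false -> headers only
  both true (the defaults)                       -> headers and body, capped
                                                    by bounce_return_size_limit
"""
import re

# Exim defaults for the three options involved (from the Exim specification).
DEFAULTS = {
    "bounce_return_message": True,
    "bounce_return_body": True,
    "bounce_return_size_limit": "100K",
}

OPTION_RE = re.compile(r"^(?P<key>[a-z0-9_]+)\s*(?:=\s*(?P<value>.*?))?$")


def parse_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in ("true", "yes"):
        return True
    if v in ("false", "no"):
        return False
    raise ValueError(f"not an Exim boolean: {value!r}")


def parse_options(config_text: str) -> dict:
    """Return the bounce-related options that are explicitly set in the text."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        negated = False                           # "no_foo" / "not_foo" forms
        for prefix in ("no_", "not_"):
            if key.startswith(prefix) and key[len(prefix):] in DEFAULTS:
                key, negated = key[len(prefix):], True
                break
        if key not in DEFAULTS:
            continue                              # some other option; ignore
        if key == "bounce_return_size_limit":
            if value is not None:
                found[key] = value.strip()
        elif value is None:
            found[key] = not negated              # bare "foo" means true
        else:
            found[key] = parse_bool(value)
    return found


def effective_bounce_content(config_text: str) -> str:
    """'none', 'headers', or 'headers+body (up to <limit>)'."""
    opts = {**DEFAULTS, **parse_options(config_text)}
    if not opts["bounce_return_message"]:
        return "none"                 # bounce_return_body is irrelevant here
    if not opts["bounce_return_body"]:
        return "headers"
    return f"headers+body (up to {opts['bounce_return_size_limit']})"


if __name__ == "__main__":
    # Constructed snippets matching the settings discussed in the thread.
    for label, snippet in [
        ("both false", "bounce_return_message = false\nbounce_return_body = false"),
        ("headers only", "bounce_return_message = true\nbounce_return_body = false"),
        ("negated form", "no_bounce_return_body"),
        ("defaults", "# nothing set"),
    ]:
        print(f"{label:13s}: {effective_bounce_content(snippet)}")
```

Running it shows why the two posts above are both right: with bounce_return_message=false the body option never matters, and bounce_return_message=true plus bounce_return_body=false is the combination that keeps the headers for debugging while leaving the spam body out of the bounce.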
 
That's OK if you need to send headers. But will spammers ever read them? So I disable both, at least on my server.

With regards, Alex.
 
For sure spammers will not, but it's useful to debug when customers say they are not receiving emails :)

Best regards
 
Hi Alex, Andrea,

I've been trying a bit more.

I found a problem with my bounce messages not being signed. This was because the hostname DNS zone was removed, and because I had added DKIM, SPF and DMARC entries on the main domain. This caused Gmail not to accept my bounce messages.

After this was resolved, I could test both exim conf options above.
It seems to me that only bounce_return_body = false changes the bounce message format. When I added this value the headers from the original email were added as an attachment to the bounce message.
The other option didn't seem to make any changes, neither by itself nor when added together with the other option.

Any chance one of you could try these options too?

For my blacklist problem, I think there was a surge in spam that day, and in combination with the non-authenticated bounce messages sent in reply to all those spam messages, this could have triggered the Spamhaus CBL blacklist.
I did see more spam messages being delivered to my inbox that day than before and now.

thanks,
Stijn
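The pattern described in this post, spam to an over-quota mailbox turning into bounces to forged sender addresses that then fail themselves, leaves a recognisable trail in the Exim mainlog. The scan below is an added example, not from this thread or from DirectAdmin: the embedded log lines are constructed to approximate Exim's mainlog layout ("<timestamp> <message-id> <= sender ..." on arrival, "<timestamp> <message-id> ** recipient ...: error" on a failed delivery, and a generated bounce arriving with the null sender "<>" plus an R= reference to the original message). Real logs vary with log_selector, so the regex is a starting point rather than a parser for every installation.

```python
"""Backscatter spot-check over Exim mainlog lines (added example, not from
the thread). Counts over-quota delivery failures, which sender domains will
receive the resulting bounces, and how many of those bounces were themselves
undeliverable, the classic sign that the sender addresses were forged."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) "
    r"(?P<op><=|\*\*) (?P<rest>.*)$"
)

# Constructed sample approximating Exim mainlog output; addresses and IPs are
# documentation values, not real hosts.
SAMPLE_LOG = """\
2023-05-10 09:00:01 1pwAbc-0001A1-Xy <= forged1@victim.example H=mx.bad.example [203.0.113.5] P=esmtp S=2048
2023-05-10 09:00:01 1pwAbc-0001A1-Xy ** fulluser@customer.example R=dovecot_lmtp T=dovecot_lmtp_delivery: SMTP error from remote mail server after end of data: 552 5.2.2 <fulluser@customer.example> Quota exceeded (mailbox for user is full)
2023-05-10 09:00:02 1pwAbc-0001A2-Xy <= <> R=1pwAbc-0001A1-Xy U=mail P=local S=1500
2023-05-10 09:00:03 1pwAbc-0001A2-Xy ** forged1@victim.example R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<forged1@victim.example>: 550 5.1.1 User unknown
2023-05-10 09:01:07 1pwAbc-0001A3-Xy <= forged2@victim.example H=mx.bad.example [203.0.113.5] P=esmtp S=1990
2023-05-10 09:01:07 1pwAbc-0001A3-Xy ** fulluser@customer.example R=dovecot_lmtp T=dovecot_lmtp_delivery: SMTP error from remote mail server after end of data: 552 5.2.2 <fulluser@customer.example> Quota exceeded (mailbox for user is full)
2023-05-10 09:01:08 1pwAbc-0001A4-Xy <= <> R=1pwAbc-0001A3-Xy U=mail P=local S=1480
2023-05-10 09:01:09 1pwAbc-0001A4-Xy ** forged2@victim.example R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<forged2@victim.example>: 550 5.1.1 User unknown
2023-05-10 09:02:00 1pwAbc-0001A5-Xy <= alice@partner.example H=mail.partner.example [198.51.100.7] P=esmtps S=3000
2023-05-10 09:02:00 1pwAbc-0001A5-Xy ** fulluser@customer.example R=dovecot_lmtp T=dovecot_lmtp_delivery: SMTP error from remote mail server after end of data: 552 5.2.2 <fulluser@customer.example> Quota exceeded (mailbox for user is full)
2023-05-10 09:02:01 1pwAbc-0001A6-Xy <= <> R=1pwAbc-0001A5-Xy U=mail P=local S=1510
"""


def scan(lines):
    """Summarise over-quota failures and the bounces they cause."""
    sender_of = {}            # message id -> envelope sender
    quota_fail = Counter()    # over-quota local recipient -> failures
    bounce_to = Counter()     # sender domain that will get a bounce -> count
    dead_bounces = 0          # bounces Exim could not deliver (double bounces)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # delivery (=>) and other records are not needed
        mid, op, rest = m.group("id"), m.group("op"), m.group("rest")
        if op == "<=":
            sender_of[mid] = rest.split()[0]      # "<>" for a null sender
            continue
        recipient = rest.split()[0]
        sender = sender_of.get(mid, "?")
        if sender == "<>":
            dead_bounces += 1                     # our own bounce failed
        elif "quota" in rest.lower():
            quota_fail[recipient] += 1
            bounce_to[sender.rpartition("@")[2]] += 1
    return {
        "quota_failures": quota_fail,
        "bounces_to_domain": bounce_to,
        "undeliverable_bounces": dead_bounces,
    }


def backscatter_suspects(summary, min_bounces=2):
    """Domains we are bouncing to repeatedly; with undeliverable bounces in the
    same window this is the backscatter signature worth acting on."""
    return sorted(d for d, n in summary["bounces_to_domain"].items()
                  if n >= min_bounces)


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print("suspects:", backscatter_suspects(result))
```

Feed it the lines of your real mainlog instead of SAMPLE_LOG. A mailbox that shows up in quota_failures dozens of times while undeliverable_bounces climbs is exactly the situation the earlier posts are trying to defuse: either stop including the original message in the bounce, or avoid generating the bounce at all.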
 
Why not reject messages to over-quota email accounts at SMTP time, to avoid this problem altogether?
 