Email Spoofing / Bounce messages

webspacez (Verified User, joined Apr 29, 2020, 8 messages)
I have a client on my server who is getting 300-plus bounce emails. The spam filter does not stop the domains or keywords and DKIM/SPF are all set properly, but the only way I can stop them now is to add the sender IP to my firewall. I was hoping that it would stop eventually, but it is now going on for months. I have read to add <> to the config, but this will stop all bounces on the whole server. There must be a solution, but my sysadmin says not. Below is one of the headers as reference. I hope I have posted this in the correct forum as I am new here (not to DA). Can't paste the header; it marks it as SPAM.
 
Here is the header; I replaced her email with herdomain.nl. I hope someone has a genius solution because until now I have not been able to solve it.

Code:
Return-Path: <>
Delivered-To: [email protected]
Received: from web01.webspacez.net
    by web01.webspacez.net with LMTP
    id g9l7K90Mql697wIAh/S+tg
    (envelope-from <>)
    for <[email protected]>; Thu, 30 Apr 2020 01:25:17 +0200
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Thu, 30 Apr 2020 01:25:17 +0200
Received: from mail.wbgdns.net ([209.182.204.195])
    by web01.webspacez.net with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93.0.4)
    id 1jTw4o-000oRe-8g
    for [email protected]; Thu, 30 Apr 2020 01:25:17 +0200
Received: from mailnull by mail.wbgdns.net with local (Exim 4.93)
    id 1jTw4Z-0003jf-Q8
    for [email protected]; Wed, 29 Apr 2020 19:25:10 -0400
X-Failed-Recipients: [email protected],
  [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Content-Type: multipart/report; report-type=delivery-status; boundary=1588202699-eximdsn-1804289383
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Wed, 29 Apr 2020 19:24:59 -0400
X-OutGoing-Spam-Status: No, score=4.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.wbgdns.net
X-AntiAbuse: Original Domain - herdomain.nl
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: mail.wbgdns.net: sender_ident via received_protocol == local: mailnull/primary_hostname/system user
X-Authenticated-Sender: mail.wbgdns.net: mailnull
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 209.182.204.195, -10 Spam score
X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software, running on the system "web01.webspacez.net",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  This message was created automatically by mail delivery software.
    A message that you sent could not be delivered to one or more of its recipients.
    This is a permanent error. The following address(es) failed:
 
 Content analysis details:   (0.0 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: redd.it]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  0.0 HTML_IMAGE_ONLY_32     BODY: HTML: images with 2800-3200 bytes of
                             words
  0.0 HTML_MESSAGE           BODY: HTML opgenomen in het bericht
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML tekstkleur lijkt er op de
                             achtergrondkleur
 
 Spam detectie software op het systeem "web01.webspacez.net", heeft dit bericht
 als mogelijke spam aangemerkt. Het originele bericht is bijgevoegd als
 bijlage bij dit bericht zodat u het kunt bekijken (als het geen spam is)
 of soortgelijke toekomstige berichten blokkeren. Zie the administrator of that system
 voor meer details
 
 Gedeelte van de inhoud:  This message was created automatically by mail delivery software.
    A message that you sent could not be delivered to one or more of its recipients.
    This is a permanent error. The following address(es) failed:
 
 Analyse details:   (0.0 punten, 5.0 vereist)
 
  pnt regel naam             omschrijving
 ---- ---------------------- -------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: redd.it]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  0.0 HTML_IMAGE_ONLY_32     BODY: HTML: images with 2800-3200 bytes of
                             words
  0.0 HTML_MESSAGE           BODY: HTML opgenomen in het bericht
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML tekstkleur lijkt er op de
                             achtergrondkleur
SpamTally: Final spam score: -10
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
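An added example, not from this thread: a header-only triage check for backscatter like the bounce above. It looks for the DSN markers visible in the posted header (null Return-Path, Auto-Submitted, delivery-status report, X-Failed-Recipients) and compares the host that generated the bounce with the hosts the server's own mail log shows it actually delivered to. The sample header is constructed after the posted one with placeholder addresses, and `outbound_hosts` is an assumed input you would fill from your Exim mainlog.

```python
import re
from email.parser import HeaderParser

# Constructed sample: a trimmed copy of the bounce header posted above,
# with the redacted addresses replaced by placeholder mailboxes.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mail.wbgdns.net ([209.182.204.195])
    by web01.webspacez.net with esmtps (Exim 4.93.0.4); Thu, 30 Apr 2020 01:25:17 +0200
Received: from mailnull by mail.wbgdns.net with local (Exim 4.93); Wed, 29 Apr 2020 19:25:10 -0400
X-Failed-Recipients: someone@example.org,
  other@example.org
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@mail.wbgdns.net>
Content-Type: multipart/report; report-type=delivery-status; boundary=x
Subject: Mail delivery failed: returning message to sender
"""

def dsn_signals(msg):
    """List the delivery-status-notification markers present in the headers."""
    signals = []
    if msg.get("Return-Path", "").strip() == "<>":
        signals.append("null-return-path")  # DSNs use an empty envelope sender
    if msg.get("Auto-Submitted", "").lower().startswith("auto-"):
        signals.append("auto-submitted")
    if "delivery-status" in msg.get("Content-Type", "").lower():
        signals.append("delivery-status-report")
    if msg.get("X-Failed-Recipients"):
        signals.append("x-failed-recipients")
    return signals

def bounce_generator(msg):
    """Host that produced the bounce: the 'by' host of the earliest (last listed) Received."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\bby\s+([\w.-]+)", received[-1])
    return m.group(1).lower() if m else None

def is_backscatter(raw_headers, outbound_hosts):
    """Backscatter: DSN markers present, but the bounce was generated by a host our own
    log never shows us delivering to, so we never sent the mail it claims to return.
    outbound_hosts is an assumed input built from the server's mail log."""
    msg = HeaderParser().parsestr(raw_headers)
    signals = dsn_signals(msg)
    origin = bounce_generator(msg)
    verdict = len(signals) >= 2 and origin is not None and origin not in outbound_hosts
    return verdict, origin, signals
```

Feeding the same check the hosts from a real delivery log turns it into a filter you can run before accepting a `<>` sender, instead of blocking every bounce server-wide.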
 
Do you use the latest:
1.) exim -> 4.93.0.4
2.) exim.pl -> v29
3.) exim.conf -> 4.5.23

Especially the last one is also important.

Next to that, you can also disable bounce messages.

After you have everything up to date, create a file:
/etc/exim.variables.conf.custom
add this content:
bounce_return_message = false

Don't forget to restart exim. See if the problem persists.
 