Exim mail queue flooding with bounces 1000s

baggs1981

One of my servers is getting its mail queue flooded with bounce emails, all of which are notifications of emails from and to non-existent addresses, 60k+ each day.
I can see no evidence that these emails are actually being sent via the server.

It started off as randomly generated emails @ domains that are on the server. I switched the domains' catchall accounts from 'Fail' to 'Ignore' and this stopped the queue going nuts, but then a short time later the bounces started up again for a different domain on the server, so I changed all catchall accounts from 'Fail' to 'Ignore'.

Now the queue is getting full of bounced emails for domains which don't even exist on the server?!? It feels like something is very wrong, but as I say I am getting nothing in the logs to suggest these emails are actually going out, and the server is not an open relay.

Any help or suggestions would be greatly appreciated.

Here is an example of the mail queue:

[attached screenshot of the mail queue]

And the details of one of the emails:

Code:
Headers spool file
1jSNWc-0007BH-2Z-H
mail 8 12
<>
1587831570 0
-received_time_usec .079763
-ident mail
-received_protocol local
-body_linecount 104
-max_received_linelength 99
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
[email protected]

156P Received: from mail by server01.hostname.net with local (Exim 4.93.0.4)
    id 1jSNWc-0007BH-2Z
    for [email protected]; Sat, 25 Apr 2020 17:19:30 +0100
144  X-Failed-Recipients: [email protected],
  [email protected],
  [email protected],
  [email protected]
029  Auto-Submitted: auto-replied
070F From: Mail Delivery System <[email protected]>
024T To: [email protected]
099  Content-Type: multipart/report; report-type=delivery-status; boundary=1587831570-eximdsn-699559105
018  MIME-Version: 1.0
059  Subject: Mail delivery failed: returning message to sender
059I Message-Id: <[email protected]>
038  Date: Sat, 25 Apr 2020 17:19:30 +0100
Data spool file
1jSNWc-0007BH-2Z-D
--1587831570-eximdsn-699559105
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    retry timeout exceeded
  [email protected]
    retry timeout exceeded
  [email protected]
    host gmail-smtp-in.l.google.com [2a00:1450:400c:c0a::1a]
    SMTP error from remote mail server after pipelined end of data:
    550-5.7.26 This message does not have authentication information or fails to
    550-5.7.26 pass authentication checks. To best protect our users from spam, the
    550-5.7.26 message has been blocked. Please visit
    550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information. x2si5826409wmi.142 - gsmtp
  [email protected]
    Unrouteable address

--1587831570-eximdsn-699559105
Content-type: message/delivery-status

Reporting-MTA: dns; server01.hostname.net

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 This message does not have authentication information or fails to
550-5.7.26 pass authentication checks. To best protect our users from spam, the
550-5.7.26 message has been blocked. Please visit
550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more
550 5.7.26 information. x2si5826409wmi.142 - gsmtp

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

--1587831570-eximdsn-699559105
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from [206.189.174.212]
    by server01.hostname.net with esmtp (Exim 4.93.0.4)
    (envelope-from <[email protected]>)
    id 1jSFWr-0005cR-93; Sat, 25 Apr 2020 08:47:13 +0100
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: =?utf-8?q?ATENCI=C3=93N_SIR_/_MADAM?=
To: Recipients <[email protected]>
From: "UNITED NATIONS" <[email protected]>
Date: Sat, 25 Apr 2020 00:45:27 -0700
Reply-To: [email protected]
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Atenci?n: se?or / se?ora,
=

=

Soy Michael V. Moon y mi direcci?n es 738 Part Ave Memphis Tennessee 38119 =
USA. Soy el nuevo abogado de Naciones Unidas / Fondo Monetario Internaciona=
l (FMI) y el Gobierno de los Estados Unidos porque el ?ltimo abogado fallec=
i? hace unos meses.
Le escribo para notificarle de un archivo de pago pendiente que contiene fo=
ndos de ($ 12.5 millones de d?lares) que est? conmigo para la entrega. Por =
favor, ?puede decirme amablemente el motivo de su retraso con respecto a la=
entrega?
=

Nota: si no me contacta dentro de las 72 horas, como se le indic?, su archi=
vo de pago que contiene sus fondos de ($ 12.5 millones de d?lares) se cance=
lar? y su compensaci?n se devolver? a la cuenta de reserva del gobierno, pe=
ro si a?n est? listo para recibir su pago , luego aseg?rese de contactarme =
con la siguiente informaci?n para su procesamiento.
=

Nombre completo:
Domicilio / Oficina:
Ocupaci?n:
N?meros de tel?fono celular / m?vil:
Aeropuerto m?s cercano:
Tuyo sinceramente,
Michael V. Moon
738 Part Ave Memphis
Tennessee 38119 EE. UU.
[email protected]
...

--1587831570-eximdsn-699559105--
cmq: v3.01
©2006-2019, ConfigServer Services (Way to the Web Limited)

Further, I ran the below:

# select one full day of mainlog, then count the A= (authenticator) values on those lines
[root@server01 ~]# grep '^2020-04-25 ' /var/log/exim/mainlog | grep -oP ' A=\K[A-Za-z0-9_.:]+' | sort | uniq -c | sort -nr

and got the results:
19 login:bob
10 login:sales
3 _ZGF2aWRAd29ybGR6b25lLmNvLnVr
2 plain:sales
2 20proactivity
1 plain:bob
1 20Highly

Perhaps someone can tell me if I have this command correct, i.e. that the results show all emails sent in 24 hours and how many were sent by which users?
 
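The shell pipeline above only counts `A=` tokens; it cannot tell locally generated bounces (the `<= <>` arrivals that fill a backscatter queue) from real submissions, and an unanchored `A=` also matches junk such as URL fragments. The script below is an added example, not code from the thread or from Exim/DirectAdmin: it parses Exim mainlog lines (the `<=` arrival and `**` failure records) for a 24-hour window and reports authenticated senders, null-sender bounces and failure reasons side by side. The log lines are constructed sample data in the standard mainlog layout, with documentation addresses; only the field names (`A=`, `<= <>`, `**`) are real Exim conventions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/exim/mainlog lines (not from the poster's server).
# "<=" = message arrived, "**" = delivery failed, "<= <>" = a bounce this server generated.
SAMPLE_LOG = """\
2020-04-25 08:47:13 1jSFWr-0005cR-93 <= sender@example.org H=(mx.example) [203.0.113.10] P=esmtp S=2210
2020-04-25 08:47:14 1jSFWr-0005cR-93 ** nobody@nonexistent.example R=lookuphost T=remote_smtp: Unrouteable address
2020-04-25 08:47:14 1jSFWr-0005cR-93 <= <> R=1jSFWr-0005cR-93 U=mail P=local S=5270
2020-04-25 14:03:12 1jSNWc-0007BH-2Z <= bob@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=login:bob S=1840 id=abc@laptop
2020-04-25 14:05:40 1jSNWd-0007BJ-4Q <= sales@example.com H=(pc) [198.51.100.8] P=esmtpsa A=plain:sales S=990 id=def@pc
2020-04-25 14:06:01 1jSNWe-0007BK-5R <= <> R=1jSNWc-0007BH-2Z U=mail P=local S=4100
2020-04-26 03:00:00 1jSpAa-0001Aa-0A <= bob@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=login:bob S=700 id=ghi@laptop
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>\S+) "
    r"(?P<flag><=|=>|->|\*\*|==) "
    r"(?P<rest>.*)$"
)
# Anchored on a preceding space so "A=" inside a subject or URL is not counted.
AUTH_RE = re.compile(r"(?:^| )A=(?P<auth>[A-Za-z0-9_.:-]+)")


def parse_line(line):
    """Split one mainlog record into timestamp, message id, flag and the remainder."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def summarize(log_text, window_start, hours=24):
    """Count arrivals, locally generated bounces, authenticated senders and
    failure reasons for records with window_start <= ts < window_start + hours."""
    end = window_start + timedelta(hours=hours)
    stats = {"arrivals": 0, "bounces": 0,
             "authenticated": Counter(), "failures": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (window_start <= rec["ts"] < end):
            continue
        if rec["flag"] == "<=":
            stats["arrivals"] += 1
            sender = rec["rest"].split(" ", 1)[0]
            if sender == "<>":
                stats["bounces"] += 1          # DSN generated by this server
            m = AUTH_RE.search(rec["rest"])
            if m:
                stats["authenticated"][m.group("auth")] += 1
        elif rec["flag"] == "**":
            # the failure reason follows the last ": " on a "**" record
            stats["failures"][rec["rest"].rsplit(": ", 1)[-1]] += 1
    return stats


if __name__ == "__main__":
    day = datetime(2020, 4, 25)
    s = summarize(SAMPLE_LOG, day)
    print(f"arrivals={s['arrivals']} bounces={s['bounces']}")
    for auth, n in s["authenticated"].most_common():
        print(f"{n:4d} {auth}")
    for reason, n in s["failures"].most_common():
        print(f"{n:4d} failed: {reason}")
```

A high bounces-to-arrivals ratio with few or no authenticated senders is the signature of backscatter: the server is generating DSNs for mail it accepted from outside and could not deliver, not relaying mail for a compromised account.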
I don't see it that quickly, but if it's originated from external systems to bounce on your systems, you could try to see if disabling bouncing would be of any help.

I presume you're using the latest exim.conf version which is 4.5.23 if I'm not mistaken.
If yes, you could try disabling bounces serverwide like this.

In /etc you have an exim.variables.conf file. Now create an exim.variables.conf.custom file and add this line in it:
Code:
bounce_return_message = false
Save and restart Exim.
Maybe it helps.
 

Hi Again Richard G :)

I can't see that line in exim.conf already; would this section have anything to do with it?

Code:
# do not reply to errors and bounces or lists
senders = " ! ^.*-request@.*:\
! ^owner-.*@.*:\
! ^postmaster@.*:\
! ^listmaster@.*:\
! ^mailer-daemon@.*\
! ^root@.*"

NOTE: I updated exim prior to posting to see if that helps but it didn't, it is currently 4.93.0.4
 
Hello again baggs1981. :)

Yes, it might have something to do with it, but to be honest I'm not sure. I thought the line which I mentioned does something different, but I could be wrong; I'm not a native English speaker.
I've been using it for a couple of years now, but you can find more explanation about it here:
 
Did you get this sorted?

So is the bookscan.co.jp domain your domain, or one on your server? The email [email protected] is listed as spam and backscatter.
 
Of the several emails you have in the post, all the ones I checked are listed as spam.

Do you have all the Spam prevention applications installed on your servers?
You might see if this helps

You also need to test out your server on intodns or DNS stuff
Maybe you have some mail forwarding or something going on.
 
Hi both, thanks so much for the pointers. Yes, this seems sorted now; obviously out in the world there are still these fake attempts happening, but they are not clogging up the server anymore.

Although Exim was the latest version, it seems exim.conf needed updating, which I presume includes some config to deal with this type of issue, because since then it has been sorted.
 
Look also at mail/contact submit forms/scripts on your server. ;)

Or if using those on other websites but then with some forwards to your server.
 
it seems exim conf needed updating
Yes that's what I was talking about in my first reply, I put the current version number next to it. ;)
Good to hear it's sorted now.

Be also aware of things like ikkeben said and auto-answer or vacation messages from domains.
 

OIC, sorry. At the time I read that as 'check Exim is updated', rather than specifically exim.conf, which I later noticed is listed separately within the CustomBuild software list.

Thanks again all.
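The spool dump in the first post shows the three marks of a backscatter message that the replies above are trying to suppress: a null envelope sender (`<>`), the `-localerror` option, and an `X-Failed-Recipients` header, with the original injecting host visible in the `Received:` line of the embedded message/rfc822 part. The script below is an added example, not code from the thread, Exim or ConfigServer: it parses a `-H` header spool file in the layout shown in the post, flags such messages, and pulls the injecting IP from the matching `-D` data file so the queue can be triaged before anything is purged or blocked. The spool text is a constructed sample modeled on the post, with documentation addresses and the IP 203.0.113.10 substituted; `triage` is a hypothetical helper name.

```python
import re

# Constructed -H (header) spool file, modeled on the dump in the first post.
SAMPLE_H = """\
1jSNWc-0007BH-2Z-H
mail 8 12
<>
1587831570 0
-received_time_usec .079763
-ident mail
-received_protocol local
-body_linecount 104
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
sender@example.org

156P Received: from mail by mx.example.net with local (Exim 4.93)
    id 1jSNWc-0007BH-2Z
    for sender@example.org; Sat, 25 Apr 2020 17:19:30 +0100
144  X-Failed-Recipients: a@example.com,
  b@example.com
029  Auto-Submitted: auto-replied
070F From: Mail Delivery System <Mailer-Daemon@mx.example.net>
024T To: sender@example.org
059  Subject: Mail delivery failed: returning message to sender
"""

# Constructed -D (data) spool file: DSN text part, then the embedded original message.
SAMPLE_D = """\
1jSNWc-0007BH-2Z-D
--1587831570-eximdsn-699559105
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

--1587831570-eximdsn-699559105
Content-type: message/rfc822

Return-path: <sender@example.org>
Received: from [203.0.113.10]
    by mx.example.net with esmtp (Exim 4.93)
    (envelope-from <sender@example.org>)
    id 1jSFWr-0005cR-93; Sat, 25 Apr 2020 08:47:13 +0100
Subject: test
"""

# "156P Received: ..." -> length, one-letter flag (may be absent), header text
HEADER_RE = re.compile(r"^(\d+)([A-Z*]?)\s+(.*)$")
# Exim writes the connecting host as "Received: from [ip]" in the first hop
INJECT_RE = re.compile(r"^Received: from \[([0-9a-fA-F.:]+)\]", re.M)


def parse_spool_header(text):
    """Parse a -H spool file: id, envelope sender, option flags, recipients, headers."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
           "sender": lines[2], "options": set(), "recipients": [], "headers": {}}
    i = 4                                   # line 3 is "<time> <warning_count>"
    while i < len(lines) and lines[i].startswith("-"):
        msg["options"].add(lines[i][1:].split(" ", 1)[0])
        i += 1
    while i < len(lines) and not lines[i].isdigit():   # skip the "XX" tree line(s)
        i += 1
    count = int(lines[i]); i += 1
    msg["recipients"] = lines[i:i + count]; i += count
    while i < len(lines) and lines[i] == "":            # blank line before headers
        i += 1
    name = None
    for line in lines[i:]:
        m = HEADER_RE.match(line)
        if m and ":" in m.group(3):
            name, value = m.group(3).split(":", 1)
            msg["headers"][name] = value.strip()
        elif name and line[:1].isspace():               # folded continuation line
            msg["headers"][name] += " " + line.strip()
    return msg


def is_backscatter(msg):
    """A DSN this server generated: null sender plus a local error report."""
    return msg["sender"] == "<>" and (
        "localerror" in msg["options"] or "X-Failed-Recipients" in msg["headers"])


def original_injector(data_text):
    """IP that handed the original message to this server, from the embedded copy."""
    parts = re.split(r"content-type: message/rfc822", data_text, maxsplit=1, flags=re.I)
    if len(parts) < 2:
        return None
    m = INJECT_RE.search(parts[1])
    return m.group(1) if m else None


def triage(h_text, d_text):
    msg = parse_spool_header(h_text)
    bs = is_backscatter(msg)
    return {"id": msg["id"], "backscatter": bs, "bounce_to": msg["recipients"],
            "failed": msg["headers"].get("X-Failed-Recipients"),
            "injected_from": original_injector(d_text) if bs else None}


if __name__ == "__main__":
    print(triage(SAMPLE_H, SAMPLE_D))
```

Run over every `*-H`/`*-D` pair under Exim's spool input directory, the `injected_from` values show which outside hosts are feeding the forged mail, and `bounce_to` shows the innocent addresses receiving the backscatter; that is the evidence to review before deciding whether to reject unknown recipients at SMTP time rather than accept and bounce.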
 