Modifying "Catch-All E-Mail" to get rid of spam abuses

Andruhius (Verified User, joined Oct 23, 2009, 10 messages)
Hi!
The other day I received an abuse email regarding my server IP:

"Hello,
this is an autogenerated abuse complaint regarding your network.
abusix.org will return every single spamtrap hit as well as any other
abusive behavior to the responsible Network Operator or Abuse Desk."

As I can see, this is happening because I have Catch-All E-Mail on my server configured as "The sender is notified that the address doesn't exist", and each time the spammers send emails to random addresses at my domains my server sends an undeliverable-mail message back out. Since the spammers' sender addresses are often real addresses, the real owners receive the undeliverable-mail messages and report them as spam.

The question is: if I set "Catch-All E-Mail" to the "The email is dropped and completely ignored" option, it says that I will have a huge server load increase.
So I want to make sure: if I choose this option, will my server be overloaded instantly, or should I take another solution? What do you recommend to get rid of such abuse emails?

Thank You!
 
The catchall should be set to fail. That way the email is rejected and not accepted from the server that sent it. The from address in the header is not relevant.

Catchall should not be used because it allows a multitude of spam to your server. You should only be accepting mail to specific addresses.
 
The catchall should be set to fail. That way the email is rejected and not accepted from the server that sent it. The from address in the header is not relevant.

Catchall should not be used because it allows a multitude of spam to your server. You should only be accepting mail to specific addresses.

I have just set it to ignore and now my server is down.
What will be the solution to get rid of those abuse emails?
 
I have just set it to ignore and now my server is down.

You were warned.

What will be the solution to get rid of those abuse emails?

You need to determine how your server is sending out spam.

You have two completely different questions:

1) What to do with the catchall
2) How to get rid of spam abuses

One has nothing to do with the other unless the problem is that you are receiving spam.

As I can see, this is happening because I have Catch-All E-Mail on my server configured as "The sender is notified that the address doesn't exist", and each time the spammers send emails to random addresses at my domains my server sends an undeliverable-mail message back out. Since the spammers' sender addresses are often real addresses, the real owners receive the undeliverable-mail messages and report them as spam.

You are completely misunderstanding. In "The sender is notified that the address doesn't exist", the sender is the sending server, not the address in the From header. It does not send anything back to innocent bystanders.
 
You are completely misunderstanding. In "The sender is notified that the address doesn't exist", the sender is the sending server, not the address in the From header. It does not send anything back to innocent bystanders.

I have only one question now - how to stop getting those abuse emails?

You see, if I have "Catch-All E-Mail" set to FAIL (The sender is notified that the address doesn't exist) and I send out an email from my real email to, let's say, [email protected], I immediately receive a "Delivery Status Notification (Failure)" email, which I can REPORT as SPAM, and they will send me an abuse report saying that I'm spamming.

For the moment I have found the following method to fix this issue, but I need you to confirm it:

Make the lines in exim.conf like this:

# accept mail to postmaster in any local domain, regardless of source
# accept local_parts = postmaster
#        domains = +local_domains

# accept mail to abuse in any local domain, regardless of source
# accept local_parts = abuse
#        domains = +local_domains

# accept mail to hostmaster in any local domain, regardless of source
# accept local_parts = hostmaster
#        domains = +local_domains
 
This is so frustrating.

If you have catchall set to fail and then you send an email to [email protected] from your [email protected], then yes, you receive the bounce.

If you have catchall set to fail and then you send an email to [email protected] from your [email protected] then yes you receive the bounce.

In both cases above you receive the bounce NOT because your server sent the bounce to the from address but because your server rejected the address and then the sending server bounced it back to the from address ONLY because the from address existed on the sending server.

If you have catchall set to fail and then you send an email to [email protected] from a [email protected] using ANOTHER sending server other than your own, then your server rejects the email and the sending server then has to drop the email, because it cannot deliver it, because [email protected] does not exist on the sending server. Even if the sending server did send it back to [email protected], it would be the sending server's fault and not yours.

A rejection is not the same as a bounce. A bounce sends it to the from address. A rejection simply does not accept it at all from the sending server so the sending server has to do something with it. That is not your problem and you will not get the blame for it.


Now you have brought into this thread yet another item unrelated to the previous one, which is the exim.conf file and how it deals with postmaster, hostmaster, and abuse emails. If those lines are uncommented, exim accepts the email, and if it then cannot deliver it, it bounces the email, causing backscatter or returning it to possibly faked from addresses. This has nothing to do with the catchall.

You seem to want to combine separate issues into one. Commenting those lines does NOT fix the catchall issue because it has nothing to do with the catchall issue in the first place.

How exim deals with postmaster, hostmaster, and abuse emails has been discussed extensively in another thread. Please see that one. I remember backscatter was in the title.

Somebody else can probably explain it better than me. Your abuse report did not say anything about improper bounces so we do not even know if you have really fixed the issue by commenting out those lines. The real issue could still be that someone is actually on your server sending spam.
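To make the rejection-versus-bounce distinction in the reply above concrete, here is an added toy model of the SMTP exchange (Python, written for this page; it is not code from the thread, DirectAdmin or Exim). The addresses, mailbox lists and the three policy names are constructed, and the policies follow the catch-all options as the thread describes them.

```python
# Constructed model of the RCPT TO exchange: which side, if any, ends up
# generating a "Delivery Status Notification (Failure)" message.

FAIL = "fail"        # catch-all "sender is notified": reject at RCPT TO time
IGNORE = "ignore"    # catch-all "dropped and completely ignored": accept, then discard
ACCEPT_THEN_BOUNCE = "accept_then_bounce"  # accept unknown recipients, bounce later

DSN_SUBJECT = "Delivery Status Notification (Failure)"


def rcpt_to_reply(policy, local_parts, recipient):
    """Our server's SMTP reply to RCPT TO:<recipient> (only the local part is checked)."""
    user = recipient.split("@", 1)[0]
    if user in local_parts:
        return "250 Accepted"
    if policy == FAIL:
        return "550 Unrouteable address"   # rejection: we never take the message
    return "250 Accepted"                  # IGNORE and ACCEPT_THEN_BOUNCE both take it


def messages_our_server_originates(policy, local_parts, mail_from, rcpt):
    """Messages *our* server sends out as a result of the transaction.

    Only accept-then-bounce produces a DSN, and it is addressed to the envelope
    sender (MAIL FROM), which a spammer can forge: that is backscatter, and it
    is what an abuse desk complains about.
    """
    if rcpt_to_reply(policy, local_parts, rcpt).startswith("550"):
        return []                          # rejected: nothing accepted, nothing to bounce
    user = rcpt.split("@", 1)[0]
    if user in local_parts or policy == IGNORE:
        return []                          # delivered locally or silently dropped
    return [{"to": mail_from, "subject": DSN_SUBJECT}]


def messages_sending_server_originates(our_reply, sending_server_users, mail_from):
    """The other side's reaction to our 550: a legitimate sending server can only
    bounce to MAIL FROM if that mailbox exists on it. A forged address gets nothing,
    and whatever the sending server does is its responsibility, not ours."""
    if not our_reply.startswith("550"):
        return []
    if mail_from in sending_server_users:
        return [{"to": mail_from, "subject": DSN_SUBJECT}]
    return []                              # sending server must drop it
```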
 
It looks like commenting those lines out is not a proper solution.
Here's my next solution for this DirectAdmin issue (I heard that cPanel does not have this problem):

Modify /etc/system_filter.exim and change everything (using vi) to:


# START
# Filters all incoming and outgoing mail

logfile /var/log/filter.log 0644

## Common Spam
if
  # Header Spam
  $header_subject: contains "Pharmaceutical"
  or $header_subject: contains "Viagra"
  or $header_subject: contains "Cialis"
  or $header_subject: is "The Ultimate Online Pharmaceutical"
  or $header_subject: contains "***SPAM***"
  or $header_subject: contains "[SPAM]"
  or $header_subject: contains "returning message to sender"
  or $header_subject: contains "size"
  or $header_subject: contains "Watches"
  or $header_subject: contains "Replica"
  or $header_subject: contains "carrier"
  or $header_subject: contains "delivery"
  or $header_subject: contains "failed"
  or $header_subject: contains "Error"

  # Body Spam
  or $message_body: contains "Cialis"
  or $message_body: contains "Viagra"
  or $message_body: contains "Leavitra"
  or $message_body: contains "St0ck"
  or $message_body: contains "Viaagrra"
  or $message_body: contains "Cia1iis"
  or $message_body: contains "URGENT BUSINESS PROPOSAL"
  or $message_body: contains "X-Assp-Spam: YES"
then
  # Log Message - SENDS RESPONSE BACK TO SENDER
  # SUGGESTED TO LEAVE OFF to prevent fail loops
  # and more work for the mail system
  # fail text "Message has been rejected because it has
  # triggered our central filter."
  logwrite "$tod_log $message_id from $sender_address contained spam keywords"
  seen finish
endif

# END
# Filters all incoming and outgoing mail


# START
# All outgoing mail on the server only - what is sent out

# Check forwarders so it doesn't get blocked
# Forwarders still work =)

## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
  $received_protocol is "local" or
  $received_protocol is "esmtpa"
) and (
  $header_from contains "@citibank.com" or
  $header_from contains "@bankofamerica.com" or
  $header_from contains "@wamu.com" or
  $header_from contains "@ebay.com" or
  $header_from contains "@chase.com" or
  $header_from contains "@paypal.com" or
  $header_from contains "@wellsfargo.com" or
  $header_from contains "@bankunited.com" or
  $header_from contains "@bankerstrust.com" or
  $header_from contains "@bankfirst.com" or
  $header_from contains "@capitalone.com" or
  $header_from contains "@citizensbank.com" or
  $header_from contains "@jpmorgan.com" or
  $header_from contains "@wachovia.com" or
  $header_from contains "@bankone.com" or
  $header_from contains "@suntrust.com" or
  $header_from contains "@amazon.com" or
  $header_from contains "@banksecurity.com" or
  $header_from contains "@visa.com" or
  $header_from contains "@mastercard.com" or
  $header_from contains "@tut.by" or
  $header_from contains ".de" or
  $header_from contains ".cn" or
  $header_from contains ".kr" or
  $header_from contains ".br" or
  $header_from contains ".by" or
  $header_from contains ".lan" or
  $header_from contains ".cl" or
  $header_from contains ".mx" or
  $header_from contains ".tw" or
  $header_from contains ".jp" or
  $header_from contains "@tutby.com" or
  $header_to contains ".tw" or
  $header_to contains ".jp" or
  $header_to contains ".kr" or
  $header_from contains "@mbna.com"
)
then
  logwrite "$tod_log $message_id from $sender_address is fraud"
  seen finish
endif

## OTHER FAKE SENDERS SPAM
## Enable this to prevent users using @domain from addresses
## Not recommended since users do use from addresses not on the server
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
  $received_protocol is "local" or
  $received_protocol is "esmtpa"
) and (
  $header_from contains "@hotmail.com" or
  $header_from contains "@yahoo.com" or
  $header_from contains "@aol.com"
)
then
  logwrite "$tod_log $message_id from $sender_address is forged fake"
  seen finish
endif

## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
  $received_protocol is "local" or
  $received_protocol is "esmtpa"
) and (
  # Paypal
  $message_body: contains "Dear valued PayPal member" or
  $message_body: contains "Dear valued PayPal customer" or
  $message_body: contains "Dear Paypal" or
  $message_body: contains "The PayPal Team" or
  $message_body: contains "Dear Paypal Customer" or
  $message_body: contains "Paypal Account Review Department" or

  # Ebay
  $message_body: contains "Dear eBay member" or
  $message_body: contains "Dear eBay User" or
  $message_body: contains "The eBay team" or
  $message_body: contains "Dear eBay Community Member" or

  # Banks
  $message_body: contains "Dear Charter One Customer" or
  $message_body: contains "Dear wamu.com customer" or
  $message_body: contains "Dear valued Citizens Bank member" or
  $message_body: contains "Dear Visa" or
  $message_body: contains "Dear Citibank" or
  $message_body: contains "Citibank Email" or
  $message_body: contains "Dear customer of Chase Bank" or
  $message_body: contains "Dear Bank of America customer" or

  # ISPs
  $message_body: contains "Dear AOL Member" or
  $message_body: contains "Dear AOL Customer"
)
then
  logwrite "$tod_log $message_id from $sender_address is phishing"
  seen finish
endif

# END
# All outgoing mail on the server only - what is sent out
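The filter above only logs; the reply earlier in the thread points out that the real problem may be an account on the server sending spam. As an added example (Python, not part of the thread or of DirectAdmin), here is a small parser for the lines the filter's logwrite statements produce, aggregating hits per sender so a single local account that keeps matching the outgoing-mail rules stands out. The log lines are constructed; the format follows "$tod_log $message_id from $sender_address <reason>" as written in the filter, with the empty $sender_address of a bounce shown as "<>".

```python
import re
from collections import Counter, defaultdict

# One logwrite line: "<date time> <message id> from <sender> <reason>".
# $sender_address is empty for bounces, hence \S* rather than \S+.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) from (?P<sender>\S*) (?P<reason>.+)$"
)

# Constructed sample of /var/log/filter.log (not real log data).
SAMPLE_LOG = """\
2009-10-23 10:01:12 1Mz1aA-0001Ab-1x from bob@example.com contained spam keywords
2009-10-23 10:01:15 1Mz1aD-0001Ac-2y from bob@example.com is phishing
2009-10-23 10:02:40 1Mz1bF-0001Ad-3z from alice@example.com contained spam keywords
2009-10-23 10:03:01 1Mz1bK-0001Ae-4w from bob@example.com is forged fake
2009-10-23 10:04:00 1Mz1cQ-0001Af-5v from  contained spam keywords
this line is not in the logwrite format and is skipped
"""


def parse_filter_log(text):
    """Parse logwrite lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["sender"] = entry["sender"] or "<>"   # null sender = bounce message
        entries.append(entry)
    return entries


def hits_per_sender(entries):
    """Return [(sender, count), ...], most hits first, ties broken by address."""
    counts = Counter(e["sender"] for e in entries)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def reasons_per_sender(entries):
    """Map each sender to the sorted set of filter rules it tripped."""
    reasons = defaultdict(set)
    for e in entries:
        reasons[e["sender"]].add(e["reason"])
    return {s: sorted(r) for s, r in reasons.items()}


if __name__ == "__main__":
    parsed = parse_filter_log(SAMPLE_LOG)
    for sender, n in hits_per_sender(parsed):
        print(f"{n:4d}  {sender}  {reasons_per_sender(parsed)[sender]}")
```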
 