spam problem (alias email users)

TMMM

We recently added a new domain and since then the exim and spamd processes for that user have been overloading the server. When I kill all of the processes the load goes down and then If I disable spamassassin for that user the problem stops.
If I take a look in the mail log, just about every second are lines for this domain with fake user email names. For example:
2006-12-21 21:06:53 1GxZoD-0007ex-SA <= <> H=smtp.sncomm.com (barracuda.sncomm.com) [208.11.179.146] P=esmtp S=2619 id=000c01c7256d$d7a116b0$00000000@computer T="**Message you sent blocked by our bulk email filter**" from <> for [email protected]
2006-12-21 21:06:53 1GxZoD-0007ex-SA => :blackhole: <[email protected]> R=virtual_aliases

"thedomain.com" is not the real domain, I just do not want to throw their name into this problem.

The user "crew" is not a real user and there are several hundred false names here.

If these are not real users, I'm not sure why exim or spamd are even running on the non-existent user emails?

If anybody would have some insight into this so that we can re-enable SpamAssassin for this user, could they please help.
Thank you

I'm not sure if this "R=virtual_aliases" has anything to do with it?
 
it's a broken Barracuda server (I think they're all broken) that attempts to send spam back to the sender.

Of course you're not the sender, but the Barracuda server thinks you are.

Because the spammer has forged invalid usernames from your domain to get the spam sent.

You can block the IP# or IP#s of the server(s) sending you these, if it's only one or a few.

You can (and probably should) turn off the catchall for the domain(s) with the problem so the email will never be received on your server and run through SpamAssassin.

Me? I dislike SpamAssassin. Mostly because of the machine and human resources it uses.

Your mileage may vary.

The R=virtual_aliases is simply the name of the router exim is using to deliver the mail; if you touch its configuration you'll break exim.

Jeff
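As an added example (not code from the thread, from DirectAdmin or from Exim), the following Python script applies the advice above to Exim mainlog lines: it picks out arrivals with an empty envelope sender (`<= <>`, which is how bounces and Barracuda-style rejection notices arrive), keeps the ones addressed to local parts that are not real mailboxes of the domain, counts them per sending IP, and notes how many ended in the `:blackhole:` catch-all router seen in the original log excerpt. The sample log lines are constructed to mirror that format (hostnames and IPs are placeholders, not the real senders); the `known_mailboxes` set and the `max_ips_to_block` threshold are assumptions the reader would replace with their own.

```python
"""Triage Exim backscatter for one domain from mainlog lines.

Added example, not code from the thread, DirectAdmin or Exim.  It reads
Exim 4 mainlog text: '<=' arrival lines carry the envelope sender in <>
(empty for bounces/DSNs), 'H=host (helo) [ip]' and a trailing
'for <recipient>'; '=>' delivery lines carry the destination and 'R=router'.
"""
import re
from collections import Counter, defaultdict

# Arrival line: the subject in T="..." may contain spaces, so match lazily up
# to the trailing ' for <recipient>' that Exim writes last.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= <(?P<sender>[^>]*)> "
    r"H=(?P<host>\S+) (?:\([^)]*\) )?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*? for (?P<rcpts>.+)$"
)
# Delivery line: ':blackhole:' as the destination is the catch-all discard rule.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) => (?P<dest>\S+) <(?P<addr>[^>]+)> R=(?P<router>\S+)"
)

# Constructed sample log; hostnames and IPs are placeholders, not real senders.
SAMPLE_LOG = """\
2006-12-21 21:06:53 1GxZoD-0007ex-SA <= <> H=mx1.example.net (gw.example.net) [192.0.2.10] P=esmtp S=2619 id=000c01c7256d$d7a116b0$00000000@computer T="**Message you sent blocked by our bulk email filter**" from <> for crew@thedomain.com
2006-12-21 21:06:53 1GxZoD-0007ex-SA => :blackhole: <crew@thedomain.com> R=virtual_aliases
2006-12-21 21:06:54 1GxZoE-0007f1-Ab <= <> H=mx2.example.org [192.0.2.11] P=esmtp S=3100 T="Undelivered Mail Returned to Sender" from <> for sales2@thedomain.com
2006-12-21 21:06:54 1GxZoE-0007f1-Ab => :blackhole: <sales2@thedomain.com> R=virtual_aliases
2006-12-21 21:06:55 1GxZoF-0007f4-Cd <= <> H=mx1.example.net (gw.example.net) [192.0.2.10] P=esmtp S=2700 T="Delivery Status Notification (Failure)" from <> for qwv7@thedomain.com
2006-12-21 21:06:55 1GxZoF-0007f4-Cd => :blackhole: <qwv7@thedomain.com> R=virtual_aliases
2006-12-21 21:06:56 1GxZoG-0007f8-Ef <= <> H=mail.example.com [198.51.100.5] P=esmtp S=2200 T="Mail delivery failed" from <> for info@thedomain.com
2006-12-21 21:06:56 1GxZoG-0007f8-Ef => info <info@thedomain.com> R=virtual_user T=virtual_localdelivery
2006-12-21 21:06:57 1GxZoH-0007fb-Gh <= <alice@example.com> H=mail.example.com [198.51.100.5] P=esmtp S=1800 T="Meeting notes" from <alice@example.com> for info@thedomain.com
2006-12-21 21:06:57 1GxZoH-0007fb-Gh => info <info@thedomain.com> R=virtual_user T=virtual_localdelivery
"""


def parse_mainlog(lines):
    """Return arrivals keyed by Exim message id and deliveries grouped by id."""
    arrivals, deliveries = {}, defaultdict(list)
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            arrivals[m["id"]] = m.groupdict()
            continue
        m = DELIVERY_RE.match(line)
        if m:
            deliveries[m["id"]].append(m.groupdict())
    return arrivals, deliveries


def backscatter_report(lines, domain, known_mailboxes, max_ips_to_block=3):
    """Count bounce-style mail to non-existent users of `domain`.

    A message is treated as backscatter when it arrives with an empty envelope
    sender and is addressed to a local part that is not a real mailbox; a DSN
    to a real mailbox is a legitimate bounce and is left out.  The threshold
    `max_ips_to_block` (an assumption) decides between blocking a handful of
    source IPs and setting the catch-all to fail so the mail is rejected before
    SpamAssassin ever sees it.
    """
    arrivals, deliveries = parse_mainlog(lines)
    per_ip, bogus, blackholed = Counter(), set(), 0
    known = {m.lower() for m in known_mailboxes}
    for msg_id, a in arrivals.items():
        if a["sender"]:
            continue  # has a real envelope sender: not a bounce
        local, _, rdom = a["rcpts"].split()[0].rpartition("@")
        if rdom.lower() != domain.lower() or local.lower() in known:
            continue
        per_ip[a["ip"]] += 1
        bogus.add(local.lower())
        if any(d["dest"] == ":blackhole:" for d in deliveries.get(msg_id, [])):
            blackholed += 1
    recommendation = ("block_sender_ips" if 0 < len(per_ip) <= max_ips_to_block
                      else "catchall_fail" if per_ip else "none")
    return {
        "messages": sum(per_ip.values()),
        "blackholed": blackholed,
        "distinct_bogus_recipients": len(bogus),
        "per_ip": dict(per_ip),
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    report = backscatter_report(SAMPLE_LOG.splitlines(), "thedomain.com", {"info"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real mainlog with the domain and its real mailbox names; the `per_ip` table is what decides whether a block list is practical, and a non-zero `blackholed` count confirms that the catch-all is accepting and discarding mail that a `:fail:` catch-all would have rejected at SMTP time.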
 
Thanks Jeff.

I've checked the mail logs and the IPs are all different for the most part.

It looks as though this domain is on a bad "list" somewhere. I spoke to them and they informed me that when they were with their previous host they were receiving hundreds of spam emails in their "inbox" on their local computer.
I'm suspecting that the old host noticed this issue too and just sent them on through for them to filter themselves as well.

SpamAssassin seems to take up a high CPU load every time it processes even one email; it would be nice if it didn't take up so much.

Thanks again
 
Have them turn off that pesky catchall. Or deal with the spam themselves.

Jeff
 
Thanks for the response Jeff.

What I'm curious about is why, if there is no email with the names that are being sent to the server, spamd is even processing the mail. I would think that the mail would come in and then just be dropped because the user is not on the machine.

Another thought I'm having is that, about 2 weeks ago we did enable catch-all email on that particular account, which is the first time this was done on this machine in particular. When the spamd service was crashing the machine we then went into the user's panel and into the catch-all link and set the catch-all to "Ignore: The email is dropped and completely ignored". Is this the correct bullet to check within the catch-all link in the user panel?

If so and that's correct, then if it is supposed to "drop the email completely", why is it then running through spamd?

Thanks
 
TMMM said:
What I'm curious about is why, if there is no email with the names that are being sent to the server, spamd is even processing the mail. I would think that the mail would come in and then just be dropped because the user is not on the machine.
Servers don't work that way. They're responsible for the email. According to the RFCs they must either deliver the email or return it. The latter no longer works on today's internet because spammers forge sender addresses. The reason you're getting bombed with those emails is because the servers getting those emails with your client's domain forged aren't following the rule.

The way the DA exim configuration works is it checks to see if the user is on the server. If the catchall is checked for the domain that defaults to yes. If not, then it looks for the specific mailbox or other delivery rule. If it doesn't find a delivery rule, it rejects the email (it never gets loaded on to your system).

Once it's accepted it follows the delivery rule or rules it finds. One of the rules for catchall is to deliver the email to /dev/null. Technically this is a violation of the RFCs but it's one a lot of us live with because after all the mail wasn't correctly addressed. However this means that if someone writes you and has one letter mistyped in your email address they'll never know you didn't get the email. If catchall is set to fail, they'll get a notice back from their server that it couldn't deliver the mail.
TMMM said:
Another thought I'm having is that, about 2 weeks ago we did enable catch-all email on that particular account, which is the first time this was done on this machine in particular. When the spamd service was crashing the machine we then went into the user's panel and into the catch-all link and set the catch-all to "Ignore: The email is dropped and completely ignored". Is this the correct bullet to check within the catch-all link in the user panel?
No.
TMMM said:
If so and that's correct, then if it is supposed to "drop the email completely", why is it then running through spamd?
Because in dropping the mail it's following a delivery rule after the mail is accepted through spamd. As it's supposed to.

Jeff
 

Which would be the correct bullet to check, or the proper way to go about dealing with catchall after it has been enabled?

After reading your answer of "No", I am believing the correct bullet to check is:
"Fail: The sender is notified that the address doesn't exist"

Could this have been the cause of the load averages being so high?
If you think so I will go ahead and re-enable the spam filter and see how it goes.

Thank you
 
Catchall should be set to fail for best results.

Then you can retry SpamAssassin if you'd like.

Jeff
 