Help with dropping spam e-mail.
I need help. (pun included)

Someone is using "please@help.co.za" as the source of spam e-mail. The
address does not exist...

delivering 1fI8dS-0008Pd-DC (queue run pid 700)
LOG: MAIN
  ** please@help.co.za: Unknown user

...but I do manage the domain "help.co.za"

I also allow wildcards in addresses - so "*@help.co.za" could be
forwarded to a single "catchall" account and some customers use this to
"fetch" all their e-mails....

I'm getting a few 100 per minute which upsets the Load Average - which
stops local delivery. What would be the most appropriate means to
/dev/null this crap. I'm running my users from a MySQL database and
serve a few hundred domains - each with multiple email users. I'm
running a pretty new version of exim and do this on a Gentoo machine.

Either - create a user by the appropriate name and forward it to what???

or - somehow tell exim when it gets an unknown user to /dev/null it ???

Second would be better - as long as it's logged - How do I do this?

--
Mark James ELKINS - Posix Systems - (South) Africa
mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Help with dropping spam e-mail.
Hi, Mark -

It's a little unclear from your message whether:

- you've got an influx of messages arriving *from* please@help.co.za
that you want to block, or
- you've got an influx of messages *to* please@help.co.za that you want
to block.

As you mentioned one possibility might be to create a local user of the
appropriate name I'll assume it's mail *to* that address you wish to
block/get rid of.

If you have some sort of aliasing/user mapping that you use in a redirect
router one way might be to 'alias' your please@help.co.za address to one of
the special recipients ":blackhole:" or "/dev/null". See the chapter *The
Redirect Router* in the *Special items in redirection lists*
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_redirect_router.html#SECTspecitredli>
section.

Alternatively you could add an ACL to your Exim configuration that either
rejects the recipient address please@help.co.za when an incoming message
says it wants to go to that recipient, or you could instead accept the
recipient but then silently discard the message instead of delivering it.
For example, something like this (CAUTION: UNTESTED!) in your
acl_check_rcpt ACL:

deny recipients = please@help.co.za


Put this before any "accept" ACL statements. Then, when an incoming SMTP
connection sends a "RCPT TO: please@help.co.za", your system will reject
that recipient address with a 5xx SMTP response code so the message doesn't
get into your system but stays on the remote server (which hopefully then
won't try and deliver it again as it got a 5xx code rather than a 4xx code).

Alternatively use "discard" instead of "deny" and your server will accept
the message, send a 2xx code back to the sending server, but then discard
that recipient address. If the message was destined for several of your
users then the others will still get a copy; you can avoid this by moving
the discard into the acl_check_data ACL, as explained in the *Specification*.

See the *Access Control Lists* chapter in the *ACL verbs*
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#SECID200>
section for more about the deny and drop verbs and their effect when in the
rcpt or data ACLs.

Those are just quick thoughts to help you combat the immediate problem;
others might be able to offer more insightful responses. Good luck and let
us know how you get on!

Cheers,
Mike B-)

On Mon, 14 May 2018 at 09:28, Mark Elkins via Exim-users <exim-users@exim.org> wrote:

>
> I need help. (pun included)
>
> Someone is using "please@help.co.za" as the source of spam e-mail. The
> address does not exist...
>
> delivering 1fI8dS-0008Pd-DC (queue run pid 700)
> LOG: MAIN
> ** please@help.co.za: Unknown user
>
> ...but I do manage the domain "help.co.za"
>
> I also allow wildcards in addresses - so "*@help.co.za" could be
> forwarded to a single "catchall" account and some customers use this to
> "fetch" all their e-mails....
>
> I'm getting a few 100 per minute which upsets the Load Average - which
> stops local delivery. What would be the most appropriate means to
> /dev/null this crap. I'm running my users from a MySQL database and
> serve a few hundred domains - each with multiple email users. I'm
> running a pretty new version of exim and do this on a Gentoo machine.
>
> Either - create a user by the appropriate name and forward it to what???
>
> or - somehow tell exim when it gets an unknown user to /dev/null it ???
>
> Second would be better - as long as its logged - How do I do this?
>
> --
> Mark James ELKINS - Posix Systems - (South) Africa
> mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
>


--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
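Putting the three options from Mike's message side by side, as an added example written for this archive rather than taken from his message or from the Exim sample configuration. It assumes the stock ACL names (acl_check_rcpt, acl_check_data) and a routers section; the router name blackhole_please and the log texts are made up here. Each variant writes a line to Exim's main log, which was Mark's condition for throwing the mail away.

```exim
# Added example, not from the original message. Assumes the default
# sample-configuration names:  acl_smtp_rcpt = acl_check_rcpt and
# acl_smtp_data = acl_check_data.

begin acl

acl_check_rcpt:

  # Variant 1: refuse the abused address at RCPT time. The connecting
  # host gets a permanent 5xx response, nothing is queued locally, and
  # log_message records the attempt in the main log. This must sit
  # before any accept statement that would take the recipient (for
  # example the one for local domains), and it runs before routing, so
  # the MySQL lookups and the catch-all router never see the address.
  deny
    recipients   = please@help.co.za
    log_message  = RCPT for abused address refused
    message      = recipient address not accepted

  # ... remaining recipient checks, then the final accept ...
  accept


acl_check_data:

  # Variant 2: accept the message (2xx to the sender) and then throw it
  # away. In the DATA ACL, discard drops the whole message, so a copy
  # addressed to several local users is delivered to none of them
  # (in the RCPT ACL it would drop only the matching recipient).
  # $recipients is a comma-and-space separated list, and \N...\N keeps
  # the regular expression out of string expansion.
  discard
    condition    = ${if match{$recipients}\
                     {\N(^|, )please@help\.co\.za(,|$)\N}}
    log_message  = message for abused address discarded

  accept


# Variant 3: take the message normally but route the address to
# :blackhole: in a redirect router placed before the MySQL/catch-all
# routers. The delivery is logged as "=> :blackhole:" in the main log.
begin routers

blackhole_please:
  driver       = redirect
  domains      = help.co.za
  local_parts  = please
  data         = :blackhole:
```

Variant 1 is the cheapest under load, because the message is never read off the wire; variants 2 and 3 still receive the full message body and only save the delivery step.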
Re: Help with dropping spam e-mail.
On 2018-05-14, Mark Elkins via Exim-users <exim-users@exim.org> wrote:
>
> I need help. (pun included)
>
> Someone is using "please@help.co.za" as the source of spam e-mail. The
> address does not exist...

step 0: publish an SPF record.

> delivering 1fI8dS-0008Pd-DC (queue run pid 700)
> LOG: MAIN
>   ** please@help.co.za: Unknown user

why are you letting this email onto the queue?

> ...but I do manage the domain "help.co.za"

> or - somehow tell exim when it gets an unknown user to /dev/null it ???

can you instead tell exim which are valid users?

--

Re: Help with dropping spam e-mail.
Mark Elkins via Exim-users <exim-users@exim.org> (Mon 14 May 2018 10:23:52 CEST):
>
> I need help. (pun included)
>
> Someone is using "please@help.co.za" as the source of spam e-mail. The
> address does not exist...
> delivering 1fI8dS-0008Pd-DC (queue run pid 700)
> LOG: MAIN
>   ** please@help.co.za: Unknown user

So, you're receiving the bounces, because somebody uses
please@help.co.za as a sender address to spam the world?
(That is, sending messages to mostly non-existent accounts, which in
turn accept the message and bounce later to the faked sender
please@help.co.za)?


> ...but I do manage the domain "help.co.za"

> stops local delivery. What would be the most appropriate means to
> /dev/null this crap. I'm running my users from a MySQL database and
> serve a few hundred domains - each with multiple email users. I'm
> running a pretty new version of exim and do this on a Gentoo machine.
>
> Either - create a user by the appropriate name and forward it to what???
> or - somehow tell exim when it gets an unknown user to /dev/null it ???

In case you never ever use please@help.co.za as a sender, you can block
all messages destined to this address. (Ideally this is done
automatically doing inbound recipient verification.)

A fast (but ugly) solution until you have the right way in place could be:


deny message = This address didn't send mails ever.
senders = :
local_parts = please
domains = help.co.za


As one of the very first ACL statements in your acl_check_rcpt (or appropriate)
block.

If your load settles down a bit, we can discuss better ways :)

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Re: Help with dropping spam e-mail.
On 14/05/2018 12:25, Jasen Betts via Exim-users wrote:
> On 2018-05-14, Mark Elkins via Exim-users <exim-users@exim.org> wrote:
>> I need help. (pun included)
>>
>> Someone is using "please@help.co.za" as the source of spam e-mail. The
>> address does not exist...
> step 0: publish an SPF record.
except there is no guarantee that I am the only method of sending
e-mails out for this domain. I do run mail submission relay services
for those that ask. Many customers still use their Internet service
provider though to send out email - which is far easier to set up for
themselves (a single SMTP machine name) vs Submission - which is a bunch
of configuration items. I do tell people that Mail submission to my
relay is better/safer/more secure/mobile
(587+authentication+ssl+StartTLS) but people are funny creatures - if it
works - don't change it.

>
>> delivering 1fI8dS-0008Pd-DC (queue run pid 700)
>> LOG: MAIN
>>   ** please@help.co.za: Unknown user
> why are you letting this email onto the queue?

I'm not sure that I am explicitly doing that.
>
>> ...but I do manage the domain "help.co.za"
>> or - somehow tell exim when it gets an unknown user to /dev/null it ???
> can you instead tell exim which are valid users?

The problem only arises for domains that I host. Need to sit down next
to Lena (or a similar person) and have them check my configuration.
(Is Lena at RIPE? - got friends there)

--
Mark James ELKINS - Posix Systems - (South) Africa
mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: Help with dropping spam e-mail.
On Tue, 15 May 2018, Mark Elkins via Exim-users wrote:
> On 14/05/2018 12:25, Jasen Betts via Exim-users wrote:
>> On 2018-05-14, Mark Elkins via Exim-users <exim-users@exim.org> wrote:
>>> Someone is using "please@help.co.za" as the source of spam e-mail. The
>>> address does not exist...
>> step 0: publish an SPF record.
> except there is no guarantee that I am the only method of sending
> e-mail's out for this domain. I do run mail submission relay services
> for those that ask. Many customers still use their Internet service
> provider though to send out email
SPF records are managed by the domain name owners because you need to be
able to publish to the domain's DNS.

If a client of yours sends emails through their own servers, _and_ through
yours, then it is up to them to configure their own SPF records, listing
their own servers, and _including_ your domain's SPF rules.
Indeed, I suppose that in this case, the domain name being used is that of
the client; I cannot imagine that you let your clients send emails through
servers of their own choosing using _your_ domain name...
I did such a thing in my limited case: I have my own server, but I send
emails through my ISP's smarthost, thus my SPF record lists my server (by
name), and includes my ISP's SPF rules.

For your clients that use only your servers to send emails, then in theory
it would depend on who has authority on the domain. However, in such
cases (for example mail from companies that get handled by Microsoft), the
management of the DNS may be actually handled by the mail operator (you).
So you would publish the SPF records listing your servers, on behalf of
these clients.

>>> ...but I do manage the domain "help.co.za"
>>> or - somehow tell exim when it gets an unknown user to /dev/null it ???
>> can you instead tell exim which are valid users?
>
> The problem only arises for domains that I host. Need to sit down next
> to Lena (or a similar person) and have them check my configuration.
> (Is Lena at RIPE? - got friends there)
>
> --
> Mark James ELKINS - Posix Systems - (South) Africa
> mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

Cheers,
Yves.

Re: Help with dropping spam e-mail.
On Mon, 14 May 2018 at 11:32, Jasen Betts via Exim-users <exim-users@exim.org> wrote:

> On 2018-05-14, Mark Elkins via Exim-users <exim-users@exim.org> wrote:
> > Someone is using "please@help.co.za" as the source of spam e-mail. The
> > address does not exist...
>
> step 0: publish an SPF record.
>

Umm… This would help authenticate *outgoing* mail, but from the sound of it
(here and in a later message) Mark is seeing *incoming* Non-Delivery
Reports coming back *into* his <please@help.co.za> address. So an SPF
record isn't likely to help block these as his domain won't be in the
RFC5321.MailFrom address or the HELO string (used, if memory serves, when
the RFC5321.MailFrom is <> such as for Non-Delivery Reports).

You're perhaps looking at BATV
<https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation> instead so
you can discard invalid NDRs coming back as backscatter spam. But that
would be a longer term solution rather than a quick fix to address (if
you'll pardon the bijou pun-ette) the current address problem he's seeing.

Cheers,
Mike B-)
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
Re: Help with dropping spam e-mail.
On 14/05/18 09:23, Mark Elkins via Exim-users wrote:
> I also allow wildcards in addresses - so "*@help.co.za" could be
> forwarded to a single "catchall" account and some customers use this to
> "fetch" all their e-mails....

Look into changing that. It's a source of more problems than
it is worth.
--
Jeremy


Re: Help with dropping spam e-mail.
Hi Mark,

Heiko Schlittermann via Exim-users <exim-users@exim.org> (Mon 14 May 2018 21:23:46 CEST):
> all messages destined to this address. (Ideally this is done
> automatically doing inbound recipient verification.)
>
> A fast (but ugly) solution until you got the right way, could be:
>
>
> deny message = This address didn't send mails ever.
> senders = :
> local_parts = please
> domains = help.co.za

As you wrote, it works. Now we've time to discuss further measures.
It depends on your setup. I understand that you're relaying mails for
your customers' domains; here you're the relay for mails from and to
help.co.za.

The most natural way is to check your inbound traffic at SMTP time for valid
AND existing recipients. The RCPT ACL is the ideal place for doing so.

In an ideal world your ACL can rely on the routers and can just do a

require verify = recipient

optionally with callout, in case the routers need to contact a remote
destination via SMTP:

require verify = recipient/callout=defer_ok,use_sender

But, as said, this relies on the router having information if the
recipient exists, or how to do the callout to the next hop. It won't
work for catchall destinations. If you insist on having catchall
destinations, you need other means to check if a given recipient address
exists.

For your special issue, being the victim of an as-sender-abused address,
you can employ BATV, bounce address tag verification. But this implies
that all the customers' outbound traffic passes your servers or(!) uses
the same BATV scheme as your server uses.

Which of the above seems to be most realistic to you?

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
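The two mechanisms Heiko names above (recipient verification at RCPT time, then BATV for the backscatter Mike describes in his earlier message) as one added configuration example for this archive. It is not Heiko's or Mike's configuration and is not copied from the Exim specification, although prvs and prvscheck are Exim's built-in expansion items for BATV. PRVS_SECRET, the router name batv_redirect and the log texts are placeholders chosen here.

```exim
# Added example, not from the original messages. Assumes the stock
# acl_check_rcpt ACL, a remote_smtp transport, and routers that can
# distinguish a real local user from an unknown one. PRVS_SECRET is a
# placeholder: use a long random value of your own.

PRVS_SECRET = replace-with-a-long-random-secret

begin acl

acl_check_rcpt:

  # Bounces carry an empty envelope sender ("senders = :"). For the
  # hosted domain, only bounces to a prvs-signed address are accepted.
  # prvscheck expands to the empty string when the address is not
  # prvs-signed at all, so the negated condition refuses plain
  # backscatter such as the mail to please@help.co.za.
  deny
    senders      = :
    domains      = help.co.za
    !condition   = ${prvscheck{$local_part@$domain}{PRVS_SECRET}{1}}
    log_message  = bounce to unsigned address refused
    message      = this address does not send unsigned mail

  # If the address is prvs-signed, prvscheck sets $prvscheck_result to
  # "1" for a valid signature and to the empty string otherwise
  # (expired tag, wrong secret, altered local part).
  deny
    senders      = :
    domains      = help.co.za
    condition    = ${prvscheck{$local_part@$domain}{PRVS_SECRET}{1}}
    !condition   = $prvscheck_result
    log_message  = bounce with bad signature refused
    message      = invalid reverse path signature

  # Recipient verification: run the routers for the address and refuse
  # it if they cannot route it (no MySQL user, no catch-all). The callout
  # asks the next hop when a domain's mailboxes live elsewhere; defer_ok
  # accepts if that host is unreachable instead of deferring, and
  # use_sender presents the real MAIL FROM to it.
  require
    verify       = recipient/callout=defer_ok,use_sender
    log_message  = unknown recipient refused

  accept


begin routers

# Early router: strip a valid prvs tag so the bounce reaches the original
# local part. With an empty third argument prvscheck yields the decoded
# address, or the empty string (router declines) if the address is not
# prvs-signed.
batv_redirect:
  driver       = redirect
  domains      = help.co.za
  data         = ${prvscheck{$local_part@$domain}{PRVS_SECRET}}


begin transports

# Outbound: sign the envelope sender of mail from the hosted domain so
# that legitimate bounces come back to a tagged address. Every outgoing
# message from the domain must pass through this server, otherwise its
# bounces are refused by the ACL above; that is the caveat Heiko gives.
remote_smtp:
  driver       = smtp
  return_path  = ${if match_domain{$sender_address_domain}{help.co.za}\
                   {${prvs{$return_path}{PRVS_SECRET}}}\
                   {$return_path}}
```

With a catch-all router in place, verify = recipient passes for every local part of the domain, so it does nothing against this particular address; the BATV rules are what stop the backscatter, and they only work once customers stop sending unsigned mail for help.co.za through other relays.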
Re: Help with dropping spam e-mail.
On 2018-05-15, Mike Brudenell via Exim-users <exim-users@exim.org> wrote:
> On Mon, 14 May 2018 at 11:32, Jasen Betts via Exim-users <exim-users@exim.org> wrote:
>
>> On 2018-05-14, Mark Elkins via Exim-users <exim-users@exim.org> wrote:
>> > Someone is using "please@help.co.za" as the source of spam e-mail. The
>> > address does not exist...
>>
>> step 0: publish an SPF record.
>>
>
> Umm… This would help authenticate *outgoing* mail, but from the sound of it
> (here and in a later message) Mark is seeing *incoming* Non-Delivery
> Reports coming back *into* his <please@help.co.za> address. So an SPF
> record isn't likely to help block these as his domain won't be in the
> RFC5321.MailFrom address or the HELO string (used, if memory serves, when
> the RFC5321.MailFrom is <> such as for Non-Delivery Reports).

An SPF should make it harder to generate backscatter, hopefully most
systems that are opportunistically attempting to forward email are
at least checking SPF.

> You're perhaps looking at BATV

BATV only works if you can rewrite the envelope sender of all messages from the
domain.

--
