AOL EMail Bomb - Failed Msgs

Discussion in 'Linux VPS/Dedicated - cPanel' started by WRMercier, Mar 11, 2010.

  1. WRMercier

    WRMercier Member

    Am having a problem that started this past weekend. Some time ago I activated the SpamAssasin and BoxTrapper for my personal email account. Per BoxTrapper instructions I went about the task of adding trusted domains to my WhiteList including .+\@aol\.com. This past weekend, I started receiving hundreds and even thousands of failed email msgs. Due to the huge influx, I immediately went to my WHM and changed the Systems Mail Preferences to another email addy that is not currently used until I could sort out the problem. I have submitted 2 support tickets and pretty much am told to contact AOL’s support. (Good luck contacting anyone at AOL) Is anyone else experiencing this problem? I even resorted to putting .+\@aol\.com on my Ignore List and still the daily failed msgs keep coming by the thousands. I just a few minutes ago eliminated the mail forward to nobody’s mail in Systems Mail Preferences completely but what I really need is some direction to get this stopped completely. Anyone here experienced this type problem with AOL related mail before and if so, what did you do to stop it? Thanks!
     
  2. mylinear

    mylinear Member

    Is this only about mails specifically to AOL bouncing back? That is, your IP may be blacklisted?

    Or do you have hundreds / thousands of undelivered messages in your Exim mail queue?

    Maybe you can post a sample header of the bounced / undelivered message to provide more info on the problem.
     
  3. WRMercier

    WRMercier Member

  4. mylinear

    mylinear Member

    Perhaps you could try to disable BoxTrapper and delete unwanted messages in the Exim queue and see what happens from that point. I have SpamAssassin enabled but BoxTrapper disabled.

    If you receive a message from a spammer using a fake AOL address, BoxTrapper sends a verification email to that address which will then bounce as it does not exist.

    If you receive a message from a spammer using someone else's AOL address, BoxTrapper will send a verification message to that address. The real owner of that address may then report the verification message as being spam to AOL. The message reported will be originating from your IP and you could get blacklisted.
     
  5. Dan

    Dan Moderator

    Personally this backscatter method of spamming is why I quit using Spamassassin and boxtrapper.

    What you are seeing is a dictionary attack of spam on your domain. The address is bad so the server attempts to bounce it back to the sending address. Which is of course spoofed and you end up with thousands of undeliverable messages in your Exim queue.

    Spam software should never bounce a spam message or replay to it in any way, shape, or form.

    I do not think this is a boxtrapper issue it is a Spamassassin issue and I was not able to find any configuration for this problem.
     
  6. WRMercier

    WRMercier Member

    Thanks MYLINEAR and DAN for your informative replies. By eliminating the catch-all email addy I have stopped the bounced msgs from loading my email but of course they are still coming. Just no where to go I suppose. I think I very well may just endure the spam and backstroke away from both BoxTrapper as well as SpamAssign. Hopefully in a short amount of time these bounced emails will die off and I can avoid having to use my last resort of simply changing to a new email addy which I hopefully can avoid. Thanks again for your response and info.
    WR
     
  7. KH-Paul

    KH-Paul CTO Staff Member

    Dan - SA won't bounce emails unless you enable the "SpamAssassinTM: Bounce mail when the spam score is greater than NN" option on the WHM >> Service Configuration >> Exim Configuration Editor screen. Not quite sure why such an option was implemented in the first place but it should never be checked.

    WRMercier - if you set default delivery to "Discard with error to sender (at SMTP time)" then emails to unknown mailboxes within that domain will be rejected during the SMTP session, so no bounce will be generated by your own system. I would also suggest to add SPF record for your domain(s) to reduce chances for your domains to be used by spammers in the From: field of their emails.
     
  8. WRMercier

    WRMercier Member

    KH-Paul – Thanks so much for your info and advice. Unfortunately I am very new to much of this and am struggling to understand and comprehend the info presented. With that said, this situation seems to be escalating as after disabling SpamAssign yesterday I showed over 6K bounced msg last night between 1900-2000 that I purged and probably that many or more at 0400 this morning.

    I have looked through the different areas in my WHM and failed to find the "Discard with error to sender (at SMTP time)" option you noted in your last response. I would very much appreciate your giving me the dummy version of your instructions, being as specific as possible as to what I can and need to do to resolve this problem. Also I would be appreciative if you could also do the same as to precisely how to add the SPF record you noted to reduce chances for domains to be used by spammers in the From: field of their emails.

    Other then your above suggestions, I am at a total loss as to how to resolve this problem and would be appreciative and grateful for any assistance and/or specific advice you might offer. Many thanks for your response.
    WR
     
  9. mylinear

    mylinear Member

    While waiting for more help from KH-Paul...

    For the "Discard with error to sender" option, login to your cPanel (not WHM) for the domain in question (the one with the bounced mail problem). In the Mail section, click on the Default Address option. You will see it there.

    For SPF, in cPanel for the domain in question, see the Email Authentication option in the same Mail section.

    You can read more about SPF here:
    http://www.openspf.org/

    By any chance, do you have an installation of ZenCart on the domain in question? I had a domain with ZenCart installed for testing and I had a problem with thousands of undelivered / bounced emails in my Exim queue. I later removed ZenCart and so far it has not happened again. Or perhaps some other such program installed could be causing this problem.


    Some additional info...

    I have SpamAssassin enabled on my VPS. BoxTrapper is disabled.

    In WHM -> Service Configuration section -> Exim Configuration Editor:

    I have the following checked.

    ACL Options
    SpamAssassinTM: Reject mail with a spam score greater than 10 at SMTP time.

    The following is what KH-Paul says should be unchecked. I have it checked, but I believe it is negated by the checked option in the ACL section above.

    Filters
    SpamAssassinTM: Bounce mail when the spam score is greater than 10

    RBLS
    RBL: bl.spamcop.net
    RBL: zen.spamhaus.org

    HTH.
     
  10. WRMercier

    WRMercier Member

    mylinear;
    I am so indebted to you and KH-Paul for your info and attempts to assist in getting me out of this black hole I’m currently in with the email bombing issue. As suggested I checked and DO indeed have the "Discard with error to sender (at SMTP time)" ticked in the cPanel - Default Address option. Also been reading the info at http://www.openspf.org/ which is admittedly more then a little confusing to this newbie. Not sure what I need to address and include in creating the SPF record to keep spammers from hijacking my email addy? Any chance of getting a point in the right direction? If it means anything, I use my ISP’s outgoing mail (smtp.earthlink.net). To date here is where I’m at. I have the "Discard with error to sender (at SMTP time)" ticked per yours and KH-Paul’s suggestion. I turned off SpamAssassin but still have BoxTrapper enabled. With these in place, as of last evening I am still receiving thousands of bounced msgs and they appear to be escalating as it took me much longer to purge them.

    I don’t have Zen Cart installed or anything out of the ordinary that I don’t have on other web sites that are not getting bombed as my personal one is.

    The desperation level is definitely rising in proportion to the increase in the bounced mail. This situation is fast getting out of control and I very much appreciate the effort and assistance in attempting to right this wrong. A BIG Thank you for your help folks ! ! !
    WR
     
  11. mylinear

    mylinear Member

    Could you try to disable BoxTrapper, enable SpamAssassin, clear your mail queue and see what happens then? See my previous post and try the options I listed under "Some more info...".


    Could you also check in the public_html directory of the account in question to see if there is any unusual files there. I had a file named 404.php which caused a similar problem with mails a few weeks ago.
     
  12. mylinear

    mylinear Member

    For SPF, see if you can use the cPanel -> Email Authentication section. Or submit a ticket to support with relevant details and ask them to setup the SPF record for you.

    I do not use my ISP mailserver to send mails from my domain, so my SPF is different from yours, so no guarantee the below will work properly. hope someone else can verify this, or ask support to verify this. You can try the below.

    1. Go to WHM -> DNS Functions section -> Edit DNS Zone.
    2. Select the domain in question. Click Edit button.
    3. Scroll down to the "Add New Entries Below this Line" section.
    4. In the 1st blank field, type in your domain name with a period at the end. Eg:
    example.com.
    (Note the. at the end)
    5. Leave 14400 in the next field.
    6. Select TXT from the dropdown list in the next field.
    7. In the last field, type this in (including the quotes). Change x.x.x.x to your domain's IP address.

    "v=spf1 ip4:x.x.x.x a:smtp.earthlink.net mx:smtp.earthlink.net -all"

    (Note: include the double quotes at the start and end of the text)
    8. Scroll down and click the Save button.

    Clear your mail queue. Test by sending and receiving emails from your domain or Yahoo, Hotmail etc to see if emails go in and out correctly. If your tests shows emails are not being sent or received, remove the SPF record and submit a ticket to support to get it done correctly.
     
  13. WRMercier

    WRMercier Member

    Have disabled BoxTrapper and enabled SpamAssassin as well as well as cleared the mail queue per your suggestions.

    Note:
    In WHM -> Service Configuration section -> Exim Configuration Editor:


    ACL Options
    SpamAssassinTM: Reject mail with a spam score greater than 10 at SMTP time.

    Mine indicates 20 at SMTP time. Should this number be changed to 10 in SpamAssissan configuration or some other area?

    Filters
    SpamAssassinTM: Bounce mail when the spam score is greater than 10

    Also this one indicates 20 in my WHM. Should this number be changed at some place as well?

    RBLS
    RBL: bl.spamcop.net
    RBL: zen.spamhaus.org

    I take it the above needs to be ticked which is what I did.

    Also checked the public_html directory and didn’t see any files that shouldn’t be there.

    Have also done the SPF per your above specific instructions. Did an email "To" and "From" my domain and it worked fine. Now to see if this stops the recent bombing mission. I’ll check back in a few days with an updated report. Many thanks again for your help and assistance.
    WR
     
  14. mylinear

    mylinear Member

    For the first 2 options above, uncheck the current setting of 20. Then you will see a new list of options and you can select the 10 option by checking the appropriate box.

    Yes, both RBL options should be checked.

    FYI, I received an Abuse Complaint report from KH Abuse Dept. When I checked, I found I had approx 50,000 messages in the Exim mail queue. They are either spam or bounced messages, but not legit emails from any of my domains. Support helped me clear the queue and I suspect that a file has been uploaded somehow on one of my domains that was generating the spam.

    Not sure if its the same case as yours. But if your queue goes up again, submit another ticket to support and ask them to look into it. They may be able to narrow down to what may be causing these messages in the queu. Support is generally very helpful.

    Also, consider changing all your passwords on the VPS, which is what I am currently doing as I do not know for sure how the file was uploaded.
     
  15. WRMercier

    WRMercier Member

  16. Dan

    Dan Moderator

    Hi WRMercier,

    You need to UNcheck the option that KH-Paul listed.

    And changing from 20 to 10 could cause a good amount of false positives as that is a pretty low number (just keep that in mind).

    Enabling SPF on your domains is a great idea and you should definitely do it. But it will not actually stop others from spoofing your domain. What it will do is provide more positive identification for email actually sent from your domain. As to whether or not spoofed email will fail or not will depend on the recipient's spam software configuration.

    Hope that helps
     
  17. WRMercier

    WRMercier Member

    Dan;
    Thanks once again for the response and info. I am making myself a little checklist and adding all info and suggestions to try. Have implemented suggestions and will give a report in a few days when I see what kind of results I get.

    Thanks again for your info and help. Definitely getting a good education from all this. Just hope it pays off.
    WR
     
  18. WRMercier

    WRMercier Member

    Mail Bombing Update :D
    First off my sincere thanks to mylinear, Dan, and KH-Paul for their info, advice, help and assistance. Your response and help is so very much appreciated.

    Now the report card; My Mail Queue Manager in WHM is down to nothing over the past few days in comparison to thousands prior to making the suggested changes by the above heroes. That’s the good news. Unfortunately I have made a full circle to a lesser degree as I am now again receiving SPAM again but admittedly, not to the extent I originally was. That may be due to the fact that I am relying on SpamAssasin exclusively with BoxTrapper disabled. If this is what it takes to keep the bombing at bay then I can live with it unless anyone has some fine tuning advice I might give a try to.

    Again, I wish to send out my appreciation to all of you who gave me the help I needed to dig myself out of a deep black hole. Your efforts are so very much appreciated.
    WR
     
  19. mylinear

    mylinear Member

    You can check in the spam message headers to see what sort of score were given by SpamAssassin. Then maybe you can tweek SpamAssassin spam score or other settings / rules. I do not have specifics as I leave SpamAssassin with default settings and with score of 5 and discard messages marked as spam.

    If you want to experiment, you could enable BoxTrapper for a day or so to see what happens. Does it get rid of your current spam? Or increases spam / bounced mails? Then you will know for sure whether BoxTrapper is the cause or of any help. You can then disable it again if it is not helpful.
     
  20. WRMercier

    WRMercier Member

    Folks;
    Thought I’d follow up with a status report. After trying out all of the suggestions and ideas I am now practically free of SPAM. Not exactly sure what was the magic bullet but whatever it was finally worked. I have made myself a little suggestion folder with all of the info you folks shared in case this gremlin jumps up to try and bite again.

    Just want to pass along my sincere appreciation and thanks to you mylinear, Dan, and KH-Paul for all your time and assistance. It is so much appreciated.
    WR
     

Share This Page