spam, email aliases and bounces

04-16-09, 05:39
A few weeks ago, my VPS was swamped with spam out of Taiwan, to the tune of tens of thousands of attempts per hour. The sheer volume overwhelmed SpamAssassin and Exim and slowed the VPS to a crawl; and although only a small fraction of the spam made it through, that small fraction still amounted to thousands of spams. I just finally managed to get my IPs off what I think is the last of the blacklists that I was placed on as a result of the attack.

This attack was partially due to one of my clients' PCs having been rootkitted, but mainly it was my fault for not having tightened up the mail and firewall settings after the VPS was restored subsequent to a recent crash. I've been through this nonsense before and I've learned that the default settings in Exim, SpamAssassin, and CSF are inadequate against today's spammers.

But in this case, the attack lasted a few days before I noticed it happening, because I only use a fraction of my available VPS resources during normal use. So even under the strain of the attack it wasn't immediately apparent to me that anything was wrong because Web, FTP, and mail were still functional. I had no occasion to log in via WHM or SSH, so I didn't realize anything was wrong until the loads became so high that things started feeling a little sluggish.

In any case, once I did realize there was a problem, I decided to take care of it myself because I've been through this before and knew what to do. I tightened the CSF, SpamAssassin, and Exim rules; blocked or null-routed the offending IP ranges (mainly dynamic IPs from hinet.net and other Taiwanese ISPs); disabled my infected client's mail; strengthened the login failure rules; and so forth. Within a few hours the attack was defeated.

Since then, everything has been working splendidly -- with one exception.

Some of my clients choose not to have email accounts on their domains, but rather choose to use aliases (forwarders) instead. The way I've always set these up is to create the forwarders in cPanel, but not create the actual mailboxes. This just saves me from having to regularly empty all the inboxes that would never be checked.

Since I tightened up all the Exim settings, bounce messages are being generated for mail that is sent by scripts and addressed to aliases. The mail goes through, but the sender receives a bounce message. This only happens when the mail is sent by a script, not when sent by an actual human using a standard email client.

I can work around the problem by modifying the scripts to send the mail directly to the end address (rather than the alias), so it's no big emergency. I'm just curious if anyone has any thoughts about which Exim configuration setting would cause script-generated emails to bounce when addressed to aliases for which no corresponding mailbox exists.

Incidentally, I'm not even sure that it's an Exim setting that's at fault, nor am I in any hurry to "fix" the problem because only a very few of my clients use aliases, anyway; and the workaround is easy. It's just a curious thing for me, and I thought others might be interested in thinking about it.
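One way to narrow this down from the server side, as an added example that is not part of the original post: Exim's mainlog records for every message how it was submitted (a locally injected message from a script carries `P=local` and `U=<unix user>`; one from a mail client or another MTA carries `H=<host>` and `P=esmtp`), each delivery (`=>`), each hard failure (`**`), and the bounce it then queues (a new message with sender `<>` and `R=<original id>`). The script below groups failures by submission path so the "only when sent by a script" observation can be confirmed from the log rather than by guessing at which router produced it. The log lines are constructed for the example and the field layout follows Exim's default mainlog format; the router and transport names in them are placeholders, not a claim about this server's configuration.

```python
"""Group Exim mainlog delivery failures by how the message was submitted.

Added example (not the poster's code). Field layout follows Exim's default
mainlog format; the sample lines, router and transport names are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one message injected locally by a web script
# (P=local, U=www-data) that is forwarded AND fails for the alias address,
# so Exim queues a bounce (sender <>, R=<original id>); and one message
# from a mail client over SMTP (H=..., P=esmtp) that is delivered cleanly.
SAMPLE_LOG = """\
2009-04-16 05:39:01 1Lu1fe-0001aB-Cd <= www-data@vps.example.net U=www-data P=local S=812
2009-04-16 05:39:01 1Lu1fe-0001aB-Cd => bob@mailbox.example <info@client.example> R=virtual_aliases T=remote_smtp
2009-04-16 05:39:01 1Lu1fe-0001aB-Cd ** info@client.example R=virtual_user T=local_delivery: No such user here
2009-04-16 05:39:01 1Lu1fe-0001aC-Ef <= <> R=1Lu1fe-0001aB-Cd U=mailnull P=local S=1530
2009-04-16 05:39:02 1Lu1fe-0001aC-Ef => www-data@vps.example.net R=localuser T=local_delivery
2009-04-16 05:39:02 1Lu1fe-0001aC-Ef Completed
2009-04-16 05:39:02 1Lu1fe-0001aB-Cd Completed
2009-04-16 05:40:10 1Lu1gm-0001aD-Gh <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2009-04-16 05:40:10 1Lu1gm-0001aD-Gh => bob@mailbox.example <info@client.example> R=virtual_aliases T=remote_smtp
2009-04-16 05:40:11 1Lu1gm-0001aD-Gh Completed
"""

# timestamp, Exim message id, flag (<= arrival, => delivery, ** failure),
# the address the flag applies to, then the remaining key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) "
    r"(?P<flag><=|=>|\*\*) (?P<addr>\S+)(?: (?P<rest>.*))?$"
)


@dataclass
class Message:
    msg_id: str
    sender: str = ""
    origin: str = ""        # "local" (sendmail pipe, i.e. a script) or "smtp"
    bounce_of: str = ""     # for a bounce (sender <>), the id it reports on
    delivered: list = field(default_factory=list)
    failed: list = field(default_factory=list)   # (address, reason)


def _fields(rest):
    # "U=www-data P=local S=812" -> {"U": "www-data", "P": "local", "S": "812"};
    # tokens without '=' (the HELO name, the [ip]) are ignored.
    return dict(t.split("=", 1) for t in rest.split() if "=" in t)


def parse_mainlog(text):
    """Return {message id: Message} for the arrival/delivery/failure lines."""
    msgs = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:               # "Completed", rejects, etc. are not needed here
            continue
        msg = msgs.setdefault(m["id"], Message(m["id"]))
        rest = m["rest"] or ""
        if m["flag"] == "<=":
            f = _fields(rest)
            msg.sender = m["addr"]
            msg.origin = "local" if f.get("P") == "local" else "smtp"
            if m["addr"] == "<>":
                msg.bounce_of = f.get("R", "")
        elif m["flag"] == "=>":
            msg.delivered.append(m["addr"])
        else:                   # "**": hard failure, a bounce will follow
            reason = rest.split(": ", 1)[1] if ": " in rest else rest
            msg.failed.append((m["addr"], reason))
    return msgs


def bounce_report(msgs):
    """One row per failed recipient: how the original message was submitted,
    whether part of it was still delivered, and whether a bounce went out."""
    bounced = {m.bounce_of for m in msgs.values() if m.sender == "<>"}
    rows = []
    for m in msgs.values():
        for addr, reason in m.failed:
            rows.append({
                "msg_id": m.msg_id, "origin": m.origin, "sender": m.sender,
                "failed": addr, "reason": reason,
                "also_delivered": bool(m.delivered),
                "bounce_sent": m.msg_id in bounced,
            })
    return rows


def summarize_by_origin(rows):
    """Count failures per submission path, e.g. {"local": 1}."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["origin"]] += 1
    return dict(counts)


if __name__ == "__main__":
    report = bounce_report(parse_mainlog(SAMPLE_LOG))
    for row in report:
        print(row)
    print(summarize_by_origin(report))
```

Run it against a real `/var/log/exim_mainlog` (or `exim_mainlog` under cPanel) by reading the file into `parse_mainlog`; if every failure row comes back with `origin == "local"` and `also_delivered == True`, the log confirms the symptom is tied to local injection, and the `reason` text plus the `R=` router named on the `**` line point at which router rejected the alias address.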

