qmail patch to reject invalid email at the smtp layer
Speedy
01-28-2005, 12:52 PM
Hi,
I was wondering what it would take to get a patch into the interworx qmail rpm so qmail will reject mail to invalid addresses at the smtp layer.
This would be great for spammers that use a dictionary of words to bombard a mailserver with spam. By rejecting it at the smtp layer, it never clogs up the mail queue, and those that are running spam/virus checks are not wasting cpu time on mail that is never going to get delivered.
One such patch that seems to do this is located at:
http://code.dogmap.org/qmail/
named qmail-realrcptto patch
Carlos
01-30-2005, 02:44 PM
Yes, this one would be really great.
Another day a spammer sent to my server 20.000 (yes, 2 + four zeros) e-mails, using my domain with a dictionary.
The only problem with this is spammers can validate e-mail addresses. If they forge From (which they almost always do), they don't know what happens to the spam when they send it.
If you reject at the SMTP server, they know as they are sending what addresses are good and what are bad. They can validate e-mail addresses and know if they keep sending to certain ones someone will get it.
Carlos
01-31-2005, 08:05 AM
Yes, I'm aware of this possibility. But as things are today, they keep sending to all addresses. And as they use fake return paths, you waste resources bouncing the e-mail back and receiving the bounce back to you some time later ("This is the qmail-send program at XXXXX. I tried to deliver a bounce message to this address, but the bounce bounced!").
IWorx-Paul
01-31-2005, 12:52 PM
I agree, this is a valid concern. The patch you mentioned won't work with InterWorx since it doesn't understand vpopmail, but there is a patch we're looking into called chkuser.
There is something you can do about the double bounce messages immediately though.
run the following commands as root:
echo '#' > /var/qmail/alias/.qmail-dev-null
chown alias.nofiles /var/qmail/alias/.qmail-dev-null
echo 'dev-null' > /var/qmail/control/doublebounceto
pascal
01-31-2005, 05:55 PM
I agree, this is a valid concern. The patch you mentioned won't work with InterWorx since it doesn't understand vpopmail, but there is a patch we're looking into called chkuser.
it seems to be great
There is something you can do about the double bounce messages immediately though.
run the following commands as root:
echo '#' > /var/qmail/alias/.qmail-dev-null
chown alias.nofiles /var/qmail/alias/.qmail-dev-null
echo 'dev-null' > /var/qmail/control/doublebounceto
Paul, isn't it the same thing to only let a blank field or only # char in /var/qmail/control/doublebounceto?
For my personal concern, do you absolutely need to have an existing alias to pipe all double bounce messages to a null email?
Thanks
Pascal
IWorx-Chris
02-02-2005, 10:59 PM
Knowing qmail it could work with just the # in there Pascal, but every example I've seen uses the alias.
Chris
pascal
02-03-2005, 09:18 AM
Knowing qmail it could work with just the # in there Pascal, but every example I've seen uses the alias.
Chris
Ok, so it should have a reason why :)
If every example uses the alias, I'll use the alias :)
Thanks Chris and Paul
johan_hammy
12-01-2005, 10:42 AM
So what's our final solution to filter out the double bounces?
johan_hammy
12-01-2005, 10:45 AM
http://www.interworx.com/support/docs/iworx-cp/sysadmin/system-services/mail-server/mta/howto-change-bounce-options
There's an option in there to disable double bounces.
freegrafton@mac
12-05-2006, 04:06 PM
Just checking this discussion for the first time. Wondering if this patch was ever implemented in interworx (latest update). We have been hit by two smtpd attacks where they are doing dictionary attacks. Of course the qmail we all know and love accepts every darn message before it denies it! So, valuable server resources are taken up dealing with it.
We have been looking at adding a Barracuda Spam Filter to help offload the huge loads we get on SPAM (having almost 5000 email accounts) but they will not work to deny smtpd attacks if this patch is not in place because qmail will accept all the messages before bouncing them.
Sorry to be so verbose on a simple question... was this patch implemented yet? Thanks.
EverythingWeb
12-05-2006, 05:27 PM
Hello,
I would also appreciate some info on this, as we want to enable Dynamic Recipient verification for our SPAM checking, and without it rejecting at the outset of the SMTP transaction, it can't work.
Cheers,
William
IWorx-Paul
12-05-2006, 06:00 PM
Yes, the chkuser patch has been added. You enable it on a per-domain basis in SiteWorx, by turning "bounce on". Site Services->E-mail->Overview on the menu.
Paul
freegrafton@mac
12-05-2006, 06:04 PM
There is nothing cooler than asking something and finding out that you already have it! Thanks guys for the amazing product! Greatly appreciated.
EverythingWeb
12-05-2006, 06:10 PM
Ahh.. perfect thank you Paul :)
EverythingWeb
12-05-2006, 06:12 PM
Just tested it, and got an email back from the SPAM Server (which is what we were aiming for), saying:
<test@emailaddress.com>: host servername.ew-servername.net[87.117.XXX.XX] said: 511 sorry, no
mailbox here by that name (#5.1.1 - chkuser) (in reply to RCPT TO command)
Perfect ;)
oaf357
12-05-2006, 07:26 PM
smtp attacks seem to be a major drag on resources for me as well. I enabled bouncing in SiteWorx but the help file states the following:
This is where you can define what happens when an e-mail is sent to an address at your domain that does not exist. The choices are:
1. Send a "bounce" message back to the sender informing them that the e-mail address they sent to does not exist
2. Silently delete the message without informing the sender that the e-mail address does not exist
3. Forward these messages to another e-mail address, called a "catch-all" address.
I want to do #2. How do I accomplish this?
freegrafton@mac
12-05-2006, 07:39 PM
oaf357,
It is pretty easy to accomplish #2. You need to log in to each of your user accounts to do this. Once logged in to a user account, click on Email --> Overview --> and then you will see the 'Bounce Messages' field will either be set to On or Off. If the bounce is set to 'off' then qmail will silently delete all messages. When set to On, this is where the patch comes into play and it will bounce all messages that do not match a valid recpt.
Here is the problem when it comes to an smtp attack though. If you have set it to black hole these messages (silently delete) the problem is that you can be overloaded with an smtp attack because qmail has to process every bogus email account. It runs each message through virus and spam filtering and realizes that account doesn't exist. What Paul said, by implementing the chkuser patch into qmail is that qmail checks for a valid user before even accepting the message. If the account doesn't exist, it can bounce it BEFORE tying up your server resources. So, in the case of an smtpd attack, you are better off bouncing emails than black holing them in my opinion.
oaf357
12-05-2006, 08:26 PM
Thanks for that. We'll see how it helps.
EverythingWeb
12-06-2006, 03:32 AM
Paul,
Can you just confirm that the chkuser does successfully allow email addresses which are set up as aliases?
Eg:
Mailbox: firstname@domain.com
Alias: firstname.lastname@domain.com
These would both be classed as valid recipients by chkuser?
thanks,
William
freegrafton@mac
12-06-2006, 09:04 AM
William,
I can confirm that that is the case. Vpopmail is what is actually storing all of your email accounts, aliases, and mail lists. What chkuser does is query the vpopmail service asking for the valid recipients before any other processing happens. If it does not find a match, it will send a 553 bounce message to the sender.
You can read more about the patch at http://www.interazioni.it/opensource/chkuser/
EverythingWeb
12-06-2006, 10:14 AM
Thanks for that. I was pretty sure with the testing we've done that it was operating as requested.
We now have some very happy, spam-free customers.
Woohoo! :D
pascal
04-26-2007, 09:28 AM
Hi,
Just to know, which version of chkuser does Interworx use? Which version does V3.0 use?
2.0.9 ?
Thanks
Pascal
IWorx-Paul
04-26-2007, 09:54 AM
We're currently using the 2.0.8 version. iworx 3.0 will use the same version. Is there a specific feature you want that is only in the 2.0.9 version? We're not in a rush to make changes to important things like e-mail when it works without making changes :)
Paul
ubiquityZach
05-16-2007, 05:13 PM
Hey all,
Jumping in late, but let me see if I understand correctly.
Within Interworx 2.0.3, the chkuser patch is enabled. This allows me to set each SiteWorx account to 'Bounce Messages' within the Email Management / Overview page. If it's set to off, these messages will be silently deleted (blackhole). However, when the messages are silently deleted it utilizes system resources because qmail has to process each piece of inbound mail sent to a non-existent mailbox. This is a problem especially in the case of an smtp attack.
The chkuser patch will have qmail check to see if the incoming mail is headed towards a valid user. If qmail finds that the incoming mail does not have a valid target email address, a bounce message will be delivered to the sender.
If this is correct, my question is:
Wouldn't it be wise to disable the doublebounce feature as well so that users are not receiving a wad of bounce failure notices (The bounce bounced!) because the outbound bounce message cannot find a legitimate target?
Please, correct me if I'm misunderstanding anything. Any guidance would be appreciated.
Thanks
pascal
05-17-2007, 08:27 AM
Hey all,
Jumping in late, but let me see if I understand correctly.
Within Interworx 2.0.3, the chkuser patch is enabled. This allows me to set each SiteWorx account to 'Bounce Messages' within the Email Management / Overview page. If it's set to off, these messages will be silently deleted (blackhole). However, when the messages are silently deleted it utilizes system resources because qmail has to process each piece of inbound mail sent to a non-existent mailbox. This is a problem especially in the case of an smtp attack.
The chkuser patch will have qmail check to see if the incoming mail is headed towards a valid user. If qmail finds that the incoming mail does not have a valid target email address, a bounce message will be delivered to the sender.
If this is correct, my question is:
Wouldn't it be wise to disable the doublebounce feature as well so that users are not receiving a wad of bounce failure notices (The bounce bounced!) because the outbound bounce message cannot find a legitimate target?
Please, correct me if I'm misunderstanding anything. Any guidance would be appreciated.
Thanks
Yes, it is correct! With bounce On, chkuser tests whether it is a known user at the SMTP level.
For the double bounce message, you can already disable it in nodeworx ! (System services/mail/MTA)
In the MTA config there is an option for doublebounce
Pascal
ubiquityZach
05-17-2007, 05:14 PM
Pascal,
Thanks for the affirmation. I was also informed through a support ticket I sent in the other evening which was replied to promptly by Paul. Since I've already benefited from his response, I might as well pass it on so that anyone observing this thread will gain from it as well.
--------------------------------------------------
Hi Zach,
"The chkuser patch will have qmail check to see if the incoming mail is headed towards a valid user. If qmail finds that the incoming mail does not have a valid target email address, a bounce message will be delivered to the sender."
That's almost right. If the chkuser patch finds that there is not a valid target e-mail address, the SMTP server will reject the message then and there. It will just say "no thanks, don't want any" to the SMTP server that is connecting to it. That SMTP server that is connecting to it MIGHT then generate a bounce message based on that error, and send it to the sender address - but YOUR server will not be generating this bounce message. Your server is just not accepting the message at the SMTP level.
"Wouldn't it be wise to disable the doublebounce feature as well so that users are not receiving a wad of bounce failure notices (The bounce bounced!) because the outbound bounce message cannot find a legitimate target?"
Yes, in most cases it's advantageous to just disable the double bounce messages. You can do this from the NodeWorx MTA configuration page.
"(I was also going to edit the original post to address any complications that might occur when a catchall address is assigned.)"
If a catchall is "on" for the domain, then "bounce" will be off and by definition, all e-mail recipients at that domain are valid, and chkuser will accept all at the SMTP level, there will be no SMTP level rejection.
Hope that helps clear things up, let me know if you have any other questions.
Paul
----
Thanks Paul, Thanks Pascal