Are you trying to control bounce back email messages?
This guide will help you.
Sometimes an email we send fails to reach the recipient's inbox. This is what is known as an email bounce back.
When this happens, the mail server that could not deliver the message returns a bounce back message describing the failed delivery and the technical details of the failure.
In other cases, the server is flooded with such messages. This is usually a sign of spamming from a compromised account on our server, or of a third party spoofing our domain.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to configure their email servers to prevent spamming attacks.
In this context, we shall look into ways to control bounce back email messages.
What triggers bounce back email messages?
Emails can bounce back due to several reasons which include:
i. Invalid or nonexistent email address
ii. Blocked sender’s IP address
iii. Email blocked by receiving server
iv. Receiving server is overloaded
v. The receiver's inbox is full
vi. Low sender reputation score
vii. The recipient has set up an auto-reply (not a true delivery failure, but it lands in the sender's mailbox like one)
viii. Email size is too large
Methods to control bounce back email messages
It is common for a server to be flooded with bounce back emails while the exact problem is not obvious. In such cases there are two possible causes for these bounce back messages:
i. Spamming: the messages really were sent through our server, typically from a compromised email account.
ii. Spoofing: the messages were sent from elsewhere with our domain forged as the sender, and only the bounces come back to us.
Let us discuss each in detail, with examples and solutions.
Spamming through our server generally takes one of two forms.
In the first form, the email account is compromised and the attacker sends spam directly from it. The mails addressed to non-existent recipients bounce back to the account.
To confirm this, we need to check the mail logs first.
We use the "exigrep" command on the Exim main log, "/var/log/exim_mainlog".
The transaction details show how the mails were sent:
#exigrep email@example.com /var/log/exim_mainlog | head -100
This prints the first 100 lines of log entries for the account email@example.com. exigrep groups together every log line belonging to a message (its arrival, deliveries and completion), so the output shows complete transactions rather than isolated lines.
Please note that email@example.com is a sample mail account; substitute the address that appears as the sender in the bounce messages.
Here is a sample email transaction from the Exim log:
2021-02-03 13:13:21 1TJVJp-0004Ns-Pr <= email@example.com H=(sample.com) [220.127.116.11]:46779 P=esmtpa A=courier_login:email@example.com S=616 T="oooooooooV,-,1,-,A,-,G,-,R,-,Aooooooooo" for firstname.lastname@example.org
2012-10-03 13:13:21 1TJVJp-0004Ns-Pr SMTP connection outbound 1349295201 1TJVJp-0004Ns-Pr sample.com email@example.com
On analyzing the log, we can see that the message (the "<=" line) was submitted by email@example.com over authenticated SMTP (P=esmtpa), and the A= field shows the login that was used: courier_login:email@example.com, the same account.
This indicates that the account is compromised: the attacker has the account's password and is submitting spam through our server with it.
To resolve this, reset the password of the email account first, so the attacker can no longer submit mail, and then remove the spam that is still waiting in the mail queue with the following commands:
#exiqgrep -i -f email@example.com | xargs exim -Mrm
This removes every queued message whose sender is this mail address (exiqgrep -i lists the matching message IDs and exim -Mrm deletes them).
#exiqgrep -i -r firstname.lastname@example.org | xargs exim -Mrm
This removes every queued message addressed to that recipient. Note that the address given to -f and -r is treated as a regular expression, so a bare address also matches longer addresses that contain it.
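Because exiqgrep matches its -f and -r argument as a regular expression against the address wrapped in angle brackets, an unanchored address can remove more than intended. The helper below is an added example, not part of the original article or of Exim: it builds an anchored, dot-escaped pattern and demonstrates the difference on a constructed list of sender fields (the sample addresses are placeholders, not real queue data).

```bash
#!/bin/bash
# Added example: build an exact-match pattern for exiqgrep -f / -r.
# exiqgrep compares its argument, as a regex, with the address written
# as "<addr>", so a bare "email@example.com" also matches
# "<notemail@example.com>" and, because "." is a wildcard, "<email@exampleXcom>".
exact_addr_regex() {
    printf '^<%s>$' "$(printf '%s' "$1" | sed 's/[.]/\\./g')"
}

# Constructed sample of sender fields in the form exiqgrep sees them.
SAMPLE_SENDERS='<email@example.com>
<notemail@example.com>
<email@exampleXcom>
<>'

# Count how many sample senders a pattern would match.
count_matches() {
    printf '%s\n' "$SAMPLE_SENDERS" | grep -cE -- "$1" || true
}

count_matches 'email@example.com'                          # → 3 (over-matches)
count_matches "$(exact_addr_regex email@example.com)"      # → 1 (exact)

# On a real server, count first and remove only when the count looks right:
#   exiqgrep -c -f "$(exact_addr_regex email@example.com)"
#   exiqgrep -i -f "$(exact_addr_regex email@example.com)" | xargs exim -Mrm
```

The same pattern works for -r when removing queued mail addressed to one recipient.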
In the second form, the email account is compromised as well, but the attacker logs in as that account and sends mail under a different, forged sender address.
For example, consider the below log:
2021-02-03 13:13:21 1TJVJp-0004Ns-Pr <= firstname.lastname@example.org H=() [18.104.22.168]:46779 P=esmtpa A=courier_login:email@example.com S=616 T="oooooooooV,-,1,-,A,-,G,-,R,-,Aooooooooo" for firstname.lastname@example.org
2012-10-03 13:13:21 1TJVJp-0004Ns-Pr SMTP connection outbound 1349295201 1TJVJp-0004Ns-Pr sample.com firstname.lastname@example.org
From the log, we can see that the mails go out with the sender address firstname.lastname@example.org, yet no such email account exists on the server.
The SMTP login (A=courier_login:email@example.com) is email@example.com, while the mails are sent as firstname.lastname@example.org, so email@example.com is the compromised account and it is being used to send spoofed mail.
In this case, too, reset the password, but of the authenticated account email@example.com, since the forged address has no account to reset. Then clear the mail queue as above, this time matching the forged sender with exiqgrep -f firstname.lastname@example.org.
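Both forms of spamming leave the same two traces in the Exim main log: one authenticated login submitting an unusual number of messages, and, in the second form, an envelope sender that differs from the authenticated login. The script below is an added example (not from the original article) that summarises those two signals. The log lines are constructed for the example and use the standard Exim field layout ("<=" sender, P=esmtpa for authenticated submission, A=authenticator:login); on a real cPanel server you would point the functions at /var/log/exim_mainlog instead.

```bash
#!/bin/bash
# Added example: find compromised accounts in an Exim main log by
#   1. counting messages per authenticated login (A=...), and
#   2. listing logins whose envelope sender ("<=" address) is a different
#      address, the compromised-account spoofing case from the text.
# The log lines below are CONSTRUCTED for this example; addresses are placeholders.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021-02-03 13:13:21 1TJVJp-0004Ns-Pr <= email@example.com H=(sample.com) [192.0.2.10]:46779 P=esmtpa A=courier_login:email@example.com S=616 T="hello" for firstname.lastname@example.org
2021-02-03 13:13:22 1TJVJp-0004Nt-Pr <= email@example.com H=(sample.com) [192.0.2.10]:46780 P=esmtpa A=courier_login:email@example.com S=616 T="hello" for firstname.lastname@example.org
2021-02-03 13:13:23 1TJVJp-0004Nu-Pr <= email@example.com H=(sample.com) [192.0.2.10]:46781 P=esmtpa A=courier_login:email@example.com S=616 T="hello" for firstname.lastname@example.org
2021-02-03 13:14:01 1TJVJq-0004Nv-Pr <= firstname.lastname@example.org H=() [192.0.2.11]:50001 P=esmtpa A=courier_login:email@example.com S=700 T="offer" for firstname.lastname@example.org
2021-02-03 13:14:02 1TJVJq-0004Nw-Pr <= firstname.lastname@example.org H=() [192.0.2.11]:50002 P=esmtpa A=courier_login:email@example.com S=700 T="offer" for firstname.lastname@example.org
2021-02-03 13:15:00 1TJVJr-0004Nx-Pr <= alice@example.com H=(laptop) [192.0.2.20]:40000 P=esmtpa A=dovecot_login:alice@example.com S=900 T="report" for bob@example.net
2021-02-03 13:15:30 1TJVJs-0004Ny-Pr <= bounce@example.net H=mx.example.net [192.0.2.30]:25 P=esmtps S=1200 T="Undelivered Mail" for email@example.com
EOF

# Print "count login" for every authenticated login, busiest first.
# Unauthenticated arrivals (no A= field, e.g. inbound bounces) are ignored.
auth_counts() {
    grep ' <= ' "$1" | grep -o ' A=[^ ]*' | sed 's/^ A=[^:]*://' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print "login sender count" for submissions whose envelope sender is not the
# authenticated login: a compromised account sending spoofed mail.
auth_sender_mismatch() {
    awk '
        / <= / && / A=/ {
            sender = ""; login = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "<=") sender = $(i + 1)
                if ($i ~ /^A=/) { login = $i; sub(/^A=[^:]*:/, "", login) }
            }
            if (sender != "" && login != "" && sender != login) n[login " " sender]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1"
}

auth_counts "$SAMPLE_LOG"            # → 5 email@example.com / 1 alice@example.com
auth_sender_mismatch "$SAMPLE_LOG"   # → email@example.com firstname.lastname@example.org 2
```

A login that tops the first list by a wide margin, or that appears at all in the second, is the account whose password needs resetting and whose queued mail needs removing.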
If the Exim logs show no trace of the bounced messages ever having been sent from our server, the cause is usually spoofing by a third party.
Spoofed mails never pass through our server at all; only the bounce back messages come back to the mailbox on our server, because the forged sender address belongs to our domain.
In this case the email account itself is not compromised, so there is no password to reset.
We cannot stop a third party from forging our domain. What we can do is publish an SPF record for the domain that lists only our own sending IPs and ends with "-all" (hard fail).
This does not prevent the spoofing itself, but a receiving mail server that checks SPF will reject or junk messages that claim to come from our domain yet arrive from an IP that is not in the record. Two caveats: a record ending in "~all" (soft fail) is usually treated as "accept and mark as spam" rather than rejected, so use "-all"; and SPF checks only the envelope sender, so a forged From: header can still get through unless the receiver also enforces DMARC alignment.
Even so, bounce back messages for the spoofed mail will keep arriving in the mailbox. We can add filtering rules in cPanel to discard them.
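To make concrete what "the recipient mail server checks the SPF record" means, here is an added example (not from the original article) of a minimal SPF evaluation: given the published record and the IP that delivered the message, it returns the verdict the receiver acts on. It is a deliberate simplification that handles only "ip4:" mechanisms and the final "all" term (no include:, a:, mx:, ip6: or redirect=), and the record and addresses are constructed from the RFC 5737 documentation ranges rather than a real domain.

```bash
#!/bin/bash
# Added example: a minimal SPF check for ip4: mechanisms, to show how a
# receiving server turns our SPF record into pass/fail for a connecting IP.
# Simplified for illustration: only ip4: and the terminal all qualifier are handled.

# Dotted-quad IPv4 to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if IPv4 $1 lies inside $2, given as "a.b.c.d" or "a.b.c.d/prefix".
in_cidr() {
    local ip=$1 cidr=$2 net bits mask
    net=${cidr%/*}
    case $cidr in
        */*) bits=${cidr#*/} ;;
        *)   bits=32 ;;          # bare address means a single host
    esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Evaluate SPF record $1 for connecting IP $2.
# Prints pass, fail, softfail or neutral; "none" if the record has no all term.
spf_check() {
    local record=$1 ip=$2 term
    for term in $record; do
        case $term in
            v=spf1)   ;;
            ip4:*)    if in_cidr "$ip" "${term#ip4:}"; then echo pass; return; fi ;;
            -all)     echo fail;     return ;;
            '~all')   echo softfail; return ;;
            '?all')   echo neutral;  return ;;
            +all|all) echo pass;     return ;;
        esac
    done
    echo none
}

# Constructed record: one mail host and one /24 may send for the domain, hard fail for the rest.
RECORD='v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all'

spf_check "$RECORD" 198.51.100.77                        # → pass (inside 198.51.100.0/24)
spf_check "$RECORD" 203.0.113.11                         # → fail (not listed, -all)
spf_check 'v=spf1 ip4:203.0.113.10 ~all' 203.0.113.11    # → softfail (typically delivered as spam)
```

The last two calls show why the qualifier matters: with "-all" the spoofed message from 203.0.113.11 is rejected outright, while "~all" only yields a soft fail that most receivers deliver to the spam folder.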