Bobcares

How to control bounce back email messages

by | Feb 9, 2021

Don’t know how to control bounce back email messages? We can help you.

Sometimes we send emails and they fail to reach the recipient’s inbox. This condition is called an email bounce back.

In such cases, the email service provider sends a bounce back message describing the failed delivery and the technical details of the failure.

There are also cases where our server gets flooded with these messages. This is usually due to spamming or spoofing.

Here at Bobcares, we help web hosts and online service providers with email queries as part of our Server Administration Services.

Today, let us see how our Support Techs control bounce back email messages.


Bounce back email messages

Emails can bounce back due to several reasons which include:

  1. Invalid or nonexistent email address
  2. Blocked sender’s IP address
  3. Email blocked by receiving server
  4. Receiving server is overloaded
  5. The receiver’s inbox is full
  6. Low sender reputation score
  7. The recipient has added an auto-reply
  8. Email size is too large


How to control bounce back email messages

It is a common incident that our server is flooded with bounce back emails and we are not able to find the exact cause straight away. In such cases, there are two likely causes for these bounce back messages:

  1. Spamming
  2. Spoofing

Let us discuss the two in detail. Our Support Techs explain them with examples and solutions.

  • Spamming

Generally, there are two types of spamming.

Case 1: In this case, the email account is compromised and the hacker sends spam emails from the account. The mails to non-existent email accounts bounce back.

To confirm this, we need to check the mail logs first.

We use the “exigrep” command and check the Exim mail log “/var/log/exim_mainlog”. From the mail transaction details, we will find how the mails were sent.

#exigrep test@sample.com /var/log/exim_mainlog | head -100

This command shows the first 100 lines of the mail log entries that involve the mail account test@sample.com.

Please note that test@sample.com is a sample mail account.

Here is a sample email transaction from the Exim log:

———————–
2021-02-03 13:13:21 1TJVJp-0004Ns-Pr <= test@sample.com H=(sample.com) [1.1.1.1]:46779 P=esmtpa A=courier_login:test@sample.com S=616 id=2956633080.20121003171321@sample.com T="oooooooooV,-,1,-,A,-,G,-,R,-,Aooooooooo" for test@yahoo.com
2012-10-03 13:13:21 1TJVJp-0004Ns-Pr SMTP connection outbound 1349295201 1TJVJp-0004Ns-Pr sample.com test@yahoo.com
———————–

On analyzing the log, we can see that the email was sent from the address “test@sample.com” with proper authentication (P=esmtpa) using the same email account:

A=courier_login:test@sample.com

This indicates that the account is compromised and the hacker has access to this email account.

In order to resolve this, we have to reset the password of the email account. Before proceeding, we use the commands below to delete the spam mails that are still present in the mail queue.

#exiqgrep -i -f test@sample.com | xargs exim -Mrm

This command removes all the mails sent from this mail address that are currently present in the queue (exiqgrep -i prints only the message IDs, and -f matches the sender address).

#exiqgrep -i -r test@sample.com | xargs exim -Mrm

This command removes all the queued emails addressed to this email address (-r matches the recipient address).

Case 2: In the second type of spamming, the email account is compromised and the emails are sent with a spoofed sender address.

For example, we can check the below log.
——————-
2021-02-03 13:13:21 1TJVJp-0004Ns-Pr <= 12344@choco.com H=() [1.1.1.1]:46779 P=esmtpa A=courier_login:test@sample.com S=616 id=2956633080.20121003171321@sample.com T="oooooooooV,-,1,-,A,-,G,-,R,-,Aooooooooo" for test@yahoo.com
2012-10-03 13:13:21 1TJVJp-0004Ns-Pr SMTP connection outbound 1349295201 1TJVJp-0004Ns-Pr sample.com test@yahoo.com
——————-

From the log, we can see that the mails were sent from the email address 12344@choco.com. However, we cannot find such an email account on the server.

Since the login was made as test@sample.com (A=courier_login:test@sample.com) but the mails went out as 12344@choco.com, we can be sure that test@sample.com is compromised and was used to send mails with a spoofed sender address.

In this case also, reset the password of test@sample.com and clear the mail queue as we did above.
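The two log patterns above (Case 1: the envelope sender equals the authenticated login; Case 2: the login is a local account but the envelope sender is a foreign address) can be picked out of /var/log/exim_mainlog automatically. The script below is an added example and is not part of the original post or of any Bobcares tooling. It parses Exim's "<=" (message arrival) lines, reads the A= authenticator field, and reports per authenticated account how many messages it submitted and which spoofed sender addresses it used. The log lines it runs over are constructed for the example; the field layout follows Exim's standard mainlog format.

```python
"""Triage of Exim mainlog arrival lines: which authenticated account
submitted mail, and whether the envelope sender matches the login.
Added example; the log lines below are constructed, not from a real server."""
import re
from collections import defaultdict

# Exim "<=" line: timestamp, message id, "<=", envelope sender, then fields.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
# A=<authenticator>:<authenticated id>, e.g. A=courier_login:test@sample.com
AUTH_RE = re.compile(r"\bA=(?P<authenticator>[^:\s]+)(?::(?P<auth_id>\S+))?")
PROTO_RE = re.compile(r"\bP=(?P<proto>\S+)")
HOST_RE = re.compile(r"\bH=(?P<helo>\S*) \[(?P<ip>[0-9A-Fa-f.:]+)\]")

SAMPLE_LOG = [  # constructed sample lines (sanitised addresses and IPs)
    '2021-02-03 13:13:21 1TJVJp-0004Ns-Pr <= test@sample.com H=(sample.com) [1.1.1.1]:46779 '
    'P=esmtpa A=courier_login:test@sample.com S=616 id=1@sample.com T="hello" for a@example.net',
    '2021-02-03 13:13:22 1TJVJp-0004Ns-Pr => a@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]',
    '2021-02-03 13:14:02 1TJVJq-0004Nt-Qs <= 12344@choco.com H=() [1.1.1.1]:46780 '
    'P=esmtpa A=courier_login:test@sample.com S=616 id=2@sample.com T="hello" for b@example.net',
    '2021-02-03 13:15:00 1TJVJr-0004Nu-Rt <= alice@sample.com H=(mail.sample.com) [203.0.113.5]:25 '
    'P=esmtps S=800 id=3@sample.com T="report" for c@example.net',
    '2021-02-03 13:15:30 1TJVJs-0004Nv-Su <= <> R=1TJVJp-0004Ns-Pr U=mailnull P=local S=1200 '
    'T="Mail delivery failed" for test@sample.com',
]


def parse_arrival(line):
    """Return a dict for a '<=' line, or None for any other mainlog line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    auth = AUTH_RE.search(rest)
    proto = PROTO_RE.search(rest)
    host = HOST_RE.search(rest)
    # Exim appends " for <rcpt> [<rcpt> ...]" at the end of the arrival line.
    head, sep, tail = rest.rpartition(" for ")
    return {
        "timestamp": m.group("ts"),
        "msgid": m.group("msgid"),
        "sender": m.group("sender"),  # "<>" is the null sender used by bounces
        "authenticator": auth.group("authenticator") if auth else None,
        "auth_id": auth.group("auth_id") if auth else None,
        "protocol": proto.group("proto") if proto else None,
        "ip": host.group("ip") if host else None,
        "recipients": tail.split() if sep else [],
    }


def classify(msg):
    """Label an arrival record according to the two cases in the post."""
    if msg["sender"] == "<>":
        return "bounce"
    if msg["auth_id"] is None:
        return "unauthenticated"
    if msg["auth_id"].lower() == msg["sender"].lower():
        return "authenticated"   # Case 1: the account sends as itself
    return "auth_mismatch"       # Case 2: the account sends as someone else


def summarize(lines):
    """Per authenticated account: message count and spoofed sender addresses."""
    accounts = defaultdict(lambda: {"messages": 0, "spoofed_senders": []})
    bounces = 0
    for line in lines:
        msg = parse_arrival(line)
        if msg is None:
            continue
        kind = classify(msg)
        if kind == "bounce":
            bounces += 1
        elif kind in ("authenticated", "auth_mismatch"):
            acct = accounts[msg["auth_id"].lower()]
            acct["messages"] += 1
            if kind == "auth_mismatch" and msg["sender"] not in acct["spoofed_senders"]:
                acct["spoofed_senders"].append(msg["sender"])
    return {"accounts": dict(accounts), "bounces": bounces}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for account, info in report["accounts"].items():
        print(f"{account}: {info['messages']} message(s), "
              f"spoofed senders: {info['spoofed_senders'] or 'none'}")
    print(f"bounces received: {report['bounces']}")
```

Run it against the real log with `summarize(open("/var/log/exim_mainlog"))`; an account with a large message count, or any entry in spoofed_senders, is the one whose password needs resetting and whose queued mail should be removed with the exiqgrep commands above.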

  • Spoofing

If the Exim logs show no trace of the mail ever being sent from our server, it is usually spoofing.

The spoofed mails do not pass through our server in any way, but the bounce back messages come back to the mailbox on our server because the forged sender address belongs to our domain.

However, in this case, the email account itself is not compromised.

There is no effective way to prevent spoofing from our end. The only thing we can do is set up an SPF record for the domain that allows only our IPs to send mail using this domain.

This does not stop anyone from forging our domain, but if the recipient mail server checks the SPF record of incoming emails, the spoofed emails will not be delivered to the recipient.
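To show what the receiving side actually does with such a record, here is an added example (not from the original post or from Bobcares) of a minimal SPF evaluator. It handles only the ip4, ip6 and all mechanisms with their qualifiers, which is enough for a record that lists our own IPs; include, a, mx and redirect need DNS lookups and are reported as unsupported. The record and IP addresses are constructed for the example.

```python
"""Minimal SPF (RFC 7208) evaluator for ip4/ip6/all mechanisms.
Added example; the records and addresses below are constructed."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: only two of our addresses may send as the domain,
# and everything else is a hard fail.
STRICT_RECORD = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.16/28 -all"
# Same list but with softfail: receivers usually still accept the mail.
SOFT_RECORD = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.16/28 ~all"


def check_spf(record, sending_ip):
    """Evaluate a single SPF TXT record against the connecting IP.

    Returns one of pass, fail, softfail, neutral, none or permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include:, a, mx, exists:, redirect= all require DNS resolution.
        return "permerror"
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for label, record in (("strict", STRICT_RECORD), ("soft", SOFT_RECORD)):
        for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.7"):
            print(f"{label:6} {ip:15} -> {check_spf(record, ip)}")
```

The spoofed mail from 198.51.100.7 only gets rejected under the record ending in "-all"; with "~all" the receiver typically accepts it and at most flags it, so the bounce backs described above keep arriving.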

In this case also, the bounce back messages still reach the email account. We can add filtering rules from cPanel to filter out such emails.

In addition, for information about vulnerabilities in Exim, visit https://bobcares.com/blog/?p=867 and https://bobcares.com/blog/?p=859.

[Failed to control bounce back emails? We can help you]


Conclusion

To conclude, an email bounce back is the condition where emails fail to reach the recipient’s inbox. Today, we saw how to control bounce back email messages.
