Bounced Email Woes

[HM666]

Having a severe bounce email problem with a client's site since the host "fixed" their hosting. They "fixed" it by moving them to a bigger more expensive hosting plan which is not working much better than the plan they had before. To make a long story short it never fixed the initial problem that we had to begin with and now the client gets hundreds of bounced emails pretty much every day since the switch.

The hosting company in their infinite wisdom cited that we should turn off the MAILER-DAEMON and that would solve the problem completely. If we just turned this off all our troubles would be over. I'm not so sure about that personally. I think they are idiots personally. This is the information they gave my client on turning it off:

Quote:

This file needs to be edited via ssh command line not via WHM/CPANEL or FTP.

You would add/edit the entry in the /etc/aliases file on the server to read: -

MAILER-DAEMON: /dev/null

This was the extent of the instructions they gave. I really feel this is just a band aid to a much larger server problem they have. When my client asked them if they would edit it they said they would "do it this time but charge him if they had to do it again". The bounced emails stopped for a couple of weeks and now they are back, when my client emailed them again they said the same thing as above to edit the file. But didn't they do that already???

So my question to everyone is how do I go about trying to find and fix this problem with the email? How do we find why there are hundreds of bounced emails in this account. What steps should I take? Is it safe to edit this file via SSH? Or is the host full of s***? If its ok to edit this file via SSH? How do I navigate to it using SSH? Its not that common that I use SSH to design a web site, so I do not know the commands to navigate to files or where they are. And of course there was nothing on the host's site that was remotely helpful.

What I have tried already:

1. Checking the settings in the WHM.
2. Checking the settings in the cPanel.
3. Enabled SpamAssassin.
4. Removed email accounts that seemed wrong that the client did not remember creating.
5. Have done several hours of research online/google looking for an answer and have found nothing that tells me what I need so far.

Any help would be great! Thanks.

[Simon Lloyd]

Make sure they have an SPF and that the MX records are correct, check the "from" domain is correct, in fact there's lots to check that moving server could have broken, try out http://www.dnsstuff.com/tools you have to register for free to use the professional toolset but it will help you a lot

[RichieBoy67]

As for editing that file it is not a solution and the file will most likely be over written after cpanel/whm updates.

You will have to set up the mail server/dns according to anti spam regulations.

What do the headers in the bounced emails say?

What do you get in http://mxtoolbox.com ??

[HM666]

Thanks I'll take a look at these on Monday and see. Richie yeah I was pretty much thinking the same thing. I really did not think the hosts "Fix" was gonna fix anything. *sigh*.

[HM666]

WOW - digging around in WHM cPanel while waiting for some of the tests to load and to me it looks as if possibly the email account has been hacked. What do you guys think?

I'm in the View Mail Statistics Summary area and under the heading: Top 50 sending hosts by message count I see these hosts as senders I assume:

ip1.grsrv.com
(wf41wb6.myrename.com)
(l7erx.renameweb.com)
(marketmindful2.com)
(nativespace-janus.ns-janus.com)
(grandpat.info)
(lloydstsb.co.uk)
m5.myzamanamail.com
(ip-static-74-121-182-135.as5577.net)
(mailserver.localhost.com)
fordtruckin.com
m1.myzamanamail.com
(acreflubgh0121.com)
(h2zmoj.renameweb.com)
mail02.feedblitz.com
mta65250.mxmfb.com
r26.hello.channel4.com
pc-175-63-100-190.cm.vtr.net
hot-train.com
mout.gmx.com
(bldprssure0128.com)
m10.myzamanamail.com
(fight4fam0128.com)
jest8.jestpil.org
(gmail.com)
106-85.mta.dotmailer.com
(februdeals.co)
mail2146.lakelandltd.mkt2684.com
(datecommunity.co)
(topwindowglass.net)
spruce-goose-af.twitter.com
spruce-goose-al.twitter.com
spring-chicken-ar.twitter.com
mail23.members.csnstores.com
mail4.members.csnstores.com
smtp083.myfanbox.com
(static.ttnet.com.tr)
cpe-066-056-189-213.sc.res.rr.com
mail.aaftexteis.pt
(rectifyeliminate.co)
smtp076.myfanbox.com
smtp077.myfanbox.com
nitrogen-onsise.cccampaigns.com
(truefreecredit.org)
68-170-59-100.mammothnetworks.com
mail1767.messages.eno.org
61-227-9-71.dynamic.hinet.net
fw.dabs.com
adsl-68-91-199-150.dsl.snantx.swbell.net

If this is a hacked situation how do I fix this? I'm used to fixing a hacked vBulletin but not an email server. Shouldn't the freaking host be fixing this crap since they are the ones who ultimately caused it anyways?!?!? I've attached three screens from the site suggested by Simon. I'm not sure what exactly some of that means on those warnings. Where do I make those changes or is that something the host should do?

[Simon Lloyd]

I've checked and your DNS is mismatched and your SPF failed too! Your email system is set to NOT relay mails which is a good thing. If your server is compromised at all it must be sending mails direct rather than via another host.

Can you post or PM me an entire header of a suspect mail? you can get ith through looking at the mails via WHM.

[Dave]

Do you use shared hosting? This stuff always happens with shared hosting, some websites get hacked and are then backdoored to be used for email spamming and DDoSing.

[HM666]

Quote:

Originally Posted by Dave

Do you use shared hosting? This stuff always happens with shared hosting, some websites get hacked and are then backdoored to be used for email spamming and DDoSing.

Nope this is on a dedicated server or at least its supposed to be. This is one reason why I do not think the host is all together knowledgeable.