Exim: Blackhole vs Fail Print

  • 297

In the ever-present fight against spam, it's always wise to make your server as robust as possible. When it comes down to handling mail addressed to non-existent addresses with Exim, there are three options admins can take:

1. Local delivery: Forward the mail to an existing address on the system (e.g. does-not-exist@domain.com -> admin@domain.com).
2. Blackhole: Accept the mail, and deliver it to a null router (literally, "black hole it").
3. Fail: Reject the message at SMTP time with a 5xx level error to the sender.

The first option is used by a lot of novice admins/end-users to have a single account on a domain catch mail for a bunch of different addresses so they do not have to set up forwards for them all. This presents a situation that makes them extremely vulnerable to dictionary mail spam, and this is why option 1 is never recommended.

Option 2 may seem ideal, however quick analysis reveals that it too is sub-par. Blackhole-ing a message will essentially make it so that the sender (e.g. the spammer) has no idea whether or not the message was accepted, and also whether or not the destination mailbox exists or not. However, the nature of the blackhole filter means that the message is accepted from the sender, filtered, and then canned. This means extra load on the server to process the message, write it to disk, and then delete it. Multiply this by a few thousand (or million) emails in a day, and this can significantly slow down your server! And you thought you were doing the right thing!

It should be fairly clear by now that option 3 is the best option of the bunch. Setting unrouted addresses to fail means that emails are rejected immediately upon receipt, no disk I/O is generated to store the email itself, and no further processing is done.

Now if you have a bunch of cPanel accounts that are already using the blackhole address and would like to migrate to the fail method, here is a little Bash one-liner to make that happen:

# grep -RH 'blackhole' /etc/valiases/|awk -F ':' {'print $1'}|xargs -n 1 sed -i 's/blackhole/fail/g'

Also, don't forget to enable the fail address as the default option for new accounts in the WHM under Main >> Server Configuration >> Tweak Settings:

Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks.

Was this answer helpful?

« Back