Exim: Blackhole vs Fail

In the ever-present fight against spam, it's always wise to make your server as robust as possible. When it comes down to handling mail addressed to non-existent addresses with Exim, there are three options admins can take:

1. Local delivery: Forward the mail to an existing address on the system (e.g. does-not-exist@domain.com -> admin@domain.com).
2. Blackhole: Accept the mail, and deliver it to a null router (literally, "black hole it").
3. Fail: Reject the message at SMTP time with a 5xx level error to the sender.

The first option is used by a lot of novice admins and end-users so that a single account on a domain catches mail for many different addresses without having to set up a forward for each one. This leaves the domain extremely vulnerable to dictionary mail spam, which is why option 1 is never recommended.

Option 2 may seem ideal, but a quick analysis reveals that it too is sub-par. Blackholing a message means the sender (e.g. the spammer) has no idea whether the message was accepted or whether the destination mailbox exists. However, the nature of the blackhole filter means that the message is accepted from the sender, filtered, and then canned. This means extra load on the server to process the message, write it to disk, and then delete it. Multiply this by a few thousand (or million) emails in a day, and this can significantly slow down your server! And you thought you were doing the right thing!

It should be fairly clear by now that option 3 is the best option of the bunch. Setting unrouted addresses to fail means that emails are rejected immediately upon receipt, no disk I/O is generated to store the email itself, and no further processing is done.

Now if you have a bunch of cPanel accounts that are already using the blackhole address and would like to migrate to the fail method, here is a little Bash one-liner to make that happen:

# grep -Rl ':blackhole:' /etc/valiases/ | xargs -r -n 1 sed -i 's/:blackhole:/:fail:/g'

Also, don't forget to enable the fail address as the default option for new accounts in the WHM under Main >> Server Configuration >> Tweak Settings:

Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks.
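To see which domains still accept mail for unknown addresses before and after the migration, the following script reports the default-address behaviour per domain. It is an added example, not part of the original article; the function names are hypothetical, and it assumes each file under /etc/valiases is named after a domain and holds lines of the form "localpart: target" with "*:" as the default entry.

```shell
#!/usr/bin/env bash
# Added example: classify the default ("*:") entry of each valiases file.
# Assumed file format: one "localpart: target" alias per line.

classify_default() {
    # $1 = path to one valiases file; prints fail|blackhole|catchall|none
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        /^\*:/ {
            target = $0
            sub(/^\*:[ \t]*/, "", target)      # keep only the target part
            if (target ~ /^:fail:/)           print "fail"
            else if (target ~ /^:blackhole:/) print "blackhole"
            else if (target == "")            print "none"
            else                              print "catchall"   # option 1
            found = 1
            exit
        }
        END { if (!found) print "none" }       # no default entry at all
    ' "$1"
}

audit_valiases() {
    # $1 = directory to scan; prints "domain<TAB>class" for every file in it
    local dir=$1 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(classify_default "$f")"
    done
}

# Constructed sample data, so the example runs without touching /etc/valiases.
demo=$(mktemp -d)
printf '*: :blackhole:\n'                          > "$demo/a.example"
printf 'info: alice\n*: :fail: No Such User Here\n' > "$demo/b.example"
printf '*: admin@c.example\n'                      > "$demo/c.example"
audit_valiases "$demo"
rm -rf "$demo"
```

On a real server, run `audit_valiases /etc/valiases`; any domain reported as "blackhole" or "catchall" is still accepting mail for non-existent addresses.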
