
Spam email from self

Comments

50 comments

  • cPanelLauren
    Hi @levelmeasure Does your client have a valid SPF and DKIM? What you're describing sounds a bit like spoofing. Thanks!
    0
  • levelmeasure
    Hi @levelmeasure Does your client have a valid SPF and DKIM? What you're describing sounds a bit like spoofing. Thanks!

    Yes, SPF and DKIM are configured. The email server does not recognize it as coming from an unauthorized sender. It gets passed through as really having come from the recipient's own email account. My concern is not knowing who else is getting email that appears to come from my client. Thanks
    0
  • cPanelLauren
    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
    0
  • ProDesignz
    Hi, I'm facing the same issue and my client is very serious about this. The client had Zimbra before and now, on my recommendation, they switched to cPanel. Please help me because this is very frequent now. We had changed passwords, and only an SSH connection is enabled on the server. Below is the email header:

        Return-Path:
        Delivered-To: kerul@example.com
        Received: from mail.example.com by mail.example.com with LMTP id 0BBZJZ5X0Vu0CQAAM3BfSA for ; Thu, 25 Oct 2018 11:11:50 +0530
        Return-path:
        Envelope-to: kerul@example.com
        Delivery-date: Thu, 25 Oct 2018 11:11:50 +0530
        Received: from [103.x.x.x] (port=56315 helo=[90.161.20.38]) by mail.example.com with esmtp (Exim 4.91) (envelope-from ) id 1gFYOy-0000lo-Ff for kerul@example.com; Thu, 25 Oct 2018 11:11:50 +0530
        From:
        To:
        Subject: account kerul@example.com is compromised
        Date: 25 Oct 2018 08:22:47 +0100
        Message-ID: <002d01d46c36$023a8f7b$bbdf978a$@example.com>
        MIME-Version: 1.0
        Content-Type: text/plain; charset="ibm852"
        Content-Transfer-Encoding: 8bit
        X-Mailer: Microsoft Office Outlook 12.0
        Thread-Index: Acjhjwjwwb06j869jhjwjwwb06j869==
        Content-Language: en
        x-cr-hashedpuzzle: 2D4= i2f4 r6sl qkom mci2 f4r6 slqk ommc i2f4 r6sl qkom mci2 f4r6 slqk ommc i2f4;1;r6slqkommci2f4r6slqkommci2f4r6slqkommci2f4r6slqk;Sosha1_v1;7;{AD9937D4-1B03-7AF8-CC62-90A274F27046};ZQB3AGUAZgi2f4r6slqkommci2f4r6slqkommci2f4r6slqk;25 Oct 2018 08:22:47 +0100;92aea0fbvpfmxk92
        x-cr-puzzleid: {AD9937D4-1B03-7AF8-CC62-90A274F27046}
        X-Spam-Status: No, score=1.2
        X-Spam-Score: 12
        X-Spam-Bar: +
        X-Ham-Report: Spam detection software, running on the system "mail.example.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root@localhost for details.
        Content preview: Hello! I'm a hacker who cracked your email and device a few months ago. You entered a password on one of the sites you visited, and I intercepted it. Of course you can will change it, or already change
        Content analysis details: (1.2 points, 5.0 required)
        pts rule name description
        ---- ---------------------- --------------------------------------------------
        -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: example.com]
        2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
        0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
        0.2 FROM_IN_TO_AND_SUBJ From address is in To and Subject
        X-Spam-Flag: NO
    Please give some solution to this.
    0
  • cPanelLauren
    Hello @ProDesignz Is either of these your IP address? Received: from [103.x.x.x] (port=56315 helo=[90.161.xx.xx])
    Also can you show me the output of the transaction in the exim logs? The command to do this would be: exigrep 1gFYOy-0000lo-Ff /var/log/exim_mainlog
    Thanks!
    0
  • ProDesignz
    Hello @ProDesignz Is either of these your IP address? Received: from [103.x.x.x] (port=56315 helo=[90.161.xx.xx])
    Also can you show me the output of the transaction in the exim logs? The command to do this would be: exigrep 1gFYOy-0000lo-Ff /var/log/exim_mainlog
    Thanks!

    103.x.x.x is our server's IP address, while 90.161.xx.xx is not our server IP, it is the spammer's IP address. Here is the exim log:

        2018-10-25 11:11:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gFYOy-0000lo-Ff
        2018-10-25 11:11:48 1gFYOy-0000lo-Ff H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 Warning: Message has been scanned: no virus or other harmful content was found
        2018-10-25 11:11:50 1gFYOy-0000lo-Ff H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 Warning: "SpamAssassin as example detected message as NOT spam (1.2)"
        2018-10-25 11:11:50 1gFYOy-0000lo-Ff <= someusr@example.com H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 P=esmtp S=4510 id=002d01d46c36$023a8f7b$bbdf978a$@example.com T="account someusr@example.com is compromised" for someusr@example.com
        2018-10-25 11:11:50 1gFYOy-0000lo-Ff SMTP connection identification D=example.com O=someusr@example.com E=someotherusr@example.in M=1gFYOy-0000lo-Ff U=example ID=1000 B=redirect_resolver
        2018-10-25 11:11:50 1gFYOy-0000lo-Ff Sender identification U=example D=example.com S=someusr@example.com
        2018-10-25 11:11:50 1gFYOy-0000lo-Ff SMTP connection outbound 1540446110 1gFYOy-0000lo-Ff example.com someotherusr@example.in
        2018-10-25 11:11:50 1gFYOy-0000lo-Ff => someusr R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 0BBZJZ5X0Vu0CQAAM3BfSA Saved"
        2018-10-25 11:11:52 1gFYOy-0000lo-Ff => someusr@example.com (someusr@example.com) R=dkim_lookuphost T=dkim_remote_smtp H=aspmx.l.google.com [74.125.68.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1540446112 u10-v6si7275955pgg.180 - gsmtp"
        2018-10-25 11:11:52 1gFYOy-0000lo-Ff Completed
    0
  • ProDesignz
    One more thing, the same thing is happening to another email server. Both servers are in different zones and nothing to do with this client. So, please give some solution to stop this kind of spam.
    0
  • cPanelLauren
    Are all the mails of this type originating from the same IP address? If they all have similar content you could create a filter to limit them: How to Create a Spam Email Filter - cPanel Knowledge Base - cPanel Documentation
    0
  • ProDesignz
    0
  • cPanelLauren
    Hi @ProDesignz Do you have SPF & DKIM implemented on the domain/s you're receiving this on? I am still concerned about the fact that it's not getting flagged as spam as it's not actually originating from your IP address.
    0
  • ProDesignz
    Hi @cPanelLauren We have SPF & DKIM implemented and still it continues, please look into this matter as now customers are feeling insecure.
    0
  • rpvw
    If you have correctly set DKIM and SPF records, and mail with spoofed headers is not being flagged as spam, you may need to adjust your SpamAssassin filters, or user or global filters for the domain.

    Spam and spoofed email headers like the From address have been around almost as long as email has existed, and everyone has been struggling to solve the problem by adding more and more layers to the protocol like RBL, SPF, DKIM and DMARC. This is far from being a complete solution, and what is really needed is a complete overhaul of the email systems and protocols.

    cPanel do not write the email protocol or system; they use the existing industry standard tools and daemons and attempt to make your interaction with those tools easier by providing a graphical user interface (and for the most part, do an excellent job as well), so don't blame, or expect, cPanel to be able to do very much about your problem of spoofed email headers. Since the problem you are facing is a global one, the first mitigation can be educating your users how to spot these obvious fraudulent emails.

    As to filters: I should very much like to see an easy way of introducing some new Exim rules, e.g. if the From address matches the To address, test to establish and reject/flag as spam if the sender user was 'remote' rather than a local or a known username within WHM. I haven't had enough coffee yet to start writing a rule that might work for the above scenario, so if anyone wants to chip in, any contributions would be welcome :)

    **EDIT** Still not enough coffee but I have got

        # Exim Filter
        # Spoofed From
        if first_delivery
           $h_from: matches $h_to
           and (sender user (need a variable for this) matches "remote")
        then
           seen finish
        endif

    DO NOT TRY AND RUN THIS CODE - IT IS ONLY A FLOW CONCEPT AND IS NOT FINISHED AND MAY BREAK YOUR EXIM. This is intended to try to explain the direction I wanted to move towards with an Exim filter. Please contribute, or maybe a moderator would like to split this off into a new thread.
    0
  • ProDesignz
    Hi @rpvw Thanks for the practical solution :) Anyone like me who is facing this issue, please follow the given steps. This is not a permanent solution, it is a workaround.

    Step 1: Create a custom filter file:

        if $header_from matches $header_to and ($sender_host_address does not match "134.xx.xx.xx")
        then
          save "/dev/null" 660
        endif

    Step 2: Upload it to /usr/local/cpanel/etc/exim/sysfilter/options

    Step 3: Then rebuild the Exim config by executing /scripts/buildeximconf
    0
  • rpvw
    Thank you @ProDesignz for the code. Based on the theory that the sender_host_address will be empty if the message originated on the local host (server), and populated with the IP of the remote host if originated by someone trying to spoof the address, I would like to think that some better rule without a specific IP would be possible by testing for an empty string. It's making my head hurt :(
    0
  • cPanelLauren
    I'm glad that you were able to find a solution that worked for you @ProDesignz though I do want to point out that a rule like the one implemented here may not work for everyone. As indicated by @rpvw you may want to go with a solution that doesn't make use of a specific IP address.
    0
  • ProDesignz
    @cPanelLauren, no luck :( Now he changed something from his end and is sending the same messages again. Even this time he is able to bypass the rule I set, as the sender host IP address is different but he is still able to send email. Please give some solid solution to prevent this kind of spam. Following is the header of the email:

        Return-Path:
        Delivered-To: kerul@mydomain.com
        Received: from mail.mydomain.com by mail.mydomain.com with LMTP id SBA8EaYL4FtcFQAAM3BfSA for ; Mon, 05 Nov 2018 14:51:42 +0530
        Return-path:
        Envelope-to: kerul@mydomain.com
        Delivery-date: Mon, 05 Nov 2018 14:51:42 +0530
        Received: from [xxx.xxx.xxx.xxx] (port=34552 helo=[181.75.107.32]) by mail.mydomain.com with esmtp (Exim 4.91) (envelope-from ) id 1gJb4k-0001Pi-HN for kerul@mydomain.com; Mon, 05 Nov 2018 14:51:42 +0530
        Message-ID: <5426EB2BC199E60173BE7E94CCB35426@WP419JBE2G>
        From:
        To:
        Subject: Change your password immediately. Your account has been hacked.
        Date: 6 Nov 2018 01:50:32 +0800
        MIME-Version: 1.0
        Content-type: text/plain; charset="ibm852"
        Content-transfer-encoding: 8bit
        X-Priority: 3
        X-MSMail-Priority: Normal
        X-Mailer: Microsoft Outlook Express 6.00.2900.5931
        X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
        X-Spam-Status: No, score=1.0
        X-Spam-Score: 10
        X-Spam-Bar: +
        X-Ham-Report: Spam detection software, running on the system "mail.mydomain.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root@localhost for details.
        Content preview: I greet you! I have bad news for you. 11/08/2018 - on this day I hacked your operating system and got full access to your account kerul@mydomain.com It is useless to change the password, my m
        Content analysis details: (1.0 points, 5.0 required)
        pts rule name description
        ---- ---------------------- --------------------------------------------------
        -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
        0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: mydomain.com]
        2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
        0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
        X-Spam-Flag: NO
    0
  • Bill_H
    I have to agree that this is ridiculous, that there is no way to stop this type of spam email from being bounced off the server. We need a SOLID SOLUTION!
    0
  • rpvw
    We need a SOLID SOLUTION!

    Indeed we do, but I am not sure that cPanel are in a position to provide it :(

    I have been working on this Exim filter since this thread was opened, and have encountered the following issues, all caused by the way that Exim processes filter rules. If we start from the premise that we need to compare the From address to the To address, and then check to see if the sender_host_address is empty or not, we can create some pseudo code like this:

        # Exim Filter
        # Spoofed From Address
        if first_delivery
           and ("$header_from:" matches "$header_to:")
           and ("$sender_host_address:" is "")
        then
           deliver
        else
           seen finish
        endif

    Now the problems as I see them are these (and I would love someone to tell me I am wrong, and that there is a better way of doing this):

    1) Exim does not seem to be able to compare one variable against another; so it can compare e.g. "$header_from:" matches "name@email.tld" but not "$header_from:" matches "$header_to:", as it expands the second variable literally and does not replace it with the content of the variable. This would limit one to having to make a filter per address rather than a global filter.

    2) There is no clear way I have found of testing for an empty string. Exim can use "is/is not" or "contains/does not contain" or "matches/does not match" in the string comparison once both strings have been expanded. Since we ideally need to look for a string that is not empty in the $sender_host_address: variable (which is always empty if the from/to actually originates on the same server), and we have no idea what the string might be if it is a spoofed message, other than that it will contain an IP and probably other information, we need to either test for an empty string OR test (contains) for a regex that would encompass anything that might populate the variable. This should be a Perl compatible regex, but so far I have been unable to write one that is 100% reliable. So if anyone has any ideas, please add them to the thread.

    I should prefer to get rid of the "else" line in the code and keep it simple, but I am not sure this will be possible, even if we can overcome the comparison of one string variable to another in the first place.

    Again, whilst I do recognise the need for some filter of this nature, I don't think it is necessarily up to cPanel to provide it. If they can help us, that would be fantastic, but I also note that such a fundamental filter should be available from dozens/hundreds of sources on the internet if it were possible to achieve using the current Exim filters - the very fact that there are NO references to any such filter does somewhat reinforce my belief that it won't be possible under the current Exim filter rules. I wonder if we should be looking at creating a custom SpamAssassin rule instead?
    0
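The rule rpvw is sketching can be run offline against exim_mainlog while the filter syntax is being worked out. The Python below is an added example, not code from this thread or from cPanel or Exim: it reads `<=` arrival lines in the format quoted above, treats the `H=... [ip]:port` field as the non-empty sender_host_address case and the `A=` field as proof that the client authenticated, and flags a message whose sender equals its recipient, whose sender domain is one of ours, and whose connection came in unauthenticated from an untrusted host. The log lines, domains, message ids and IPs are constructed for the example; LOCAL_DOMAINS and TRUSTED_NETS are assumptions to be filled from your own configuration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions for the example: domains hosted on this server, and networks
# whose unauthenticated submissions we trust (webmail and local scripts submit
# over loopback without SMTP AUTH).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# Constructed exim_mainlog arrival lines in the layout quoted in this thread.
# Message ids, addresses and IPs are made up.
SAMPLE_LOG = """\
2018-10-25 11:11:50 1aBcDe-0001Fg-Hi <= someusr@example.com H=([90.161.20.38]) [203.0.113.45]:56315 P=esmtp S=4510 T="account someusr@example.com is compromised" for someusr@example.com
2018-10-25 12:00:01 1aBcDe-0001Fg-Hj <= someusr@example.com H=(home-pc) [198.51.100.9]:51022 P=esmtpa A=dovecot_login:someusr@example.com S=2201 T="lunch" for someusr@example.com
2018-10-25 12:05:09 1aBcDe-0001Fg-Hk <= someusr@example.com U=someusr P=local S=1500 T="cron output" for someusr@example.com
2018-10-25 12:10:33 1aBcDe-0001Fg-Hl <= friend@otherdomain.test H=(mx.otherdomain.test) [198.51.100.7]:25124 P=esmtps S=3300 T="hello" for someusr@example.com
2018-10-25 12:20:00 1aBcDe-0001Fg-Hm <= someusr@example.com H=(localhost) [127.0.0.1]:41500 P=esmtp S=900 T="web form" for someusr@example.com
"""

ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST_RE = re.compile(r"\bH=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+")  # the connecting peer
PROTO_RE = re.compile(r"\bP=(?P<proto>\S+)")
AUTH_RE = re.compile(r"\bA=\S+")                                 # authenticator:id
RCPT_RE = re.compile(r"\bfor (?P<rcpt>\S+)$")


def parse_arrival(line):
    """Pull the fields the rule needs out of one '<=' line; None otherwise."""
    m = ARRIVAL_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    host = HOST_RE.search(rest)
    proto = PROTO_RE.search(rest)
    rcpt = RCPT_RE.search(rest)
    return {
        "id": m.group("id"),
        "sender": m.group("sender").lower(),
        "rcpt": rcpt.group("rcpt").lower() if rcpt else None,
        "host_ip": host.group("ip") if host else None,
        "proto": proto.group("proto") if proto else None,
        "authenticated": bool(AUTH_RE.search(rest)),
    }


def is_spoofed_self_mail(rec):
    """rpvw's rule in executable form: sender equals recipient, the sender
    domain is ours, and the message arrived over SMTP from an untrusted host
    that did not authenticate. A local (pipe/sendmail) submission has no H=
    field at all, which is the 'empty sender_host_address' case."""
    if rec["host_ip"] is None or rec["authenticated"]:
        return False
    if any(ip_address(rec["host_ip"]) in net for net in TRUSTED_NETS):
        return False
    sender = rec["sender"]
    if "@" not in sender:
        return False
    return sender.rsplit("@", 1)[1] in LOCAL_DOMAINS and rec["rcpt"] == sender


def scan_log(text):
    """Return (message id, sender, connecting IP) for every suspicious arrival."""
    hits = []
    for line in text.splitlines():
        rec = parse_arrival(line)
        if rec and is_spoofed_self_mail(rec):
            hits.append((rec["id"], rec["sender"], rec["host_ip"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious: id=%s sender=%s peer=%s" % hit)
```

Of the five constructed lines only the first is reported: the second authenticated (A= present, P=esmtpa), the third never touched SMTP, the fourth claims a foreign sender, and the fifth came over loopback. That last case is why the "sender_host_address is empty" premise is not enough on its own: webmail and local scripts submit to 127.0.0.1 without authenticating, so a rule keyed only on an empty host address either misses them or, if inverted, blocks them.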
  • Spirogg
    I am also getting this type of email asking for ransom money ?? I ran this code: exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog. The IP is the spammer's.

        [root@server1 ~]# exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog
        2018-11-19 04:30:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gOgoe-0003pl-Cw
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: "SpamAssassin as ok2 detected message as spam (19.6)"
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: Message has been scanned: no virus or other harmful content was found
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw <= mnb@*****.com H=([37.106.108.86]) [37.106.108.86]:25230 P=esmtp S=5060 id=204B90CD4EFB161378A3FE7DC825204B@ok.com T="mnb@*****.com - this account has been hacked! Change all your passwords!" for mnb@*****.com
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw => spiro R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 gJ8hHq2Q8lu7OQAAup1nGg Saved"
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw Completed
    0
  • rpvw
    We know what they are doing, and what is being sent !! There is little point in everyone posting more examples of the problem. What we need is constructive input towards how we are going to code a solution !
    0
  • Spirogg
    So for sure this is just spam, no one has compromised the servers? @rpvw can we just block that port in CSF? Or is that needed for email to function? I'm kind of a newbie when it comes to spam, spoofing etc.
    0
  • rpvw
    Do NOT start blocking ports in CSF unless you know what you are doing! You could end up with all sorts of problems :) Look at the email's originating Received header; if it has an IP in it, it probably does not belong to any of your clients or your server. You can look up where it comes from using a tool like Robtex. If the mail was genuinely sent from your client to your client, this field would be empty as the mail authenticated to the same server as it was received on.
    0
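To make the Received-header reading rpvw describes concrete, the Python below (an added example, not code from this thread or from cPanel) walks a message's Received chain with the standard library's email parser and reports the hop at which the message entered our mail system. In Exim's Received format, `from [a.b.c.d] (port=N helo=X)` or `from host.name ([a.b.c.d]:N helo=X)`, the bracketed address in the from clause is the TCP peer the server actually talked to, while the helo value is whatever the client chose to announce; the two can differ, and only the former is worth looking up or matching in a rule. The message, addresses, ids and IPs are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed message modelled on the headers quoted in this thread: a
# self-addressed mail that entered example.com's Exim from an outside address.
# Addresses, IPs and ids are made up.
RAW_MESSAGE = """\
Return-Path: <someusr@example.com>
Delivered-To: someusr@example.com
Received: from mail.example.com by mail.example.com with LMTP id ABCDEF0123456789abcdef
\tfor <someusr@example.com>; Thu, 25 Oct 2018 11:11:50 +0530
Received: from [203.0.113.45] (port=56315 helo=[90.161.20.38])
\tby mail.example.com with esmtp (Exim 4.91)
\t(envelope-from <someusr@example.com>)
\tid 1aBcDe-0001Fg-Hi
\tfor someusr@example.com; Thu, 25 Oct 2018 11:11:50 +0530
From: someusr@example.com
To: someusr@example.com
Subject: account someusr@example.com is compromised

Hello!
"""

HOP_RE = re.compile(
    r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<with>\S+))?(?:.*?\bid\s+(?P<id>\S+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")
HELO_RE = re.compile(r"helo=(?P<helo>[^\s)]+)", re.IGNORECASE)


def parse_received(value):
    """Split one Received: value into the parts that matter for tracing."""
    text = " ".join(value.split())  # unfold and squeeze whitespace
    m = HOP_RE.match(text)
    if not m:
        return {"raw": text, "from": None, "ip": None, "helo": None,
                "by": None, "with": None, "id": None}
    from_clause = m.group("from")
    ip = IP_RE.search(from_clause)
    helo = HELO_RE.search(from_clause)
    return {
        "raw": text,
        "from": from_clause,
        "ip": ip.group("ip") if ip else None,          # TCP peer as seen by 'by'
        "helo": helo.group("helo") if helo else None,  # client-supplied name
        "by": m.group("by"),
        "with": m.group("with"),
        "id": m.group("id"),
    }


def received_hops(raw_message):
    """All hops in header order: the top one is the most recent, the last one
    is where the message entered our mail system (each relay prepends)."""
    msg = message_from_string(raw_message, policy=default_policy)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_hop(raw_message):
    hops = received_hops(raw_message)
    return hops[-1] if hops else None


if __name__ == "__main__":
    origin = originating_hop(RAW_MESSAGE)
    print("entered via", origin["by"], "from peer", origin["ip"],
          "claiming HELO", origin["helo"], "exim id", origin["id"])
```

For the constructed message the origin hop reports peer 203.0.113.45 and HELO [90.161.20.38]; the LMTP hop above it is the server handing the message to Dovecot and carries no peer address, which is the "empty" case rpvw refers to for mail that never left the box.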
  • cPanelLauren
    I am also getting this type of email asking for ransom money ?? I ran this code: exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog. The IP is the spammer's.

        [root@server1 ~]# exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog
        2018-11-19 04:30:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gOgoe-0003pl-Cw
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: "SpamAssassin as ok2 detected message as spam (19.6)"
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: Message has been scanned: no virus or other harmful content was found
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw <= mnb@*****.com H=([37.106.108.86]) [37.106.108.86]:25230 P=esmtp S=5060 id=204B90CD4EFB161378A3FE7DC825204B@ok.com T="mnb@*****.com - this account has been hacked! Change all your passwords!" for mnb@*****.com
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw => spiro R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 gJ8hHq2Q8lu7OQAAup1nGg Saved"
        2018-11-19 04:30:05 1gOgoe-0003pl-Cw Completed

    But this message is being flagged as spam? Warning: "SpamAssassin as ok2 detected message as spam (19.6)" cPanel can't stop you from getting spam sent to your server altogether; in this instance SpamAssassin is working for you.
    0
  • cPanelLauren
    Again, whilst I do recognise the need for some filter of this nature, I don't think it is necessarily up to cPanel to provide it. If they can help us, that would be fantastic, but I also note that such a fundamental filter should be available from dozens/hundreds of sources on the internet if it were possible to achieve using the current Exim filters - the very fact that there are NO references to any such filter does somewhat reinforce my belief that it won't be possible under the current Exim filter rules.

    I am wondering if it could be looked at from a different angle as well: you might try a custom SpamAssassin rule with a heavy weight/point score. In the OP's instance, the issue was primarily that SpamAssassin wasn't actually seeing it as spam. WritingRules - Spamassassin Wiki Also there are some really amazing custom rules here as well.
    0
  • plague
    I have been facing this issue on a couple of servers in the last months. Didn't bother to search the forums until today, when a new case happened; found this thread and I would like to share my thoughts on this.

    So, as I noticed, the previous posts didn't figure out how this spam is being sent, and it's very simple: you don't need to authenticate to send local emails in the default Exim config used on cPanel. You can just open a telnet connection on port 25, set the "mail from" and "rcpt to" as the same email address and Exim will deliver the email. Here is an example:

        root@servidor [~]# telnet domain.com.br 25
        Trying 67.23.x.x...
        Connected to domain.com.br.
        Escape character is '^]'.
        220-server.x.com.br ESMTP Exim 4.91 #1 Tue, 29 Jan 2019 11:07:44 -0200
        220-We do not authorize the use of this system to transport unsolicited,
        220 and/or bulk e-mail.
        ehlo domain.com.br
        250-server.x.com.br Hello example.com [162.243.x.x]
        250-SIZE 52428800
        250-8BITMIME
        250-PIPELINING
        250-AUTH PLAIN LOGIN
        250-STARTTLS
        250 HELP
        mail from: teste@domain.com.br
        250 OK
        rcpt to: teste@domain.com.br
        data
        teste
        .
        250 Accepted
        354 Enter message, ending with "." on a line by itself
        250 OK id=1goT8k-0000iR-4u

    And here is the delivery log on the destination server:

        root@server [~]# grep 1goT8k-0000iR-4u /var/log/exim_mainlog
        2019-01-29 11:09:23 1goT8k-0000iR-4u H=example.com (domain.com.br) [162.243.x.x]:45757 I=[67.23.x.x]:25 Warning: "SpamAssassin as sorriaortorisoco detected message as spam (15.8)"
        2019-01-29 11:09:23 1goT8k-0000iR-4u <= teste@domain.com.br H=example.com (domain.com.br) [162.243.21.57]:45757 I=[67.23.238.2]:25 P=esmtp S=1744 from for teste@domain.com.br
        2019-01-29 11:09:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1goT8k-0000iR-4u
        2019-01-29 11:09:23 1goT8k-0000iR-4u => teste F= R=virtual_user T=dovecot_virtual_delivery_no_batch S=1912 C="250 2.0.0 KCt1D4NQUFzdegAAcWTs+w Saved"
        2019-01-29 11:09:23 1goT8k-0000iR-4u Completed

    As you can see, knowing an email address allows me to send emails to anyone on a cPanel server. SpamAssassin is filtering the message, SPF and DKIM are being used in its filters, but still this message should never be able to reach the account. Interesting fact: if you try to telnet on port 587, the connection is dropped before you can send the message:

        root@servidor [~]# telnet domain.com.br 587
        ......
        mail from: teste@domain.com.br
        250 OK
        rcpt to: teste@domain.com.br
        550 SMTP AUTH is required for message submission on port 587

    Ok, so, how do I block this on my servers? Using some lines that I took from a VestaCP installation:

    - Go to Exim Config Editor > Advanced Editor on WHM
    - Find "custom_begin_recipient_post"
    - Add these lines in that block:

        deny message = smtp auth required
             sender_domains = +relay_domains
             !authenticated = *

    This will force authentication on port 25, but check your logs after this change; I have had problems with some redirections to and from Gmail accounts asking for authentication while redirecting emails received on the server. The workaround for this was to add Gmail IPs to the "Trusted SMTP IP addresses" list.

    Edit: Forgot to add the test after those changes:

        root@servidor [~]# telnet domain.com.br 25
        Trying 67.23.x.x...
        Connected to domain.com.br.
        Escape character is '^]'.
        220-server.x.com.br ESMTP Exim 4.91 #1 Tue, 29 Jan 2019 11:32:24 -0200
        220-We do not authorize the use of this system to transport unsolicited,
        220 and/or bulk e-mail.
        ehlo domain.com.br
        250-server.srv1eua.com.br Hello example.com [162.243.x.x]
        250-SIZE 52428800
        250-8BITMIME
        250-PIPELINING
        250-AUTH PLAIN LOGIN
        250-STARTTLS
        250 HELP
        mail from: ]teste@domain.com.br
        250 OK
        rcpt to: teste@domain.com.br
        550 smtp auth requried
    0
  • plague
    @cPanelLauren I think you guys should take a look at this. Not a big deal, but it's still some sort of security breach that can and should be closed in the default configuration.
    0
  • cPanelMichael
    Hello @plague,
    So, as I noticed, the previous posts didn't figure out how this spam is being sent, and it's very simple: you don't need to authenticate to send local emails in the default Exim config used on cPanel.

    The following section from our Exim Configuration Manager interface (WHM >> Home >> Exim Service Configuration >> Exim Configuration Manager). After you enable this feature, you will see output that is similar to the following in the /var/log/exim_mainlog file:

        2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [fakemail@example.com], actual sender is not the same system user) original=[fakemail@example.com] actual_sender=[spammer@spammer.com]

    The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.
    Additionally, I encourage you to vote and add feedback to the following feature request if you'd like to see a way to prevent this behavior:
    0
  • sparek-3
    root@servidor [~]# telnet domain.com.br 25

    What server are you on when you do this telnet command? If you're on the same server that is hosting domain.com.br then at best, this is trivial. By and large, regular (non-root) users should not be able to open any connections directly on port 25. That is what SMTP Block in CSF does, and I think cPanel has something (I'm not sure what it's called) that prevents this. So a non-root user won't be able to make this connection.

    If it's not the server hosting domain.com.br, then you're not going to have any control over this. The SMTP transaction you posted is just a normal SMTP transaction; if you start tampering with that, then you're going to affect real, regular SMTP transactions.

    The bottom line throughout all of this is that people are going to have to learn that MAIL FROM (both the envelope sender and the header From) can be faked and it's trivial to do. If you REALLY want to combat this, then DKIM and SPF are going to have to take a larger role (or something similar that is like these technologies). But as it stands, too many people don't understand the DKIM signing process or what an SPF record means, so they don't set them properly. This means recipient servers can't be completely bullish on how they handle that authentication ... "this message doesn't pass DKIM... but that may just be because the sender's system doesn't understand how to use DKIM, so we'll allow it". And thus the perpetuation of spam continues on. There are also ramifications in how forwarders are used (the solution here... don't use forwarders).

    If every receiving mail server really scrutinized messages, requiring hard DKIM checks, that would stop a lot of these fake messages. Legitimate messages that are sent would have to be properly signed with DKIM and recipient mail servers would only accept messages that are properly signed with DKIM. But how many billion email users are there in the world? How many millions of mail servers are there? If someone came out with a technology that ended spam completely right now... it would still take 10 years for all of that to filter down to the masses.
    0
  • Volodymyr Petrov
    Does your client have a valid SPF and DKIM? What you're describing sounds a bit like spoofing.

    I can confirm SPF with the "-all" rule does not prevent sending such mails. It looks like a bug in the implementation of SPF checking during SMTP time. I am absolutely sure that proper SPF should stop such letters.
    0
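What SPF actually decides in this scenario is worth seeing in code, since several posts above lean on it. The Python below is an added example, not code from this thread, from cPanel or from any SPF library: it evaluates a published SPF record against the address that connected, which is what an SMTP-time check does with the envelope MAIL FROM domain, and then shows the verdict an enforcing ACL would reach. The record, domain and IPs are constructed; the evaluator only handles ip4, ip6 and all (include, a, mx, ptr, exists and redirect need DNS and are skipped here, an assumption that makes it a teaching tool, not a validator), and it says nothing about whether any given cPanel build performs this check.

```python
from ipaddress import ip_address, ip_network

# Qualifier prefix on an SPF mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for the DNS TXT lookup of the sender domain's record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:103.50.0.0/16 ip6:2001:db8::/32 -all",
}

# Mechanisms that need DNS; skipped in this example (assumption), so a record
# that relies on them will not fail here as it would in a real evaluator.
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists"}


def evaluate_spf(record, client_ip):
    """Return the SPF result for the connecting address under this record.

    SPF is decided on the TCP peer address and the envelope MAIL FROM domain,
    never on the From: header, so a self-addressed message is judged by where
    the connection came from, not by what the headers claim.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:                      # modifiers (redirect=, exp=): skipped
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:                    # False across address families
                return QUALIFIERS[qualifier]
            continue
        if mech in NEEDS_DNS:
            continue
        return "permerror"                   # unknown mechanism
    return "neutral"                         # no 'all' and nothing matched


def smtp_time_verdict(envelope_from, client_ip, records=SPF_RECORDS):
    """What an ACL enforcing SPF at MAIL FROM time would do: (action, result).

    Only a hard fail is rejected; softfail is left to scoring, and a domain
    without a record cannot be judged at all.
    """
    if "@" not in envelope_from:             # null sender <> (bounces)
        return ("accept", "none")
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None:
        return ("accept", "none")
    result = evaluate_spf(record, client_ip)
    return ("reject", result) if result == "fail" else ("accept", result)


if __name__ == "__main__":
    # The thread's case: a message claiming someusr@example.com handed to
    # example.com's own MX from an outside address (constructed IPs).
    print(smtp_time_verdict("someusr@example.com", "90.161.20.38"))  # ('reject', 'fail')
    print(smtp_time_verdict("someusr@example.com", "103.50.7.8"))    # ('accept', 'pass')
```

Two things follow for this thread's problem. A "-all" record does produce a hard fail for a self-addressed message injected from an outside address, but only if the receiving server evaluates SPF for its own hosted domains and acts on the result at SMTP time; a record that a per-account spam filter merely scores is a weight, not a gate. And a record that ends in "~all" or that relies only on include/a/mx never yields "fail" here, which is why a record that looks fine to its owner can still let such mail through.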
  • plague
    @cPanelMichael The server I used to telnet is another server, so the localhost rule does not apply.

    @sparek-3 With the adjustment I posted, I have control over this; just like you can't send that kind of message on port 587, I'm blocking it on port 25 too. After this fix I had one problem with one domain, out of about 20k domains hosted, in a very specific situation with forwarders and filters to Gmail. I didn't spend time to figure out why that error happened in that situation, to be honest. I'd rather have the Gmail IP range whitelisted in some of my SMTP checks than have clients arguing about my server security or why and how someone had access to their email account to send this message to itself. As I said, I took those lines from a VestaCP server, and I never had problems sending or receiving emails on that panel, even though it uses those lines to block unauthenticated senders, as I am using on my cPanel servers now.

    I agree with you that faked headers are trivial, but in those cases you can show the client that it is a fake message and explain to them where it came from. In this case the headers are not faked. It is a regular message from an account to itself that the default Exim config is allowing to be sent. All you can say is "well, yep, there's a hole in the server config allowing this guy to use your account to send these emails to you". Even if the spammer does not have access to the email data, this is not a good thing to hear from your webhosting support, right?

    I also agree with you that SPF and DKIM should block this, but SPF and DKIM are filters that the user can enable/disable at will on cPanel. In my opinion the best way to avoid that is to block it at SMTP time like it is already done on port 587, denying the spammer the ability to even send the message rather than filtering it after it has been sent. With that said, how many cPanel clients are facing this issue, and how many of them have found this thread to understand how they can block this? Once a client faces this issue and you just can't prove that this is a "fake header" situation (because it is not), this guy won't trust your server security level, and it doesn't matter if he could have blocked it himself by activating SPF and DKIM on his account. That's why I think cPanel devs should care more about this thread, even if I have already found a fix for that on my servers. Relying on DKIM and SPF to block these messages seems just a weak workaround, not an actual fix for the issue.
    0
