Spam email from self
I have a reseller account at a host with several client domains. One client has a number of email addresses that are getting email from themselves, containing spam.
From what I can tell, these emails are being passed as example from my parent host's servers (the company I buy my reseller account from).
Why don't these fail to authenticate when the fake sender sends, AND/OR when the real sender receives?
How do I keep other people from sending email through my client's account?
Example of Message Source in a fake email (names & numbers changed to protect privacy)

Return-Path:
Delivered-To: myclient@example.com
Received: from rs2.parentserver.com
    by rs2.parentserver.com with LMTP id EiEiEi0
    for ; Wed, 08 Aug 2018 17:19:32 -0400
Return-path:
Envelope-to: myclient@example.com
Delivery-date: Wed, 08 Aug 2018 17:19:32 -0400
Received: from adsl-001.001.001.001.bogus.gr ([002.002.002.002]:10500)
    by rs2.parentserver.com with esmtp (Exim 4.91)
    (envelope-from )
    id 3c3c3c3c3c3c-OT
    for myclient@example.com; Wed, 08 Aug 2018 17:19:32 -0400
Message-ID: <001b0ddd5bbb@cmkky2by>
From:
To:
Subject: Welcome to our company
Date: 9 Aug 2018 02:05:48 +0200
MIME-Version: 1.0
Content-Type: text/plain;
    charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

In track delivery the acceptance looks like this (changes to names & numbers)
Event: success success
User: -remote-
Domain:
From Address: myclient@example.com
Sender:
Sent Time: Aug 8, 2018, 4:19:16 PM
Sender Host: adsl-001.001.001.001.bogus.gr
Sender IP: 002.002.002.002
Authentication: localdelivery
Spam Score:
Recipient: myclient@example.com
Delivery User: myclientrealusername
Delivery Domain: example.com
Delivered To: myclient@example.com
Router: virtual_user
Transport: dovecot_virtual_delivery
Out Time: Aug 8, 2018, 4:19:16 PM
ID: 3c3c3c3c3c3c-OT
Delivery Host: localhost
Delivery IP: 100.0.0.1
Size: 1.66 KB
Result: Accepted
Hello @plague,

One additional option to consider is Require remote (domain) HELO, found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. EX: "REJECTED - Bad HELO - Host impersonating [testing.tld]"

Thank you.
Hello @cPanelMichael,

Thanks for your advice, but I am still able to send the message using some random domain in the HELO. These options are checked in the Exim Config:

Require HELO before MAIL
Require remote (hostname/IP address) HELO
Require remote (domain) HELO
Require RFC-compliant HELO

root@servidor [~]# telnet server.x.com.br 25
Connected to server.x.com.br.
.......
ehlo hotmail.com
250-server.x.com.br Hello servidor.x.eti.br [x.x.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: user@x.com.br
250 OK
rcpt to: user@x.com.br
250 Accepted
data
354 Enter message, ending with "." on a line by itself
teste
.
250 OK id=1gr8HT-001CUN-LH
Hello everyone,

This is the first post for me and I'm happy to be with this great cPanel community. Indeed, I love you cPanel because you served my business for a while.

Back to work: in "Mail Delivery Reports" I see a lot of delivered email made by a spammer [from to] the same email address, example:

From 123@domain.tld To 123@domain.tld
From jeorge@domain.tld To jeorge@domain.tld
(Where: account 123 does not exist, account jeorge exists)

Report from exim_mainlog returns this:

1- (Name_OfSpammerDomain) [His_IP]: Warning: "SpamAssassin as [user_account] detected message as spam (34.5)"
2- malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): Connection refused
3- (Name_OfSpammerDomain) [His_IP]: Warning: Message has been scanned: no virus or other harmful content was found
4- 123@domain.tld H=(Name_OfSpammerDomain) [His_IP]: P=esmtp S= id=xxxxx@domain.tld T="Caution! Attack hackers to your account!" for 123@domain.tld
5- discover_sender_information failed to set the from header rewrite for 123@domain.tld
6- jeorge+spam (jeorge@domain.tld) <123@domain.tld> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
7- Completed

This happened with many domains on my server and for many emails for each domain. Another domain shows the same report but with one difference in line 5:

5- .....rewrite for notExistEmail@anotherdomain.tld
6- ..... Saved"
Completed

All contents of the messages are about this spammer having hacked the email and asking to transfer money. I know this kind of lies (I hope that :) ) but I'm asking about two things:

1- Is this email account really hacked?
2- Can the spammer use one of those accounts to send messages to an outer email like @gmail.com? In this case he would send to a lot of outer emails and get my server blocked.

Thank you
Hi @Inner2019Peace, I've moved your post to this related thread.
Hi @plague,

The Require remote (domain) HELO option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. It won't prevent the use of remote domain names as the FROM address, or prevent the activity completely. It's simply an added measure you can take to help prevent the FROM address from mimicking a domain name that exists locally on the cPanel server. To block the activity altogether (other than through the workaround you noted), the following feature request would need to be implemented:

@Inner2019Peace, see my post for information on how you can block this behavior (specifically the use of a local domain as the FROM address). No, delivery attempts to a remote mail server using this method will fail because SMTP authentication is required for non-local addresses.

Thank you.
I was linked to the quoted post from a
We are getting massive amounts of spam with spoofed email addresses, and trying to see whether fixing this hole could help control the spam issue.
Hello @Juanpi, can you confirm whether the incoming SPAM has continued since making the adjustments to the options in the screenshot you attached? Thank you.
I have an issue where a number of emails are being spoofed, saying the email has been hacked. It appears an old database was compromised and the emails began coming in. How can I stop them? My mailscanner is NOT scanning it because it appears to be from my server.

Hi! As you may have noticed, I sent you an email from your account. This means that I have full access to your account. I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you
Usually spam filters (either GMail's or cPanel's) will filter out most trash. However, this new string of emails being sent by hackers claiming to have my password (but really the SMTP headers show it's still from their server) has been making it past the filters, and not only that, it is being enhanced by GMail rejecting any emails from my server, causing a Mailer Daemon error and bringing the email from the scammer straight to my inbox every time (I blame both my config and Google for this). For some reason, despite having set the option to only deliver from local addresses if authorized, as well as SPF, it still seems to come through. The message is actually from Google, rejecting the forwarded email from the cPanel server.

While this mostly mentions GMail, the question I suppose is: how do I reject emails that pretend to be any account on the server's domains, and NOT have the mailer daemon bounce back to itself?
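The rejection the posts above are asking for, as an added example that is not from any post in this thread nor from cPanel's own configuration: an Exim ACL fragment that refuses, at MAIL FROM time, any unauthenticated SMTP session whose envelope sender is in a domain hosted on this server, unless the client is this host itself or a permitted relay. It assumes the `local_domains` domainlist and `relay_hosts` hostlist that a stock cPanel exim.conf defines, and that it is pasted into a MAIL-time ACL hook (such as the custom_begin_mail box in the Exim Configuration Manager's Advanced Editor); both the hook name and the list names are assumptions and should be checked against the server's own exim.conf before use.

```exim
# Added example, not part of the original thread or of cPanel's config.
# Reject unauthenticated sessions that claim a sender address in a domain
# hosted on this server. Assumes that exim.conf already defines the
# domainlist "local_domains" and the hostlist "relay_hosts" (verify the names).
deny
  # The envelope sender's domain is one we host ...
  sender_domains = +local_domains
  # ... the session has not completed SMTP AUTH with any authenticator ...
  !authenticated = *
  # ... and the client is neither a non-TCP local submission (empty item),
  # one of this host's own interface addresses (@[]), nor an allowed relay.
  !hosts         = : @[] : +relay_hosts
  # Rejecting here, at MAIL, means the message is never accepted, so no
  # bounce is generated later and nothing is forwarded on to a third party.
  message        = 550 Sender $sender_address is a local address: SMTP authentication is required from $sender_host_address
  log_message    = unauthenticated local sender $sender_address from $sender_host_name [$sender_host_address] HELO=$sender_helo_name
```

With this in place, a transaction like the telnet session earlier in the thread gets a 550 at `mail from: user@x.com.br` instead of `250 OK`, and nothing reaches Dovecot or a forwarder. Bounces (empty envelope sender) have no domain and are not affected. The caveat is that any legitimate source that sends as one of your domains without authenticating (an off-server web form, a third-party newsletter service, a second MX you operate) is rejected too: have those hosts authenticate, or add them to `relay_hosts` or a dedicated hostlist; if the server's Exim was built with SPF support, an extra `!spf = pass` condition would additionally let through hosts your SPF record already authorises.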
Can you share the message header (ensuring to remove real domain names and IP addresses) along with the entry from /var/log/exim_mainlog? EX:

exigrep MSG-SUBJECT /var/log/exim_mainlog

Replace "MSG-SUBJECT" with the subject associated with one of those emails. Ensure to remove real domain names and IP addresses when you paste the output here. Thank you.
Hi, I "fixed" this problem using RBL, DKIM, DMARC, SPF and configuring SpamAssassin.
It looks like my post got merged into this thread, which currently has no solution. While not cPanel's fault, it is disheartening that we are in this situation with a 20+ year old protocol and spammers "won". Maybe it's time for Exim/Postfix to finally get a successor?
This is the issue with people relying on old technologies and the "you can take my old school technology from my cold dead hands" attitude. SMTP, as it is now, is never going to be able to fully combat this. It wasn't designed for this. Over the years, stuff has been added and added to the SMTP protocol, but at its core it does not combat email spoofing.

SPF and DKIM definitely help. I'm not sure if it's a total solution, but it definitely helps. But the problem is... too many people still rely on old methodologies. SPF and DKIM won't work in those situations. Way too many users, mail server operators, etc. do not deploy SPF and DKIM correctly and/or don't understand them (and don't bother trying to understand them). Secondly, too many end users continue to use email forwarders; SPF and DKIM are not going to work in those situations.

If you can get everyone (all people on the Internet) to properly deploy SPF and DKIM and actually configure mail servers to handle improperly validated emails (i.e. reject messages that don't pass SPF and DKIM instead of the current "well, this user may not know what they are doing" reason for allowing messages through), which would also mean doing away with email forwarders, then you MIGHT be looking at a solution. But that's never going to happen.

Your best hope is that another messaging protocol eventually supersedes SMTP, which hopefully would employ measures to prevent this type of spoofing. But email and SMTP are so ingrained in our society it's going to be a tough sell.
Hello, I have also had this type of problem with emails that claim to come from a local account. A few minutes ago I got an email with the typical text that says things like "look, we have sent an email using your account .... we are watching you, I see you watching XXX videos, transfer a number of bitcoins to remain silent". I checked the mail headers and did not understand why SpamAssassin did not mark anything.. and suddenly I noticed a detail ... the size of the mail was more than 200KB. In the configuration of exim, currently the maximum size of emails to be reviewed by SpamAssassin is 1000KB, but before it was only 200KB, and since my servers use a standard configuration of exim, I had not updated that value and I maintained a maximum of 200KB. Check that detail, maybe this detail may also be part of the problem. Nowadays, spammers do not mind sending large emails.
and suddenly I noticed a detail ... the size of the mail was more than 200KB. In the configuration of exim, currently the maximum size of emails to be reviewed by SpamAssassin is 1000KB, but before it was only 200KB, and since my servers use a standard configuration of exim, I had not updated that value and I maintained a maximum of 200KB.

Thanks for noticing this. I was just looking into the same issue where an email wasn't scanned. Turns out it was 251KB and my setting was also 250KB, but I've now changed it to 1000KB so I'll see what happens.
@shenzy said: the size of the mail was more than 200KB. In the configuration of exim, currently the maximum size of emails to be reviewed by SpamAssassin is 1000KB but before it was only 200KB and since my servers use a standard configuration of exim,

Did this work for you so far? @plague, are you also using 1000KB on top of your settings?
@Spirogg yes, the size limit is set to 1000 KB. 1000 KB is the default size since v80 I guess.