Spam email FROM address
Hello all,
I have DKIM, SPF, and SpamAssassin enabled on all accounts, but I don't understand how emails like the one below are getting through...
I'm afraid that, somehow, my server is acting as an open relay...
Here is an actual example of the headers of a spam/ransom message that got through. You can clearly see that SpamAssassin didn't even check it (as evidenced by the complete absence of X-Spam tags), and that SPF and DKIM each should have failed, yet it got through...
Please, if anyone has any idea, any suggestions are desperately welcome...
Here are the raw headers of the message:
Return-Path:
Delivered-To: --my-email-address--
Received: from --my-host-name--
by --my-host-name-- with LMTP
id eP2NFSuPglznMwAAugyn/Q
(envelope-from )
for <--my-email-address-->; Fri, 08 Mar 2019 16:50:03 +0100
Return-path:
Envelope-to: --my-email-address--
Delivery-date: Fri, 08 Mar 2019 16:50:03 +0100
Received: from [27.254.xxx.xx] (port=55104 helo=WIN-41GNGA78579.home)
by --my-host-name-- with esmtp (Exim 4.91)
(envelope-from )
id 1h2Hkr-0003Sf-O8
for --my-email-address--; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [example.net] ([210.245.xx.xx]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
Subject: --my-first-name--
From: <--my-email-address-->
Content-Type: multipart/related;
boundary="17E4BDA2FE-0DF9-A276D708F5-787407A80C-E69887"
MIME-Version: 1.0
Abuse-Reports-To: abuse@mailer.example.com
Message-ID:
<3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d>
To: --my-email-address--
List-Unsubscribe:
User-Agent: ORYANOO 6.2
Date: Fri, 8 Mar 2019 15:32:57 +0100
X-Complaints-To:
X-aid: 8635314994
Organization: Esgxuwpq

Here is the result of the command: exigrep 1h2Hkr-0003Sf-O8 /var/log/exim_mainlog
2019-03-08 16:50:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2Hkr-0003Sf-O8
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): No such file or directory
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= test@example.com H=(WIN-41GNGA78579.home) [27.254.148.50]:55104 P=esmtp S=258040 id=3675240188.290539026745856556730149035695.JavaMail.app@wsrmk.9dt28d T="--my-first-name--" for --my-email-address--
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 => --my-first-name-- <--my-email-address--> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <--my-email-address--> eP2NFSuPglznMwAAugyn/Q Saved"
2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 Completed

Again, clearly all checks have been bypassed... How does this happen?
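As an added triage example for the post above (this is not code from the original poster, from cPanel or from Exim), the script below reads the kind of raw headers and exigrep output that were posted and reports what the receiving MTA actually recorded, entirely offline. The embedded sample is constructed: the redacted addresses, hostnames and IPs are replaced with example.org / documentation-range values, and LOCAL_HOSTS / LOCAL_DOMAINS are assumed values you would set to your own hostname and hosted domains. It locates the Received hop written by our own Exim, takes the client IP, HELO and protocol from it (Exim records esmtpa or esmtpsa only when SMTP AUTH succeeded), flags a From: that claims a local domain from a client that never authenticated, reports that no DKIM-Signature, Authentication-Results or X-Spam-* header exists at all (there was no signature to verify and no check left a trace), compares client-supplied Received timestamps against our own receipt time, and scans the log for the malware ACL failing to reach clamd.

```python
"""Offline triage of a suspicious message from its raw headers and Exim log.

Added example for this thread; not code from the original post, cPanel or Exim.
No DNS is touched (so no SPF lookup): it only reads what the MTA recorded.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample shaped like the headers in the post; the redacted
# addresses, hostnames and IPs are replaced by documentation values.
SAMPLE_HEADERS = """\
Return-Path: <test@example.com>
Received: from mail.example.org
\tby mail.example.org with LMTP
\tid eP2NFSuPglznMwAAugyn/Q
\t(envelope-from <test@example.com>)
\tfor <alice@example.org>; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [198.51.100.77] (port=55104 helo=WIN-41GNGA78579.home)
\tby mail.example.org with esmtp (Exim 4.91)
\t(envelope-from <test@example.com>)
\tid 1h2Hkr-0003Sf-O8
\tfor alice@example.org; Fri, 08 Mar 2019 16:50:03 +0100
Received: from [example.net] ([203.0.113.5]) by home with MailEnable ESMTP; Sat, 9 Mar 2019 21:05:33 +0700
From: <alice@example.org>
To: alice@example.org
"""
# Constructed log lines in the shape of the exigrep output in the post.
SAMPLE_LOG = [
    "2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 malware acl condition: clamd /var/clamd : "
    "unable to connect to UNIX socket (/var/clamd): No such file or directory",
    "2019-03-08 16:50:03 1h2Hkr-0003Sf-O8 <= test@example.com H=(WIN-41GNGA78579.home) "
    "[198.51.100.77]:55104 P=esmtp S=258040",
]
LOCAL_HOSTS = {"mail.example.org"}   # what our own Exim writes after "by" (assumed)
LOCAL_DOMAINS = {"example.org"}      # domains we host (assumed)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")
HELO_RE = re.compile(r"helo=([^\s)]+)")


def parse_received(value):
    """Extract client IP, receiving host, protocol, HELO and timestamp from one Received: header."""
    v = " ".join(value.split())  # undo header folding

    def grab(rx):
        m = rx.search(v)
        return m.group(1) if m else None

    ts = None
    if ";" in v:  # the date is everything after the last ';'
        try:
            ts = parsedate_to_datetime(v.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            ts = None
        if ts is not None and ts.tzinfo is None:
            ts = None  # naive timestamp, cannot be compared safely
    return {"ip": grab(IP_RE), "by": grab(BY_RE), "proto": grab(WITH_RE),
            "helo": grab(HELO_RE), "time": ts}


def triage(raw_headers, log_lines, local_hosts=LOCAL_HOSTS, local_domains=LOCAL_DOMAINS):
    """Return the facts a responder wants before deciding 'open relay or not'."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    f = {}
    # 1. Our ingress hop: the newest hop written by our MTA that recorded a client IP.
    #    Every Received: line below it was supplied by the client and is untrusted.
    idx = next((i for i, h in enumerate(hops) if h["by"] in local_hosts and h["ip"]), None)
    if idx is None:
        f["no_local_ingress_hop"] = True
        return f
    hop = hops[idx]
    f["client_ip"], f["helo"] = hop["ip"], hop["helo"]
    # Exim records the protocol as esmtpa/esmtpsa only when SMTP AUTH succeeded.
    f["authenticated"] = bool(hop["proto"]) and hop["proto"].lower().endswith("a")
    # 2. From: claims one of our domains, yet the client never authenticated.
    f["from_domain"] = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    f["spoofed_local_from"] = f["from_domain"] in local_domains and not f["authenticated"]
    # 3. Which authentication / filter headers exist at all.
    names = {k.lower() for k in msg.keys()}
    f["has_dkim_signature"] = "dkim-signature" in names
    f["has_authentication_results"] = "authentication-results" in names
    f["has_spam_headers"] = any(k.startswith("x-spam") for k in names)
    # 4. Client-supplied hops dated after our own receipt are fabricated.
    later = [(h["time"] - hop["time"]).total_seconds()
             for h in hops[idx + 1:] if h["time"] and hop["time"]]
    f["future_hop_seconds"] = max(later + [0])
    # 5. Did the malware ACL actually reach its scanner?
    f["scanner_unreachable"] = any("malware acl" in l and "unable to connect" in l for l in log_lines)
    return f


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS, SAMPLE_LOG).items():
        print(f"{key:28} {val}")
```

On the constructed sample the ingress hop is an unauthenticated esmtp session from an external IP whose From: claims the local domain, the client-supplied hop is dated about 22 hours after our own receipt, no DKIM/SPF/spam header is present, and the log shows the scanner socket missing. That first condition (local From: domain, no SMTP AUTH, external client) is the test an ACL would apply at DATA time to refuse such mail; an SPF check needs a DNS lookup of the envelope-from domain against the client IP and is deliberately left out here.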
Hello @petersphilo, The following section is from our Exim Configuration Manager interface (WHM >> Home >> Exim Service Configuration >> Exim Configuration Manager). After you enable this feature, you will see output that is similar to the following in the /var/log/exim_mainlog file:

2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [fakemail@example.com], actual sender is not the same system user) original=[fakemail@example.com] actual_sender=[spammer@spammer.com]

The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.
Additionally, I encourage you to vote and add feedback to the following feature request if you'd like to see a way to prevent this behavior:
I will try that Experimental thing! Seems interesting :)