Prevent FROM address spoofing

  • cPanelMichael

    > I noticed a huge number of spams being sent from my server which I figured must be coming from a compromised mail account. I changed the password and cleaned the queue after discovering it. This passed the spam filters. How can I prevent this in future? I think if I can force the "sender" and the "from address" to be the same, it would be enough, as I don't see a case for any other way.

    Hello @vqq, The delivery to Gmail succeeded in the example you provided because the sender successfully authenticated via SMTP. You can enable the following option under the Mail tab in WHM >> Exim Configuration Manager >> Basic Editor to ensure the FROM address is accurate: EXPERIMENTAL: Rewrite From: header to match actual sender. Per its description: If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected. The best way to prevent this in the future is to address the source of the issue (the email account compromise). Do you use cPHulk brute force detection on this server? Also, do you enforce password strength levels for email accounts in WHM >> Password Strength Configuration? Thank you.
  • vqq

    > The best way to prevent this in the future is to address the source of the issue (the email account compromise). Do you use cPHulk brute force detection on this server? Also, do you enforce password strength levels for email accounts in WHM >> Password Strength Configuration?

    We have migrated a few hundred accounts recently from a Plesk panel; some of the passwords could be inadequate for the moment. I have changed the password of the said account and the problem seems to be gone.

    > Hello @vqq, The delivery to Gmail succeeded in the example you provided because the sender successfully authenticated via SMTP. You can enable the following option under the Mail tab in WHM >> Exim Configuration Manager >> Basic Editor to ensure the FROM address is accurate: EXPERIMENTAL: Rewrite From: header to match actual sender. Per its description: If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.

    This will still send the spam mail, but with my real address instead of the spam "from address", if I am reading it correctly. I want to do something like: if the from address matches the sender address, deliver; else mark as spam. So legitimate@company.com can send a mail where sender and from address are both legitimate@company.com. But the spam mail which has masqueradesas@bank.com in its from address and legitimate@company.com in its sender won't deliver. I think I saw something like this in this thread as an Exim filter, but I don't know if what I want is possible.
  • cPanelMichael

    Hello @vqq,

    > This will still send the spam mail but with my real address instead of spam "from address" if I am reading it correctly

    Yes, that is correct. The option is designed to ensure the actual FROM address appears in the message header, but it doesn't actually block the outgoing email.

    > I want to do something like if from address matches sender address deliver else mark as spam. So legitimate@company.com can send a mail where sender and from address are both legitimate@company.com. But the spam mail which has masqueradesas@bank.com in its from address and legitimate@company.com in its sender won't deliver.

    I don't know of a specific filter rule to share (it likely requires the use of a custom regular expression in the filter), but the How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation

    Thank you.
  • NetVicious

    > if from address matches sender address deliver else mark as spam.

    This will mark as spam all the messages sent from distribution lists, because they always spoof From headers. And it will affect email aliases or redirections too. I think a better solution would be a rule which checks whether the email From header is a local account and whether the connection is authenticated or not. If it's not authenticated, it should be filtered.
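The two rules discussed in this thread, side by side, as an added example (not code from the thread, cPanel or Exim): vqq's strict "From: must equal the authenticated sender" check and NetVicious's refinement that only polices From: addresses belonging to a local account. The session fields are modelled as plain inputs (in Exim they would come from $h_from: and $authenticated_id); LOCAL_DOMAINS and the sample sessions are constructed, and the refined rule here also treats "authenticated as a different local account" as a mismatch, which goes slightly beyond NetVicious's wording.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed for this example: the mail domains hosted on the server.
LOCAL_DOMAINS = {"company.com"}


@dataclass(frozen=True)
class Submission:
    """One message at the DATA stage of an SMTP session (modelled, not Exim)."""
    header_from: str        # raw From: header, may carry a display name
    authenticated_id: str   # SMTP AUTH username, "" when not authenticated


def bare_address(header_value: str) -> str:
    """Reduce a From: header ('Name <user@host>') to a lowercased address."""
    return parseaddr(header_value)[1].strip().lower()


def strict_rule(sub: Submission) -> str:
    """vqq's proposal: deliver only when From: equals the authenticated sender."""
    from_addr = bare_address(sub.header_from)
    if from_addr and from_addr == sub.authenticated_id.lower():
        return "deliver"
    return "spam"


def refined_rule(sub: Submission) -> str:
    """NetVicious's refinement: only a From: naming a local account is checked,
    and it is flagged when the session did not authenticate as that account.
    A list or alias relaying a message with a foreign From: passes untouched."""
    from_addr = bare_address(sub.header_from)
    if from_addr.rpartition("@")[2] not in LOCAL_DOMAINS:
        return "deliver"
    if sub.authenticated_id.lower() == from_addr:
        return "deliver"
    return "spam"


def evaluate(subs):
    """Return (From, auth id, strict verdict, refined verdict) per message."""
    return [(s.header_from, s.authenticated_id, strict_rule(s), refined_rule(s))
            for s in subs]


# Constructed sessions: the thread's incident, a normal send, a distribution
# list relaying a member's post, and an unauthenticated spoof of a local user.
SAMPLES = [
    Submission("Bank <masqueradesas@bank.com>", "legitimate@company.com"),
    Submission("legitimate@company.com", "legitimate@company.com"),
    Submission("Alice <alice@example.org>", "list@company.com"),
    Submission("CEO <ceo@company.com>", ""),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(row)
```

The output makes the trade-off concrete: the strict rule stops the thread's incident but also the list relay, while the refined rule spares the list and the unauthenticated spoof is caught by both.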