SPF record check
Hello,
I hope you are well.
Is it possible to force an account on my server to only accept mail if it complies with the SPF policy?
I have a client that is being spoofed from her own domain, which seems to be causing her (and by extension me) untold distress (though it is more an annoyance than anything).
The MX records are pointed to SpamExperts, but I have been told that the mail was delivered "Directly" to my server and did not pass through their filter.
I have enabled the SPF record as well as all the necessary DMARC and DKIM records, but this email is still getting through.
Any advice?
Hello @Wade John Beckett, Can you share the specific log entry from /var/log/exim_mainlog for one of the spoofed emails? You can find the log entry by using the exigrep utility as root via the command line. EX:

    exigrep MSGSUBJECT /var/log/exim_mainlog

Replace "MSGSUBJECT" with the subject of the email with the spoofed sender. Thank you.
Hello, Thanks for the reply. Here is the output from the exim_mainlog for the specific message:

    2019-04-02 08:11:25.343 [2489446] 1hBCdo-00ARcM-UL H=([5.76.71.62]) [5.76.71.62]:11180 I=[**.***.***.***]:25 Warning: Message has been scanned: no virus or other harmful content was found
    2019-04-02 08:11:25.345 [2489446] 1hBCdo-00ARcM-UL <= user@domain.com H=([5.76.71.62]) [5.76.71.62]:11180 I=[**.***.***.***]:25 P=esmtp S=2955 M8S=0 RT=0.358s id=134380924.201904021711@domain.com T="Frauders known your old passwords. Access data must be changed." from for user@domain.com
    2019-04-02 08:11:25.367 [2489817] 1hBCdo-00ARcM-UL => user F= P= R=virtual_user T=dovecot_virtual_delivery S=3149 C="250 2.0.0 oNRwFQ39olxq9yUAMIJW9Q Saved" QT=0.427s DT=0.009s
    2019-04-02 08:11:25.367 [2489817] 1hBCdo-00ARcM-UL Completed QT=0.427s

I have replaced my server IP with **.***.***.*** and the user's email address with user@domain.com for security reasons.
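The log above shows the pattern the original question is about: the envelope sender is an address in the locally hosted domain, yet the message arrived straight from an outside host rather than from the MX-listed filter, and nothing on the server rejected it. As an added example (not code from this thread, from cPanel or from SpamExperts), the Python script below parses Exim "<=" arrival lines of that shape and flags exactly that combination: a local sender domain delivered from a host that is neither the filter's delivery range nor authorised by the domain's SPF record. The list of local domains, the filter's network range, the SPF record and the sample log lines are all constructed for the example (the SPF record stands in for the DNS TXT lookup a real check performs, and only ip4/ip6/all mechanisms are evaluated; include, a and mx would need DNS). The HELO check at the end is an assumption about what the "Require remote (domain) HELO" option mentioned later in the thread rejects, based on its "Host impersonating" message.

```python
"""Flag exim_mainlog arrivals that claim a locally hosted sender domain but
came from a host that is neither the upstream filter nor SPF-authorised.
Every constant and log line below is constructed for this example."""
import re
from ipaddress import ip_address, ip_network

# Domains hosted on this server (assumption for the example).
LOCAL_DOMAINS = {"domain.com"}
# Networks the MX-listed filter hands mail off from (constructed; use the
# ranges your filtering provider actually publishes).
FILTER_NETS = [ip_network("203.0.113.0/24")]
# Constructed SPF record, standing in for a DNS TXT lookup of the domain.
SPF_RECORDS = {"domain.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"}

# Exim "<=" (message arrived) line: sender, then H=[hostname ][(helo) ][ip]:port.
# Hostname and HELO are both optional in Exim's output.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\]:\d+"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, ip):
    """Minimal SPF evaluation over ip4/ip6/all mechanisms only.
    include, a and mx need DNS and are treated as non-matching here."""
    addr = ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ip_network(mech.split(":", 1)[1], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # record ran out without an "all" term


def parse_arrival(line):
    m = ARRIVAL_RE.match(line)
    return m.groupdict() if m else None


def assess(line):
    """Return a list of findings for one arrival line (empty = nothing odd)."""
    rec = parse_arrival(line)
    if rec is None:
        return []
    findings = []
    sender = rec["sender"].strip("<>")
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    ip = ip_address(rec["ip"])
    via_filter = any(ip in net for net in FILTER_NETS)
    if domain in LOCAL_DOMAINS and not via_filter:
        findings.append("local sender domain delivered directly, bypassing MX filter")
        result = spf_check(SPF_RECORDS.get(domain, ""), rec["ip"])
        if result != "pass":
            findings.append(f"spf={result} for {domain} from {ip}")
    # Assumed semantics of the "Require remote HELO" ACL: HELO names a local domain.
    helo = (rec["helo"] or "").strip("[]").lower()
    if helo in LOCAL_DOMAINS:
        findings.append(f"HELO impersonates local domain {helo}")
    return findings


def scan(lines):
    """Map message id -> findings for every parseable arrival line."""
    out = {}
    for line in lines:
        rec = parse_arrival(line)
        if rec:
            out[rec["msgid"]] = assess(line)
    return out


SAMPLE_LOG = [  # constructed, modelled on the line posted above
    "2019-04-02 08:11:25.345 [2489446] 1hBCdo-00ARcM-UL <= user@domain.com "
    "H=([5.76.71.62]) [5.76.71.62]:11180 I=[192.0.2.10]:25 P=esmtp S=2955",
    "2019-04-02 09:00:00.000 [2489500] 1hBDPa-00ARdX-Qz <= user@domain.com "
    "H=mx1.filter.example [203.0.113.5]:40000 I=[192.0.2.10]:25 P=esmtps S=4000",
    "2019-04-02 09:05:00.000 [2489600] 1hBDUk-00ARfA-Rr <= bob@example.net "
    "H=(domain.com) [198.51.100.77]:52000 I=[192.0.2.10]:25 P=esmtp S=1200",
]

if __name__ == "__main__":
    for msgid, findings in scan(SAMPLE_LOG).items():
        print(msgid, findings or "ok")
```

Run against a real log, the interesting hits are those with both the "bypassing MX filter" and the "spf=fail" findings: they are the messages an Exim ACL that checks SPF on the envelope sender (or a rule that only accepts mail for these domains from the filter's ranges) would have rejected, which is the enforcement the original question asks for.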
Hello @Wade John Beckett, Here's a response from the link referenced earlier in this thread:

    One additional option to consider is Require remote (domain) HELO found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. EX:

        "REJECTED - Bad HELO - Host impersonating [testing.tld]"

    Thank you.

This should be useful in your case because the emails are sent to an email account hosted locally on the cPanel server. Thank you.