Prevent email forging / incoming email that seems to come from self
On our server many email users (including me) sometimes find spam emails that seem to come from their own email address.
Looking into the email headers it's obvious that these emails come from other servers (sometimes even the real sending address can be found). Though that doesn't seem to be a critical case, most of these messages try to terrify the user and make them believe their account was hacked, and then blackmail them.
Is there any simple option to enable (or rule to add) in order to prevent that email to be delivered? Something like: if from_address == to_address AND from_server != to_server -> block email. Any instructions on how to apply such option/rule would be appreciated.
Thank you in advance!!
Folks, as this seems to be a recurring theme, what are your thoughts on a simple global filter? Could one be created along the lines of: if from contains mydomain.com and any header does not contain something else then fail
Until SPF and DKIM adoption is taken seriously (or if someone can come up with a better, similar solution), this is going to continue to be a problem. Any other "fix" is just going to be a temporary band-aid solution. What is utterly shocking though... is that it's taken the general population this long to realize that email senders can be faked.
Note that the accounts have SPF, DKIM and DMARC entries set.
Well... by adoption, I meant on the receiving end. Signing your messages with DKIM doesn't do jack if the receiving end doesn't accept/deny wholly based on that signature verifying. And there are way too many people that don't sign their messages or sign their messages improperly (i.e. anyone that forwards mail sent to mydomain.tld to their Gmail address because they want to look more professional with their mydomain.tld email address... but don't really want to leave Gmail behind). ... And no, we don't wholly accept/deny messages based on SPF and DKIM either. Can you imagine the backlash we'd get when little Johnny can't get email from some company because that company doesn't use DKIM or SPF or otherwise has it done improperly? That's what I mean about adoption of SPF and DKIM being taken seriously (and perhaps a tongue-in-cheek way of saying... it ain't ever going to happen).
Is there any simple option to enable (or rule to add) in order to prevent that email to be delivered? Something like: if from_address == to_address AND from_server != to_server -> block email. Any instructions on how to apply such option/rule would be appreciated.
Hello @Anastasios Pikri, Here's a response from
One additional option to consider is Require remote (domain) HELO, found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. Thank you.
Doesn't this just force a remote mail server to use a HELO/EHLO name that does not exist on the server? How does that prevent MAIL FROM forging? It's rather trivial to use any name in the HELO/EHLO exchange.
Doesn't this just force a remote mail server to use a HELO/EHLO name that does not exist on the server? How does that prevent MAIL FROM forging? It's rather trivial to use any name in the HELO/EHLO exchange.
Hello, You are correct. It remains possible to circumvent the option by using a different domain during the HELO/EHLO exchange. While it doesn't address the core of the issue, I've seen multiple reports where it's been effective as a temporary mitigation strategy because it's common for spammers to set up their scripts/bots to automatically use the local domain they are sending "to" during the HELO/EHLO exchange. Thank you.
I've added this to the Email Filters: Body - Matches Regex: [Hh]ow\s+[Tt]o\s+[Bb]uy\s+[Bb]itcoin|[Aa]\s+fair\s+price\s+for\s+our\s+little\s+secret Then Discard Message. I would prefer to add something server-wide to identify these self-addressed emails.
If from self then spf fail +10?
I would prefer to add something server-wide to identify these self-addressed emails.
Hello @Nahoo, You could set that up as an Exim system filter rule per the instructions on the link below: How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation Thank you.
If from self then spf fail +10?
This may help, but it may also block legitimate email if an email user intentionally sends themselves email messages. Thank you.
When this started happening here we had SpamAssassin scoring that should have filtered it. We could manually run "spamassassin -t" on the emails and they would be scored much higher than the spam threshold, but they weren't being filtered when received. Eventually it was discovered that the emails seemed to be just over 200KB in size, allowing the emails to get through because we had never changed the default size (200KB) above which SpamAssassin does not scan (set in the basic Exim configuration). These spammers seem to realize that many of us have left this default in place, and they're getting these emails through by making sure they are larger than 200KB.
This may help, but it may also block legitimate email if an email user intentionally sends themselves email messages. Thank you.
I meant that if it is from yourself, then add plus 10 if it also fails SPF, as it is unlikely that these spammers are actually sending from an approved server.
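The rule asked for in the original question, refined as in the reply above (self-addressed to a local domain and failing authentication gets +10, while a user who really mails themselves from an authenticated source is left alone), written out as an added example that is not from the thread or from cPanel. It reads the Authentication-Results header the receiving MTA stamps on the message; the local domain and the sample headers are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this server hosts (constructed for the example).
LOCAL_DOMAINS = {"example.com"}

# Pulls "spf=fail", "dkim=pass", "dmarc=none" ... out of Authentication-Results (RFC 8601).
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I)

def auth_results(msg):
    """Map each mechanism to its result, e.g. {"spf": "fail", "dmarc": "fail"}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, res in AUTH_RESULT.findall(hdr):
            results[mech.lower()] = res.lower()
    return results

def self_forgery_score(raw):
    """Return (score, reason) for one RFC 5322 message.

    +10 when From and To share one of our local domains and none of SPF, DKIM
    or DMARC passed. Self-addressed mail that does authenticate (a user really
    mailing themselves, the false positive raised in the thread) scores 0."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    if not from_dom or from_dom != to_dom or from_dom not in LOCAL_DOMAINS:
        return 0, "not self-addressed to a local domain"
    auth = auth_results(msg)
    if any(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        return 0, "self-addressed but authenticated: %s" % auth
    return 10, "self-addressed and unauthenticated: %s" % (auth or "no Authentication-Results")

# Constructed sample headers (not real mail).
FORGED = """From: alice@example.com
To: alice@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail

"""
LEGIT_SELF = """From: alice@example.com
To: alice@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

"""
```

The score is meant to be added to the spam score rather than used as a hard block, which keeps the false-positive risk the reply mentions low.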
When this started happening here we had SpamAssassin scoring that should have filtered it. We could manually run "spamassassin -t" on the emails and they would be scored much higher than the spam threshold, but they weren't being filtered when received. Eventually it was discovered that the emails seemed to be just over 200KB in size, allowing the emails to get through because we had never changed the default size (200KB) above which SpamAssassin does not scan (set in the basic Exim configuration). These spammers seem to realize that many of us have left this default in place, and they're getting these emails through by making sure they are larger than 200KB.
Hello @MediaServe, The default value for the Apache SpamAssassin™: message size threshold to scan setting was changed to 1000KB in cPanel & WHM version 78: Implemented case CPANEL-23522: Change default minimum spam scan size to 1000K. Thank you.