Prevent receive "rewritten" address sent behalf of cPanel user
Hello,
We have an issue with some domains on our server which are receiving email from a spammer sending on behalf of our cPanel user name.
This appears in exim_mainlog like this:
From: header (rewritten was: [sample@yahoo.com], actual sender is not the same system user) original=[sample@yahoo.com] actual_sender=[cPanel_username@ourserver.ltd]
Is there any way to mark this kind of email as spam? "Separated SpamBox" is already enabled, and I wrote many filters in exim/sysfilter/options but they don't work, e.g. if $h_from: header contains "rewritten was" then fail
Thanks
Is there a log of these in your exim mainlog? The header indicates the actual sender is the cPanel user. You can find it at /var/log/exim_mainlog
If you can post the full exim log for a message like this that would be helpful. Unless I am reading this incorrectly, this suggests that your cPanel user is spoofing the yahoo.com domain name in an email. That would be outbound spam, not inbound spam.
Thank you very much @cPanelLauren & @rackaid for your replies. This is a log from exim_mainlog:
1ithng-0006CV-SF <= cPanelUserName@MyServer.tld U=cPanelUserName P=local S=552 T="Message from [spammer name]" for mail@myDomain.com
1ithng-0006CV-SF Sender identification U=cPanelUserName D=myDomain.com S=cPanelUserName
1ithng-0006CV-SF From: header (rewritten was: [Spammer_email@yahoo.com], actual sender is not the same system user) original=[Spammer_email@yahoo.com] actual_sender=[cPanelUserName@MyServer.tld]
1ithng-0006CV-SF From: header (rewritten was: [Spammer_email@yahoo.com], actual sender is not the same system user) original=[Spammer_email@yahoo.com] actual_sender=[cPanelUserName@MyServer.tld]
2020-01-21 00:53:49 1ithng-0006CV-SF => info R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 xSYcOpxLJl4mXQAA3zlVNA Saved"
Regards
From your email logs, you appear to have a security issue that allows spammers to send email from that domain. This is most likely being done via a web script. I recommend you review the account in question for security issues, such as outdated software. In WHM, you may want to consider rate-limits for email senders to unknown users. I am not sure you want to put a filter on the sender rewritten header. There could be legitimate web apps that send from a different user than the cPanel user. They would be caught as well.
Actually, @Shood can you show me the output of the following:
egrep 'rewrite_from|srs' /etc/exim.conf.localopts
The output is:
srs=0 rewrite_from=all
This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:
[CODE=bash]grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n[/CODE]
Thank you @cPanelLauren, this is the output:
1 /home/cPanelUser1/public_html
1 /home/cPanelUser2/public_html/assets
2 /home/cPanelUser3/public_html/assets
3 /home/cPanelUser4/public_html
3 /root
4 /home/cPanelUser5/public_html
5 /home/cPanelUser6/public_html
5 /home/cPanelUser7/public_html
13 /home/cPanelUser8/public_html
15 /home/cPanelUser9
16 /home/cPanelUser10/public_html/site
22 /home/cPanelUser11/public_html
1375 /home/cPanelUser12
1522 /etc/csf
Additional info if it assists:
1- I have about 60 domains on this server, not 12
2- cPanelUser2 in the output above is the affected account in the question.
Regards
This doesn't list all the users on the server; it lists all the users in the current exim log who are sending email via a script (by excluding mail originating from directories other than /var/spool/). cPanelUser2, being the user in question, shows only 1 email originating from one of its directories, where cPanelUser12 shows 1375 in the current email log. If the issue isn't still occurring, or if the issue stopped/started prior to the log rotation that includes those dates, you may need to check if you're archiving exim logs. Otherwise, the full exim transaction would be necessary to identify the source:
exigrep /var/log/exim_mainlog
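As an added example (not code from this thread or from cPanel), the following Python does offline what the grep/awk pipeline above does on the live log, and also pulls out every "From: header (rewritten was: ...)" event so the claimed From: address can be matched against the system user that actually submitted the message. The log lines are constructed samples in the shape shown in this thread; the message id, users and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (shape as posted in the thread;
# message id, users, directories and addresses are invented).
SAMPLE_LOG = """\
2020-01-21 00:53:49 cwd=/home/cPanelUser2/public_html/assets 3 args: /usr/sbin/sendmail -t -i
2020-01-21 00:53:49 1ithng-0006CV-SF <= cPanelUserName@MyServer.tld U=cPanelUserName P=local S=552 T="Message from [spammer name]" for mail@myDomain.com
2020-01-21 00:53:49 1ithng-0006CV-SF Sender identification U=cPanelUserName D=myDomain.com S=cPanelUserName
2020-01-21 00:53:49 1ithng-0006CV-SF From: header (rewritten was: [Spammer_email@yahoo.com], actual sender is not the same system user) original=[Spammer_email@yahoo.com] actual_sender=[cPanelUserName@MyServer.tld]
2020-01-21 00:53:49 1ithng-0006CV-SF => info R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 ok Saved"
2020-01-21 00:54:10 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1ithnh-0006CW-AA
2020-01-21 00:55:02 cwd=/home/cPanelUser12 3 args: /usr/sbin/sendmail -t
2020-01-21 00:55:03 cwd=/home/cPanelUser12 3 args: /usr/sbin/sendmail -t
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
# Timestamp is optional because the lines quoted in the thread lack it.
REWRITE_RE = re.compile(
    r"^(?:\S+ \S+ )?(?P<msgid>\S+) From: header \(rewritten was: .*?"
    r"original=\[(?P<original>[^\]]+)\] actual_sender=\[(?P<actual>[^\]]+)\]"
)

def script_senders(log_text):
    """Count submissions per working directory, like the grep/awk pipeline in
    the thread: cwd= lines outside /var/spool are script or CLI submissions."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith("/var/spool"):
            counts[m.group(1)] += 1
    return counts

def rewritten_from(log_text):
    """Return (msgid, claimed From: address, actual submitting sender) for each
    line where Exim rewrote From: because it did not match the system user."""
    events = []
    for line in log_text.splitlines():
        m = REWRITE_RE.match(line)
        if m:
            events.append((m.group("msgid"), m.group("original"), m.group("actual")))
    return events

if __name__ == "__main__":
    for directory, n in script_senders(SAMPLE_LOG).most_common():
        print(f"{n:6d} {directory}")
    for msgid, original, actual in rewritten_from(SAMPLE_LOG):
        print(f"{msgid}: From: claimed {original}, submitted by {actual}")
```

Run it against a real log with `script_senders(open("/var/log/exim_mainlog").read())`; a directory with an unexpectedly high count is the place to start looking for an abused script.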
Thank you @cPanelLauren. This issue stopped occurring, maybe because I blocked the real spammer email address on the user's cPanel. You've asked for "the full exim transaction"; I have listed it in my 2nd reply above.
That can't be the entire transaction, but if the spammer was sending email to your user, then your user was forwarding it, it might account for this behavior.
Thank you @cPanelLauren. Because this issue has stopped occurring and there are no more log details in the old exim_mainlog-...gz files than I've listed above, please consider this ticket as resolved. Regards.
Hi everyone, I think my problem is related to this topic. I'm new in WHM; I read so many forums but I can't resolve my problem. I have the same problem about email that is delivered to instead of. Also I attached one of the Delivery Event Details. How can I solve this problem?
Hi @erol.cakar. Your attachment is unavailable; however, this occurs when the email address does not exist and your Tweak Settings is set to "System account" by default. To ensure: go to Tweak Settings, look for the option [Initial default/catch-all forwarder destination]. You'll find three options: System account, Fail and Blackhole. For me, I prefer the Fail option. Also take a look at this.
Hi again, very appreciative of your answer. I changed server to solve this; I had opened a ticket but after changing server I closed it. It is saying for the Fail option "collect spam mails" but these are not spam. In this it appears delivered but it is going to instead of. I changed [Initial default/catch-all forwarder destination] to Fail but it is not solved, still the same. Sorry for the attachment; recipient and Delivered are different.
The Fail option in Tweak Settings controls how your server will respond to this kind of email; however, receiving spam email is a normal issue for any server, I receive a ton each day. In other words: you can't prevent spammers from sending spam email to your server; however, receiving spam email isn't a security issue itself, I mean it isn't a risk unless it contains malicious links and you clicked them. Also you may enable "Spam Filter" in cPanel by switching on the option Move New Spam to a Separate Folder; in this case you won't see spam emails in your inbox anymore.
Sorry but there is a misunderstanding. These are not spam emails. I set up a new server to correct this problem; I created a new account and it was working. After I transferred all accounts it is the same problem. These are two different servers but the same domain. It is a big headache, please help...
@erol.cakar - could you open a support ticket directly with our team so we can check this issue?