
Reject email (spam) when the From address IP does not match the mail server IP

Comments

14 comments

  • cPRex Jurassic Moderator
    Hey there! It's interesting that you say the messages are fully authenticated. Could you post the mail headers here, just removing any public details like domains or IPs?
    0
  • Ashtor
    Here it is:
    Delivered-To: {{*privacy* MY_GMAIL}}
    Received: by 2002:a17:90b:3601:0:0:0:0 with SMTP id ml1csp5302349pjb; Wed, 3 Mar 2021 10:36:46 -0800 (PST)
    X-Google-Smtp-Source: ABdhPJzQcytWGei8QrnPQAXYdBSVXEqlrb0wQeHKSzPAolUVRvqDc7CB03/uj23QZkhyCTe3DJnP
    X-Received: by 2002:a17:906:fc1c:: with SMTP id ov28mr203083ejb.342.1614796606032; Wed, 03 Mar 2021 10:36:46 -0800 (PST)
    ARC-Seal: i=1; a=rsa-sha256; t=1614796606; cv=none; d=google.com; s=arc-20160816; b=iljbHVJrUTRhJJpe5B+5claRJh+zHeuJl5DrqVI6De5Dd0JPKrrJclRtS9JrzirL7e zZj+07VaTdLpUPycW7w4P8HcSgz8GXU3NV+1nixV9kfg2ZF9DFCetCC2b6Lh2mZHp5nq 3ba5/5fQMs7ZsVPQCSsGDPCQiqc3kX8jUQHxgx2quPkkVdJSLJB+ZDJjLkB8jxekyadR 4b+eetuXbZk0uEr0nOQtxhctIGyetX5fA2QwUtZ1Mb+vor8BKehAxEmLWJ3LjvmcE5nU H0YDXFtBUKzxwybSd5xEo6J3rKkzgxCPLlmDsRZXcAoU3pSt7QvMY+8dsKP2hE+qJ4/2 ojDw==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:message-id:from:date:subject :to:dkim-signature; bh=1g/SB2vjVgVOydh3c6TA8OkGj1e24f9UOnnoTCBn65E=; b=f0HlNvwcT4HGuzrxJ9VqunKZiFWXl3FWjeoLTWI7WTpDQce/Hl82p1oh2FrMMiRmFc ynfc6179sM+HPs4waby83jyAXoCaOvxnrCV+88q6vxetJYdNsJXyF3SPoXlfFvlLTfyV B5IBIPKjg0k3hQySRgbtiyp3vy5FzDpvoioQSG0FKYLYJciQdhgC0bdn32eH/16WFSi eTXZBx7ecxJ+gRuj6WPj5ExLo/mVS0GIV6DBnHs/O1LFz/tzbtCRwdcIthrAUKepzZ4w x/Zyfaz2kaacLTbrcpBlvKVKgwfvfA17hA0VkVyNhv6bmf7mbXPrm/SuWav6UH2Jp8LX WDqA==
    ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@{{*privacy* MY_ADDON_DOMAIN}} header.s=default header.b="KjPKM0/5"; spf=pass (google.com: domain of hello@{{*privacy* MY_ADDON_DOMAIN}} designates {{*privacy* MY_WHM_IP}} as permitted sender) smtp.mailfrom=hello@{{*privacy* MY_ADDON_DOMAIN}}; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from={{*privacy* MY_ADDON_DOMAIN}}
    Return-Path:
    Received: from {{*privacy* MY_WHM_HOST}} ({{*privacy* MY_WHM_HOST}}. [{{*privacy* MY_WHM_IP}}]) by mx.google.com with ESMTPS id ly21si7285631ejb.128.2021.03.03.10.36.45 for <{{*privacy* MY_GMAIL}}> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Mar 2021 10:36:45 -0800 (PST)
    Received-SPF: pass (google.com: domain of hello@{{*privacy* MY_ADDON_DOMAIN}} designates {{*privacy* MY_WHM_IP}} as permitted sender) client-ip={{*privacy* MY_WHM_IP}};
    Authentication-Results: mx.google.com; dkim=pass header.i=@{{*privacy* MY_ADDON_DOMAIN}} header.s=default header.b="KjPKM0/5"; spf=pass (google.com: domain of hello@{{*privacy* MY_ADDON_DOMAIN}} designates {{*privacy* MY_WHM_IP}} as permitted sender) smtp.mailfrom=hello@{{*privacy* MY_ADDON_DOMAIN}}; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from={{*privacy* MY_ADDON_DOMAIN}}
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d={{*privacy* MY_ADDON_DOMAIN}}; s=default; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:From:Date:Subject:To:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=1g/SB2vjVgVOydh3c6TA8OkGj1e24f9UOnnoTCBn65E=; b=KjPKM0/5an1McrJH5IldcpWLcy 4S0ROX8V75MOlSgOpDskxkR8mNhoQ2E/H3M/aCU4DuZAnqhK1wqjgSXGpgAW2XdvjsLpEvLn+DETn chjuj6gPu6Pygw+rvSPo0V+GD1gvIpsJ9uSwsZLO+QYs86pePLS47ajEDpqj6urkLIe1wIs6WQAJr tMHPNwgsOffQxUwcNqAW7b0PIy0wrIssIg6Nsx+u2SYHzVqnZnNAYwHmA9+TXtyxh5vPVWpCt6BPz Knkhf6IIloj7ZZlvhv0M2HoGgFcm1ZN35scb1lN60fMSENJE9NqK+F3bsFg08rvv58KEMhFgttfq9 Dv5AK9zg==;
    Received: from srv2.pixelstar.hu ([185.43.207.238]:42950 helo=pixelstar.hu) by {{*privacy* MY_WHM_HOST}} with esmtp (Exim 4.94) (envelope-from ) id 1lHWMV-0002sI-P5 for hello@{{*privacy* MY_ADDON_DOMAIN}}; Wed, 03 Mar 2021 19:36:45 +0100 {{** Here is -> foreign hostname/IP **}}
    Received: by pixelstar.hu (Postfix, from userid 33) id 8989023F98A; Wed, 3 Mar 2021 19:36:03 +0100 (CET)
    To: "hello@{{*privacy* MY_ADDON_DOMAIN}}"
    Subject: DKIM teszt 4876
    Date: Wed, 3 Mar 2021 19:36:03 +0100
    From: "hello@{{*privacy* MY_ADDON_DOMAIN}}"
    Message-ID: <5b1265bd88dd11e72f08a64bd2b9f22d@www.vevovelemeny.hu> {{** E-mail sent from foreign domain name **}}
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="b1_5b1265bd88dd11e72f08a64bd2b9f22d"
    Content-Transfer-Encoding: 8bit
    X-Spam-Status: No, score=2.0
    X-Spam-Score: 20
    X-Spam-Bar: ++
    X-Ham-Report: Spam detection software, running on the system "{{*privacy* MY_WHM_HOST}}", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
      Content preview: Kedves Címzett, Kérésére hamarosan válaszolunk. Feladó: hello@{{*privacy* MY_ADDON_DOMAIN}} Kedves Címzett, Kérésére hamarosan válaszolunk [Hungarian: "Dear Addressee, we will reply to your request shortly. Sender: hello@..."]
      Content analysis details: (2.0 points, 5.0 required)
       pts rule name              description
      ---- ---------------------- --------------------------------------------------
       1.5 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
       0.0 HTML_MESSAGE           BODY: HTML included in message
       0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current years
    X-Spam-Flag: NO
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - {{*privacy* MY_WHM_HOST}}
    X-AntiAbuse: Original Domain - {{*privacy* MY_ADDON_DOMAIN}}
    X-AntiAbuse: Originator/Caller UID/GID - [xx xx] / [xx xx]
    X-AntiAbuse: Sender Address Domain - {{*privacy* MY_ADDON_DOMAIN}}
    X-Get-Message-Sender-Via: {{*privacy* MY_WHM_HOST}}: redirect/forwarder owner hello@{{*privacy* MY_ADDON_DOMAIN}} -> {{*privacy* MY_GMAIL}}
    X-Authenticated-Sender: {{*privacy* MY_WHM_HOST}}: hello@{{*privacy* MY_ADDON_DOMAIN}}
    0
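Read bottom-up, the Received: chain in the post above tells the whole story: the message entered the WHM host from srv2.pixelstar.hu [185.43.207.238], the local SpamAssassin scored it SPF_SOFTFAIL (only 1.5 points), and it then left for Gmail from the WHM IP carrying a fresh DKIM-Signature for the addon domain, so at Gmail SPF, DKIM and DMARC all pass. The script below is an added example, not code from the thread or from cPanel: it applies the rule the thread is asking for to a constructed, redacted copy of those headers. It finds the hop where the message first reached our own host, flags a hosted From: domain that arrived from a foreign, unauthenticated source, and separately reports whether our own DKIM signature sits above that hop (the laundering step). The domain, hostname and IP constants are stand-ins for the values redacted in the post.

```python
# Added example: apply the thread's rule to a message's Received: chain.  If the
# From: domain is hosted here, the hop where the message first reached our
# server must be our own IP or an SMTP-AUTH session; otherwise it is a spoof.
# A second check flags the laundering: our DKIM signature above that hop.
import email
import email.utils
import re
from ipaddress import ip_address, ip_network

# Assumed stand-ins for the values redacted in the thread.
LOCAL_DOMAINS = {"addon.example"}
OUR_HOSTNAMES = {"whm.example"}
OUR_NETWORKS = [ip_network("203.0.113.10/32")]

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s.*?\bby\s+(?P<by>\S+)",
    re.I | re.S)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
AUTH_RE = re.compile(r"\bwith\s+(?:utf8)?esmtps?a\b", re.I)  # Exim esmtpa/esmtpsa

def unfold(raw):
    """Join folded continuation lines so every header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_received(value):
    """One Received: header -> dict; None for 'Received: by ...' (no 'from')."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ipm = IP_RE.search(m.group("info") or "") or IP_RE.search(value)
    return {"helo": m.group("helo"),              # attacker-chosen, never trusted
            "ip": ipm.group(1) if ipm else None,  # what the receiving MTA saw
            "by": m.group("by").rstrip(".;").lower(),
            "auth": bool(AUTH_RE.search(value)),
            "raw": value}

def from_our_network(ip):
    return ip is not None and any(ip_address(ip) in n for n in OUR_NETWORKS)

def entry_hop(hops):
    """Bottom-most Received: written by one of our hosts: the point where the
    message entered our infrastructure (everything below it is outsider text)."""
    for hop in reversed(hops):
        if hop and hop["by"] in OUR_HOSTNAMES:
            return hop
    return None

def signed_by_us_above(msg, entry):
    """True if a DKIM-Signature for a hosted domain precedes the entry hop's
    Received: line, i.e. our server signed after accepting from outside."""
    seen = False
    for name, value in msg.items():
        if name.lower() == "dkim-signature":
            d = re.search(r"\bd=([^;\s]+)", value)
            seen = seen or (d is not None and d.group(1).lower() in LOCAL_DOMAINS)
        elif name.lower() == "received" and value == entry["raw"]:
            return seen
    return False

def check(raw):
    msg = email.message_from_string(unfold(raw))
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    entry = entry_hop([parse_received(v) for v in msg.get_all("Received", [])])
    result = {"from_domain": from_domain, "entry_ip": entry["ip"] if entry else None,
              "spoof": False, "laundered": False}
    if from_domain in LOCAL_DOMAINS and entry is not None:
        result["spoof"] = not (entry["auth"] or from_our_network(entry["ip"]))
        result["laundered"] = result["spoof"] and signed_by_us_above(msg, entry)
    return result

# Constructed sample modelled on the redacted headers in the thread.
SPOOF = """\
Received: from whm.example (whm.example. [203.0.113.10])
        by mx.google.com with ESMTPS id ly21si7285631ejb.128 for <victim@gmail.example>
DKIM-Signature: v=1; a=rsa-sha256; d=addon.example; s=default; h=From:To:Subject; bh=AAAA; b=BBBB
Received: from srv2.pixelstar.hu ([185.43.207.238]:42950 helo=pixelstar.hu)
        by whm.example with esmtp (Exim 4.94) id 1lHWMV-0002sI-P5 for hello@addon.example
Received: by pixelstar.hu (Postfix, from userid 33) id 8989023F98A; Wed, 3 Mar 2021 19:36:03 +0100 (CET)
From: "hello@addon.example" <hello@addon.example>
Subject: DKIM teszt 4876

body
"""

# Constructed legitimate message: a roaming user submitting over SMTP AUTH.
LEGIT = """\
Received: from [198.51.100.7] (port=51234 helo=laptop)
        by whm.example with esmtpsa (TLS1.2) (Exim 4.94) id 1lZ0Ab-0001Xy-Qz for friend@example.net
From: Alice <alice@addon.example>

body
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, check(raw))
```

Two design points: only the IP inside square brackets is trusted, because it is what the receiving MTA observed, whereas the HELO name and the whole Received: line written by pixelstar.hu are attacker-controlled; and the entry hop is located by the "by" host, since any Received: line below it was not written by us.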
  • cPRex Jurassic Moderator
    Thanks for those details - this is the part that concerns me from those headers: Received: from {{*privacy* MY_WHM_HOST}} ({{*privacy* MY_WHM_HOST}}. [{{*privacy* MY_WHM_IP}}])
    Since the return path shows your WHM server's IP address, that seems to indicate the message was sent from your server. Do you see any evidence of this message coming outbound from your machine in the /var/log/exim_mainlog file?
    0
  • Ashtor
    Logs (new):
    2021-03-04 00:27:35 1lHatx-0004JO-PI H=srv2.pixelstar.hu (pixelstar.hu) [185.43.207.238]:55996 Warning: "SpamAssassin as vj detected message as NOT spam (2.0)"
    2021-03-04 00:27:35 1lHatx-0004JO-PI <= hello@{{*privacy* MY_WHM_HOST}} H=srv2.pixelstar.hu (pixelstar.hu) [185.43.207.238]:55996 P=esmtp S=2219 id=560e80edf61f7fcd2a419d9eab88ca2a@www.vevovelemeny.hu T="DKIM teszt 9156" for hello@{{*privacy* MY_WHM_HOST}}
    2021-03-04 00:27:35 SMTP connection from srv2.pixelstar.hu (pixelstar.hu) [185.43.207.238]:55996 closed by QUIT
    2021-03-04 00:27:35 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lHatx-0004JO-PI
    2021-03-04 00:27:35 1lHatx-0004JO-PI SMTP connection identification D={{*privacy* MY_WHM_HOST}} O=hello@{{*privacy* MY_WHM_HOST}} E={{*privacy* MY_GMAIL}} M=1lHatx-0004JO-PI U=XXX ID=XXXX B=redirect_resolver
    2021-03-04 00:27:35 1lHatx-0004JO-PI Sender identification U=XXX D={{*privacy* MY_WHM_HOST}} S=hello@{{*privacy* MY_WHM_HOST}}
    2021-03-04 00:27:35 1lHatx-0004JO-PI SMTP connection outbound 1614814055 1lHatx-0004JO-PI {{*privacy* MY_WHM_HOST}} {{*privacy* MY_GMAIL}}
    2021-03-04 00:27:36 1lHatx-0004JO-PI => {{*privacy* MY_GMAIL}} (hello@{{*privacy* MY_WHM_HOST}}) R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [108.177.127.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1614814056 p9si7439902edh.186 - gsmtp"
    2021-03-04 00:27:36 1lHatx-0004JO-PI Completed
    0
  • cPRex Jurassic Moderator
    Thanks for that information. It might be a good idea to work through the information on this page to see if you can get even more information:
    0
  • Ashtor
    How do I set up Exim to reject these emails?
    0
  • cPRex Jurassic Moderator
    If there was an easy way to block all spoofed messages, we would have included that directly in the product by default, but unfortunately there just isn't. Were you able to confirm if the message was indeed originating from your server as spam? If not, it would be good to confirm that first, and you're always welcome to open a support ticket with our team so we can examine the system directly.
    0
  • Ashtor
    Scammer says: "I sent you an email from your account ... I hacked your system... pay me bitcoin... etc etc". Like these:
    0
  • Ashtor
    The solution sounds easy to me: IF the sender address is one of my domains -> check the sender's IP address -> IF it is different from my IP, THEN reject / stop forwarding.
    0
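The rule in the comment above, written out as Exim ACL statements. This is an added example, not something from the thread or from cPanel's stock exim.conf. It assumes the `local_domains` domain list that cPanel's configuration defines, a RCPT-time ACL and a DATA-time ACL to place the two statements in (the custom ACL section to paste them into in WHM's Exim Configuration Manager is not shown on this page), and uses 203.0.113.10 as a stand-in for the redacted server IP. Authenticated sessions and locally submitted mail are exempted so webmail and SMTP-AUTH clients keep working.

```exim
# Added example (not cPanel's stock configuration).  Reject unauthenticated use
# of a hosted sender domain from any host that is not the server itself.
# 203.0.113.10 stands in for the redacted server IP; "local_domains" is the
# domain list cPanel's exim.conf already defines (assumption).

# RCPT time: the envelope sender (MAIL FROM) claims one of our domains.
# "hosts = :" (leading empty item) matches local, non-TCP submissions.
deny
  message        = Sender domain $sender_address_domain is hosted here; \
                   submit with SMTP AUTH or from the server itself
  log_message    = spoofed envelope sender $sender_address from \
                   $sender_host_address helo=$sender_helo_name
  sender_domains = +local_domains
  !authenticated = *
  !hosts         = : 127.0.0.1 : 203.0.113.10

# DATA time: the same rule for the header From:, which is what the recipient
# actually sees.  ${domain:...} yields "" if From: does not parse, so the
# match_domain test is simply false for malformed headers.
deny
  message        = Header From: claims a domain hosted here but the message \
                   did not originate here
  log_message    = spoofed header From: <$h_from:> from $sender_host_address
  condition      = ${if match_domain{${domain:$h_from:}}{+local_domains}}
  !authenticated = *
  !hosts         = : 127.0.0.1 : 203.0.113.10
```

To test without sending anything, `exim -bh 185.43.207.238` starts a simulated SMTP session that walks the ACLs as if the connection came from that address; type the MAIL FROM, RCPT TO and DATA commands by hand and the deny messages appear inline. The trade-off is the one cPRex hints at: any third-party service that legitimately sends as your domain from its own servers is rejected too, so either add its hosts to the `hosts` list or take the standard route instead, an SPF record ending in `-all` plus DMARC `p=reject` and rejection of SPF failures at SMTP time. The headers in this thread show a softfail, which is what a `~all` record produces and why SpamAssassin gave it only 1.5 points.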
  • cPRex Jurassic Moderator
    I still believe it would be best for you to open a ticket with our team. Since you have root access we could check the settings on the server for you and ensure things are secure.
    0
  • BITCOINTIDINGS
    I am interested in whether the above problem has been solved and whether an error has been found that caused taking control of access to the mail? This is very important. Regards
    0
  • cPanelAnthony
    Hello! No ticket was opened for this issue. You can certainly open one using the link in my signature and we can investigate. If you do so, please provide me with the ticket ID.
    0
  • BITCOINTIDINGS
    Hello! I am asking if the above case has been resolved. If there were third parties there, it means that anyone could have such a problem, sooner or later.
    0
  • cPanelAnthony
    Emails being spoofed, etc., is just something that can happen with email in general. The way email is authenticated and sent has to do with Exim; it isn't something cPanel would have control over. Maybe I am misunderstanding you. Can you elaborate in detail regarding what you believe cPanel should provide a fix for specifically? My suggestion would be to write up the full suggestion as detailed as possible and then submit a feature request using the link in my signature. If you do open a feature request, please post it here so we can get some support for it.
    0
