Skip to main content

Rewrite header to match actual sender for the incoming emails

amjad.q
Hello, I receive emails show me it's coming from my domain, but when I check the source of email it's show me the real sender is different , Example below source for email show me the email was coming from email@mydomain.com[/EMAIL] but the real sender is email@spam-domain.com[/EMAIL] the source of email as below
------------------------------------------------------------------- Return-Path: Delivered-To: email@mydomain.com Received: from myserver.com by myserver.com with LMTP id 2IGOA+zUEYEBBW63 for ; 20 Oct 2017 11:09:00 +0200 Return-path: Envelope-to: email@mydomain.com Delivery-date: xxxxxxxx Received: from xxxserver.net ([xx.xx.xx.xx]:43674 helo=xxxserver.net) by myserver.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1e6aTZ-00083o-Nj for email@mydomain.com; 20 Oct 2017 11:09:00 +0200 Received: from xxxserver.net ([xx.xx.xx.xx]) by :WBEOUT: with SMTP id yieryeruye4983947ufgd; 20 Oct 2017 11:09:00 +0200 X-SID: 6aJweOOkTRt1B Received: (qmail 144488 invoked by uid 99); 20 Oct 2017 11:09:00 +0200 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="utf-8" X-Originating-IP: xx.xx.xx.xx User-Agent: Workspace Webmail 6.8.14 Message-Id: From: "name" X-Sender: email@spam-domain.com Reply-To: "name" To: email@mydomain.com Subject: RE: xxxxxxx Date: xxxxxxx Mime-Version: 1.0 X-CMAE-Envelope: -------------------------------------------------------------------
I would like to know how can protect myself from them 'deceitful'

Comments

11 comments

Date Votes
  • cPanelMichael
    Hello, Is SpamAssassin enabled for this account? If so, SpamAssassin includes SPF verification by default to help avoid spoofed emails. You could also enable the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you wanted to verify DKIM records: Allow DKIM verification for incoming messages Reject DKIM failures Thank you.
    0
  • amjad.q
    Hello, Thanks for your replay, Yes SpamAssassin, SPF and DKIM both of them are enable The email pass from the check as email@spam-domain.com but in the email show me it's from email@mydomain.com Delivery Details as below ----------------------------------------------------- Event: success success Sender User: myaccount Sender Domain: mydomain.com From Address: email@spam-domain.com Sender: email@mydomain.com Sent Time: xxxxxxxx Sender Host: spam-server.com Sender IP: xxxxx Authentication: forwarder Spam Score: 3.6 Recipient: email@mydomain.com Delivered To: email@mydomain.com Delivery User: myaccount Delivery Domain: mydomain.com Router: virtual_user Transport: dovecot_virtual_delivery_no_batch Out Time: xxxxxxx ID: xxxxxxxxx Delivery Host: localhost Delivery IP: 127.0.0.1 Size: 10.12 KB Result: Accepted -----------------------------------------------------
    0
  • rpvw
    There is a similar thread that may help: Exim filter to rewrite 'From' address on certain incoming mail
    0
  • amjad.q
    Hello, I want to rewrite header "from" to match actual sender for any incoming email, not just for specific domain The email pass from the check as email@spam-domain.com[/EMAIL] so it should be show in the email it's from that email, not another email In the source of email we have X-Sender is email@spam-domain.com and from email@mydomain.com, but the user doesn't see the X-Sender which is the real sender, so we have to rewrite from to be match the real sender
    0
  • cPanelMichael
    Thanks for your replay, Yes SpamAssassin, SPF and DKIM both of them are enable The email pass from the check as email@spam-domain.com[/EMAIL] but in the email show me it's from email@mydomain.com[/EMAIL]

    Hello, That's for outgoing email from your domain name. You'd need to enable SpamAssassin and the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you wanted to verify SPF and DKIM records for incoming email: Allow DKIM verification for incoming messages Reject DKIM failures Thank you.
    0
  • amjad.q
    Hello , I'm using SPF and DKIM to check the incoming emails too, option of SpamAssassin , Allow DKIM verification for incoming messages and Reject DKIM failures are enable The email pass from check of SPF and DKIM as email@spam-domain.com[/EMAIL], you can check the details as below
    ----------------------------------------------------- Event: success success Sender User: myaccount Sender Domain: mydomain.com From Address: email@spam-domain.com Sender: email@mydomain.com Sent Time: xxxxxxxx Sender Host: spam-server.com Sender IP: xxxxx Authentication: forwarder Spam Score: 3.6 Recipient: email@mydomain.com Delivered To: email@mydomain.com Delivery User: myaccount Delivery Domain: mydomain.com Router: virtual_user Transport: dovecot_virtual_delivery_no_batch Out Time: xxxxxxx ID: xxxxxxxxx Delivery Host: localhost Delivery IP: 127.0.0.1 Size: 10.12 KB Result: Accepted -----------------------------------------------------
    so he pass the email form the check as email@spam-domain.com[/EMAIL] but in header of email show it's from email@mydomain.com[/EMAIL], you can check the source of email as above show
    0
  • cPanelMichael
    Hello, Could you open a support ticket using the link in my signature so we can take a closer look? Thank you.
    0
  • amjad.q
    Hello, Thanks for your reply, I have already opened ticket ( ticket number 9066107 ) They did not give a solution for this issue, the told me that (We are limited in how we can help you with spoofed emails like this except make suggestions. In this case, as a courtesy I have verified that all the major cPanel features for combating incoming unsolicited email are on and all the RBL blacklists are in use. ) I wish if you can addition any help to have solution for this issue Thank you .
    0
  • cPanelMichael
    Hello, If the sender is passing DKIM and SPF verification, then it suggests abuse of the domain name for SPAM purposes. In such cases, you may want to consider reporting the issue to the administrator of the remote mail server, or blocking email from the mail server IP address used for sending. Thank you.
    0
  • amjad.q
    Hello, Thanks for your reply Blocking his IP or his hosting isn't solution he will use new server ,I must have solution to protect my server from fraud like this way What about if we can to use a filter in SpamAssassin or script for Exim to check the "X-Sender" if doesn't match the "From:" ignores the email !
    0
  • cPanelMichael
    Hello, To update, it looks like you may have found an alternate solution (using the HEADER_FROM_DIFFERENT_DOMAINS SpamAssassin option) per ticket number 9066107. Feel free to update this thread once the ticket is closed to let us know how it works. Thank you.
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post