Email Phishing and spoofing On server

5 comments

  • cPRex Jurassic Moderator

    Hey there!  I wish I had a good answer for this one, but if there was any type of tool or code that would block phishing attempts, the person creating that tool would be very rich.

    You may want to make sure you have Greylisting enabled, as that helps block most incoming spam from the server.  You can also examine other tools we have here: https://docs.cpanel.net/knowledge-base/email/how-to-prevent-email-abuse/

    0
  • Metro2

    Maybe someone has a better suggestion, but if I were you I would log into cPanel and in Email > Email Deliverability, I would confirm that DKIM and SPF exist correctly (and in your SPF only have your server's IP along with any specific includes if necessary) and then...

    In cPanel > Domains > Zone Editor, create a DMARC record and set the Policy to "Quarantine" and set it to generate failure reports to an email address that you check frequently.

    Anyone please correct me if I'm wrong, but what I think that should do is prevent the spoofed messages from getting through, and generate an email report of each attempt to the OP.

    Hopefully that gets you started on the right path at least.

    0
  • mtindor

    SPF / DKIM / DMARC p=quarantine or p=reject will not stop the emails from coming into the server.   The cPanel server does not do any sort of blocking based upon DMARC (or DKIM or SPF) status by default.   You'd likely have to do that through SpamAssassin rules and such.

     

    SPF / DKIM / DMARC are intended to tell remote hosts (who accept mail from your domain) which emails are reputable (pass SPF/DKIM/DMARC) and which are not, so that those remote mailsystems can make a determination.

    Exim / SpamAssassin on cPanel is basically "dumb" when it comes to processing inbound mail and grading it based upon SPF / DKIM / DMARC.   There may be a way to enable rejecting incoming messages that fail DMARC in Exim -- but if there is it is not enabled automatically.

    There are likely spamassassin rulesets already in place in your SpamAssassin that can be used (if appropriate plugins are enabled in SpamAssassin) to flag the incoming message with a high enough value that it would either dump it into spam or reject it outright.

    https://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dmarc.html - what is possible (if support is present in cPanel Exim) as far as blocking on SPF / DKIM / DMARC failures

    0
  • Metro2

    Thanks for the valuable input mtindor, very enlightening. Thankfully I didn't provide the OP with any "bad" advice, just not the advice they need for a solution.

    And please correct me if I'm wrong - at least with correct DKIM/SPF/DMARC, the spoofs will only come to the OP, while remote recipients would be protected / the OP's domain rep would be protected from spoofs being able to be generated to anyone else outside of his domain and server IP. In other words - if an email from his domain is not generated from his actual server IP, then the message will be blocked from sending to a remote recipient, correct?

    0
  • mtindor

    Remote recipients would be "protected" in general, but only if the remote mailsystems quarantine/block based upon failures.   We all know that the "big guys" do -- AOL, Gmail, Yahoo, Microsoft, etc.   But there are a gazillion mailsystems out there that don't yet pay enough attention to DMARC p=quarantine and things like that to quarantine emails.   But if the remote system does, yep those users are protected for the most part.

    Yes, in general you are right as far as your last sentence -- but only if the remote mailserver quarantines or blocks on SPF or DKIM or DMARC failures.  Really there are a lot of servers that do not do that (just like most cPanel servers don't).  

    Mike

    0
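
The point made in the replies above, as an added Python illustration (not part of the thread and not cPanel, Exim or SpamAssassin code): how a receiving mail system that evaluates DMARC reaches a disposition, and why the same spoofed message is delivered when the receiver does not enforce it. The domain names and the record are constructed, organizational-domain matching is simplified to the last two labels, and the `pct` and `sp` tags are ignored.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed (default)

def dmarc_disposition(from_domain, record, spf_result, spf_domain,
                      dkim_result, dkim_domain, receiver_enforces=True):
    """Return 'none', 'quarantine' or 'reject' for one inbound message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"      # DMARC pass: deliver normally
    if not receiver_enforces:
        return "none"      # receiver ignores DMARC, so the published policy has no effect
    return tags.get("p", "none")

# Constructed sample data; example.com and unrelated.test are placeholders.
RECORD = "v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.com; fo=1"
SPOOF = dict(from_domain="example.com", record=RECORD,
             spf_result="pass", spf_domain="unrelated.test",  # SPF passes, but for another domain
             dkim_result="none", dkim_domain="")
LEGIT = dict(from_domain="example.com", record=RECORD,
             spf_result="pass", spf_domain="example.com",
             dkim_result="pass", dkim_domain="example.com")

if __name__ == "__main__":
    print("legit, enforcing receiver:    ", dmarc_disposition(**LEGIT))
    print("spoof, enforcing receiver:    ", dmarc_disposition(**SPOOF))
    print("spoof, non-enforcing receiver:", dmarc_disposition(**SPOOF, receiver_enforces=False))
```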
