Email phishing and spoofing on server
I have an issue with my email being spoofed with phishing emails.
I have moved to a new server on Namecheap VPS hosting and started receiving emails with bitcoin requests from myself. I know it's a scam/phishing, so I reached out to Namecheap support, but after I sent the headers and they looked at the system, they can't find anything wrong.
I have removed all files and reinstalled WordPress, cleared all else... same issue.
Now the support mention blocking the IP address... As a temporary solution it may work, until the next day when I got the same notice from a different IP and country... So it's useless.
So this is my question, since I can't submit a ticket to cPanel directly...
How can I set up a check that will deny any emails that are trying to phish my account?
I mean, in order to send email I have to authenticate with the server? So how are they able to send emails that are supposed to be authenticated, without authentication?
And yes, I have 2FA, changed the password, scanned the whole system... so I'm at a loss.
Could this be a solution?
Blocking all un-authenticated spoofed outbound emails
Add the following code below acl_not_smtp:
deny
  condition = ${if !match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
  message = Sorry, you don't have permission to send email from this server with a header that states the email is from ${lc:${domain:${address:$h_from:}}}
accept
Blocking all authenticated spoofed outbound emails
Add the following code below acl_not_smtp:
deny
  authenticated = *
  condition = ${if !match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
  message = Sorry, you don't have permission to send email from this server with a header that states the email is from ${lc:${domain:${address:$h_from:}}}
accept
Or is there another solution I can implement?
-
Hey there! I wish I had a good answer for this one, but if there was any type of tool or code that would block phishing attempts, the person creating that tool would be very rich.
You may want to make sure you have Greylisting enabled, as that helps block most incoming spam from the server. You can also examine other tools we have here: https://docs.cpanel.net/knowledge-base/email/how-to-prevent-email-abuse/
-
Maybe someone has a better suggestion, but if I were you I would log into cPanel and in Email > Email Deliverability, I would confirm that DKIM and SPF exist correctly (and in your SPF only have your server's IP along with any specific includes if necessary) and then...
In cPanel > Domains > Zone Editor, create a DMARC record, set the Policy to "Quarantine" and set it to generate failure reports to an email address that you check frequently.
Anyone please correct me if I'm wrong, but what I think that should do is prevent the spoofed messages from getting through, and generate an email report of each attempt to the OP.
Hopefully that gets you started on the right path at least.
-
SPF / DKIM / DMARC p=quarantine or p=reject will not stop the emails from coming into the server. The cPanel server does not do any sort of blocking based upon DMARC (or DKIM or SPF) status by default. You'd likely have to do that through SpamAssassin rules and such.
SPF / DKIM / DMARC are intended to tell remote hosts (who accept mail from your domain) what emails are reputable (pass SPF/DKIM/DMARC) and what doesn't so that those remote mailsystems can make a determination.
Exim / SpamAssassin on cPanel is basically "dumb" when it comes to processing inbound mail and grading it based upon SPF / DKIM / DMARC. There may be a way to enable rejecting incoming messages that fail DMARC in Exim -- but if there is it is not enabled automatically.
There are likely spamassassin rulesets already in place in your SpamAssassin that can be used (if appropriate plugins are enabled in SpamAssassin) to flag the incoming message with a high enough value that it would either dump it into spam or reject it outright.
https://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dmarc.html - what is possible (if support is present in cPanel Exim) as far as blocking on SPF / DKIM / DMARC failures
-
Thanks for the valuable input, mtindor, very enlightening. Thankfully I didn't provide the OP with any "bad" advice, just not the advice they need for a solution.
And please correct me if I'm wrong - at least with correct DKIM/SPF/DMARC , the spoofs will only come to the OP, while remote recipients would be protected / the OP's domain rep would be protected from spoofs being able to be generated to anyone else outside of his domain and server ip. In other words - if an email from his domain is not generated from his actual server IP, then the message will be blocked from sending to a remote recipient, correct?
-
Remote recipients would be "protected" in general, but only if the remote mailsystems quarantine/block based upon failures. We all know that the "big guys" do -- AOL, Gmail, Yahoo, Microsoft, etc. But there are a gazillion mailsystems out there that don't yet pay enough attention to DMARC p=quarantine and things like that to quarantine emails. But if the remote system does, yep those users are protected for the most part.
Yes, in general you are right as far as your last sentence -- but only if the remote mailserver quarantines or blocks on SPF or DKIM or DMARC failures. Really there are a lot of servers that do not do that (just like most cPanel servers don't).
Mike
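To make concrete what mtindor describes, that it is the receiving system, not the cPanel server by default, which checks SPF/DKIM against the From: domain and applies the DMARC policy, here is an added Python model written for this thread (it is not cPanel's or Exim's code). It assumes the SPF and DKIM checks themselves have already been done and are passed in as results, simplifies the organizational domain to the last two labels instead of using the Public Suffix List, and uses constructed domains and a constructed DMARC record.

```python
from email.utils import parseaddr

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into its tags,
    filling in the RFC 7489 defaults for the alignment modes."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels;
    a real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain. An empty auth domain never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_header: str, spf_result: str,
                      spf_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """What a receiving server does once it has its own SPF result (for the
    envelope-sender domain) and DKIM result (for the d= domain): one of them
    must pass AND align with the RFC5322.From domain, otherwise the published
    p= policy applies. Returns 'pass', 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    # Constructed record and a constructed spoof: the forged From: is our domain,
    # SPF passes only for the sender's own envelope domain, and there is no DKIM.
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=r; adkim=r"
    print(dmarc_disposition(rec, "Me <me@example.com>", "pass", "attacker.example", "none", ""))  # quarantine
    print(dmarc_disposition(rec, "Me <me@example.com>", "pass", "example.com", "none", ""))       # pass
```

The same forged message arriving at a server that runs no such check (as the thread notes most cPanel servers do not by default) is simply delivered, which is why the policy protects remote recipients rather than the OP's own inbox.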