  1. #1
    Member
    Join Date
    Apr 2005
    Posts
    246

    Too many phishing emails with MY email address: Exim question

    Hi. I am getting a lot of emails from my own email address. If I look at the headers, it's clear it's not being sent from my server, but the "From" is fakely specified as mine.

    Which rule in Exim's given cpanel config should I use to block this junk? I remember having an ACL in my older Exim file, but had to recently reset all the config to default after an update. Ideally I'd like to leave the ACL as it is, but I am hoping that there is some rule I can enable.

    I tried "Sender Verification Callout" but that doesn't help, because it would connect to my server and find the right email address, because the fake "from" is in fact a valid sender on my server.

    I also thought about "Require incoming SMTP connections to send a HELO that does not match this server's local domains." but this wouldn't work either, because the SMTP connection to this phisher's actual server would return a HELO that is different from mine.

    Anything I'm missing?

    Thanks!

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Setting up SPF verification should help with that

  3. #3
    Member
    Join Date
    Apr 2005
    Posts
    246

    Thanks, but isn't SPF checking a bit dicey given that many domains may not have set SPFs yet?

  4. #4
    AndyReed (cPanel Partner NOC)
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Quote (originally posted by erick_paper):
    Hi. I am getting a lot of emails from my own email address. If I look at the headers, it's clear it's not being sent from my server, but the "From" is fakely specified as mine.

    This is Backscatter: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  5. #5
    Member
    Join Date
    Nov 2008
    Posts
    13

    SPF

    Unfortunately, if you're not using SPF checking you're going to have this type of open relay. Utilize SPF checking, otherwise eventually you will be blacklisted too, so either way your mail won't go through. Been there, done that: add SPF and Domain Keys to each domain. It's simple and you can add it in right through your user level CPANEL, under Mail->Email Authentication.

    I'd also suggest firewalling up, that way you can take care of these nasty mail relayers.

  6. #6
    Member
    Join Date
    Apr 2005
    Posts
    246

    SPF is already enabled for all my domains.

    I have now enabled SPF checking in WHM as well.

    Still no help. Still getting crap emails with fake headers.

    I used to have some ACL rule from years ago which took care of this, I think. Recently I had to "Reset all ACLs" in Exim in WHM before Cpanel's update could go through. So of course I have lost my older ACL. So what's the improvement from Cpanel? Where can I enable the blocking of fake FROM headers?

  7. #7
    Member
    Join Date
    Apr 2005
    Posts
    246

    Quote (originally posted by erick_paper):
    SPF is already enabled for all my domains.

    I have now enabled SPF checking in WHM as well.

    Still no help. Still getting crap emails with fake headers.

    I used to have some ACL rule from years ago which took care of this, I think. Recently I had to "Reset all ACLs" in Exim in WHM before Cpanel's update could go through. So of course I have lost my older ACL. So what's the improvement from Cpanel? Where can I enable the blocking of fake FROM headers?

    More specifically, I would like to enable some of the ACL rules from this old Chirpy thread:

    http://forums.cpanel.net/f21/how-spa...sin-31530.html

    But I'm worried that the new Exim 4 won't croak under these rules? The section in the config file now does say something like:

    Code:
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    #
    # cPanel Default ACL Template Version: 5.9
    # Template: mailman2.exiscan.dist
    #
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    Thanks for any thoughts!

  8. #8
    Member
    Join Date
    Apr 2005
    Posts
    246

    Anyone? Any thoughts?

    Could I put this block in Exim 4's ACL rules:

    Code:
      #---------------------------------------------------------------------
      # BE POLITE AND SAY HELO. REJECT ANYTHING FROM HOSTS THAT HAVEN'T GIVEN
      # A VALID HELO/EHLO TO US.
      #---------------------------------------------------------------------
      deny 
        message = Bad HELO: Empty HELO, Polite hosts say HELO first. Please see RFC 2821 section 4.1.1.1.
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME -HELOS AS ONE OF MY OWN IPS
      # FORGED HELO (OUR IP/HOSTNAME)
      #---------------------------------------------------------------------
      deny message = Forged HELO: You are not $sender_helo_name as you claim. You are not allowed to use it in HELO/EHLO as per RFC Standards.
       !hosts = @[]
       !hosts = +relay_domains
       !authenticated = *
       condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
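
The check the thread is asking for, written as an added example (it is not from the thread or from cPanel's shipped configuration): refuse unauthenticated outside hosts that use a local domain as envelope sender or in the From: header. It assumes a domainlist named local_domains and a hostlist named relay_hosts are defined; substitute the names your configuration uses.

```exim
# Added example, not part of the thread. Assumed names: domainlist
# local_domains, hostlist relay_hosts. Adjust to your configuration.

# --- in the ACL named by acl_smtp_rcpt -------------------------------
# Envelope sender (MAIL FROM) claims one of our domains, but the client
# is neither authenticated, nor a trusted relay, nor this host itself.
deny message = Sender domain $sender_address_domain is local; authenticate to send as it
  !authenticated = *
  !hosts         = +relay_hosts
  !hosts         = @[]
  sender_domains = +local_domains

# --- in the ACL named by acl_smtp_data -------------------------------
# SPF evaluates the envelope sender, not the From: header a mail client
# displays, so a forged From: sent with an unrelated envelope sender
# passes the rule above. Compare the header's domain as well.
# ${address:...} yields an empty string for an unparsable header, in
# which case match_domain is false and the rule does not fire.
deny message = Forged From: header uses a local domain from an unauthenticated host
  !authenticated = *
  !hosts         = +relay_hosts
  !hosts         = @[]
  condition      = ${if match_domain{${domain:${address:$h_from:}}}{+local_domains}{yes}{no}}
```

Both rules also reject legitimate mail that arrives from outside with a local From address, such as messages forwarded back by a third party or sent by an external web form or mailing list, so run them as `warn` with a `log_message` first and review the log before switching to `deny`.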
