Clients receiving spam from themselves, but not being sent from server?

GreenQ

Registered
Sep 26, 2016
2
0
1
South Africa
cPanel Access Level
Root Administrator
Hi,

I am currently experiencing an issue where users are receiving SPAM from themselves. Could you kindly assist? I have root access (cloud server).
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello,

Could you provide an example from /var/log/exim_mainlog when this happens? EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Replace "MSGID" with the message ID listed in the headers of one of the messages.

Thank you.
 

GreenQ

Registered
Sep 26, 2016
2
0
1
South Africa
cPanel Access Level
Root Administrator
Hello,

Could you provide an example from /var/log/exim_mainlog when this happens? EX:

Code:
exigrep MSGID /var/log/exim_mainlog
Replace "MSGID" with the message ID listed in the headers of one of the messages.

Thank you.
2016-10-02 18:39:10
Code:
1bqjn0-000DNS-6b H=([210.56.17.83]) [210.56.17.83]:24920 Warning: "SpamAssassin as wwwgreenqco detected message as spam (27.6)"
2016-10-02 18:39:10 1bqjn0-000DNS-6b <= [email protected] H=([210.56.1                  7.83]) [210.56.17.83]:24920 P=esmtp S=4526 [email protected]                  R1JPD77R T="From International Company" for [email protected]
2016-10-02 18:39:10 1bqjn0-000DNS-6b => info <[email protected]> R=virtual_user                   T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> kAjXKi448Vf2yAAAHoDy                  TA Saved"
2016-10-02 18:39:10 1bqjn0-000DNS-6b Completed
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
1bqjn0-000DNS-6b H=([210.56.17.83]) [210.56.17.83]:24920 Warning: "SpamAssassin as wwwgreenqco detected message as spam (27.6)"
This suggests SpamAssassin is accurately detecting the spoofed message as SPAM. Emails with spoofed "FROM" addresses are common SPAM techniques, but you can safely ignore this when SpamAssassin correctly blocks the message. In cPanel version 58, SPF checking is automatically enabled through SpamAssassin to help prevent these types of emails.

Thank you.
 
  • Like
Reactions: SysSachin

phillbooth

Active Member
Sep 9, 2013
41
4
8
cPanel Access Level
Root Administrator
SPF checking will only work if you have an SPF in the domains DNS. I would advise you to use a DKIM as well.

You need to go to Cpanel > EMAIL > Authentication and make sure these are added.

If you use an external DNS service, rather than your server own PowerDNS service then you will have to copy the SPF the DKIM if your data over.