keat63

Well-Known Member
Nov 20, 2014
1,961
266
113
cPanel Access Level
Root Administrator
I found this entry in exim reject log.
I understand why it was rejected, as its listed in an RBL.

2022-06-17 01:18:49 H=(one-of-my-domains.co.uk) [62.197.136.14]:53666 F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (one-of-my-domains.co.uk) [62.197.136.14]:53666 is in an RBL: https://www.spamhaus.org/query/ip/62.197.136.14"

However, what's worrying is that it looks like it came from one of my domains "F=<[email protected]"
cpanel doesn't exist, never has on this domain, 62.197.136.14 is nothing to do with me.

I did find an error in the cpanel against the DKIM record, which i've corrected.
I've no also created a dmark entry
Could someone been spoofing my domain, and would the faulty DKIM allow this ?
 

keat63

Well-Known Member
Nov 20, 2014
1,961
266
113
cPanel Access Level
Root Administrator
I checked out the IP address and there's an IIS server on the end of it.
So effectively, anyone could setup a domain name of microsft.com or google.com then send emails from it ??
Even with spf, dkim and dmarc configured, emails could still be sent from a cloned domain ???
 
Last edited:

sparek-3

Well-Known Member
Aug 10, 2002
2,112
251
388
cPanel Access Level
Root Administrator
SPF and DKIM are both measures aimed at alleviating email spoofing - which is a major cause of spam and phishing messages.

SPF works by including a list or range of IPs that legitimate messages from a domain name will be sent from within the domain name's DNS. When a sending mail server connects to a remote mail server, it's connecting IP is identified. If that SMTP message says to be from an @gmail.com email address AND if the connecting sending mail server IP is NOT listed in gmail.com's SPF record, then the message is very likely a spam or phishing message that is trying to spoof an @gmail.com email address.

(Going slightly off-topic for a bit, but in my opinion, this is why ?all and ~all directives in an SPF record are useless. These operators are saying: "these are probably the only IP addresses that should be sending legitimate mail from this domain." What? You mean you don't know what IP addresses are going to be responsible for sending legitimate mail from your domain name? Figure out what IP addresses are going to be sending out mail from your IP address and set up your SPF record properly and use -all.)

DKIM is similar to SPF but different. DKIM is a utilization of a public/private encryption key pair. The private key is held in secret on the sending server and the public key is added to the domain's DNS record. Using certain defined headers in the message, the sending server will encrypt and create a signature of those headers using the private key. When a receiving server gets the message the DKIM header will tell the receiving server what domain name to look up the public key on, as well as a selector. Selectors allow different messages to be signed with different keys - this tends to have more meaning in larger corporations where billing, sales, marketing, support, etc may be more divided. The receiving server will take this information, as well as the list of headers and compare the included encryption signature with the receiving server's calculation of those headers against the public key encryption signature. If they match, then the message was sent from a server that had the DKIM private key, so it's probably legit.

So if a receiving server gets a message that matches a sending IP address defined in the domain's SPF record AND it's properly signed by a DKIM key, then by all accounts, that message is probably legit.

Now... that still doesn't mean the message isn't spam. People tend to use very weak and stupid passwords for their email accounts, so if a spammer or hacker is able to retrieve that information and send out their spam message through the server hosting that domain... then you're going to get spam that verifies against SPF and verifies against DKIM.

BUT... theoretically, no mail server is going to be able to duplicate IP matching SPF and DKIM matching keys for major email service providers - like Gmail, Microsoft, Yahoo, etc. So while someone on your server can still send a message pretending to be from @gmail.com or @hotmail.com - those messages aren't going to very against SPF and DKIM. Still can get your server blacklisted though, because receiving servers are going to see your server attempting to spoof email addresses.