E-mail Spoofing and Spamming

[nkc]

Greetings,

We have started to encounter initially a Spamming through using our User E-mail (10 Accounts have already done this as of today) as a relay to send thousands of E-mails to several E-mails that we have no contact with or is outside of our country.

Then this October, we started to receive a spoofed e-mail that is using the names of our employee and replying to an e-mail thread that they have previously sent but it is from a different e-mail (not from our domain either), it sometimes contains a Word (.doc) file.

I've done several actions already on the cPanel and WHM.

Please see below changes I've done.

- Reset the Password of the E-mail User that is being a relay of Spam and check their workstations for Malwares.
- Configured the sending per hour limit of the E-mails to avoid thousands of being sent.
- Configured Spam Assassin on cPanel.
- Configured further the Spam Assassin on WHM (Exim Configuration Manager).

But prior to the configurations I have done, the issues still occur, receiving Spoofed E-mails and Spamming relay from our E-mail Users.

Seeking assistance the necessary settings that I need to further fortify the receiving of spoofing or an automated response also from the spammed users ( I have somehow observed that the spammed users from the relay are also victims thus we are also receiving a spam from them and some has spoofed our own Names/E-mail).

* What is the best Apache SpamAssassin™ score (Outgoing), current score I placed is 15.5 but spamming (via relay) is still happening.
* What is the best Apache SpamAssassin™ reject spam score 15.5 also, we are still receiving spam and spoofed e-mails
* What other settings should I do both on the cPanel and WHM.

 

[cPanelLauren]

Hello,


When you're saying spoofed email what do you mean exactly? An example of the header might be helpful in order to direct you to the best solution.

Then this October, we started to receive a spoofed e-mail that is using the names of our employee and replying to an e-mail thread that they have previously sent but it is from a different e-mail (not from our domain either), it sometimes contains a Word (.doc) file.

Headers of this would be helpful as well - I can't see how an email could be spoofed with their actual response to it.

Another thing to note is that spoofing does not go hand in hand with outbound mail spam-sending - if your users themselves are finding that mail is being sent from their account that is not mail they sent, the first step to resolve this would be as you noted to change the password. If the mail is originating from your server but through a PHP script you'd need to identify the script that is sending the mail and changing the password of the user would have no effect.

* What is the best Apache SpamAssassin™ score (Outgoing), current score I placed is 15.5 but spamming (via relay) is still happening.

15.5 is pretty conservative but this absolutely would not affect the inbound mail.

* What is the best Apache SpamAssassin™ reject spam score 15.5 also, we are still receiving spam and spoofed e-mails

I can't tell you what the best score for you would be, the internal score is usually sufficient though and most find they don't need to modify this on outbound mail.

* What other settings should I do both on the cPanel and WHM.

• Do you have SpamAssassin for inbound mail configured? If so what are the settings for that?
• What are the settings for unrouted mail at cPanel>>Email>>Default Address?
• Do you have SPF and DKIM enabled on the domain/s?

 

[nkc]

Thank you for the response.

Please see below feedback to your comments/response.

*When you're saying spoofed email what do you mean exactly? An example of the header might be helpful in order to direct you to the best solution. *

We are receiving E-mails that has the name of our Employee but upon inspection it is from a different E-mail Address, sometimes it i from an e-mail thread that was sent by the E-mail User (Our Employee) or a thread from an E-mail User (Our Employee) that has been a part of a thread. Therefore some of our Employees will think of the E-mail as an actual E-mail from our Employee when not inspected.

The signature of those spoofed e-mails usually has the name of our employees and their actual e-mail address, even our resigned employees have been sending a spoofed e-mail.

• Do you have SpamAssassin for inbound mail configured? If so what are the settings for that?

- Yes, in the cPanel it is currently Set to 3.
- I've added a Global Filters further reject Spam/Spoofed Mails.
- As with that we are still experiencing receiving Spoofed Mails and Spams.

• What are the settings for unrouted mail at cPanel>>Email>>Default Address?

-

• Do you have SPF and DKIM enabled on the domain/s?

- Yes.


**** Update ****

As to this writing of the response, we are experiencing thousands of spam being relayed again from our Mail Server.

It is using again the [email protected] as the sender.

I was able to trace the E-mail Account that it is riding to send the spam E-mails therefore somehow stopping this from sending as of the moment.

 

[cPanelLauren]

This doesn't sound like spoofing, what you're describing sounds like a compromised account, which is probably receiving a ton of bouncebacks in relation to the spam it's sending. Have you identified how the mail is being sent? Either through a password or a script?

 

[nkc]

Good day Lauren,


My apologies for the late response.

- Initially we are receiving E-mails that has the name of our Employee or its configured name. I suspect that this may have used one of our users contact list that is why it is able to copy and send to users and also as mentioned above, it was able to reply/ride a message on an e-mail thread on which the copied/spoofed Name was part of.


- As for the spam relay sending, I am able to trace the e-mail that it is relaying to via the SSH Access, but with that, the E-mail being used as a relay is not on the User itself it looks like a Script, as the user is not using their devices during the time it is sending, and there is no trace on their device that they are sending, it is only either by being able to check their sending on the SSH logs or via the bounceback they are receiving due to excessive sending, I have also observed that there have been (2-3) users that despite I've reset their password, their account was still able to spam relay.

I am not familiar on how to trace or further check if their is a malicious script that is being run through to our VPS, may I seek assistance on this or any guidlines I can follow safely to check the spamming source.

 

[cPanelLauren]

as the user is not using their devices during the time it is sending, and there is no trace on their device that they are sending

A password compromise would not reflect the mail being sent from their devices. A password compromise means a remote entity has access to the account's credentials and is able to send mail using their user and password from another location.

I think a good way to identify this is to use a script we created in house for our analysts to quickly identify and assist with these issues:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

 

[nkc]

Good day,

Lauren. thank you for the response. We have somehow been able to stop the spamming.

We did some further tweaking in the Exim.

I will keep this thread updated again once we encounter.