Email Spoofing Exim How Can This Be Stopped

E

esse

Member
Oct 3, 2006
22
0
151
I just tested my server and found that I could send spoofed e-mail. Good news is the headers show the originating IP address. I'd like to know how to defeat this process;

I did this from Windows XP without using any credentials whatsoever:

run > cmd > enter
telnet > enter
o mail.myserver.com 25 > enter
Mail from: [email protected] > enter
RCPT to: [email protected] > enter
DATA > enter
From: [email protected] > enter
TO: [email protected] > enter
Hello. > enter
This is a spoofed email from my server > enter
. > enter
> enter


[email protected] gets the email from the forged [email protected]
 
S

sparek-3

Well-Known Member
Aug 10, 2002
2,114
254
388
cPanel Access Level
Root Administrator
You can't stop this. This is how SMTP works.

Best to look into something like SPF or DomainKeys which are used in conjunction with a recipient's mail server to check the validity of the sending server, and whether or not that sending server is suppose to be allowed to send out mail from mydomain.com.
 
E

esse

Member
Oct 3, 2006
22
0
151
I have SPF and domain keys configured properly. The server also passes the open relay tests. So you're saying anyone from anywhere can send e-mail as anyone from anywhere in this fashion?
 
Last edited:
E

esse

Member
Oct 3, 2006
22
0
151
I can't say it's been a problem for me, but I have had a couple of these turn up over the years and I had no idea where they came from.

Do spammers have a script they can use to exploit this or is this limited to sending one e-mail at a time?
 
E

esse

Member
Oct 3, 2006
22
0
151
I have it turned on and I also have the SMTP tweak setup. Give it a shot on your server and see if you get the same results.

Don't use the > (greater than signs) I just put those in to say do this next.
 
E

esse

Member
Oct 3, 2006
22
0
151
I don't use bind on my server. I use and external DNS server. I changed the theme on the main site from x to x3 and enabled SPF authentication in Cpanel and so far it looks like I am no longer able to send like this.

I did a hard bounce -all

Does this mean that SPF authentication has to be turned on in CPanel?

I setup all my domain keys manually way back when they were still experimental in cpanel. It won't take too much effort to go in and setup all the SPF records for the domains I host if this will do the trick.
 
E

esse

Member
Oct 3, 2006
22
0
151
rhenderson said:
Nope mine stops it:

530 Relaying not allowed ( Please enable smtp authentication on your email client; )

Pm me and I will let you try it.
Click to expand...
I believe you. Where did you setup pop before smtp. I did it in the tweak section. Should I be doing it somewhere else?
 
E

esse

Member
Oct 3, 2006
22
0
151
I got WARNING! Your server could be an open relay. I've got something configured wrong.
 
E

esse

Member
Oct 3, 2006
22
0
151
rhenderson said:
Go to WHM >> Main >> Service Configuration >> Service Manager and see if tailwatchd is checked for enabled and monitoring.
Click to expand...
It was not set for monitoring
Also all the sub items are checked.
x cPbandwd
x Eximstats
x Antirelayd
 
E

esse

Member
Oct 3, 2006
22
0
151
No I don't see it.

BTW thanks for taking the time to help me. I am going to reset the exim.conf to default.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
I help: blok email spoofing Email 2
S How to Reject Fake/Spoofing Email? Email 1
R a lot spoofing. remote email are being sent using local envelope Email 9
williama5 Email Spoofing Exim How Can This Be Stopped Email 2
B Disable email spoofing with exim Email 1
Similar threads
help: blok email spoofing
How to Reject Fake/Spoofing Email?
a lot spoofing. remote email are being sent using local envelope
Email Spoofing Exim How Can This Be Stopped
Disable email spoofing with exim
Top Bottom