Email Spoofing Exim How Can This Be Stopped

Discussion in 'E-mail Discussions' started by esse, Dec 8, 2008.

  1. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I just tested my server and found that I could send spoofed e-mail. The good news is that the headers show the originating IP address. I'd like to know how to defeat this process.

    I did this from Windows XP without using any credentials whatsoever:

    run > cmd > enter
    telnet > enter
    o mail.myserver.com 25 > enter
    Mail from: myadminacct@mydomain.com > enter
    RCPT to: anyaddress@anydomain.com > enter
    DATA > enter
    From: myadminacct@mydomain.com > enter
    TO: anyaddress@anydomain.com > enter
    Hello. > enter
    This is a spoofed email from my server > enter
    . > enter
    > enter


    anyaddress@anydomain.com gets the email from the forged myadminacct@mydomain.com
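The session above shows how a forged sender is injected. From the defender's side, the server's own mail log is where such submissions show up, so here is an added example (not part of the thread, not cPanel's or Exim's code) that scans Exim-style `<=` arrival lines for unauthenticated messages claiming a local sender domain from an address outside the server's own networks. The log lines are constructed to mimic Exim's main-log arrival format; the `LOCAL_DOMAINS` set, the `TRUSTED_NETS` ranges and the `dovecot_login` authenticator name are assumptions, not values from the page.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed local configuration: domains hosted on this box and networks that are
# allowed to hand mail to Exim without SMTP AUTH (the host itself, its own subnet).
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed sample of Exim "<=" (message arrival) log lines. The first one
# mirrors an unauthenticated telnet injection from an outside IP.
SAMPLE_LOG = """\
2008-12-08 22:31:07 1L9aaa-0001Aa-Aa <= myadminacct@mydomain.com H=(xp-box) [192.0.2.55] P=esmtp S=412 id=1@xp-box
2008-12-08 22:35:12 1L9bbb-0001Bb-Bb <= user@mydomain.com H=(laptop) [198.51.100.7] P=esmtpa A=dovecot_login:user@mydomain.com S=2048 id=2@laptop
2008-12-08 22:40:45 1L9ccc-0001Cc-Cc <= www-data@mydomain.com U=www-data P=local S=900
2008-12-08 22:41:03 1L9ddd-0001Dd-Dd <= someone@otherdomain.org H=mx.otherdomain.org [192.0.2.80] P=esmtp S=1500 id=3@otherdomain.org
2008-12-08 22:42:10 1L9eee-0001Ee-Ee <= cron@mydomain.com H=localhost (localhost) [127.0.0.1] P=esmtp S=300 id=4@localhost
"""

ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")


def parse_arrival(line):
    """Parse one '<=' arrival line into a dict; return None for other log lines."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    ts, msg_id, sender, rest = m.groups()
    ip_m = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)   # H=... [client IP]
    proto_m = re.search(r"\bP=(\S+)", rest)           # esmtp / esmtpa / local
    auth_m = re.search(r"\bA=(\S+)", rest)            # present only when SMTP AUTH succeeded
    return {
        "ts": ts,
        "id": msg_id,
        "sender": sender,
        "ip": ip_m.group(1) if ip_m else None,
        "proto": proto_m.group(1) if proto_m else None,
        "auth": auth_m.group(1) if auth_m else None,
    }


def is_suspect(rec):
    """True for an unauthenticated arrival claiming a local sender domain from an untrusted IP."""
    domain = rec["sender"].rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        return False            # foreign senders to local mailboxes are ordinary inbound mail
    if rec["auth"] or rec["ip"] is None:
        return False            # authenticated, or locally submitted (U=... P=local)
    ip = ip_address(rec["ip"])
    return not any(ip in net for net in TRUSTED_NETS)


def find_spoofed(lines):
    """Return the parsed records of every suspect arrival in an iterable of log lines."""
    return [rec for rec in map(parse_arrival, lines) if rec and is_suspect(rec)]


if __name__ == "__main__":
    for rec in find_spoofed(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} {rec['id']} sender={rec['sender']} from {rec['ip']} proto={rec['proto']} (no AUTH)")
```

Run it over the real log (on cPanel servers Exim writes to /var/log/exim_mainlog) by feeding the file's lines to `find_spoofed`; every hit is a message the server accepted for a local sender identity without credentials, which is exactly the condition SMTP authentication is meant to rule out.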
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You can't stop this. This is how SMTP works.

    Best to look into something like SPF or DomainKeys, which are used in conjunction with a recipient's mail server to check the validity of the sending server, and whether or not that sending server is supposed to be allowed to send out mail from mydomain.com.
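To make the SPF side of this concrete, here is an added example (not from the thread, and not a production SPF library) of what a recipient's mail server does with a domain's SPF record: it takes the IP address of the connecting server and walks the record's mechanisms until one matches. DNS is replaced by a constructed in-memory table (`FAKE_DNS`); the domains, addresses and records in it are assumptions, and the `a`/`mx` prefix-length forms and `exists`/`ptr` mechanisms are left out. Note what the first assertion demonstrates: a message injected through the domain's own mail server, as described earlier in the thread, arrives at the recipient from an IP the record authorizes, so SPF passes it; SPF only protects against senders using other hosts.

```python
import ipaddress

# Constructed stand-in for DNS answers, keyed by (name, record type).
FAKE_DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 mx a:mail.mydomain.com include:_spf.example.net -all"],
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mail.mydomain.com", "A"): ["203.0.113.10"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Assumed resolver: answers from FAKE_DNS only, so the example runs offline."""
    return FAKE_DNS.get((name, rrtype), [])


def evaluate_spf(client_ip, domain, depth=0):
    """Return the SPF result for client_ip sending mail with an envelope-from in `domain`."""
    if depth > 10:
        return "permerror"                       # runaway include chains are an error
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"                            # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]         # catch-all decides for everything unmatched
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "a":
            if str(ip) in lookup(arg or domain, "A"):
                return QUALIFIERS[qualifier]
        elif mech == "mx":
            for mx in lookup(arg or domain, "MX"):
                if str(ip) in lookup(mx, "A"):
                    return QUALIFIERS[qualifier]
        elif mech == "include":
            if evaluate_spf(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]     # include matches only on a "pass"
        else:
            return "permerror"                   # unknown mechanism
    return "neutral"                             # record ended without "all"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.99"):
        print(ip, "->", evaluate_spf(ip, "mydomain.com"))
```

The `-all` at the end of the constructed mydomain.com record is the "hard bounce" setting mentioned later in the thread: any IP not matched by an earlier mechanism gets a hard `fail`, whereas `~all` yields a `softfail` that most receivers treat as a spam signal rather than a rejection.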
     
  3. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I have SPF and domain keys configured properly. The server also passes the open relay tests. So you're saying anyone from anywhere can send e-mail as anyone from anywhere in this fashion?
     
    #3 esse, Dec 8, 2008
    Last edited: Dec 8, 2008
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    That is correct.
     
  5. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I can't say it's been a problem for me, but I have had a couple of these turn up over the years and I had no idea where they came from.

    Do spammers have a script they can use to exploit this or is this limited to sending one e-mail at a time?
     
  6. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Won't authentication before SMTP stop this? I thought it was the whole point.
     
  7. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I have it turned on and I also have the SMTP tweak set up. Give it a shot on your server and see if you get the same results.

    Don't use the > (greater-than signs); I just put those in to say "do this next".
     
  8. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Nope, mine stops it:

    530 Relaying not allowed ( Please enable smtp authentication on your email client; )

    PM me and I will let you try it.
     
  9. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I don't use BIND on my server. I use an external DNS server. I changed the theme on the main site from x to x3 and enabled SPF authentication in cPanel, and so far it looks like I am no longer able to send like this.

    I did a hard bounce -all

    Does this mean that SPF authentication has to be turned on in cPanel?

    I set up all my domain keys manually way back when they were still experimental in cPanel. It won't take too much effort to go in and set up all the SPF records for the domains I host if this will do the trick.
     
  10. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I believe you. Where did you set up POP before SMTP? I did it in the tweak section. Should I be doing it somewhere else?
     
  11. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    cPanel has domain keys setup now. But without them you should not be able to send if you have authentication set.

    Have you tested your mail server with

    http://mxtoolbox.com/
     
  12. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Go to WHM >> Main >> Service Configuration >> Service Manager and see if tailwatchd is checked for enabled and monitoring.
     
  13. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I got "WARNING! Your server could be an open relay." I've got something configured wrong.
     
  14. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    It was not set for monitoring.
    Also, all the sub-items are checked:
    x cPbandwd
    x Eximstats
    x Antirelayd
     
  15. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Check and see if it is running

    root@[~]# ps faux | grep tail

    It probably failed at some point and was not restarted; then you have an open relay. If it's not running, start it (it should have monitoring checked IMO):

    /usr/local/cpanel/bin/tailwatchd --start

    Then try the mxtools again.
     
  16. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    root 18460 0.0 0.0 5016 660 pts/0 S+ 23:49 0:00 \_ grep tail
    root 5749 0.0 0.2 9108 6112 ? Ss 22:29 0:00 tailwatchd
     
  17. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Hmmm, I figured it would not be running. You have custom Exim entries?
     
  18. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Do you not have chkservd in that list?
     
  19. esse

    esse Member

    Joined:
    Oct 3, 2006
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    No I don't see it.

    BTW thanks for taking the time to help me. I am going to reset the exim.conf to default.
     
  20. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    What version of cPanel are you using? We're on 11.24.2 - CentOS, and I think it has been there a while.
     