Email Spoofing (Exim): How Can This Be Stopped?

esse

Member
Oct 3, 2006
22
0
151
I just tested my server and found that I could send spoofed e-mail. Good news is the headers show the originating IP address. I'd like to know how to defeat this process:

I did this from Windows XP without using any credentials whatsoever:

run > cmd > enter
telnet > enter
o mail.myserver.com 25 > enter
Mail from: [email protected] > enter
RCPT to: [email protected] > enter
DATA > enter
From: [email protected] > enter
TO: [email protected] > enter
Hello. > enter
This is a spoofed email from my server > enter
. > enter
> enter


[email protected] gets the email from the forged [email protected]
 

sparek-3

Well-Known Member
Aug 10, 2002
2,042
230
368
cPanel Access Level
Root Administrator
You can't stop this. This is how SMTP works.

Best to look into something like SPF or DomainKeys, which are used in conjunction with a recipient's mail server to check the validity of the sending server, and whether or not that sending server is supposed to be allowed to send out mail from mydomain.com.
 

esse

I have SPF and domain keys configured properly. The server also passes the open relay tests. So you're saying anyone from anywhere can send e-mail as anyone from anywhere in this fashion?

esse

I can't say it's been a problem for me, but I have had a couple of these turn up over the years and I had no idea where they came from.

Do spammers have a script they can use to exploit this or is this limited to sending one e-mail at a time?
 

esse

I have it turned on and I also have the SMTP tweak setup. Give it a shot on your server and see if you get the same results.

Don't use the > (greater-than signs); I just put those in to say "do this next".
 

esse

I don't use BIND on my server. I use an external DNS server. I changed the theme on the main site from x to x3 and enabled SPF authentication in cPanel, and so far it looks like I am no longer able to send like this.

I did a hard bounce -all

Does this mean that SPF authentication has to be turned on in cPanel?

I set up all my DomainKeys manually way back when they were still experimental in cPanel. It won't take too much effort to go in and set up all the SPF records for the domains I host if this will do the trick.
 

esse

Nope mine stops it:

530 Relaying not allowed ( Please enable smtp authentication on your email client; )

Pm me and I will let you try it.
I believe you. Where did you set up POP before SMTP? I did it in the Tweak section. Should I be doing it somewhere else?
 

esse

I got "WARNING! Your server could be an open relay." I've got something configured wrong.
 

esse

Go to WHM >> Main >> Service Configuration >> Service Manager and see if tailwatchd is checked for enabled and monitoring.
It was not set for monitoring.
Also, all the sub-items are checked:
x cPbandwd
x Eximstats
x Antirelayd
 

esse

No, I don't see it.

BTW thanks for taking the time to help me. I am going to reset the exim.conf to default.