Hello cPanel community,
TL;DR version:
Latest cPanel version as of now: CentOS 6.7 x86_64 WHM 56.0 (build 14)
domain: example.com
People with mailboxes in @example.com receive spam with MAIL FROM: <some random people>@example.com that originates from random IP addresses around the world.
What's the proper way to fix this?
Long version:
Over the past few weeks, I've noticed the following behavior on one of the cPanel servers currently under my administration.
We have a domain, let's call it example.com. In this domain, we have a number of mailboxes, let's say 50, with a number of forwarders, and so on. We also have some generic mailboxes that are in use, stuff like [email protected], [email protected], [email protected], and generic-name mailboxes like [email protected], [email protected], etc. All of the mailboxes are in use (contact@ and office@ are forwarders, the rest are actual mailboxes).
Over the past few weeks, people in @example.com started complaining of receiving spam from the above-mentioned mailboxes. For example, [email protected] receives spam from [email protected], [email protected], [email protected], and even [email protected], and of course, some more generic names that don't exist on our systems, like [email protected], [email protected], and so on. The fact that it looks to originate from our domain, example.com, actually looks convincing to users, enough to make them click on the links, download the attachments, etc.
Looking over the headers of the e-mails, I can see that they're originating from random IP addresses, ranging from the US to Europe and Asia, most likely some infected computers, using random EHLOs.
Is there a way to do some checks in exim before delivering said received e-mails? I was thinking of something like "if the domain is declared locally, and the MAIL FROM seems to be from someone in the local domain, but the connection is not local, then drop it".
I was thinking of building an exim ACL, but my experience with ACLs in exim is not that rich, and I'm not entirely sure that's the best approach.
Thank you for taking the time to read this.
Best regards,
-tbone
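The rule described in the post ("if MAIL FROM claims a local domain but the connection is neither local nor authenticated, reject it") can be expressed as an Exim MAIL ACL. The fragment below is an added example, not the poster's configuration and not cPanel's stock exim.conf; the list names `local_domains` and `relay_from_hosts`, the list contents, and the ACL name `acl_check_mail` are assumptions made for this example. It also goes one step beyond the post by showing an observe-only `warn` rule before the `deny`, so legitimate senders can be found before anything is rejected.

```exim
# Added example: Exim MAIL-stage ACL that rejects envelope senders
# claiming a hosted domain over untrusted, unauthenticated connections.
# Assumed names: "local_domains" is the domainlist of domains hosted on
# this server; "relay_from_hosts" is a hostlist of machines allowed to
# send as those domains without SMTP AUTH. Both are assumptions for this
# example, not the list names cPanel's own exim.conf uses.

domainlist local_domains   = example.com
hostlist   relay_from_hosts = 127.0.0.1 : ::1

acl_check_mail:

  # Step 1 (observe first): log, but still accept, any MAIL FROM that
  # claims one of our domains over a connection that is neither
  # authenticated nor from a trusted host. Run only this rule for a
  # while; anything legitimate that shows up in the log (web forms,
  # external services sending as the domain) must either authenticate
  # or be added to relay_from_hosts before step 2 is enabled.
  warn
    sender_domains = +local_domains
    !authenticated = *
    !hosts         = : +relay_from_hosts
    log_message    = local-domain sender $sender_address from [$sender_host_address] (EHLO $sender_helo_name) without auth

  # Step 2 (enforce): once the log shows only spoofed traffic, reject
  # the same connections at SMTP time with a permanent 5xx, so nothing
  # reaches the mailboxes or the forwarders. The empty item at the start
  # of the hosts list matches locally submitted mail (no remote host).
  deny
    sender_domains = +local_domains
    !authenticated = *
    !hosts         = : +relay_from_hosts
    message        = Sender address $sender_address claims a local domain but this connection is neither authenticated nor from a trusted host

  accept
```

On a cPanel server the ACL chain is generated by WHM, so these conditions belong in one of the custom ACL sections exposed by WHM's Exim Configuration Manager rather than in a hand-written `acl_check_mail`; the rule itself is the same. Two caveats worth checking before relying on it: the test is on the envelope sender (`$sender_address`, what Exim sees at MAIL FROM), so a message with an outside envelope sender and a forged `From:` header would pass this rule and needs a separate header check; and rejecting at SMTP time is far safer than accepting and discarding, because the sending side receives a clear error and no forwarder ever relays the message onward.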