Exim acl to drop remote mail from local configured domain

tbone

Hello cPanel community,

TL;DR version:
Latest cPanel version as of now: CentOS 6.7 x86_64 WHM 56.0 (build 14)
domain: example.com

People with mailboxes in @example.com receive spam with MAIL FROM: <some random people>@example.com that originates from random IP addresses around the world.
What's the proper way to fix this?

Long version:
Over the past few weeks, I've noticed the following behavior on one of the cPanel servers currently under my administration.

We have a domain, let's call it example.com. In this domain, we have a number of mailboxes, let's say 50, with a number of forwarders, and so on. We also have some generic mailboxes that are in use, stuff like [email protected], [email protected], [email protected], and generic-name mailboxes like [email protected], [email protected], etc. All of the mailboxes are in use (contact@ and office@ are forwarders, the rest are actual mailboxes).

Over the past few weeks, people in @example.com started complaining of receiving spam from the above-mentioned mailboxes. For example, [email protected] receives spam from [email protected], [email protected], [email protected] and even [email protected], and of course some more generic names that don't exist on our systems, like [email protected], [email protected], and so on. The fact that it looks to originate from our domain, example.com, actually looks convincing to users, enough to make them click on the links, download the attachments, etc.

Looking over the headers of the e-mails, I can see that they're originating from random IP addresses, ranging from the US to Europe and Asia, most likely some infected computers, using random EHLOs.

Is there a way to do some checks in exim before delivering said received e-mails? I was thinking of something like "if the domain is declared locally, and the MAIL FROM seems to be from someone in the local domain, but the connection is not local, then drop it".

I was thinking of building an exim ACL, but my experience with ACLs in exim is not that rich, and I'm not entirely sure that's the best approach.

Thank you for taking the time and reading this.

Best regards,
-tbone
 

cPanelMichael

Administrator
Staff member
Is there a way to do some checks in exim before delivering said received e-mails? I was thinking of something like "if the domain is declared locally, and the MAIL FROM seems to be from someone in the local domain, but the connection is not local, then drop it".

I was thinking of building an exim ACL, but my experience with ACLs in exim is not that rich, and I'm not entirely sure that's the best approach.
Hello,

You could enable the "Reject SPF failures" option via the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor". The option is documented at:

Exim Configuration Manager - Basic Editor - Documentation - cPanel Documentation

Thank you.
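For reference, this is what the rule tbone describes ("local sender domain, but the session is neither local nor authenticated, so reject") looks like as an Exim ACL statement, added here as an example; it is not code from either post nor from cPanel's shipped exim.conf. It assumes the list names `local_domains` and `relay_from_hosts` from Exim's stock configuration, so substitute whatever names your exim.conf actually defines.

```exim
# Added example, not from this thread or cPanel's shipped exim.conf.
# Belongs in the ACL Exim runs at MAIL FROM (the "mail" ACL; cPanel's
# Exim Configuration Manager >> Advanced Editor exposes custom ACL blocks).
# Assumed list names (Exim stock config; adjust to yours):
#   domainlist local_domains    - domains this server hosts mail for
#   hostlist   relay_from_hosts - own hosts allowed to relay without AUTH

# Reject an envelope sender in one of our own domains when the session is
# neither SMTP-authenticated nor from a trusted host. The empty item in
# the hosts list (":") matches local, non-TCP submissions such as the
# server's own sendmail/PHP mail() calls, so those are not blocked.
deny
  sender_domains = +local_domains
  !authenticated = *
  !hosts         = : +relay_from_hosts
  message        = $sender_address_domain is hosted here; submit via SMTP AUTH
  log_message    = spoofed local sender $sender_address from $sender_host_address helo=$sender_helo_name

# To trial the rule before enforcing it, use this warn-only twin instead
# of the deny above: nothing is rejected, but every hit is written to
# mainlog so legitimate senders caught by it can be spotted first.
warn
  sender_domains = +local_domains
  !authenticated = *
  !hosts         = : +relay_from_hosts
  log_message    = SPOOF-CANDIDATE $sender_address from $sender_host_address helo=$sender_helo_name
```

The rule also rejects genuine mail that uses your domain as envelope sender from outside, such as users relaying through another provider's SMTP or a third-party newsletter service, unless they authenticate or their hosts are added to the trusted list. The "Reject SPF failures" option from the reply above reaches a similar result by letting the domain's published SPF record decide which sources are legitimate, which is the route cPanel supports out of the box.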