External emails from and to the same email address

Arvy

Well-Known Member
Hi,

Several users are complaining about receiving messages "from themselves". The message says that the client computer is being watched, and the hacker sent the email using his username and password (fake), and asks for bitcoins not to post a porn video about the client.

I know that all of this is fake, the message has a fake "From:", but users will never understand this.

How can I prevent unauthenticated messages from external IPs using a local domain? Example:

2020-11-08 15:16:18 1kbpEe-0007sZ-Tw <= [email protected] H=([102.110.201.104]) [102.110.201.104]:2022 P=esmtp S=9236 [email protected] T="Proposta de neg\363cio" for [email protected]

Thanks.
 

cPRex

Jurassic Moderator
Staff member
Hey hey! The short answer is that there is no way you can completely stop this type of activity.

The longer answer is that you can ensure your local DNS is set up to help prove legitimate emails from your domain are authentic, which will help others be blocked in the future. You can also adjust your server to be more strict about the emails that it accepts.

We have some additional detail in our article here about both these options:


so I'd recommend checking those out. Let me know if you need clarification on that and I'll be here!
 

Arvy

Hello,

Yes, the DNS is set up with DKIM, DMARC, SPF (with "-all") and so on, for normal situations (server to server, delivery). But in this case it is not a real mail server; it is a virus/trojan that connects directly to the MX server to send a message directly to the user.

I was looking for a way to create a SpamAssassin rule or ACL to block if from=to and originating IP is not the local server (or a valid domain's MX).

Thanks.
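
An added example, not part of the original thread: before writing an ACL or SpamAssassin rule for the condition described above, the Exim main log can be audited to see which arrivals the rule would match (envelope sender in a local domain, no SMTP AUTH, connecting IP not the local server). `LOCAL_DOMAINS`, `TRUSTED_NETS` and the log lines are constructed placeholders, and the default Exim log format is assumed.

```python
import ipaddress
import re

# Assumed values: domains hosted on this server, and networks allowed to
# send as those domains without SMTP AUTH (the server itself).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.10/32")]

ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
SUBJECT = re.compile(r' T="(?:[^"\\]|\\.)*"')   # logged subject, sender-controlled
REMOTE_IP = re.compile(r" \[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)? ")
AUTH = re.compile(r" A=\S+")                    # present only after SMTP AUTH
RCPTS = re.compile(r" for (?P<rcpts>.+)$")

def spoofed_local_senders(lines):
    """Return (queue_id, sender, ip, self_addressed) for unauthenticated
    remote arrivals whose envelope sender claims a local domain."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue
        # Drop the subject first so text like 'A=...' inside it cannot
        # make a message look authenticated.
        rest = " " + SUBJECT.sub("", m["rest"])
        ip_m = REMOTE_IP.search(rest + " ")
        domain = m["sender"].rpartition("@")[2].lower()
        if not ip_m or AUTH.search(rest) or domain not in LOCAL_DOMAINS:
            continue
        ip = ipaddress.ip_address(ip_m["ip"])
        if any(ip in net for net in TRUSTED_NETS):
            continue
        rc = RCPTS.search(rest)
        rcpts = rc["rcpts"].lower().split() if rc else []
        hits.append((m["id"], m["sender"], str(ip), m["sender"].lower() in rcpts))
    return hits

SAMPLE_LOG = [  # constructed lines in Exim mainlog format
    '2020-11-08 15:16:18 1kbpEe-0007sZ-Tw <= user@example.com H=([203.0.113.7]) [203.0.113.7]:2022 P=esmtp S=9236 T="Pay now" for user@example.com',
    '2020-11-08 15:20:01 1kbpFa-0007tA-1b <= user@example.com H=(laptop) [198.51.100.23]:50211 P=esmtpsa A=dovecot_login:user@example.com S=1204 T="Report" for boss@example.net',
    '2020-11-08 15:21:40 1kbpGx-0007tQ-9c <= info@example.com H=([203.0.113.9]) [203.0.113.9]:4410 P=esmtp S=8801 T="re: A=dovecot_login:x" for sales@example.com',
    '2020-11-08 15:22:05 1kbpHk-0007u2-Lm <= news@example.org H=mail.example.org [198.51.100.80]:25 P=esmtps S=5120 T="Newsletter" for user@example.com',
]

if __name__ == "__main__":
    for hit in spoofed_local_senders(SAMPLE_LOG):
        print(hit)
```

Hits that are not self-addressed deserve a look before any blocking rule is enabled, since forwarders and third-party services that legitimately send with a local sender address match the same condition.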
 

cPRex

You might find the discussions here helpful/interesting:


 