External emails from and to the same email address

Arvy · Nov 9, 2020

Hi,

several users are complaining about receiving messages "from themselves". The message says that the client computer is being watched, and the hacker sent the email using his username and password (fake), and asks bitcoins not to post a porn video about the client.

I know that all of this is fake, the message has a fake "From:", but users will never understand this.

How can I prevent unauthenticated messages from external IPs using a local domain? Example:

2020-11-08 15:16:18 1kbpEe-0007sZ-Tw <= [email protected] H=([102.110.201.104]) [102.110.201.104]:2022 P=esmtp S=9236 [email protected] T="Proposta de neg\363cio" for [email protected]

Thanks.

cPRex · Nov 9, 2020

Hey hey! The short answer is that there is no way you can completely stop this type of activity.

The longer answer is that you can ensure your local DNS is setup to help prove legitimate emails from your domain are authentic, which will help other be blocked in the future. You can also adjust your server to be more strict about the emails that it accepts.

We have some additional detail in our article here about both these options:

Preventing spoofed emails

Symptoms If you've had an email delivered that was sent from your address, and you know you didn't send the message, that's an example of a spoofed email. These are often used in phishing scams or...

support.cpanel.net

so I'd recommend checking those out. Let me know if you need clarification on that and I'll be here!

Arvy · Nov 9, 2020

Hello,

yes, the DNS is set up, with DKIM, DMARC, SPF (with "-all") and so, to normal situations (server to server, delivery). But in this case is not a real mail server, is a virus/trojan that connects directly to the MX server to send a message directly to the user.

I was looking for a way to create a SpamAssassin rule or ACL to block if from=to and originating IP is not the local server (or a valid domain's MX).

Thanks.

cPRex · Nov 10, 2020

You might find the discussions here helpful/interesting:

Display Name Spoofing Attack

Is there a feature in cPanel/WHM to detect and control Display Name Spoofing Attack?

forums.cpanel.net

I need help writing a global email rule to filter spam.

I would like to add a statement to my global email filter that drops emails that contains the recipient’s email information in the format used by a group of spammers that are a real nuisance. They use a new IP address for every message via relays all over the world and always use a unique from...

forums.cpanel.net

Thread starter	Similar threads	Forum	Replies	Date
A	Adding warning message to external emails originating outside the server	Email	2	Feb 13, 2019
M	no external emails arrive and it does not show error	Email	3	Mar 22, 2018
T	Problems with sending emails to external domains	Email	1	Sep 27, 2017
K	SOLVED Newly registered domain not receiving external emails	Email	2	Jul 5, 2017
S	SOLVED No sites can send emails via PHP (local or external)	Email	2	Feb 21, 2017

Search

Search

External emails from and to the same email address

Arvy

Well-Known Member

cPRex

Jurassic Moderator