Fake Return-Path header address

psytanium

Well-Known Member
Hi,

I'm running a VPS server. One of my clients called me today: he was exposed to a phishing scam and sent a big amount of money to a wrong IBAN number.

I checked the conversation emails and found the FROM address is coming from a trusted, well-known company (Company A), but in the Return-Path there is a fake email address ([email protected]).

My questions:

Where did this fake email in the Return-Path come from?
Who's guilty?
  1. My server?
  2. My client (for not looking at the email header)?
  3. My client's computer (MS Outlook, Windows, antivirus)?
  4. Company A's mail server?
  5. Company A's computer (sending emails with an injected Return-Path)?
How can I know? Please help.

Thanks

cPanelMichael

Administrator
Staff member
I set up SPF, DKIM and DMARC. Still receiving spoofed emails. What should I do?
Hello,

These records will help remote mail servers verify the integrity of emails from your domain name. However, if you want to verify incoming emails, you'd need to consider enabling SpamAssassin (it includes SPF verification), and also consider enabling the following option under "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor":

Reject DKIM failures

This option and other potentially useful options are documented at:

Exim Configuration Manager - Basic Editor - Documentation - cPanel Documentation

Thank you.
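The mismatch the original post describes (a From header on a trusted domain, a Return-Path on an unrelated one) is exactly what a DMARC alignment check looks for. As an added example that is not from the thread or from cPanel, the script below parses a raw message and compares the two domains in both relaxed and strict mode; the sample message is constructed, and the organizational-domain logic takes the last two labels, an assumption standing in for the Public Suffix List lookup a real DMARC verifier performs.

```python
"""Check From vs Return-Path (envelope sender) alignment on a raw message."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From claims the trusted company's domain,
# but the envelope sender written into Return-Path is an unrelated domain.
SAMPLE_MESSAGE = b"""\
Return-Path: <billing@phish.example.net>
Received: from mail.phish.example.net (mail.phish.example.net [203.0.113.10])
\tby mail.hosting.example with ESMTP; Mon, 2 Jun 2014 10:15:00 +0000
From: "Accounts Payable" <accounts@company-a.example>
To: client@hosting.example
Subject: Updated bank details for invoice 4711

Please use the new IBAN below for all future payments.
"""


def header_domain(value):
    """Return the lower-cased domain of the first address in a header value."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Approximate the DMARC organizational domain by the last two labels.

    Assumption for this example: real checkers consult the Public Suffix
    List so that e.g. 'example.co.uk' is handled correctly.
    """
    return ".".join(domain.split(".")[-2:])


def check_alignment(raw_message, mode="relaxed"):
    """Report whether the From domain aligns with the Return-Path domain."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = header_domain(msg["From"])
    rp_domain = header_domain(msg["Return-Path"])
    if mode == "strict":
        aligned = from_domain == rp_domain
    else:
        aligned = org_domain(from_domain) == org_domain(rp_domain)
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "mode": mode, "aligned": aligned}


if __name__ == "__main__":
    for mode in ("relaxed", "strict"):
        print(check_alignment(SAMPLE_MESSAGE, mode))
```

A message that fails this check is not automatically fraudulent (mailing lists and some forwarders legitimately rewrite the envelope sender), but it is the signal the client's mail filter or a DMARC policy on Company A's domain would have acted on.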
 

psytanium

Well-Known Member
> Hello,
>
> These records will help remote mail servers verify the integrity of emails from your domain name. However, if you want to verify incoming emails, you'd need to consider enabling SpamAssassin (it includes SPF verification), and also consider enabling the following option under "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor":
>
> Reject DKIM failures
>
> This option and other potentially useful options are documented at:
>
> Exim Configuration Manager - Basic Editor - Documentation - cPanel Documentation
>
> Thank you.

SpamAssassin is already enabled; anyway, I have some questions.
If I turn on "Allow DKIM verification for incoming messages" and leave "Reject DKIM failures" turned off, what will happen to the emails?

What does "This verification process can degrade your server's performance." mean? Will it slow down the mail exchange? Websites and apps? FTP transfers?

Do you think a new version of MS Outlook, Windows and Internet Security will make any difference regarding those emails?

Thanks
 

cPanelMichael

Administrator
Staff member
> If I turn on "Allow DKIM verification for incoming messages" and leave "Reject DKIM failures" turned off, what will happen to the emails?
This allows Exim to check the DKIM records on incoming messages, but doesn't actually reject emails that fail verification.

> What does "This verification process can degrade your server's performance." mean? Will it slow down the mail exchange? Websites and apps? FTP transfers?
It can lead to increased CPU usage and potentially slow email delivery due to the extra work required for Exim to verify DKIM records for incoming emails. You are more likely to see an issue on systems with high volumes of incoming email.

> Do you think a new version of MS Outlook, Windows and Internet Security will make any difference regarding those emails?
The email client itself won't prevent the delivery of spoofed emails.

Thank you.