foil spoofing

Discussion in 'E-mail Discussions' started by keat63, Jun 8, 2016.

  1. keat63

    keat63 Well-Known Member

    We've had an SPF fail notice today regarding one of our email addresses.
    It seems, reading between the lines, that this has been spoofed and rejected because of SPF failure (which is good).
    The email address in particular is one we would deem a throw away.
    If we were to throw it away, would this help at all in the event that SPF failed?

    In other words, if the email didn't exist, could it still be spoofed and accepted by other mail servers?
     
  2. amdbuilder

    amdbuilder Member
    PartnerNOC

    The account existing isn't likely to make much difference with it being spoofed. I would recommend looking into DMARC; when used in conjunction with DKIM and SPF, you should be able to stop spoofed emails from your domain. Well, at least control what happens to them on servers supporting DMARC.
     
  3. Kailash1

    Kailash1 Well-Known Member

    Yes, I agree with amdbuilderaax. You should set a DMARC record for your domain.
     
  4. keat63

    keat63 Well-Known Member

    The spoofed email appears to have originated from a server in the same datacentre as mine, which is a bit worrying.
    I took this up with the server team, who said that they couldn't see it ever leaving that server,
    and that the hackers not only spoofed my email address but also spoofed the server from which it was sent.

    How would they spoof an IP address, server name, email address and for it all to be in the same data centre? I'm not sure I buy it, but who am I to argue.

    I did have DMARC configured on one of my lesser used domains, but didn't understand how it worked so removed it.
    Maybe I'll try again.
     
    #4 keat63, Jun 10, 2016
    Last edited: Jun 10, 2016
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    1. Spoofing those fields is possible by manipulating the message headers before sending the message. It's common practice with spammers to find active domain names and send SPAM. You should report the abuse to your data center with a copy of the message headers.

    2. Users setting up DMARC records may find the following thread helpful:

    Dmarc authentication

    You can vote and add feedback to the existing feature request for DMARC at:

    DMARC config in email authentication section

    Thank you.
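
As an added example (not part of any post in this thread, and not cPanel code), the following sketch shows how a DMARC-aware receiver decides what to do with a message that claims to come from your domain, and why deleting the mailbox changes nothing. The function names, the sample record and the placeholder domains are assumptions made for illustration, and organizational-domain matching is simplified to the last two labels.

```python
# Added example: simplified DMARC evaluation in the spirit of RFC 7489.
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict and apply default alignment modes."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """True if the authenticated domain aligns with the From: header domain."""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record, header_from, spf_result, mail_from_domain, dkim_pass_domains):
    """Return "pass", or the policy (none/quarantine/reject) the domain owner requests.

    Only the domain part of header_from is used; whether the mailbox exists
    is never an input to SPF, DKIM or DMARC.
    """
    policy = parse_dmarc(record)
    from_domain = header_from.rsplit("@", 1)[1]
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = any(aligned(from_domain, d, policy["adkim"]) for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


# Constructed sample record; example.com is a placeholder domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

A message that passes SPF or DKIM only for some other domain still fails DMARC, because neither result aligns with the domain in the From: header.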
     