

How do I stop these Return-path x-sender emails getting through.

Discussion in 'E-mail Discussion' started by GQsm, Aug 21, 2018.

  1. GQsm (Registered)
    Hi.

    A customer has been subject to fraud emails today. The emails look like they come from the boss and request the accounts dept transfer money. They look very genuine and a dodgy email address is only visible to the end user if they click reply.
    I thought I had everything configured correctly to stop this sort of email getting through and am wondering if something is malfunctioning.
    SPF is configured for customer.com but there is no mention of it in the header, not even in regard to badpersondomain.com having no SPF record.

    Can anyone help?

    Header is below with obvious privacy changes.
    Code:
    Return-path: <fraudster@badpersondomain.com>
    Envelope-to: accounts@customer.com
    Delivery-date: Tue, 21 Aug 2018 08:31:22 +0100
    Received: from xxxxxxx.prod.phx3.secureserver.net ([216.69.xxx.xx]:41336 helo=p3plwbeout25-01.prod.phx3.secureserver.net)
       by myserver.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
       (Exim 4.86)
       (envelope-from <fraudster@badpersondomain.com>)
       id 1fs18J-1001jA-W0
       for accounts@Customer.com; Tue, 21 Aug 2018 08:31:21 +0100
    Received: from xxxxxxxxx.prod.phx3.secureserver.net ([10.36.152.31])
       by :WBEOUT: with SMTP
       id s179favlaUbxes179f5RO3; Tue, 21 Aug 2018 00:30:07 -0700
    X-SID: s179favlaUbxe
    Received: (qmail 94736 invoked by uid 99); 21 Aug 2018 07:30:07 -0000
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/html; charset="utf-8"
    X-Originating-IP: 89.238.167.168
    User-Agent: Workspace Webmail 6.9.46
    Message-Id: <20180821003004.6cb1bab1b323d3bc104aa4eff9066a76.228f84ddf6.wbe@email25.godaddy.com>
    From: "Boss Man" <boss@customer.com>
    X-Sender: fraudster@badpersondomain.com
    Reply-To: "Boss Man" <fraudster@DIFFERENTDomain.com>
    To: accounts@Customer.com
    Subject: Payments
    Date: Tue, 21 Aug 2018 00:30:04 -0700
    Mime-Version: 1.0
    X-CMAE-Envelope: MS4wfOmiOJC3WMsezNfrdAKrBSynNJFF+qHFf4SBf+lKhca2CnkToJD5lJV8ylStzGOCRNKpRfRThRu0HujQn1WyNbyKpaR3FTx8U4V4X68+a
     NIFDKH6xj1oII9Rtz8yplauRkxP+F+y33P54lOKD4SzGlowoNuxkgoBssE8GAiMuutjvx+Wl6vJ3QoLU1gWo5PRA0v+dL03Rw9zwkoPHo4g2tfaq8DOmZzwr
    X-Spam-Status: No, score=2.6
    X-Spam-Score: 26
    X-Spam-Bar: ++
    X-Ham-Report: Spam detection software, running on the system "myserver.com",
     has NOT identified this incoming email as spam.  The original
     message has been attached to this so you can view it or label
     similar future email.  If you have any questions, see
     root\@localhost for details.
     Content preview:  Hi, can you make some payments for me? [...]
     Content analysis details:   (2.6 points, 5.0 required)
      pts rule name              description
     ---- ---------------------- --------------------------------------------------
     -0.5 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
      0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                                 domains are different
      0.0 HTML_MESSAGE           BODY: HTML included in message
      0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                                 [score: 0.4934]
      0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     -0.5 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                                 anti-forgery methods
      2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
    
    
     
    #1 GQsm, Aug 21, 2018
    Last edited by a moderator: Aug 21, 2018
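Added example (not code from the original post, from cPanel, or from Exim): a small triage script that parses the header exactly as posted above (same masked IPs and example domains) and reports the identity mismatches that make this message a business-email-compromise attempt, even though SpamAssassin scored it 2.6 of the 5.0 required. It also shows why no SPF line appears: SPF is evaluated on the envelope sender (the `envelope-from` / `Return-path`, here badpersondomain.com), never on the displayed `From:` domain, so customer.com's SPF record is not consulted for this message. The `local_domains` argument and the "authenticated" test on Exim's `with esmtpa` / `esmtpsa` tag are assumptions introduced for the example.

```python
"""
Header triage for a "boss asks accounts to pay" message.

Added example; not the poster's, cPanel's or Exim's code. It only needs the
standard library.
"""
import email
import re
from email.utils import parseaddr

# The header from the post, trimmed to the lines the triage uses. The masked
# IP (216.69.xxx.xx) and the example domains are reproduced as posted.
RAW_HEADER = """\
Return-path: <fraudster@badpersondomain.com>
Envelope-to: accounts@customer.com
Received: from xxxxxxx.prod.phx3.secureserver.net ([216.69.xxx.xx]:41336 helo=p3plwbeout25-01.prod.phx3.secureserver.net)
   by myserver.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
   (Exim 4.86)
   (envelope-from <fraudster@badpersondomain.com>)
   id 1fs18J-1001jA-W0
   for accounts@Customer.com; Tue, 21 Aug 2018 08:31:21 +0100
Received: from xxxxxxxxx.prod.phx3.secureserver.net ([10.36.152.31])
   by :WBEOUT: with SMTP
   id s179favlaUbxes179f5RO3; Tue, 21 Aug 2018 00:30:07 -0700
X-Originating-IP: 89.238.167.168
User-Agent: Workspace Webmail 6.9.46
From: "Boss Man" <boss@customer.com>
X-Sender: fraudster@badpersondomain.com
Reply-To: "Boss Man" <fraudster@DIFFERENTDomain.com>
To: accounts@Customer.com
Subject: Payments
X-Spam-Status: No, score=2.6

"""


def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address field, '' if there is none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def first_hop(msg):
    """The Received: line our own server (the topmost hop) added."""
    received = msg.get_all("Received") or []
    return received[0] if received else ""


def envelope_sender(msg):
    """SMTP MAIL FROM as Exim recorded it in its Received: line, else Return-path.
    This, not the From: header, is what SPF is evaluated against."""
    m = re.search(r"envelope-from <([^>]+)>", first_hop(msg))
    if m:
        return m.group(1)
    return parseaddr(msg.get("Return-path", ""))[1]


def was_authenticated(msg):
    """Exim writes 'with esmtpa' / 'esmtpsa' when the client used SMTP AUTH;
    a plain 'esmtp' / 'esmtps' (as in the posted header) means it did not."""
    return re.search(r"\bwith esmtps?a\b", first_hop(msg)) is not None


def triage(raw, local_domains=frozenset()):
    """Return the identities found in the header plus a list of findings.
    `local_domains` (an assumption for this example) lists the domains this
    server hosts, so a From: claiming one of them from an unauthenticated
    external host can be flagged."""
    msg = email.message_from_string(raw)
    r = {
        "envelope_domain": domain_of(envelope_sender(msg)),
        "from_domain": domain_of(msg.get("From", "")),
        "reply_to_domain": domain_of(msg.get("Reply-To", "")),
        "x_sender_domain": domain_of(msg.get("X-Sender", "")),
        "originating_ip": (msg.get("X-Originating-IP") or "").strip(),
        "authenticated": was_authenticated(msg),
        "findings": [],
    }
    r["spf_checked_domain"] = r["envelope_domain"]  # SPF subject, per RFC 7208
    f = r["findings"]
    if r["envelope_domain"] != r["from_domain"]:
        f.append("From: domain %s differs from envelope sender domain %s; SPF is "
                 "evaluated on the envelope sender, so %s's SPF record is never "
                 "consulted for this message"
                 % (r["from_domain"], r["envelope_domain"], r["from_domain"]))
    if r["reply_to_domain"] and r["reply_to_domain"] != r["from_domain"]:
        f.append("Reply-To: sends replies to %s, not to the displayed domain %s"
                 % (r["reply_to_domain"], r["from_domain"]))
    if r["x_sender_domain"] and r["x_sender_domain"] != r["from_domain"]:
        f.append("X-Sender: shows the submitting webmail account belongs to %s"
                 % r["x_sender_domain"])
    if r["from_domain"] in local_domains and not r["authenticated"]:
        f.append("From: claims locally hosted domain %s but the message arrived "
                 "from an external host without SMTP authentication"
                 % r["from_domain"])
    return r


if __name__ == "__main__":
    report = triage(RAW_HEADER, local_domains={"customer.com"})
    print("SPF would be checked for:", report["spf_checked_domain"])
    for line in report["findings"]:
        print("-", line)
```

The fourth check is the one an Exim ACL can enforce directly: a message whose `From:` carries a domain the server hosts should normally arrive authenticated (`esmtpa`/`esmtpsa`) or from a relay you trust; everything else is a candidate for rejection or quarantine regardless of its SpamAssassin score.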
  2. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Hello @GQsm,

    Features such as DKIM checking and Greylisting can help protect against this type of SPAM. The following options are available under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor:

    Allow DKIM verification for incoming messages
    Reject DKIM failures

    Greylisting is enabled through WHM >> Mail >> Greylisting.

    Regarding SPF, keep in mind that enabling SPF on a domain will set up the SPF record for outgoing email from the domain, but SPF verification for incoming email is handled through SpamAssassin. Here's a link to a post with workaround instructions if you prefer to have Exim directly reject incoming emails when SPF verification fails:

    SPF Verification

    Thank you.
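Added example (not cPanel's, Exim's or SpamAssassin's code): a deliberately minimal SPF evaluator that shows what an incoming-mail SPF check would return for the posted message and why a "reject on SPF fail" rule would not have stopped it. The check runs on the envelope sender domain (badpersondomain.com, which publishes no record, giving a result of `none`), not on the displayed `From:` domain. The same evaluator also shows the case such a rule does catch: the same relay forging customer.com as the envelope sender. The DNS table is constructed for the example (the thread does not show customer.com's real record), the client IP 216.69.0.1 is a stand-in for the masked 216.69.xxx.xx, and only the `ip4:`, `include:` and `all` mechanisms are implemented; `a`, `mx`, `exists`, `redirect=` and the lookup-count limits of RFC 7208 are omitted. A similar caveat applies to "Reject DKIM failures": a DKIM verifier returns `none` for an unsigned message, so that option fires only when a signature is present and fails.

```python
"""
Minimal SPF (RFC 7208) evaluation for the cases in the thread.

Added example; not cPanel's, Exim's or SpamAssassin's code.
"""
import ipaddress

# Constructed DNS data for the example. customer.com's real record is not in
# the thread; badpersondomain.com publishes nothing (the header's
# KAM_LAZY_DOMAIN_SECURITY rule says as much).
DNS_TXT = {
    "customer.com": "v=spf1 ip4:203.0.113.10 include:_spf.example-host.net -all",
    "_spf.example-host.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the spf1 TXT record for `domain`, or None if it has none."""
    rec = DNS_TXT.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(domain, client_ip, depth=0):
    """Evaluate `domain`'s SPF record against the connecting IP.
    Returns pass / fail / softfail / neutral / none / permerror.
    Supports ip4:, include: and all; anything else is treated as permerror
    here (a real verifier implements the rest)."""
    if depth > 10:  # crude stand-in for the RFC 7208 lookup limit
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no record: nothing to pass or fail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            sub = check_spf(arg, client_ip, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no 'all' term


def verify_message(envelope_from, client_ip):
    """What an inbound SPF verifier evaluates: the MAIL FROM domain, not the
    domain shown in the From: header."""
    return check_spf(envelope_from.rpartition("@")[2], client_ip)


RELAY_IP = "216.69.0.1"  # constructed stand-in for the masked 216.69.xxx.xx

if __name__ == "__main__":
    # The posted message: fraudster's own domain as envelope sender -> 'none'.
    print("as posted:", verify_message("fraudster@badpersondomain.com", RELAY_IP))
    # Same relay forging customer.com as envelope sender -> 'fail' (rejectable).
    print("envelope forged:", verify_message("boss@customer.com", RELAY_IP))
    # Legitimate submission from the listed outbound IP -> 'pass'.
    print("legitimate:", verify_message("boss@customer.com", "203.0.113.10"))
```

The `none` result for the message as posted is the reason the header carries no SPF line at all: there was no record to evaluate. Rejecting on `fail` is still worth doing, because it stops the cruder forgery of customer.com as the envelope sender; it just does nothing against a sender who uses their own domain in the envelope and puts the boss's address only in `From:`.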
     