How do I stop these Return-path / X-Sender emails getting through?

GQsm

Member
Hi.

A customer has been subject to fraud emails today. The emails look like they come from the boss and request the accounts dept transfer money. They look very genuine and a dodgy email address is only visible to the end user if they click reply.
I thought I had everything configured correctly to stop this sort of email getting through and am wondering if something is malfunctioning.
SPF is configured for customer.com but there is no mention of it in the header, not even in regard to badpersondomain.com having no SPF record.

Can anyone help?

Header is below with obvious privacy changes.
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 21 Aug 2018 08:31:22 +0100
Received: from xxxxxxx.prod.phx3.secureserver.net ([216.69.xxx.xx]:41336 helo=p3plwbeout25-01.prod.phx3.secureserver.net)
   by myserver.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
   (Exim 4.86)
   (envelope-from <[email protected]>)
   id 1fs18J-1001jA-W0
   for [email protected]; Tue, 21 Aug 2018 08:31:21 +0100
Received: from xxxxxxxxx.prod.phx3.secureserver.net ([10.36.152.31])
   by :WBEOUT: with SMTP
   id s179favlaUbxes179f5RO3; Tue, 21 Aug 2018 00:30:07 -0700
X-SID: s179favlaUbxe
Received: (qmail 94736 invoked by uid 99); 21 Aug 2018 07:30:07 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 89.238.167.168
User-Agent: Workspace Webmail 6.9.46
Message-Id: <[email protected]mail25.godaddy.com>
From: "Boss Man" <[email protected]>
X-Sender: [email protected]
Reply-To: "Boss Man" <[email protected]>
To: [email protected]
Subject: Payments
Date: Tue, 21 Aug 2018 00:30:04 -0700
Mime-Version: 1.0
X-CMAE-Envelope: MS4wfOmiOJC3WMsezNfrdAKrBSynNJFF+qHFf4SBf+lKhca2CnkToJD5lJV8ylStzGOCRNKpRfRThRu0HujQn1WyNbyKpaR3FTx8U4V4X68+a
 NIFDKH6xj1oII9Rtz8yplauRkxP+F+y33P54lOKD4SzGlowoNuxkgoBssE8GAiMuutjvx+Wl6vJ3QoLU1gWo5PRA0v+dL03Rw9zwkoPHo4g2tfaq8DOmZzwr
X-Spam-Status: No, score=2.6
X-Spam-Score: 26
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "myserver.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hi, can you make some payments for me? [...]
 Content analysis details:   (2.6 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.5 KAM_COUK               Scoring .co.uk emails higher due to poor registry security.
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.4934]
  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 -0.5 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                             anti-forgery methods
  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
 
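As an added example, not code from the thread or from cPanel, here is a small Python check that pulls the three sender identities out of a header like the one quoted above and flags the same mismatches SpamAssassin scored (HEADER_FROM_DIFFERENT_DOMAINS, the forged Reply-To). The addresses and `customer.example` are constructed placeholders; the comments also note why the customer's SPF record never shows up in the header: SPF is evaluated against the envelope sender (Return-Path), which here belongs to the fraudster's domain, so only DMARC alignment on the From domain would connect the two.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the header quoted in the post; all addresses are placeholders.
SAMPLE = b"""\
Return-Path: <fraud.account@badpersondomain.example>
From: "Boss Man" <boss@customer.example>
Reply-To: "Boss Man" <fraud.account@freemail.example>
To: accounts@customer.example
Subject: Payments

Hi, can you make some payments for me?
"""


def domain_of(value):
    """Lower-cased domain of the first address in a header value ('' if absent)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def sender_alignment(raw, org_domain):
    """Compare the visible From, the Reply-To and the envelope sender (Return-Path).

    SPF is checked against the envelope sender, so a forged From: header is not
    caught by the From domain's SPF record unless that domain publishes DMARC and
    the receiver enforces alignment. Reply-To is covered by neither SPF nor DKIM,
    which is why the fraudulent address only becomes visible on reply.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hdr_from = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To")) or hdr_from  # no Reply-To means replies go to From
    envelope = domain_of(msg.get("Return-Path"))
    org = org_domain.lower()
    findings = []
    if hdr_from != envelope:
        findings.append("from_envelope_mismatch")  # what HEADER_FROM_DIFFERENT_DOMAINS scores
    if reply_to != hdr_from:
        findings.append("reply_to_mismatch")  # replies leave the visible sender's domain
    if hdr_from == org and envelope != org:
        findings.append("internal_from_external_envelope")  # our name on From, foreign bounce address
    return {"from": hdr_from, "reply_to": reply_to, "return_path": envelope, "findings": findings}


if __name__ == "__main__":
    print(sender_alignment(SAMPLE, "customer.example"))
```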

cPanelMichael

Technical Support Community Manager
Staff member
Hello @GQsm,

Features such as DKIM checking and Greylisting can help protect against this type of SPAM. The following options are available under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor:

Allow DKIM verification for incoming messages
Reject DKIM failures

Greylisting is enabled through WHM >> Mail >> Greylisting.

Regarding SPF, keep in mind that enabling SPF on a domain will set up the SPF record for outgoing email from the domain, but SPF verification for incoming email is handled through SpamAssassin. Here's a link to a post with workaround instructions if you prefer to have Exim directly reject incoming emails when SPF verification fails:

SPF Verification

Thank you.