How to block spoofed emails

linkup

Active Member
Jan 29, 2007
34
1
156
Recently I have been getting emails FROM myself that are obviously spoofed. The mails are addressed to one of my email accounts, it shows as coming from my server, but the headers show it was received from another server, in this example, in Belgium. I thought there was a method to differentiate mails that originated from my server vs. ones originating on another server spoofed to show as coming from my server.

Return-Path: <>
Delivered-To: (MY EMAIL ADDRESS)
Received: from (MY SERVER)
by (MY SERVER) with LMTP
id B5xPMrFAomIAKQAAk1qiSg
(envelope-from <>)
for <MY EMAIL>; Thu, 09 Jun 2022 12:49:21 -0600
Return-path: <>
Envelope-to: (MY EMAIL ADDY)
Delivery-date: Thu, 09 Jun 2022 12:49:21 -0600
Received: from [89.32.41.127] (port=37267 helo=solden.be)
by (MY SERVER) with esmtp (Exim 4.95)
id 1nzNDf-0002jD-5k
for(MY EMAIL ADDY);
Thu, 09 Jun 2022 12:49:21 -0600
Received: from 10.221.57.15
by atlas108.aol.mail.ne1.yahoo.com with HTTPS; Thu, 9 Jun 2035 12:34:30 +0000
X-Originating-Ip: [40.92.75.106]
Received-SPF: pass (domain of hotmail.com designates 40.92.75.106 as permitted sender)
Authentication-Results: atlas108.aol.mail.ne1.yahoo.com;
dkim=pass [email protected] header.s=selector1;
spf=pass smtp.mailfrom=hotmail.com;
dmarc=pass(p=NONE) header.from=hotmail.com;
*************************
Isn't there a method for cPanel to recognize that the from isn't the from? I get so much spam anyway that I use Mailwasher to review mail on my server where I manage it and delete the spam I can detect at the server so it doesn't come down to my email program (Thunderbird).

cPanel & WHM v102.0.18

Because Mailwasher thinks they are coming from me, it doesn't detect them as spam so I have to manually delete them in MW before downloading mail. If possible, I would like the server to stop them from even being put into my email server.

Thanks so much!
Lew
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,718
1,862
363
cPanel Access Level
Root Administrator
Hey there! The short answer is "you can't" - if there was a foolproof way to handle these it would be famous and implemented everywhere by now. The best recommendation would be to review the details here and ensure everything is set up on your side as best it can be to help authenticate legitimate messages from your server:

 

linkup

Active Member
Jan 29, 2007
34
1
156
Pardon my ignorance as I haven't programmed in 30 years, but since it "knows" the mail didn't originate on my server, how hard is it to determine it is spoofed? Thanks for the link!
 

linkup

Active Member
Jan 29, 2007
34
1
156
Hey there! The short answer is "you can't" - if there was a foolproof way to handle these it would be famous and implemented everywhere by now. The best recommendation would be to review the details here and ensure everything is set up on your side as best it can be to help authenticate legitimate messages from your server:

The link talks about the three deliverability settings which were enabled at the server level and I checked the domain in question and they were set up there. If that is all I can do... then I guess I will have to deal with manual deletion. Thanks again!
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,718
1,862
363
cPanel Access Level
Root Administrator
You're very welcome! As far as the "it should know" issue, the mailserver isn't always the smartest when it comes to handling those. It reads the data from the header as best it can, but there isn't a "check to see if this email address exists locally even though it came in remotely" function.
 

linkup

Active Member
Jan 29, 2007
34
1
156
You're very welcome! As far as the "it should know" issue, the mailserver isn't always the smartest when it comes to handling those. It reads the data from the header as best it can, but there isn't a "check to see if this email address exists locally even though it came in remotely" function.
I wasn't so much referring to the email address, but instead the IP address. It should be able to see the "from" address isn't the server's address. Seems like a quick easy check. I wrote a mail to my cousin who is an amazing programmer and very familiar with Unix so I will be curious to hear what he says. Thanks
 

DennisMidjord

Well-Known Member
Sep 27, 2016
322
64
78
Denmark
cPanel Access Level
Root Administrator
@cPRex
The article mentioned covers preventing inbound spoof emails, what about preventing outgoing spoof emails from servers?
You can't prevent spoofed mails 100% but setting up SPF and DKIM gets you a long way.
SPF lets you specify which IPs/hosts your email may be sent from.
DKIM adds a digital signature to the email which lets the receiving server verify that the message actually comes from your server.
Additionally, you can also set up DMARC which allows you to specify what the receiving server should do with the message in case SPF and/or DKIM fails.

It's still up to the receiving email server to support all those options, though, and you're never going to be able to prevent spoofing completely.
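To make the SPF, DKIM and DMARC mechanics described above concrete, here is an added example (not code from this thread, cPanel or Exim) that evaluates a simplified SPF record against the connecting IP and then applies DMARC alignment and policy the way a receiving server does. Everything in it is an assumption for the demo: the DNS records are a constructed in-memory table standing in for real TXT lookups, example.com and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are documentation placeholders, only the ip4/ip6/include/all SPF mechanisms are implemented, and DKIM signature verification is assumed to have run elsewhere and is passed in as a result.

```python
import ipaddress

# Constructed in-memory DNS TXT table standing in for live lookups (assumption for this demo).
# example.com and the 203.0.113.x / 198.51.100.x / 192.0.2.x ranges are documentation placeholders.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower())


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for the MAIL FROM domain.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    The a/mx/exists/ptr mechanisms need live DNS and are skipped here.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") or term.startswith("ip6:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


def org_domain(domain):
    """Simplified organizational domain: last two labels (real DMARC consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(from_domain, mail_from_domain, sender_ip, dkim_results=()):
    """Apply DMARC for the RFC5322.From domain.

    dkim_results holds (d= domain, result) pairs from a DKIM verifier assumed to
    have run already. Returns the DMARC result and the action the p= tag requests.
    """
    spf_result = check_spf(mail_from_domain, sender_ip)
    record = lookup_txt("_dmarc." + from_domain)
    if record is None or not record.startswith("v=DMARC1"):
        return {"result": "none", "action": "none", "spf": spf_result}
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return {"result": "pass", "action": "none", "spf": spf_result}
    return {"result": "fail", "action": tags.get("p", "none"), "spf": spf_result}


if __name__ == "__main__":
    # The connecting address from the headers pasted at the top of the thread, claiming example.com,
    # against the server's real address 203.0.113.10 (placeholder).
    print(check_dmarc("example.com", "example.com", "89.32.41.127"))
    print(check_dmarc("example.com", "example.com", "203.0.113.10"))
```

Run against the connecting address from the headers pasted at the top of the thread with a MAIL FROM of example.com, the record's -all gives SPF fail and DMARC requests p=quarantine; the same message from the server's own address passes. The check runs on whichever server receives the message, so publishing these records protects your domain at other people's servers, and helps your own inbound mail only where your server also evaluates them against your own records.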
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,718
1,862
363
cPanel Access Level
Root Administrator
I'm not sure how you would be detecting outbound spoofed messages? Do you have an example from a log that you could share of such a message being sent from your machine?

As @DennisMidjord mentioned, the same tools apply as they are DNS-level verification, so they'd help with either direction.
 

lowraxe

Member
Aug 22, 2022
8
1
3
Atlanta, GA
cPanel Access Level
Website Owner
I read through this thread, but didn't see that what I'm trying to do was clearly addressed. Perhaps I somehow missed it, but I think the responses have generally been that what I'm aiming to do is not possible for some reason. Here's my situation:

I have cPanel set so that any emails that arrive from my domain are whitelisted. In this way, even if one of the other folks on my domain sent me a spam, it would come through.

Recently, I have been receiving emails from spammers that are spoofing my domain, so, of course, those emails are coming through per my whitelist, which, as far as I can tell, only looks at the envelope-from line to identify who sent the email.

However, if I look at the headers for any of the spoofed emails, I can find clear differences between a valid email, sent from me or from any other sender on my domain, and one sent from a spammer. In particular, if I send an email from my domain to one of my other addresses on a different domain, I can see that there are distinct items that I would think I can filter based on. So, for example, if a particular item does not exist in the header, use the filter to send it to the spam folder.

So the question is, can't I set up a simple filter that looks for key items in the header of any email sent from my domain (or "sent from my domain") to identify it as validly sent from my domain, rather than from a spammer?

Thanks!
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,718
1,862
363
cPanel Access Level
Root Administrator
So the question is, can't I set up a simple filter that looks for key items in the header of any email sent from my domain (or "sent from my domain") to identify it as validly sent from my domain, rather than from a spammer?
Not really? If it were that easy, every email system on the planet would already have it in place and there would be no more spoofing.
 

lowraxe

Member
Aug 22, 2022
8
1
3
Atlanta, GA
cPanel Access Level
Website Owner
OK, while I was waiting for a response though, I just set up a filter that says if "from" contains my domain, and "any header" does not contain a certain line that my emails appear to consistently contain (in this case, X-authenticated-sender: <my host>) then send the email to spam. Is there a reason this is not a valid way to address what I've posed?
 

lowraxe

Member
Aug 22, 2022
8
1
3
Atlanta, GA
cPanel Access Level
Website Owner
Looks like it's working OK so far (last 20 minutes or so). I ran a couple of test emails through the filter test and it looked OK. I'll try to remember to report back here after a few weeks with an update on how it works out.

I'm not too concerned about a few spam spoofs slipping through. My bigger concern would be with rejecting too many valid emails. However, I'm working on a very specific case here, which is to filter out emails that are supposedly from my domain, but aren't actually. It seems like a controlled enough case that this (or something else) should be a reasonable solution.

If anyone on this forum who knows more than me about these issues (pretty much anyone) sees a flaw in what I'm doing, please let me know so I can modify my approach, or just give up altogether.

Thanks!
 

lowraxe

Member
Aug 22, 2022
8
1
3
Atlanta, GA
cPanel Access Level
Website Owner
Well, I found a problem pretty quickly. It appears the headers do not always contain the "X-authenticated-sender" line.

With that in mind, is there a way in cPanel to add some custom content to the header of any email that is sent out from my domain so that I can then filter based on that content?
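Picking up linkup's original point that the server can see the connecting IP is not its own, and lowraxe's filter on X-authenticated-sender, which turned out not to be present on every legitimate message: the following is an added example, not code from this thread, cPanel or Exim, of a heuristic that relies only on the Received line this server wrote itself rather than on any header the sender supplied. Everything below the server's own Received line, including an X-Authenticated-Sender header, is under the sender's control and can be forged, which is why a rule keyed on the presence of such a header is weak. The example assumes the server's hostname is server.example.com, that it hosts example.com, that 203.0.113.10 is its own address, and that Exim's protocol tokens ending in "a" (esmtpa, esmtpsa) mark an SMTP-authenticated session; the message samples are constructed, modelled on the headers pasted at the top of the thread.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this demo (constructed, not taken from the thread):
MY_HOST = "server.example.com"        # the name Exim writes after "by" in its own Received line
LOCAL_DOMAINS = {"example.com"}       # domains hosted on this server
LOCAL_IPS = {"203.0.113.10"}          # this server's own addresses (trusted relays could be added)

# Matches Exim-style "from [ip] (...) by host with protocol"; a hostname before [ip] is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\][^;]*?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)",
    re.IGNORECASE,
)


def first_hop_at_my_server(msg):
    """Return (connecting_ip, protocol) from the Received line MY_HOST wrote when it accepted the message.

    Received headers are prepended as the message travels, so the first one with
    "by MY_HOST" (skipping LMTP local delivery) is where the message entered this
    server. Lines above it were written by this server; lines below it came from
    the sender and can be forged.
    """
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())          # unfold the header
        m = RECEIVED_RE.search(flat)
        if not m or m.group("by").lower() != MY_HOST:
            continue
        proto = m.group("proto").lower()
        if proto.startswith("lmtp"):
            continue
        return m.group("ip"), proto
    return None, None


def classify(raw_message):
    """Decide whether a message whose From: claims a local domain really originated here."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in LOCAL_DOMAINS:
        return "not-local-claim"          # outside this heuristic's scope
    ip, proto = first_hop_at_my_server(msg)
    if ip is None:
        return "locally-generated"        # never crossed our SMTP boundary (e.g. a local submission)
    if proto.endswith("a"):               # Exim's esmtpa / esmtpsa: the session passed SMTP AUTH
        return "authenticated"
    if ip in LOCAL_IPS:
        return "trusted-relay"
    return "suspect-spoof"                # claims our domain, arrived unauthenticated from a foreign IP


# Constructed sample: external host claims lew@example.com and even adds a forged
# X-Authenticated-Sender header below the server's own Received line.
SPOOFED = """\
Return-Path: <>
Received: from server.example.com
    by server.example.com with LMTP id B5xPMrFAomIAKQAAk1qiSg
    for <lew@example.com>; Thu, 09 Jun 2022 12:49:21 -0600
Received: from [89.32.41.127] (port=37267 helo=solden.be)
    by server.example.com with esmtp (Exim 4.95)
    id 1nzNDf-0002jD-5k
    for <lew@example.com>; Thu, 09 Jun 2022 12:49:21 -0600
X-Authenticated-Sender: server.example.com
From: Lew <lew@example.com>
To: lew@example.com
Subject: constructed spoof sample

body
"""

# Constructed sample: the same From:, submitted over an authenticated session (esmtpsa).
AUTHENTICATED = """\
Received: from [198.51.100.23] (port=51234 helo=laptop.lan)
    by server.example.com with esmtpsa (TLS1.3) tcp (Exim 4.95)
    (envelope-from <lew@example.com>)
    id 1aBcDe-000123-Xy
    for <lew@example.com>; Thu, 09 Jun 2022 13:00:00 -0600
From: Lew <lew@example.com>
To: lew@example.com
Subject: constructed authenticated sample

body
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED), ("authenticated", AUTHENTICATED)]:
        print(name, "->", classify(sample))
```

The design point is which header gets trusted: the Received line your own server adds records the real connecting address and whether SMTP AUTH was used, so the forged X-Authenticated-Sender in the first sample changes nothing, while the second sample is accepted because the session itself authenticated. A whitelist that fires on the From domain alone, as in the setup described earlier in the thread, is the weak point; a rule keyed on origin rather than on the claimed address avoids it, and messages with no such hop (generated locally) are left alone rather than rejected.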