How to block spoofed emails

[linkup]

Recently I have been getting emails FROM myself that are obviously spoofed. The mails are addressed to one of my email accounts, it shows coming from my server, but the headers shows it was received from another server, in this example, in Belgium. I thought there was a method to differentiate mails that were originated from my server vs. ones originating on another server spoofed to show coming from my server.

Return-Path: <>
Delivered-To: (MY EMAIL ADDRESS)
Received: from (MY SERVER)
by (MY SERVER) with LMTP
id B5xPMrFAomIAKQAAk1qiSg
(envelope-from <>)
for <MY EMAIL>; Thu, 09 Jun 2022 12:49:21 -0600
Return-path: <>
Envelope-to: (MY EMAIL ADDY)
Delivery-date: Thu, 09 Jun 2022 12:49:21 -0600
Received: from [89.32.41.127] (port=37267 helo=solden.be)
by (MY SERVER) with esmtp (Exim 4.95)
id 1nzNDf-0002jD-5k
for(MY EMAIL ADDY);
Thu, 09 Jun 2022 12:49:21 -0600
Received: from 10.221.57.15
by atlas108.aol.mail.ne1.yahoo.com with HTTPS; Thu, 9 Jun 2035 12:34:30 +0000
X-Originating-Ip: [40.92.75.106]
Received-SPF: pass (domain of hotmail.com designates 40.92.75.106 as permitted sender)
Authentication-Results: atlas108.aol.mail.ne1.yahoo.com;
dkim=pass [email protected] header.s=selector1;
spf=pass smtp.mailfrom=hotmail.com;
dmarc=pass(p=NONE) header.from=hotmail.com;
*************************
Isn't there a method for cPanel to recognize that the from isn't the from? I get so much spam anyway that I use Mailwasher to review mail on my server where I manage it and deleted the spam I can detect at the server so it doesn't come down to my email program (Thunderbird).

cPanel & WHM v102.0.18

Because Mailwasher thinks they are coming from me, it doesn't detect them as spam so I have to manually delete them in MW before downloading mail. If possible, I would like the server to stop them from even being put into my email server.

Thanks so much!
Lew

 

[cPRex]

Hey there! The short answer is "you can't" - if there was a foolproof way to handle these it would be famous and implemented everywhere by now. The best recommendation would be to review the details here and ensure everything is set up on your side as best it can be to help authenticate legitimate messages from your server:

Preventing spoofed emails

Symptoms If you've had an email delivered that was sent from your address, and you know you didn't send the message, that's an example of a spoofed email. These are often used in phishing scams or...

support.cpanel.net

 

[linkup]

Pardon my ignorance as I haven't programmed in 30 years, but since it "knows" the mail didn't originate on my server, how hard is it to determine it is spoofed? Thanks for the link!

 

[linkup]

Hey there! The short answer is "you can't" - if there was a foolproof way to handle these it would be famous and implemented everywhere by now. The best recommendation would be to review the details here and ensure everything is set up on your side as best it can be to help authenticate legitimate messages from your server:

Preventing spoofed emails

Symptoms If you've had an email delivered that was sent from your address, and you know you didn't send the message, that's an example of a spoofed email. These are often used in phishing scams or...

support.cpanel.net

The link talks about the three deliverability settings which were enabled at the server level and I checked the domain in question and were set up there. If that is all I can do....then I guess I will have to deal with manual deletion. Thanks again!

 

[cPRex]

You're very welcome! As far as the "it should know" issue, the mailserver isn't always the smartest when it comes to handling those. It reads the data from the header as best it can, but there isn't a "check to see if this email address exists locally even though it came in remotely" function.

 

[linkup]

You're very welcome! As far as the "it should know" issue, the mailserver isn't always the smartest when it comes to handling those. It reads the data from the header as best it can, but there isn't a "check to see if this email address exists locally even though it came in remotely" function.

I wasn't so much referring to the email address, but instead the IP address. It should be able to see the "from" address isn't the server's address. Seems like a quick easy check. I wrote a mail to my cousin who is an amazing programmer and very familiar with Unix so I will be curious to hear what he says. Thanks

 

[Jonathan.c]

@cPRex
The article mentioned covers preventing inbound spoof emails, what about preventing outgoing spoof emails from servers?

 

[DennisMidjord]

@cPRex
The article mentioned covers preventing inbound spoof emails, what about preventing outgoing spoof emails from servers?

You can't prevent spoofed mails 100% but setting up SPF and DKIM gets you a long way.
SPF lets you specify which IP's/hosts that your email may be sent from.
DKIM adds a digital signiture to the email which lets the receiving server verify that the message actually comes from your server.
Additionally, you can also setup DMARC which allows you to specify what the receiving server should do with the message in case SPF and/or DKIM fails.

It's still up to the receiving email server to support all those options, though, and you're never going to be able to prevent spoofing completely.

 

[cPRex]

I'm not sure how you would be detecting outbound spoofed messages? Do you have an example from a log that you could share of such a message being sent from your machine?

As @DennisMidjord mentioned, the same tools apply as they are DNS-level verification, so they'd help with either direction.

 

[lowraxe]

I read through this thread, but didn't see that what I'm trying to do was clearly addressed. Perhaps I somehow missed it, but I think the responses have generally been that what I'm aiming to do is not possible for some reason. Here's my situation:

I have cPanel set so that any emails that arrive from my domain are whitelisted. In this way, even if one of the other folks on my domain sent me a spam, it would come through.

Recently, I have been receiving emails from spammers that are spoofing my domain, so, of course, those emails are coming through per my whitelist, which, as far as I can tell, only looks at the envelope-from line to identify who sent the email.

However, if I look at the headers for any of the spoofed emails, I can find clear differences between a valid email, sent from me or from any other sender on my domain, and one sent from a spammer. In particular, if I send an email from my domain to one of my other addresses on a different domain, I can see that there are distinct items that I would think I can filter based on. So, for example, if a particular item does not exist in the header, use the filter to send it to the spam folder.

So the question is, can't I set up a simple filter that looks for key items in the header of any email sent from my domain (or "sent from my domain") to identify it as validly sent from my domain, rather than from a spammer?

Thanks!

 

[cPRex]

So the question is, can't I set up a simple filter that looks for key items in the header of any email sent from my domain (or "sent from my domain") to identify it as validly sent from my domain, rather than from a spammer?

Not really? If it were that easy, every email system on the planet would already have it in place and there would be no more spoofing.

 

[lowraxe]

OK, while I was waiting for a response though, I just set up a filter that says if "from" contains my domain, and "any header" does not contain a certain line that my emails appear to consistently contain (in this case, X-authenticated-sender: <my host>) then send the email to spam. Is there a reason this is not a valid way to address what I've posed?

 

[cPRex]

It's possible that will work well for you, but spammers that send out millions of emails can manipulate the headers any way they choose, so this may not work for every situation.

 

[lowraxe]

Looks like it's working OK so far (last 20 minutes or so). I ran a couple of test emails through the filter test and it looked OK. I'll try to remember to report back here after a few weeks with an update on how it works out.

I'm not too concerned about a few spam spoofs slipping through. My bigger concern would be with rejecting too many valid emails. However, I'm working on a very specific case here, which is to filter out emails that are supposedly from my domain, but aren't actually. It seems like a controlled enough case that this (or something else) should be a reasonable solution.

If anyone on this forum who knows more than me about these issues (pretty much anyone) sees a flaw in what I'm doing, please let me know so I can modify my approach, or just give up altogether.

Thanks!

 

[lowraxe]

Well, I found a problem pretty quickly. It appears the headers do not always necessarily contain the "X-authenticated-sender" line.

With that in mind, is there a way in cPanel to add some custom content to the header of any email that is sent out from my domain so that I can then filter based on that content?

 

[cPRex]

Told ya

There is a way with Exim itself, but that work would need to be researched and performed outside of cPanel tools, and our tools don't get to that level of Exim customization.