Is there a way to reject messages if...

tui

Well-Known Member
Jun 15, 2007
Mexico
cPanel Access Level
Root Administrator
A very common spammer practice is to send mails hiding the real senders and recipients; let me explain:

First example: They send spam/scam/phishing mails from [email protected], but in the FROM: field on the email client (webmail or any other app) it shows as if it is coming from [email protected].

Second example: Spammers send mails from [email protected] that in the FROM: field on the email client (webmail or any other app) show as if they are coming from [email protected], AND they send scam mails to a valid mailbox like [email protected], BUT the TO: field on the email client (webmail or any other app) shows that the mail is TO some other fake user like [email protected].

In the first example the spammers/scammers want to make people think that it comes from a legitimate account, [email protected], when it actually comes from [email protected].

In the second example, the spammers/scammers want to make people think that it comes from a legitimate account, [email protected], when it actually comes from [email protected]; but also, they want to make people think that the mail arrived in their mailbox by mistake, because the TO: field says [email protected] when the mail was actually targeted at [email protected].

The problem with these emails is that they actually come from real accounts/domains; the domains have correct spf, rdn and dkim records, and the accounts actually exist, so all the dkim, spf, rdn and other checks pass and these mails go directly to the inbox.

There is no way to see with the naked eye that the emails really come from other accounts, or that they are targeted at real accounts, unless you look at the headers or reveal the real sender by making some taps or clicks on the "FROM" field in the email client, and this is a very big problem and security issue.

My clients and I receive dozens of these mails every day... so my question:

Is there a way to reject mails where the FROM: AND/OR TO: fields do not match the real sender/recipient that are in the headers?

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! The short answer is no, not really, because if it were that easy everyone would already be doing it and these types of spam and phishing messages would quickly die out. They specifically send these types of messages because they are hard to block.

I'm sure there are Exim tricks that could be used for specific situations, but I don't have a general cure available for this issue.

tui

Well-Known Member
Jun 15, 2007
Mexico
cPanel Access Level
Root Administrator
Too bad :( I was looking for a way on the Exim website and GitHub to make a request for something that could help mitigate these mails, but I could not find any. I do not think it would be difficult to implement something that could help with this, but idk... :rolleyes:

Is there a way we can make requests like this to the Exim devs? Or a way we can make some rules or something? I'm thinking only of something like

if ("to:" != "for") {reject}
if ("to:" != "envelope-to") {reject}
if ("envelope-from" != "from:") {reject}
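The comparison sketched in the thread (header From: against the envelope sender, visible To:/Cc: against the envelope recipients), written out as an added Python example that is not part of the original thread or of Exim; the message and envelope values are constructed, and the envelope must be passed in from the SMTP session because a Return-Path line in the body cannot be trusted:

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample: header From:/To: differ from the envelope sender and
# recipient, which is the pattern the thread describes.
RAW_MESSAGE = b"""\
From: "Accounts" <accounts@legit.example>
To: someone-else@example.net
Subject: Invoice attached

Please see the attached invoice.
"""

def header_addresses(msg, name):
    """Return lower-cased addr-specs from every instance of a header field."""
    values = msg.get_all(name, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def alignment_findings(raw, envelope_from, envelope_rcpts):
    """Compare RFC 5322 From:/To:/Cc: against the SMTP envelope.

    envelope_from is the MAIL FROM address, envelope_rcpts the RCPT TO list,
    both as seen by the MTA. Returns a list of mismatch descriptions; an empty
    list means header and envelope are aligned.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    if hdr_from and hdr_from != envelope_from.lower():
        findings.append(f"From header {hdr_from} != envelope sender {envelope_from}")
    visible = header_addresses(msg, "To") | header_addresses(msg, "Cc")
    rcpts = {r.lower() for r in envelope_rcpts}
    # Bcc is legitimately absent from the headers, so only flag when none of
    # the envelope recipients appears anywhere in the visible To:/Cc: fields.
    if visible and rcpts.isdisjoint(visible):
        findings.append(f"no envelope recipient in To/Cc: {sorted(visible)}")
    return findings

if __name__ == "__main__":
    for line in alignment_findings(RAW_MESSAGE, "sender@spammer.example",
                                   ["victim@example.org"]):
        print("MISMATCH:", line)
```

Mailing lists, forwarders and Bcc deliveries legitimately fail one or both of these comparisons, so the result is better used as a spam-score signal than as an outright reject.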