
Mail spoofing

Discussion in 'E-mail Discussions' started by EdwardRC, Sep 29, 2013.

  1. EdwardRC

    EdwardRC Registered

    Hello, I need your help guys.
    All the replies that I got from providers are not acceptable for me.
    Here's the thing.

    cPanel account, small company of 10 guys with a mail account for each one.
    Each user only knows his own mail password.
    So, as the hosting is configured, someone could send mails from another real mail account. How?
    Quick and simple example: John only knows his user/pass and he set up the profile in Outlook.
    Steve is mad at John and just created a profile in the mail client with John's mail, knowing only john@somedomain.com. He left the password input blank and he could send a mail in John's name.
    AFAIK, setting up SPF is not helping here, because it's not a matter of IPs. For some reason, the mail account doesn't ask for SMTP authentication.
    I hear about Exim as the only option in cPanel and Postfix as a possible solution with another control panel.
    The goal here is that each mail account which is set up in any mail client without the right password should be prompted to fill in the mail password.

    Any idea how to do this?

    Thanks in advance for your help/time.
    Edward
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This scenario should not be possible with the default configuration of Exim on a cPanel server. While it's possible to spoof the "FROM" address, it's not possible to authenticate via SMTP without a password or without first logging in with that same account via POP3. Have you consulted with your web hosting provider in order to have them reproduce the issue?

    Thank you.
     
  3. mtindor

    mtindor Well-Known Member

    Steve could easily set the FROM address in his email client to john@domain.com but continue to SMTP Authenticate using steve@domain.com. There is no way around that.

    If a person has SMTP authentication credentials (i.e. an email account set up), they can send mail as anyone they want as long as they authenticate first. I could set up an email account on a mailserver called m@mydomain.com. I could send email with the FROM address of anyone@fromanywhere.ext if I wanted to, by simply setting the FROM address to whatever I want and authenticating as m@mydomain.com. Sure, some remote mail systems might detect that it is spoofed depending upon the domain I'm pretending to be from and how the remote mailserver is configured. But for the most part, there is no way around this.

    If you have a problem with Steve being mad at John and Steve faking emails as John, Steve oughta be canned. That's not acceptable practice, or shouldn't be.

    M
     
  4. EdwardRC

    EdwardRC Registered

    Thanks for the reply.

    That's exactly what I need.
    Sounds more than logical to me. If you wanna send an email from an account, you should have to fill in the password (if it isn't saved in the mail client). If you check the account via POP3 before sending, OK, let it go, but if you didn't, ask me for credentials.
    The hosting (host.gat.or) said that cPanel and Exim can't prevent that because Postfix is not supported.
    How could I be sure that the right settings are running on my hosting service?

    Thanks
     
  5. EdwardRC

    EdwardRC Registered

    If this is really true...I'm done :(
    But I reproduced the issue on Outlook Express. I didn't have to fill in user/pass with Steve's information. I just completed the user with any real mail account (created in cPanel), leaving the password input blank.
    The mail was sent knowing only a real mail address.

    I can't believe that there is not a solution for this simple security problem.

    Take that as a simple example. Can you imagine any small company allowing people to send mails in the name of another guy? Spoofing is not a simple problem, I got it, but asking for the right credentials of the sender mail address is, I guess, basic.

    I'm not an expert on this matter, but why do other mail systems ask for mandatory authentication before any receiving/sending?

    Thanks


    M
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You will need to consult with your web hosting provider if you were able to send emails from an account without entering a password. This indicates a custom configuration not native to cPanel. You are welcome to have them submit a support ticket to us to investigate the issue if they are not sure why that's happening.

    Thank you.
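A defender-side check for the two behaviours discussed in this thread (authenticating as one mailbox while sending as another, and submitting with no authentication at all), added here as an example and not posted by any participant or taken from cPanel: it scans Exim main-log arrival lines and compares the envelope sender with the authenticated ID after `A=`. The log lines, hosts, message IDs and the `audit` function are constructed for illustration; it assumes the authenticator records the login as `A=name:login` and it looks at the envelope sender, not the `From:` header.

```python
import re

# Constructed Exim mainlog lines; hosts, IPs and message IDs are made up.
SAMPLE_LOG = """\
2013-09-29 10:01:12 1VQaaa-0001aa-AA <= steve@somedomain.com H=(pc1) [203.0.113.10]:50100 P=esmtpa A=dovecot_login:steve@somedomain.com S=1203
2013-09-29 10:05:40 1VQbbb-0001bb-BB <= john@somedomain.com H=(pc1) [203.0.113.10]:50144 P=esmtpa A=dovecot_login:steve@somedomain.com S=1188
2013-09-29 10:09:03 1VQccc-0001cc-CC <= john@somedomain.com H=(pc2) [203.0.113.11]:50210 P=esmtp S=1150
2013-09-29 10:12:30 1VQddd-0001dd-DD <= client@example.net H=mx.example.net [198.51.100.7]:25 P=esmtp S=2301
2013-09-29 10:12:31 1VQddd-0001dd-DD Completed
"""

# "<=" marks a message arrival; the token after it is the envelope sender.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# A=<authenticator>[:<authenticated id>] is logged only for authenticated SMTP.
AUTH = re.compile(r"(?:^| )A=(?P<mech>[^:\s]+)(?::(?P<user>\S+))?")


def audit(log_text, local_domains):
    """Return (message id, finding, envelope sender, authenticated id) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries, completions, rejections, etc.
        sender, rest = m["sender"].lower(), m["rest"]
        if sender.rpartition("@")[2] not in local_domains:
            continue  # inbound mail and bounces ("<>") are out of scope
        if " P=local" in " " + rest:
            continue  # submitted on the server itself, not over SMTP
        auth = AUTH.search(rest)
        if auth is None:
            # Local-domain sender accepted over SMTP with no AUTH. This can
            # also be POP-before-SMTP, which logs no A= field either.
            findings.append((m["id"], "unauthenticated", sender, None))
        elif auth["user"] and auth["user"].lower() != sender:
            # Logged in as one mailbox, sending as another.
            findings.append((m["id"], "sender-mismatch", sender,
                             auth["user"].lower()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"somedomain.com"}):
        print(finding)
```

Legitimate aliases and shared mailboxes also show up as `sender-mismatch`, so review the findings against the account list before acting on them.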
     