
New to email spoofing. please direct me right thread.

Discussion in 'E-mail Discussions' started by hetch, Feb 4, 2009.

  1. hetch

    hetch Active Member

    Joined:
    Feb 4, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I am new to the hosting thing. I am receiving spam from my OWN email address.

    My host said somebody is spamming from my VPS.

    Can anybody direct me to a thread that explains how to stop this? I did search the forums. It is too confusing. Everybody told some solution, but if something is working on one site, it is not working on another.

    thanks much.
     
  2. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    If the username part (left of the @ symbol) of the forged FROM address is not a mailbox that you set up in your Control Panel, then you are receiving the unwanted messages through your default address. To stop receiving these messages, you could set your default address to ":fail: no such address here" so that you will no longer receive mail addressed to non-existent addresses at @yourdomain.com. Or, if you want to keep your default account, but just want to disable incoming email for one particular address, you can create a forward in your Control Panel for the unwanted address and set it to forward to ":fail: no such address here" to bounce the email or ":blackhole:" to simply delete it.

    If the forged email address is one that is important to you, that you need to receive email at, there is nothing that can be done short of using the email filters in your Control Panel to blacklist the FROM addresses in the undeliverable notices, such as postmaster@yourdomain.com. However, this is not recommended because messages FROM those types of addresses are often important and most of the time you will want to receive them.
     
  3. hetch

    hetch Active Member

    Joined:
    Feb 4, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    My host said they are using my vps to send spam.

    Can I enable this setting under WHM > Tweak settings - "Allow mail account authentication using the password of the domain owner's account". So spammers can't use smtp?

    I am worried that my main IP will be blacklisted.

    I set up SPF record,
    no open relay,
    All accounts default address set to :fail:
    No script with 777 chmoded directories.

    So can I enable "Allow mail account authentication using the password of the domain owner's account"?

    Any disadvantages?

    thanks much.
     
  4. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    I would suggest looking into CSF. It has additional settings not normally available in the WHM Security settings that will help to filter out who can send email from your server with SMTP.
    Try these links:
    http://www.configserver.com/free/spammers.html
    http://www.configserver.com/cp/csf.html
    Is your PHP compiled with SU_PHP? Doing so will help to track down where the exploited scripts are, if there are any on your system... it will cause the script to execute as the actual owner, instead of as "nobody", and using extended mail headers, you will be able to track down where the actual script is located (if there is one).
     
  5. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    That would be a good start. No disadvantages; you may have to set your computer's email software to use the authentication when sending email after you enable it on your server.

    It could be a script running in the /tmp directory; the CSF firewall listed above could help you in finding a script like this.

    Also, securing the /tmp directory would be a good idea. It can be tough on some VPSes; you might ask your provider for help on that. Generally on a VPS you have to edit /etc/fstab with something along the lines of
    Code:
    /tmp /var/tmp none bind,nosuid,nodev,noexec,rw 0 0
    /var/tmp /tmp none bind,nosuid,nodev,noexec,rw 0 0
    # the posted /dev/shm line had only five fields; a self-bind mount point is assumed here
    /dev/shm /dev/shm none bind,nosuid,noexec,rw 0 0
    
    Another good way to find out where the spam is coming from is to enable SuPhp, but be ready to fix some scripts. Enabling this will make the email being sent come from the username of whoever is sending it instead of coming from nobody@yourserver.com

    Good luck!
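
To confirm that fstab options like the ones posted above are actually in effect, the mount table can be compared against the required flags. This is an added example, not code from any post in the thread; the `/proc/mounts` excerpt, device names and the `missing_options` helper are constructed for illustration.

```python
# Options the post above asks for on each mount point.
REQUIRED = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
    "/dev/shm": {"noexec", "nosuid"},
}

# Constructed /proc/mounts excerpt: /var/tmp was left unhardened on purpose.
SAMPLE_MOUNTS = """\
/dev/vda1 / ext3 rw,relatime 0 0
/dev/vda1 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 /var/tmp ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec,relatime 0 0
"""

def missing_options(mounts_text, required=REQUIRED):
    """Map each required mount point to the hardening options it lacks."""
    effective = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # A later entry for the same path is the mount on top, so it wins.
            effective[fields[1]] = set(fields[3].split(","))
    report = {}
    for path, wanted in required.items():
        if path not in effective:
            report[path] = sorted(wanted)          # not a separate mount at all
        elif wanted - effective[path]:
            report[path] = sorted(wanted - effective[path])
    return report

if __name__ == "__main__":
    # On a live server, pass open("/proc/mounts").read() instead of the sample.
    for path, lacking in missing_options(SAMPLE_MOUNTS).items():
        print(f"{path}: missing {','.join(lacking)}")
```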
     
  6. hetch

    hetch Active Member

    Joined:
    Feb 4, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Thanks both of you!

    I enabled mail authentication.

    My host enabled suphp for my VPS.

    Still I am receiving spam from my OWN EMAIL.

    Any other things I need to take care of?

    If I ask my host to install CSF, will it break the next upgrades of cPanel?

    My host said to enable SpamAssassin. SpamAssassin just blocks these spam emails to my account. It does NOT actually stop the spammer. He will be sending spam from my VPS happily. So it won't be much use to me.

    thanks.
     
  7. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    CSF is simple to install, go to configserver.com and click on the CSF firewall and read the readme file.

    If your email address was hijacked, about all you can do is enable an SPF record and let it run the course. If you install CSF you can use your logs to find the spammer's IP and block them.
     
  8. hetch

    hetch Active Member

    Joined:
    Feb 4, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Thanks. I will ask my host to checkout CSF.

    One last question (I hope):
    For a spammer to spoof an email from my domain, should that email address ACTUALLY EXIST on my site as a POP3 or alias?

    (All my sites have catch-all set to :fail: )

    thanks very much.
     
  9. hetch

    hetch Active Member

    Joined:
    Feb 4, 2009
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Could any cPanel gurus please answer my question?

    -------------
    For a spammer to spoof an email from my domain, should that email address ACTUALLY EXIST on my site as a POP3 or alias?

    (All my sites have catch-all set to :fail: )
    -------------

    thanks.
     
  10. vwiley1

    vwiley1 Well-Known Member

    Joined:
    Oct 4, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Could you post the full email headers? Perhaps this will give the community some clues to solve your problem.
     
  11. britsenigma

    britsenigma Well-Known Member

    Joined:
    Dec 14, 2008
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    How many emails are we talking about here? Just 1 or 100?

    An email account doesn't have to exist. If your server is set up for SMTP Authentication, you can use it to send email from any address you choose, unless there is an anti-spam system to force domain-only checks of some kind.

    Secondly, the emails might not have come from your server. I could send emails from my server to your destination server B, providing server B doesn't do a reverse lookup to see whether my hostname/IP is actually allowed to send email from that address.

    To help fight this, turn on Domain Keys and SPF under Email Authentication, which is an icon available when you're browsing as a user.

    As previously stated, the receiver has to be set up properly to make heads or tails of those anti-spam systems.
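
The two cases raised in the posts above (mail generated on the server itself versus a forged From sent from another host) can be told apart from the full headers. This is an added example, not code from any post in the thread; the messages, the SPF record, `example.com` and the 192.0.2.x / 203.0.113.x addresses are constructed, and only the `ip4`/`ip6`/`all` SPF terms are evaluated because the others need DNS.

```python
import ipaddress
import re
from email import message_from_string

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed samples; every name and address here is a placeholder.
SPF_RECORD = "v=spf1 ip4:192.0.2.10 -all"
FROM_OUTSIDE = (
    "Received: from pc77.example.net ([203.0.113.77])\n"
    "\tby vps.example.com with esmtp; Wed, 04 Feb 2009 10:00:02 -0500\n"
    "From: me@example.com\nTo: me@example.com\nSubject: sample\n\nbody\n"
)
FROM_LOCAL_SCRIPT = (
    "Received: from nobody by vps.example.com with local\n"
    "\tid 1LUabc-0001; Wed, 04 Feb 2009 10:05:00 -0500\n"
    "From: me@example.com\nTo: me@example.com\nSubject: sample\n\nbody\n"
)

def connecting_ip(raw_message):
    """IP in the topmost Received header, the one stamped by your own MTA."""
    received = message_from_string(raw_message).get_all("Received", [])
    match = re.search(r"\[([0-9A-Fa-f:.]+)\]", received[0]) if received else None
    return match.group(1) if match else None

def spf_result(ip, record):
    """Evaluate only the ip4/ip6/all terms of an SPF record, left to right."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:               # skip "v=spf1"
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and value:
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        # a, mx, include etc. need DNS lookups; this offline sketch skips them
    return "neutral"

def origin(raw_message, record=SPF_RECORD):
    """Summarise where a message addressed to your own server came from."""
    ip = connecting_ip(raw_message)
    if ip is None:
        return "local submission on this server"
    return f"{ip}: spf={spf_result(ip, record)}"

if __name__ == "__main__":
    for sample in (FROM_OUTSIDE, FROM_LOCAL_SCRIPT):
        print(origin(sample))
```

A result of `spf=fail` for a foreign address means the message only borrowed the From address and was not sent by the server; a local submission points back at a script or account on the box.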
     