Outbound email using authentication: identify_local_connection

[hendranata]

helo

i still curious how the spammer send big email(spam).
when spammer happen in my server, i take a note that almost spammer use similar to this:

Event: failure error
Sender User: domain
Sender Domain: domain.com
From Address: [EMAIL][email protected][/EMAIL]
Sender: domain
Sent Time: Sep 5, 2017 9:06:21 PM
Sender Host: localhost
Sender IP: 127.0.0.1
[B]Authentication: identify_local_connection[/B]
Spam Score:
Recipient: [EMAIL][email protected][/EMAIL]
Delivered To:
Delivery User: -system-
Delivery Domain:
Router: fail_remote_domains
Transport: fail
Out Time: Sep 5, 2017 9:06:21 PM
ID: 1dpEUQ-00410G-VI
Delivery Host:
Delivery IP:
Size: 14.17 KB

i have read this as well
How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

except SMTP restrictions is still disable since i need user to be able to use external mail server.


Authentication: identify_local_connection <-- i dont know how they achieve that,,but i am pretty sure they are using php script to send email spam..
until now i dont have any idea to prevent that..

prevent no body already enable, spamassasin global on, spam score as well, and many more.

i have no luck to prevent spammer such of that... any idea?

 

[hendranata]

another example email that send using Authentication: identify_local_connection

Event: success 
Sender User: root
Sender Domain: -system-
From Address: [EMAIL][email protected][/EMAIL]
Sender: root
Sent Time: Sep 6, 2017 7:39:19 PM
Sender Host: localhost.localdomain
Sender IP: 127.0.0.1
[B]Authentication: identify_local_connection [/B]
Spam Score: 2.6
Recipient: [EMAIL][email protected][/EMAIL]
Delivered To: [EMAIL][email protected][/EMAIL]
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: Sep 6, 2017 7:59:19 PM
ID: 1dpZbd-0037XA-RS
Delivery Host: gmail-smtp-in.l.google.com
Delivery IP: 74.125.68.26
Size: 37.31 KB
Result: Accepted

yes above quote is a normal email which is send by cpanel itself..
but sometime spammer use similar method i guess..since they use "Authentication: identify_local_connection"

 

[cPanelMichael]

Hello,

You can configure Exim to put the actual sender in the header by enabling the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).

This is documented at:

How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

Additionally, if you can't enable "SMTP Restrictions", I suggest using a third-party firewall management utility such as CSF instead:

ConfigServer Security & Firewall

There are options that allow you to restrict SMTP similar to the SMTP Restrictions option in WHM, while also excluding certain users from that protection.

Note that you may also want to review some of the threads listed at the below URL to see how other users are combating this type of SPAM:

outgoingspam | cPanel Forums

Thank you.

 

[hendranata]

Csf installed already.
I thought that enable smtp restiction from whm is similar to smtp_block = 1 in csf..

Hmm will try later to make sure

 

[cPanelMichael]

I thought that enable smtp restiction from whm is similar to smtp_block = 1 in csf..

Yes, that's true, however CSF allows you to exclude users so you can enable it globally and allow specific accounts the ability to send via a remote server with the "SMTP_ALLOWUSER" rule.

Thank you.

 

[hendranata]

yes CSF is very helpful.

i enable SMTP_BLOCK = 1 and SMTP_REDIRECT = 1
it seems nobody can relay my mail server without SMTP authentication first.

Rejected relay attempt: '76.164.xxx.xx' From: '[email protected]' To: '[email protected]'

but i dont know who did that.. since the sender : System

i have check exim logs, there is no clue..

however interesting area, if i restart exim (without change any settings, just restart), then likely spammer can relay mail server again... i guess it is because firewall setting from CSF has been overwrite by exim..
the solution after restart exim, next i need to restart CSF again..

but i am not sure if we did restart CSF, it might be some settings in Exim has been overwrite by CSF..

any idea?

 

[cPanelMichael]

Hello,

That question is better asked to CSF directly. You can find their support forums at:

General Discussion (csf) - ConfigServer Community Forum

Thank you.