Outbound email using authentication: identify_local_connection

Discussion in 'E-mail Discussions' started by hendranata, Sep 6, 2017.

  1. hendranata

    hendranata Member

    Joined:
    Aug 24, 2017
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    sby
    cPanel Access Level:
    Root Administrator
    Hello,

    I am still curious how the spammer sends big email (spam).
    When spamming happens on my server, I have noted that almost every spammer uses something similar to this:

    Code:
    Event: failure error
    Sender User: domain
    Sender Domain: domain.com
    From Address: noreplay@example.org
    Sender: domain
    Sent Time: Sep 5, 2017 9:06:21 PM
    Sender Host: localhost
    Sender IP: 127.0.0.1
    Authentication: identify_local_connection
    Spam Score:
    Recipient: 000000@xxxxxx.com
    Delivered To:
    Delivery User: -system-
    Delivery Domain:
    Router: fail_remote_domains
    Transport: fail
    Out Time: Sep 5, 2017 9:06:21 PM
    ID: 1dpEUQ-00410G-VI
    Delivery Host:
    Delivery IP:
    Size: 14.17 KB
    

    I have read this as well:
    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Except SMTP Restrictions is still disabled, since I need users to be able to use an external mail server.


    Authentication: identify_local_connection <--
    I don't know how they achieve that, but I am pretty sure they are using a PHP script to send email spam.
    Until now I don't have any idea how to prevent that.

    Prevent "nobody" is already enabled, SpamAssassin is globally on, spam score as well, and many more.

    I have had no luck preventing spammers like that... any idea?
     
    #1 hendranata, Sep 6, 2017
    Last edited by a moderator: Sep 6, 2017
  2. hendranata

    Another example email that was sent using Authentication: identify_local_connection:

    Code:
    Event: success 
    Sender User: root
    Sender Domain: -system-
    From Address: cpanel@xx.xxxxxxxx.net
    Sender: root
    Sent Time: Sep 6, 2017 7:39:19 PM
    Sender Host: localhost.localdomain
    Sender IP: 127.0.0.1
    Authentication: identify_local_connection
    Spam Score: 2.6
    Recipient: xxxx@gmail.com
    Delivered To: xxxx@gmail.com
    Delivery User: -remote-
    Delivery Domain:
    Router: lookuphost
    Transport: remote_smtp
    Out Time: Sep 6, 2017 7:59:19 PM
    ID: 1dpZbd-0037XA-RS
    Delivery Host: gmail-smtp-in.l.google.com
    Delivery IP: 74.125.68.26
    Size: 37.31 KB
    Result: Accepted
    
    Yes, the above quote is a normal email which is sent by cPanel itself,
    but sometimes spammers use a similar method, I guess, since they use "Authentication: identify_local_connection".
     
    #2 hendranata, Sep 6, 2017
    Last edited by a moderator: Sep 6, 2017
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,080
    Likes Received:
    1,364
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You can configure Exim to put the actual sender in the header by enabling the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).

    This is documented at:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Additionally, if you can't enable "SMTP Restrictions", I suggest using a third-party firewall management utility such as CSF instead:

    ConfigServer Security & Firewall

    There are options that allow you to restrict SMTP similar to the SMTP Restrictions option in WHM, while also excluding certain users from that protection.

    Note that you may also want to review some of the threads listed at the below URL to see how other users are combating this type of SPAM:

    outgoingspam | cPanel Forums

    Thank you.
     
  4. hendranata

    CSF is installed already.
    I thought that enabling SMTP Restrictions from WHM is similar to smtp_block = 1 in CSF.

    Hmm, will try later to make sure.
     
  5. cPanelMichael

    Yes, that's true, however CSF allows you to exclude users so you can enable it globally and allow specific accounts the ability to send via a remote server with the "SMTP_ALLOWUSER" rule.

    Thank you.
     
  6. hendranata

    Yes, CSF is very helpful.

    I enabled SMTP_BLOCK = 1 and SMTP_REDIRECT = 1.
    It seems nobody can relay through my mail server without SMTP authentication first.

    Code:
    Rejected relay attempt: '76.164.xxx.xx' From: 'someusr@example.com' To: 'someusr@domain.co.uk'
    But I don't know who did that, since the sender is: System

    I have checked the Exim logs; there is no clue.

    However, one interesting thing: if I restart Exim (without changing any settings, just a restart), then the spammer can likely relay through the mail server again. I guess it is because the firewall settings from CSF have been overwritten by Exim.
    The solution: after restarting Exim, I then need to restart CSF again.

    But I am not sure whether, if we restart CSF, some settings in Exim might be overwritten by CSF.

    Any idea?
     
    #6 hendranata, Sep 7, 2017
    Last edited by a moderator: Sep 8, 2017
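
Added example (not part of the thread and not cPanel's or CSF's own code): when mail is injected locally, for instance by a PHP script calling sendmail, Exim writes the caller's working directory to its main log in `cwd=` lines if `log_selector` includes `+arguments`, and ranking those directories points at the account and folder doing the sending. The log lines, the account name `exampleuser`, the message ID and the function names are constructed for illustration; `/var/log/exim_mainlog` is assumed as the main log path on a cPanel server.

```shell
#!/bin/sh
# Rank the working directories from which local processes invoked Exim.
# Relies on the "cwd=... args: ..." lines Exim logs when log_selector
# includes +arguments. Paths containing spaces are not handled.

# top_cwd LOGFILE -> prints "count path" lines, busiest directory first.
top_cwd() {
    awk '
        / cwd=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cwd=/) {
                    dir = substr($i, 5)
                    # Ignore Exim queue and delivery processes started from the spool.
                    if (dir !~ /^\/var\/spool/) count[dir]++
                }
            }
        }
        END { for (d in count) print count[d], d }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample data (hypothetical account and message ID).
# On a real server, run: top_cwd /var/log/exim_mainlog
sample_log() {
    cat <<'EOF'
2017-09-05 21:06:20 cwd=/home/exampleuser/public_html/images 3 args: /usr/sbin/sendmail -t -i
2017-09-05 21:06:21 cwd=/home/exampleuser/public_html/images 3 args: /usr/sbin/sendmail -t -i
2017-09-05 21:06:21 1exAMP-000001-LE <= noreply@example.org U=exampleuser P=local S=14510
2017-09-05 21:06:22 cwd=/home/exampleuser/public_html/images 3 args: /usr/sbin/sendmail -t -i
2017-09-05 21:07:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1exAMP-000001-LE
2017-09-05 21:10:00 cwd=/root 3 args: /usr/sbin/sendmail -t -i
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
top_cwd "$tmp"
rm -f "$tmp"
```

A directory such as an uploads or images folder at the top of the list is the place to look for the script that is sending; a single hit from `/root` is typical of system notifications.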