Prevent email forging / incoming email that seems to come from self

Anastasios Pikri

Registered
Apr 15, 2019
Athens, Greece
cPanel Access Level
Root Administrator
On our server, many email users (including me) sometimes find spam emails that seem to come from their own email address.

Looking into the email headers, it's obvious that these emails come from other servers (sometimes the real sending address can even be found). Although this doesn't seem to be a critical case, most of these messages try to terrify the user, make them believe their account was hacked, and blackmail them.

Is there any simple option to enable (or rule to add) in order to prevent such email from being delivered? Something like: if from_address == to_address AND from_server != to_server -> block email. Any instructions on how to apply such an option/rule would be appreciated.

Thank you in advance!
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Folks

As this seems to be a recurring theme, what are your thoughts on a simple global filter?

Could one be created along the lines of:

If from contains mydomain.com
and any header does not contain something else
then fail
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Until SPF and DKIM adoption is taken seriously (or if someone can come up with a better, similar solution), this is going to continue to be a problem.

Any other "fix" is just going to be a temporary band-aid solution.

What is utterly shocking though... is that it's taken the general population this long to realize that email senders can be faked.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Well... by adoption, I meant on the receiving end.

Signing your messages with DKIM doesn't do jack if the receiving end doesn't accept/deny wholly based on that signature verifying.

And there are way too many people that don't sign their messages or sign their message improperly (i.e. anyone that forwards mail sent to mydomain.tld to their gmail address because they want to look more professional with their mydomain.tld email address... but don't really want to leave Gmail behind).

... And no, we don't wholly accept/deny messages based on SPF and DKIM either. Can you imagine the backlash we'd get when little Johnny can't get email from some company because that company doesn't use DKIM or SPF or otherwise has it done improperly? That's what I mean about adoption of SPF and DKIM being taken seriously (and perhaps a tongue-in-cheek way of saying... it ain't ever going to happen).
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Is there any simple option to enable (or rule to add) in order to prevent such email from being delivered? Something like: if from_address == to_address AND from_server != to_server -> block email. Any instructions on how to apply such an option/rule would be appreciated.
Hello @Anastasios Pikri,

Here's a response from another thread that should help in your situation:

One additional option to consider is Require remote (domain) HELO found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction.
This should be useful in your case because the emails are sent to an email account hosted locally on the cPanel server.

Remember to vote and add feedback to the following feature request if you'd like to see a way to prevent this behavior built into cPanel & WHM:

Prevent users from being implicitly authenticating to Exim on the local host

Thank you.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
One additional option to consider is Require remote (domain) HELO found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction.
Doesn't this just force a remote mail server to use a HELO/EHLO name that does not exist on the server? How does that prevent MAIL FROM forging?

It's rather trivial to use any name in the HELO/EHLO exchange.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Doesn't this just force a remote mail server to use a HELO/EHLO name that does not exist on the server? How does that prevent MAIL FROM forging?

It's rather trivial to use any name in the HELO/EHLO exchange.
Hello,

You are correct. It remains possible to circumvent the option by using a different domain during the HELO/EHLO exchange. While it doesn't address the core of the issue, I've seen multiple reports where it's been effective as a temporary mitigation strategy, because it's common for spammers to set up their scripts/bots to automatically use the local domain they are sending "to" during the HELO/EHLO exchange.

Thank you.
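To make the two replies above concrete, here is an added example (not cPanel's or Exim's code) that models the server side of the "Require remote (domain) HELO" check in-process, with no sockets. It runs two constructed bot transcripts through a toy SMTP responder: the bot that greets with the target's own domain is refused at HELO, while the same forged MAIL FROM/RCPT TO is accepted once the bot greets with any other name. The domain names, addresses and transcripts are all constructed for the example.

```python
"""In-process model of Exim's "Require remote (domain) HELO" ACL check.

Added example, not cPanel's or Exim's own code. The responder below only
models the HELO/EHLO check discussed in the thread; the domain names and
client transcripts are constructed.
"""

LOCAL_DOMAINS = {"example.org", "mail.example.org"}  # constructed local domains


def helo_rejected(helo_name, local_domains=LOCAL_DOMAINS):
    """Return True when a remote client greets with a domain hosted here.

    This is all the ACL option inspects: the HELO/EHLO argument. It says
    nothing about the later MAIL FROM or the From: header.
    """
    name = helo_name.strip().lower().rstrip(".")
    return name in {d.lower() for d in local_domains}


def smtp_session(client_lines, local_domains=LOCAL_DOMAINS):
    """Run constructed client commands through a minimal SMTP responder.

    Returns a list of (client_line, server_reply) pairs. Reply codes follow
    SMTP: 250 accepted, 354 start mail input, 503 bad sequence, 550 policy
    rejection.
    """
    transcript = [("", "220 mail.example.org ESMTP")]
    greeted = False
    for line in client_lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if helo_rejected(arg, local_domains):
                reply = "550 HELO/EHLO %s is a domain hosted on this server" % arg
                greeted = False  # the client is free to retry with another name
            else:
                reply = "250 mail.example.org Hello " + arg
                greeted = True
        elif verb in ("MAIL", "RCPT", "DATA"):
            if not greeted:
                reply = "503 send HELO/EHLO first"
            elif verb == "DATA":
                reply = '354 Enter message, ending with "." on a line by itself'
            else:
                # The forged local sender in MAIL FROM is not inspected by this ACL.
                reply = "250 OK"
        elif verb == "QUIT":
            reply = "221 mail.example.org closing connection"
        else:
            reply = "500 unrecognised command"
        transcript.append((line, reply))
    return transcript


def message_accepted(transcript):
    """True when the session reached the DATA stage (a 354 reply)."""
    return any(reply.startswith("354") for _, reply in transcript)


# Constructed transcripts. Both forge the recipient's own address as the sender.
BOT_LOCAL_HELO = [
    "EHLO example.org",          # bot copies the target domain into HELO
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<alice@example.org>",
    "DATA",
    "QUIT",
]
BOT_OTHER_HELO = [
    "EHLO mx.attacker.invalid",  # any other name passes the check
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<alice@example.org>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for label, lines in (("local HELO", BOT_LOCAL_HELO), ("other HELO", BOT_OTHER_HELO)):
        session = smtp_session(lines)
        print(label, "->", "accepted" if message_accepted(session) else "rejected")
        for client, server in session:
            if client:
                print("  C:", client)
            print("  S:", server)
```

The second transcript is the point sparek-3 makes: the check costs a spammer one changed string, so it only catches bots that were never adapted to it.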
 

Nahoo

Member
Oct 7, 2004
London, UK
cPanel Access Level
Root Administrator
I've added this to the Email Filters:

Body - Matches Regex:

[Hh]ow\s+[Tt]o\s+[Bb]uy\s+[Bb]itcoin|[Aa]\s+fair\s+price\s+for\s+our\s+little\s+secret

Then Discard Message.

I would prefer to add something server-wide to identify these self-addressed emails.
 

MediaServe

Well-Known Member
PartnerNOC
Apr 9, 2004
Nashville, TN USA
cPanel Access Level
DataCenter Provider
When this started happening here we had SpamAssassin scoring that should have filtered it. We could manually run "spamassassin -t" on the emails and they would be scored much higher than the spam threshold, but they weren't being filtered when received. Eventually it was discovered that the emails seemed to be just over 200KB in size, allowing the emails to get through because we had never changed the default size (200KB) above which SpamAssassin does not scan (set in the basic Exim configuration).

These spammers seem to realize that many of us have left this default in place, and they’re getting these emails through by making sure they are larger than 200KB.
 

nosajix

Well-Known Member
Jul 30, 2005
This may help, but it may also block legitimate email if an email user intentionally sends themselves email messages.

Thank you.
I meant that if it is from yourself, then add 10 points if it also fails SPF, as it is unlikely that these spammers are actually sending from an approved server.
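The rule proposed in the opening post (from_address == to_address and the sending server is not the domain's own) and the SPF variant in the reply just above amount to the same check, so here is one added example (not cPanel's, Exim's or SpamAssassin's own code) that implements it over constructed messages. The SPF records come from an inline table standing in for DNS, the SPF evaluator handles only ip4: mechanisms and the all qualifier, and the scores and threshold are assumed values, not SpamAssassin defaults.

```python
"""Self-addressed-mail check combined with an SPF result.

Added example, not cPanel's, Exim's or SpamAssassin's own code. DNS is
replaced by an inline table, the SPF evaluator is deliberately minimal
(ip4: and all only, no include/a/mx/redirect), and all scores are assumed.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for TXT lookups; a real deployment queries DNS.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SPF_FAIL_SCORE = 1.0            # assumed score for a plain SPF failure
SELF_ADDRESSED_NOT_PASS = 10.0  # the "+10" suggested in the thread
REJECT_THRESHOLD = 5.0          # assumed


def spf_check(domain, client_ip):
    """Return pass/fail/softfail/neutral/none for client_ip against domain's record."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # Membership test is False for an IPv6 client, which is the right answer.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        elif term == "all":
            return QUALIFIER[qualifier]
    return "neutral"


def score_message(raw_message, client_ip, envelope_from):
    """Score one inbound message given the connecting IP and MAIL FROM address."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    header_to = parseaddr(msg.get("To", ""))[1].lower()
    self_addressed = bool(header_from) and header_from == header_to

    # SPF is evaluated on the envelope sender's domain, not the From: header.
    _, _, sender_domain = envelope_from.rpartition("@")
    spf = spf_check(sender_domain, client_ip) if sender_domain else "none"

    score, rules = 0.0, []
    if spf in ("fail", "softfail"):
        score += SPF_FAIL_SCORE
        rules.append("SPF_FAIL")
    # "From yourself" only counts when the sender is not an authorised host, so
    # mail a user sends to themselves through the domain's own server is unaffected.
    if self_addressed and spf != "pass":
        score += SELF_ADDRESSED_NOT_PASS
        rules.append("SELF_ADDRESSED_NOT_SPF_PASS")
    return {
        "self_addressed": self_addressed,
        "spf": spf,
        "score": score,
        "rules": rules,
        "verdict": "reject" if score >= REJECT_THRESHOLD else "accept",
    }


# Constructed messages.
SELF_ADDRESSED = """\
From: Alice <alice@example.org>
To: alice@example.org
Subject: Your account was hacked

Pay 0.5 BTC or I share our little secret.
"""

THIRD_PARTY = """\
From: bob@example.org
To: alice@example.org
Subject: hi

Not self-addressed.
"""

if __name__ == "__main__":
    # Forged: arrives from an address the domain's SPF record does not list.
    print(score_message(SELF_ADDRESSED, "203.0.113.7", "alice@example.org"))
    # Genuine: arrives from the listed server, so SPF passes and nothing fires.
    print(score_message(SELF_ADDRESSED, "198.51.100.10", "alice@example.org"))
    print(score_message(THIRD_PARTY, "203.0.113.7", "bob@example.org"))
```

Keying the rule on the envelope sender's SPF result rather than on the From: header alone is what keeps the false-positive case raised above (a user deliberately mailing themselves) out of the reject bucket: that mail leaves through the domain's own server and passes SPF.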
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
When this started happening here we had SpamAssassin scoring that should have filtered it. We could manually run "spamassassin -t" on the emails and they would be scored much higher than the spam threshold, but they weren't being filtered when received. Eventually it was discovered that the emails seemed to be just over 200KB in size, allowing the emails to get through because we had never changed the default size (200KB) above which SpamAssassin does not scan (set in the basic Exim configuration).

These spammers seem to realize that many of us have left this default in place, and they’re getting these emails through by making sure they are larger than 200KB.
Hello @MediaServe,

The default value for the Apache SpamAssassin™: message size threshold to scan value was changed to 1000KB in cPanel & WHM version 78:

Implemented case CPANEL-23522: Change default minimum spam scan size to 1000K.

Thank you.
 