The Community Forums
Prevent email forging / incoming email that seems to come from self

Discussion in 'E-mail Discussion' started by Anastasios Pikri, Apr 16, 2019.

  1. Anastasios Pikri

    Anastasios Pikri Registered

    On our server many email users (including me) sometimes find spam emails that seem to come from their own email address.

    Looking into the email headers it's obvious that these emails come from other servers (sometimes even the real email address can be found). Though that doesn't seem to be a critical case, most of these messages try to terrify the user, make them believe their account was hacked, and blackmail them.

    Is there any simple option to enable (or rule to add) in order to prevent that email from being delivered? Something like: if from_address == to_address AND from_server != to_server -> block email. Any instructions on how to apply such an option/rule would be appreciated.

    Thank you in advance!!
     
  3. keat63

    keat63 Well-Known Member

    Folks

    As this seems to be a recurring theme, what are your thoughts on a simple global filter?

    Could one be created along the lines of:

    If from contains mydomain.com
    and any header does not contain something else
    then fail
     
    #3 keat63, Apr 16, 2019
    Last edited: Apr 16, 2019
  4. sparek-3

    sparek-3 Well-Known Member

    Until SPF and DKIM adoption is taken seriously (or if someone can come up with a better, similar solution), this is going to continue to be a problem.

    Any other "fix" is just going to be a temporary band-aid solution.

    What is utterly shocking though... is that it's taken the general population this long to realize that email senders can be faked.
     
  5. Anastasios Pikri

    Anastasios Pikri Registered

    Note that the accounts have SPF, DKIM and DMARC entries set.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Well... by adoption, I meant on the receiving end.

    Signing your messages with DKIM doesn't do jack if the receiving end doesn't accept/deny wholly based on that signature verifying.

    And there are way too many people that don't sign their messages or sign their message improperly (i.e. anyone that forwards mail sent to mydomain.tld to their gmail address because they want to look more professional with their mydomain.tld email address... but don't really want to leave Gmail behind).

    ... And no, we don't wholly accept/deny messages based on SPF and DKIM either. Can you imagine the backlash we'd get when little Johnny can't get email from some company because that company doesn't use DKIM or SPF or otherwise has it done improperly? That's what I mean about adoption of SPF and DKIM being taken seriously (and perhaps a tongue-in-cheek way of saying... it ain't ever going to happen).
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @Anastasios Pikri,

    Here's a response from another thread that should help in your situation:

    This should be useful in your case because the emails are sent to an email account hosted locally on the cPanel server.

    Remember to vote and add feedback to the following feature request if you'd like to see a way to prevent this behavior built into cPanel & WHM:

    Prevent users from being implicitly authenticating to Exim on the local host

    Thank you.
     
  8. sparek-3

    sparek-3 Well-Known Member

    Doesn't this just force a remote mail server to use a HELO/EHLO name that does not exist on the server? How does that prevent MAIL FROM forging?

    It's rather trivial to use any name in the HELO/EHLO exchange.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    You are correct. It remains possible to circumvent the option by using a different domain during the HELO/EHLO exchange. While it doesn't address the core of the issue, I've seen multiple reports where it's been effective as a temporary mitigation strategy because it's common for spammers to set up their scripts/bots to automatically use the local domain they are sending "to" during the HELO/EHLO exchange.

    Thank you.
     
  10. Nahoo

    Nahoo Member

    I've added this to the Email Filters:

    Body - Matches Regex:

    [Hh]ow\s+[Tt]o\s+[Bb]uy\s+[Bb]itcoin|[Aa]\s+fair\s+price\s+for\s+our\s+little\s+secret

    Then Discard Message.

    I would prefer to add something server-wide to identify these self-addressed emails.
     
  11. nosajix

    nosajix Well-Known Member

    If from self then spf fail +10?
     
  13. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    This may help, but it may also block legitimate email if an email user intentionally sends themselves email messages.

    Thank you.
     
  14. MediaServe

    MediaServe Well-Known Member PartnerNOC

    When this started happening here we had SpamAssassin scoring that should have filtered it. We could manually run "spamassassin -t" on the emails and they would be scored much higher than the spam threshold, but they weren't being filtered when received. Eventually it was discovered that the emails seemed to be just over 200KB in size, allowing the emails to get through because we had never changed the default size (200KB) above which SpamAssassin does not scan (set in the basic Exim configuration).

    These spammers seem to realize that many of us have left this default in place, and they’re getting these emails through by making sure they are larger than 200KB.
     
  15. nosajix

    nosajix Well-Known Member

    I meant that if it is from yourself, then add plus 10 if it also fails SPF, as it is unlikely that these spammers are actually sending from an approved server.
     
  16. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @MediaServe,

    The default value for the "Apache SpamAssassin™: message size threshold to scan" setting was changed to 1000KB in cPanel & WHM version 78:

    Implemented case CPANEL-23522: Change default minimum spam scan size to 1000K.

    Thank you.
     