Prevent FROM address spoofing

Discussion in 'E-mail Discussion' started by vqq, Mar 13, 2019.

  1. vqq

    vqq Registered

    Joined:
    Jan 5, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    turkey
    cPanel Access Level:
    Root Administrator
    I noticed a huge number of spam messages being sent from my server, which I figured must be coming from a compromised mail account. I changed the password and cleaned the queue after discovering it.
    spam-cpanel.jpg

    This passed the spam filters. How can I prevent this in future? I think if I can force the "sender" and the "from address" to be the same, it would be enough, as I don't see a case for it being otherwise.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @vqq,

    The delivery to Gmail succeeded in the example you provided because the sender successfully authenticated via SMTP. You can enable the following option under the Mail tab in WHM >> Exim Configuration Manager >> Basic Editor to ensure the FROM address is accurate:

    EXPERIMENTAL: Rewrite From: header to match actual sender

    Per its description:

    If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.

    The best way to prevent this in the future is to address the source of the issue (the email account compromise). Do you use cPHulk brute force detection on this server? Also, do you enforce password strength levels for email accounts in WHM >> Password Strength Configuration?

    Thank you.
     
  3. vqq

    vqq Registered

    We have migrated a few hundred accounts recently from a Plesk panel, so some of the passwords could be inadequate for the moment. I have changed the password to the said account and the problem seems to be gone.

    This will still send the spam mail but with my real address instead of spam "from address" if I am reading it correctly. I want to do something like

    if from address matches sender address
    deliver
    else
    mark as spam.

    So legitimate@company.com can send a mail where sender and from address are both legitimate@company.com.

    But the spam mail which has masqueradesas@bank.com in its from address and legitimate@company.com in its sender won't deliver.

    I think I saw something like this in this thread as an exim filter but I don't know if what I want is possible.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @vqq,

    Yes, that is correct. The option is designed to ensure the actual FROM address appears in the message header, but it doesn't actually block the outgoing email.

    I don't know of a specific filter rule to share (it likely requires the use of a custom regular expression in the filter), but the Exim-User's mailing list is often a good resource when searching for custom Exim filter rules to implement. If the spammer is sending multiple outgoing emails, then the following document offers some additional steps you can take to prevent delivery:

    How to Prevent Spam with Mail Limiting Features - cPanel Knowledge Base - cPanel Documentation

    Thank you.
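
The rule vqq describes in the thread (deliver only when the From: address equals the authenticated sender, otherwise mark as spam), written out as an added Python example; it is not an Exim filter and not code from cPanel or from either poster. The function names and the sample messages are constructed for illustration, and it assumes the authenticated sender is the full mailbox address and that addresses compare case-insensitively.

```python
from email import message_from_string
from email.utils import getaddresses


def normalize(address):
    # Assumption: mailbox names on this server are case-insensitive.
    return address.strip().lower()


def classify(raw_message, authenticated_sender):
    """Return (verdict, reason) for one outgoing message.

    Only the address inside the From: header is compared, never the
    display name, so a display name that merely contains the real
    account's address does not satisfy the check.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    addresses = [addr for _name, addr in getaddresses(from_headers) if addr]
    # A missing, repeated or multi-address From: cannot be matched safely.
    if len(from_headers) != 1 or len(addresses) != 1:
        return "mark as spam", "expected exactly one From: header with one address"
    if normalize(addresses[0]) != normalize(authenticated_sender):
        return "mark as spam", f"From: {addresses[0]} != sender {authenticated_sender}"
    return "deliver", "From: matches the authenticated sender"


def build_message(from_value):
    # Constructed sample message; only the From: header varies.
    return f"From: {from_value}\nTo: someone@example.net\nSubject: test\n\nbody\n"


# Constructed From: values, all sent while authenticated as the same account.
SENDER = "legitimate@company.com"
SAMPLES = [
    "legitimate@company.com",
    "Legitimate User <Legitimate@Company.COM>",
    '"Your Bank" <masqueradesas@bank.com>',
    '"legitimate@company.com" <masqueradesas@bank.com>',
    "legitimate@company.com, masqueradesas@bank.com",
]

if __name__ == "__main__":
    for value in SAMPLES:
        verdict, reason = classify(build_message(value), SENDER)
        print(f"{value!r:55} -> {verdict} ({reason})")
```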