SOLVED Prevent receive "rewritten" address sent behalf of cPanel user

[Shood]

Hello,
We have an issue with some domains in our server which receiving an email from a spammer sending behalf of our cPanel user name.
This appears in exim_mainlog like this:
From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]

Is there anyway to mark this kind of emails as spam?, while already "Separated SpamBox" is enabled
I wrote many filters in exim/sysfilter/options but doesn't work, e.g.
if $h_from: header contains "rewritten was" then fail

Thanks

 

[cPanelLauren]

Is there a log of these in your exim mainlog? The header indicates the actual sender is the cPanel user.

You can find it at /var/log/exim_mainlog

 

[rackaid]

If you can post the full exim log for a message like this that would be helpful. Unless I am reading this incorrectly, this suggests that your cpanel user is spoofing the yahoo.com domain name in an email. That would be outbound spam - not inbound spam.

 

[Shood]

Thank you very much @cPanelLauren & @rackaid for your replies
This's a log from exim_mainlog:

1ithng-0006CV-SF <= [email protected] U=cPanelUserName P=local S=552 T="Message from [spammer name]" for [email protected]
1ithng-0006CV-SF Sender identification U=cPanelUserName D=myDomain.com S=cPanelUserName
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
2020-01-21 00:53:49 1ithng-0006CV-SF => info <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> xSYcOpxLJl4mXQAA3zlVNA Saved"

Regards

 

[rackaid]

From your email logs, you appear to have a security issue that allows spammers to send email from that domain. This is most likely being done via a web script. I recommend you review the account in question for security issues, such as outdated software.


In WHM, you may want to consider rate-limits for email senders to unknown users.

I am not sure you want to put a filter on the sender rewritten header. There could be legitimate web apps that send from a different user than the cPanel user. The would be caught as well.

 

[cPanelLauren]

Actually,

@Shood can you show me the output of the following:

 egrep 'rewrite_from|srs' /etc/exim.conf.localopts

 

[Shood]

Actually,

@Shood can you show me the output of the following:

 egrep 'rewrite_from|srs' /etc/exim.conf.localopts

-----
The output is:
srs=0
rewrite_from=all

 

[cPanelLauren]

-----
The output is:
srs=0
rewrite_from=all

This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

 

[Shood]

This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Thank you @cPanelLauren, this's the output

1 /home/cPanelUser1/public_html
1 /home/cPanelUser2/public_html/assets
2 /home/cPanelUser3/public_html/assets
3 /home/cPanelUser4/public_html
3 /root
4 /home/cPanelUser5/public_html
5 /home/cPanelUser6/public_html
5 /home/cPanelUser7/public_html
13 /home/cPanelUser8/public_html
15 /home/cPanelUser9
16 /home/cPanelUser10/public_html/site
22 /home/cPanelUser11/public_html
1375 /home/cPanelUser12
1522 /etc/csf

Addition info if it assists:
1- I have about 60 domains on this server, not 12
2- cPanelUser2 in the output above is the affected account in the question.

Regards

 

[cPanelLauren]

This doesn't list all the users on the server, it lists all the users listed in the current exim log who are sending email, via a script (by excluding mail originating from directories other than /var/spool/

cPanelUser2 being the user in question shows only 1 email originating from one of its directories - where cPanelUser12 shows 1375 in the current email log. If the issue isn't occurring still or if the issue stopped/started prior to the log rotation that includes those dates, you may need to check if you're archiving exim logs.

Otherwise, the full exim transaction would be necessary to identify the source.

exigrep <MsgID> /var/log/exim_mainlog

 

[Shood]

Thank you @cPanelLauren
This issue stopped occurring, maybe because I blocked the real spammer email address on user cPanel
You've asked for "the full exim transaction", I have listed it in my 2nd reply above

 

[cPanelLauren]

That can't be the entire transaction, but if the spammer was sending email to your user, then your user was forwarding it, it might account for this behavior.

 

[Shood]

Thank you @cPanelLauren
Because this issue has stopped occurring and there's no more log details exist in (olds exim_mainlog-...gz) than I've listed above so please consider this ticket as resolved.
Regards.

 

[erol.cakar]

Hi everyone i think my problem related with this topic
I new in whm, i read so many forum but i cant resolved my problem
I have same problem about email that deliveries to <[email protected]> instead of <[email protected]>
Also i attached one of Delivery Event Detail
How can i solve this problem

 

[Shood]

Hi @erol.cakar

Your attachment is unavailable, however this occurred when the email address is not exist and your Tweak Settings is set to ‘System account’ by default.

To ensure: go to Tweak Settings, look for option: [Initial default/catch-all forwarder destination]

You’ll find three options:

System account, Fail and Blackhole

For me I prefer Fail option

Also take a look at this document on cPanel, could be helpful for you.

 

[erol.cakar]

Hi again
very appreciate for answer
I changed server to solve this i was opened a ticket but after changing server i closed it

it is saying for Fail option "collect spam mails" but these are not spam
In this it appearing delivered



but it going to <[email protected]> instead of <[email protected]>
I changed [Initial default/catch-all forwarder destination] to Fail
But not solved still same


sorry for attachment
recipient and Delivered is different

 

[Shood]

Fail option in Tweak Settings controls how your server will respond to this kind of emails, however receiving spam emails is a normal issue for any server, I receive a ton each day

In other words: you can’t prevent spammers from sending spam email to your server, however receiving spam email isn't a security issue itself, I mean isn't that risk unless it contains malicious links and you clicked it
Also may you enable “Spam Filter” in cPanel by switch on the option: Move New Spam to a Separate Folder, in this case you won’t see Spam Emails in your inbox anymore

 

[erol.cakar]

Sorry but there is a misunderstand
These are not spam email
i setup new server to correct this problem
i create new account it was working
After i transfer all accounts it is same problem


these two different server but same domain
It is a big headache
please help...

 

[cPRex]

@erol.cakar - could you open a support ticket directly with our team so we can check this issue?