SOLVED: Prevent receiving mail with a "rewritten" address sent on behalf of a cPanel user

Shood

Well-Known Member
cPanel Access Level
Root Administrator
Hello,
We have an issue with some domains on our server which are receiving email from a spammer sending on behalf of our cPanel user name.
This appears in exim_mainlog like this:
From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]

Is there any way to mark this kind of email as spam, while "Separated SpamBox" is already enabled?
I wrote many filters in exim/sysfilter/options but they don't work, e.g.
if $h_from: header contains "rewritten was" then fail

Thanks
 

rackaid

Well-Known Member
cPanel Access Level
DataCenter Provider
If you can post the full exim log for a message like this, that would be helpful. Unless I am reading this incorrectly, this suggests that your cPanel user is spoofing the yahoo.com domain name in an email. That would be outbound spam, not inbound spam.
 

Shood

Thank you very much @cPanelLauren & @rackaid for your replies.
This is a log from exim_mainlog:

Code:
1ithng-0006CV-SF <= [email protected] U=cPanelUserName P=local S=552 T="Message from [spammer name]" for [email protected]
1ithng-0006CV-SF Sender identification U=cPanelUserName D=myDomain.com S=cPanelUserName
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
2020-01-21 00:53:49 1ithng-0006CV-SF => info <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> xSYcOpxLJl4mXQAA3zlVNA Saved"
Regards
 

rackaid

From your email logs, you appear to have a security issue that allows spammers to send email from that domain. This is most likely being done via a web script. I recommend you review the account in question for security issues, such as outdated software.


In WHM, you may want to consider rate-limits for email senders to unknown users.

I am not sure you want to put a filter on the sender rewritten header. There could be legitimate web apps that send from a different user than the cPanel user. They would be caught as well.

cPanelLauren

Product Owner
Staff member
The output is:
srs=0
rewrite_from=all
This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:
Bash:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
 

Shood

This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:
Bash:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Thank you @cPanelLauren, this is the output:
Code:
1 /home/cPanelUser1/public_html
1 /home/cPanelUser2/public_html/assets
2 /home/cPanelUser3/public_html/assets
3 /home/cPanelUser4/public_html
3 /root
4 /home/cPanelUser5/public_html
5 /home/cPanelUser6/public_html
5 /home/cPanelUser7/public_html
13 /home/cPanelUser8/public_html
15 /home/cPanelUser9
16 /home/cPanelUser10/public_html/site
22 /home/cPanelUser11/public_html
1375 /home/cPanelUser12
1522 /etc/csf
Additional info, if it helps:
1- I have about 60 domains on this server, not 12.
2- cPanelUser2 in the output above is the affected account in the question.

Regards
 

cPanelLauren

This doesn't list all the users on the server; it lists all the users in the current exim log who are sending email via a script (by excluding mail originating from directories other than /var/spool/).

cPanelUser2, being the user in question, shows only 1 email originating from one of its directories, whereas cPanelUser12 shows 1375 in the current email log. If the issue isn't still occurring, or if it stopped/started prior to the log rotation that includes those dates, you may need to check whether you're archiving exim logs.

Otherwise, the full exim transaction would be necessary to identify the source.
Code:
exigrep <MsgID> /var/log/exim_mainlog
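A small log analyser, added here as an example (it is not cPanel's own tooling), that does in Python what the grep/awk pipeline above does and additionally pulls out every message whose From: header exim rewrote, together with the cwd= directory logged just before that message's "<=" line. It assumes cPanel's log layout in which the cwd= arguments line immediately precedes the message's "<=" line; all addresses, users, message IDs and paths in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in this thread; every address, user,
# message ID and path is a placeholder. The cwd= lines are the "arguments" lines that
# cPanel's exim writes just before a message's "<=" line (assumed layout).
SAMPLE_LOG = """\
2020-01-21 00:53:49 cwd=/home/cpaneluser2/public_html/assets 3 args: /usr/sbin/sendmail -t -i
2020-01-21 00:53:49 1ithng-0006CV-SF <= cpaneluser2@mydomain.example U=cpaneluser2 P=local S=552 T="Message from spammer" for info@mydomain.example
2020-01-21 00:53:49 1ithng-0006CV-SF Sender identification U=cpaneluser2 D=mydomain.example S=cpaneluser2
2020-01-21 00:53:49 1ithng-0006CV-SF From: header (rewritten was: [spoof@yahoo.example], actual sender is not the same system user) original=[spoof@yahoo.example] actual_sender=[cpaneluser2@mydomain.example]
2020-01-21 00:53:49 1ithng-0006CV-SF => info <info@mydomain.example> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2020-01-21 00:54:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ithnh-0006D0-AA
2020-01-21 00:55:02 cwd=/home/cpaneluser12 4 args: /usr/sbin/sendmail -t -i -f
2020-01-21 00:55:02 1ithnj-0006DX-1Z <= cpaneluser12@other.example U=cpaneluser12 P=local S=610 T="Hello" for someone@remote.example
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) ")
MSG_RE = re.compile(r"^\S+ \S+ (?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<rest>.*)$")
IN_RE = re.compile(r"^<= (?P<sender>\S+) U=(?P<user>\S+) ")
REWRITE_RE = re.compile(r"rewritten was: \[(?P<rewritten>[^\]]*)\].*actual_sender=\[(?P<actual>[^\]]*)\]")


def analyze(log_text):
    """Return (cwd_counts, flagged): the pipeline's tally, plus each message with a rewritten From:."""
    cwd_counts = Counter()
    messages = {}
    last_cwd = None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group("cwd")
            if not last_cwd.startswith("/var/spool"):   # mirrors grep -v /var/spool
                cwd_counts[last_cwd] += 1
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        mid, rest = m.group("id"), m.group("rest")
        arrival = IN_RE.match(rest)
        if arrival:   # "<=" line: message accepted; attach the cwd logged just before it
            messages[mid] = {"user": arrival.group("user"), "cwd": last_cwd, "rewritten": None}
            last_cwd = None
            continue
        rw = REWRITE_RE.search(rest)
        if rw and mid in messages:   # the rewrite notice exim logs for a mismatching From:
            messages[mid]["rewritten"] = (rw.group("rewritten"), rw.group("actual"))
    flagged = {mid: d for mid, d in messages.items() if d["rewritten"]}
    return cwd_counts, flagged
```

Run analyze() over the contents of /var/log/exim_mainlog to get the same tally as the pipeline plus the script directory behind each rewritten From: header; a flagged message whose cwd is None arrived by a path that logged no cwd= line.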

cPanelLauren

That can't be the entire transaction, but if the spammer was sending email to your user, then your user was forwarding it, it might account for this behavior.

Shood

Hi @erol.cakar

Your attachment is unavailable; however, this occurs when the email address does not exist and your Tweak Settings is set to 'System account' by default.

To check: go to Tweak Settings and look for the option [Initial default/catch-all forwarder destination].

You'll find three options:

System account, Fail and Blackhole

For me, I prefer the Fail option.

Also take a look at this document on cPanel; it could be helpful for you.
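An added example (not cPanel's own code) that audits where mail to non-existent addresses ends up for each domain already on the server, which is what the Tweak Setting above controls for new domains. It assumes that cPanel stores that destination on the "*:" line of each /etc/valiases/<domain> file, with ":fail:", ":blackhole:" or a system account name as the three possible forms; the file contents below are constructed.

```python
# Constructed sample of cPanel's per-domain alias files (/etc/valiases/<domain>).
# Assumed format, not taken from this thread: the "*:" line holds the catch-all
# destination, i.e. what happens to mail addressed to a user that does not exist.
SAMPLE_VALIASES = {
    "example-a.test": "*: :fail: No Such User Here\nsales@example-a.test: someuser\n",
    "example-b.test": "*: someuser\n",
    "example-c.test": "*: :blackhole:\n",
    "example-d.test": "info@example-d.test: someuser\n",
}


def catchall_mode(contents):
    """Classify the catch-all destination on the '*:' line of one valiases file."""
    for line in contents.splitlines():
        if not line.startswith("*:"):
            continue
        dest = line[2:].strip()
        if dest.startswith(":fail:"):
            return "fail"            # bounce mail to unknown addresses
        if dest == ":blackhole:":
            return "blackhole"       # accept and silently discard
        return "system account"      # deliver to a local mailbox: mail for any unknown address lands there
    return "none"                    # no catch-all line present in the file


def audit(files):
    """Map each domain to its catch-all mode; files is {domain: file contents}."""
    return {domain: catchall_mode(text) for domain, text in files.items()}


def domains_collecting_unknown_mail(files):
    """Domains where mail to non-existent addresses is kept in a mailbox, as in the case above."""
    return sorted(d for d, mode in audit(files).items() if mode == "system account")
```

To run it against a real server, build the dictionary by reading each file under /etc/valiases/ and pass it to domains_collecting_unknown_mail().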
 

erol.cakar

Registered
cPanel Access Level
Root Administrator
Hi again,
I very much appreciate the answer.
I changed the server to solve this. I had opened a ticket, but after changing the server I closed it.

It says for the Fail option "collect spam mails", but these are not spam.
In this it appears delivered:

(attachment: 1613475404411.png)

but it is going to <[email protected]> instead of <[email protected]>.
I changed [Initial default/catch-all forwarder destination] to Fail,
but it is not solved, still the same.

Sorry for the attachment; recipient and Delivered are different.

(attachment: email_problem.png)

(attachment: 1613475404411.png)
 

Shood

The Fail option in Tweak Settings controls how your server will respond to this kind of email; however, receiving spam emails is a normal issue for any server. I receive a ton each day.

In other words: you can't prevent spammers from sending spam email to your server; however, receiving spam email isn't a security issue in itself. I mean it isn't a risk unless it contains malicious links and you click them.
Also, you may enable "Spam Filter" in cPanel by switching on the option Move New Spam to a Separate Folder; in this case you won't see spam emails in your inbox anymore.
 

erol.cakar

Sorry, but there is a misunderstanding.
These are not spam emails.
I set up a new server to correct this problem.
I created a new account and it was working.
After I transferred all accounts, it is the same problem.

(attachment: 2021-Cl-7-001704.png)
These are two different servers but the same domain.
It is a big headache,
please help...