SOLVED Prevent receive "rewritten" address sent behalf of cPanel user

[Shood]

Hello,
We have an issue with some domains in our server which receiving an email from a spammer sending behalf of our cPanel user name.
This appears in exim_mainlog like this:
From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]

Is there anyway to mark this kind of emails as spam?, while already "Separated SpamBox" is enabled
I wrote many filters in exim/sysfilter/options but doesn't work, e.g.
if $h_from: header contains "rewritten was" then fail

Thanks

 

[cPanelLauren]

Is there a log of these in your exim mainlog? The header indicates the actual sender is the cPanel user.

You can find it at /var/log/exim_mainlog

 

[rackaid]

If you can post the full exim log for a message like this that would be helpful. Unless I am reading this incorrectly, this suggests that your cpanel user is spoofing the yahoo.com domain name in an email. That would be outbound spam - not inbound spam.

 

[Shood]

Thank you very much @cPanelLauren & @rackaid for your replies
This's a log from exim_mainlog:

1ithng-0006CV-SF <= [email protected] U=cPanelUserName P=local S=552 T="Message from [spammer name]" for [email protected]
1ithng-0006CV-SF Sender identification U=cPanelUserName D=myDomain.com S=cPanelUserName
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
2020-01-21 00:53:49 1ithng-0006CV-SF => info <ma[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> xSYcOpxLJl4mXQAA3zlVNA Saved"

Regards

 

[rackaid]

From your email logs, you appear to have a security issue that allows spammers to send email from that domain. This is most likely being done via a web script. I recommend you review the account in question for security issues, such as outdated software.


In WHM, you may want to consider rate-limits for email senders to unknown users.

I am not sure you want to put a filter on the sender rewritten header. There could be legitimate web apps that send from a different user than the cPanel user. The would be caught as well.

 

[cPanelLauren]

Actually,

@Shood can you show me the output of the following:

 egrep 'rewrite_from|srs' /etc/exim.conf.localopts

 

[Shood]

Actually,

@Shood can you show me the output of the following:

 egrep 'rewrite_from|srs' /etc/exim.conf.localopts

-----
The output is:
srs=0
rewrite_from=all

 

[cPanelLauren]

-----
The output is:
srs=0
rewrite_from=all

This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

 

[Shood]

This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Thank you @cPanelLauren, this's the output

1 /home/cPanelUser1/public_html
1 /home/cPanelUser2/public_html/assets
2 /home/cPanelUser3/public_html/assets
3 /home/cPanelUser4/public_html
3 /root
4 /home/cPanelUser5/public_html
5 /home/cPanelUser6/public_html
5 /home/cPanelUser7/public_html
13 /home/cPanelUser8/public_html
15 /home/cPanelUser9
16 /home/cPanelUser10/public_html/site
22 /home/cPanelUser11/public_html
1375 /home/cPanelUser12
1522 /etc/csf

Addition info if it assists:
1- I have about 60 domains on this server, not 12
2- cPanelUser2 in the output above is the affected account in the question.

Regards

 

[cPanelLauren]

This doesn't list all the users on the server, it lists all the users listed in the current exim log who are sending email, via a script (by excluding mail originating from directories other than /var/spool/

cPanelUser2 being the user in question shows only 1 email originating from one of its directories - where cPanelUser12 shows 1375 in the current email log. If the issue isn't occurring still or if the issue stopped/started prior to the log rotation that includes those dates, you may need to check if you're archiving exim logs.

Otherwise, the full exim transaction would be necessary to identify the source.

exigrep <MsgID> /var/log/exim_mainlog

 

[Shood]

Thank you @cPanelLauren
This issue stopped occurring, maybe because I blocked the real spammer email address on user cPanel
You've asked for "the full exim transaction", I have listed it in my 2nd reply above

 

[cPanelLauren]

That can't be the entire transaction, but if the spammer was sending email to your user, then your user was forwarding it, it might account for this behavior.

 

[Shood]

Thank you @cPanelLauren
Because this issue has stopped occurring and there's no more log details exist in (olds exim_mainlog-...gz) than I've listed above so please consider this ticket as resolved.
Regards.