SOLVED Prevent receive "rewritten" address sent behalf of cPanel user

Shood (Well-Known Member, cPanel Access Level: Root Administrator)
Hello,
We have an issue with some domains on our server which are receiving email from a spammer sending on behalf of our cPanel user name.
This appears in exim_mainlog like this:
From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]

Is there any way to mark this kind of email as spam, while "Separated SpamBox" is already enabled?
I wrote many filters in exim/sysfilter/options but they don't work, e.g.
if $h_from: header contains "rewritten was" then fail

Thanks

rackaid (Well-Known Member, cPanel Access Level: DataCenter Provider)
If you can post the full exim log for a message like this that would be helpful. Unless I am reading this incorrectly, this suggests that your cpanel user is spoofing the yahoo.com domain name in an email. That would be outbound spam - not inbound spam.

Shood (Well-Known Member, cPanel Access Level: Root Administrator)
Thank you very much @cPanelLauren & @rackaid for your replies.
This is a log from exim_mainlog:

Code:
1ithng-0006CV-SF <= [email protected] U=cPanelUserName P=local S=552 T="Message from [spammer name]" for [email protected]
1ithng-0006CV-SF Sender identification U=cPanelUserName D=myDomain.com S=cPanelUserName
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
1ithng-0006CV-SF From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
2020-01-21 00:53:49 1ithng-0006CV-SF => info <ma[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> xSYcOpxLJl4mXQAA3zlVNA Saved"
Regards

rackaid (Well-Known Member, cPanel Access Level: DataCenter Provider)
From your email logs, you appear to have a security issue that allows spammers to send email from that domain. This is most likely being done via a web script. I recommend you review the account in question for security issues, such as outdated software.


In WHM, you may want to consider rate-limits for email senders to unknown users.

I am not sure you want to put a filter on the sender rewritten header. There could be legitimate web apps that send from a different user than the cPanel user. They would be caught as well.

cPanelLauren (Product Owner, Staff member)
-----
The output is:
srs=0
rewrite_from=all
This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:
Bash:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Shood (Well-Known Member, cPanel Access Level: Root Administrator)
This is the rewrite_from rewriting the sender to the *actual* sender. What's the output of the following:
Bash:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Thank you @cPanelLauren, this is the output:
Code:
1 /home/cPanelUser1/public_html
1 /home/cPanelUser2/public_html/assets
2 /home/cPanelUser3/public_html/assets
3 /home/cPanelUser4/public_html
3 /root
4 /home/cPanelUser5/public_html
5 /home/cPanelUser6/public_html
5 /home/cPanelUser7/public_html
13 /home/cPanelUser8/public_html
15 /home/cPanelUser9
16 /home/cPanelUser10/public_html/site
22 /home/cPanelUser11/public_html
1375 /home/cPanelUser12
1522 /etc/csf
Additional info if it helps:
1- I have about 60 domains on this server, not 12
2- cPanelUser2 in the output above is the affected account in the question.

Regards

cPanelLauren (Product Owner, Staff member)
This doesn't list all the users on the server; it lists all the users listed in the current exim log who are sending email via a script (by excluding mail originating from directories other than /var/spool/).

cPanelUser2 being the user in question shows only 1 email originating from one of its directories - where cPanelUser12 shows 1375 in the current email log. If the issue isn't occurring still or if the issue stopped/started prior to the log rotation that includes those dates, you may need to check if you're archiving exim logs.

Otherwise, the full exim transaction would be necessary to identify the source.
Code:
exigrep <MsgID> /var/log/exim_mainlog
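The cwd-aggregation pipeline cPanelLauren posted, and the rewritten-From log lines from the original question, as an added example that is not code from the thread or from cPanel. It runs against a constructed exim_mainlog sample (user names, paths and addresses are made up) and assumes the log carries cPanel's usual "cwd=... N args:" lines for script-submitted mail; the second helper counts rewritten-From events per actual_sender so the submitting account stands out.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed exim_mainlog sample:
# three script submissions from cPanelUser12, one from cPanelUser2, one
# queue-runner line under /var/spool, then the From: rewrite log lines.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample"
cat > "$SAMPLE_LOG" <<'EOF'
2020-01-21 00:53:40 cwd=/home/cPanelUser12/public_html 3 args: /usr/sbin/sendmail -t -i
2020-01-21 00:53:41 cwd=/home/cPanelUser12/public_html 3 args: /usr/sbin/sendmail -t -i
2020-01-21 00:53:42 cwd=/home/cPanelUser12/public_html 3 args: /usr/sbin/sendmail -t -i
2020-01-21 00:53:43 cwd=/home/cPanelUser2/public_html/assets 3 args: /usr/sbin/sendmail -t -i
2020-01-21 00:53:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ithng-0006CV-SF
2020-01-21 00:53:49 1ithng-0006CV-SF From: header (rewritten was: [spoofed@yahoo.invalid], actual sender is not the same system user) original=[spoofed@yahoo.invalid] actual_sender=[cPanelUser12@myDomain.invalid]
2020-01-21 00:53:50 1ithnh-0006CW-AB From: header (rewritten was: [spoofed@yahoo.invalid], actual sender is not the same system user) original=[spoofed@yahoo.invalid] actual_sender=[cPanelUser12@myDomain.invalid]
2020-01-21 00:53:51 1ithni-0006CX-CD From: header (rewritten was: [other@example.invalid], actual sender is not the same system user) original=[other@example.invalid] actual_sender=[cPanelUser2@myDomain.invalid]
EOF

# The pipeline from the thread, wrapped in a function: count sendmail
# invocations per working directory, dropping the queue runner's own
# /var/spool entries. Final awk normalises uniq -c's leading spaces.
script_sender_dirs() {
    grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' \
        | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Count From: header rewrites per actual sender. Exim logs the account that
# really submitted the message in actual_sender=[...], so a high count for
# one address points at the account (or script under it) to inspect.
rewritten_from_by_sender() {
    grep 'rewritten was' "$1" \
        | sed -n 's/.*actual_sender=\[\([^]]*\)\].*/\1/p' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

echo "== script submissions by directory =="
script_sender_dirs "$SAMPLE_LOG"
echo "== From: rewrites by actual sender =="
rewritten_from_by_sender "$SAMPLE_LOG"
```

On a real server replace SAMPLE_LOG with /var/log/exim_mainlog (and any rotated copies) and follow up on the top entries with the exigrep command above.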

cPanelLauren (Product Owner, Staff member)
That can't be the entire transaction, but if the spammer was sending email to your user, then your user was forwarding it, it might account for this behavior.