The Community Forums


Prevent spoofing of "From:" header.

Discussion in 'E-mail Discussions' started by thevali, Oct 22, 2012.

  1. thevali

    thevali Member

    Joined:
    Aug 9, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hey,
    What is the best way to prevent spoofing of "from: " address?
    I do have SPF and DKIM enabled, but the issue is that spammers are using a valid "return-path" header while they are spoofing the "from:" header, making the email appear to come from myself.
    Let's say my address is office@domain.com and I see in my outlook a spam email coming from myself(office@domain.com).
    If I look at the headers the "return-path" header is something@otherdomain.com. otherdomain.com doesn't have SPF implemented and therefore the email will pass SPF filters and it will hit my inbox. The "from:" address is spoofed and outlook shows me the email coming from myself.

    How can this be avoided?
    Thanks!
    Vali
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    In your cPanel > Mail section > Default Address, what are your settings here?
     
  3. thevali

    thevali Member

    Joined:
    Aug 9, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    It is: Forward to your system account “XXXXX”
    However the emails are being sent to a valid email address. My own address.
    I do have WHM access, this is happening for multiple accounts not only for mine.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,450
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    office@yourdomain.com is one of many, many generic email accounts most spammers would email, IMHO. office@, sue@, john@, mary@, support@ and more, all would be avoided if that setting was set properly to:

    In WHM > Tweak Settings > Mail tab, also, set:
    ... to Fail.
     
  5. thevali

    thevali Member

    Joined:
    Aug 9, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Infopro, thank you for your answer, but I don't see why this would affect anything?
    The email office@mydomain.com is a valid email. It exists and I'm using it actively. That's not a catch-all email issue. The issue is that the spammer is spoofing the "from:" header and SPF is not able to filter the email because it is looking at the "return-path:" header... does it make sense?
    Vali
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    You cannot "prevent" spoofing of the FROM: address. At most you can use various means of email authentication (SPF / DKIM / Domainkeys / etc) to give remote mailservers some tools to determine if a [forged] email from you is legit or not. But if the receiving mailsystem doesn't make use of SPF / DKIM / Domainkeys / etc to score such mails negatively or reject them, then there is absolutely nothing you can do.

    Anybody anywhere can forge your FROM address if they want to.

    M
     
  7. thevali

    thevali Member

    Joined:
    Aug 9, 2011
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    mtindor, you are perfectly right.
    What about my case, when they are sending emails to me spoofing my own address?
    Can I instruct EXIM somehow to drop the messages if they are coming from outside the server but the from: address is a local one?
     
  8. realmxofxnoise

    realmxofxnoise Registered

    Joined:
    Dec 7, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Please delete post - found more info on my issue!
     
    #8 realmxofxnoise, Oct 29, 2012
    Last edited: Oct 29, 2012
  9. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    There currently is no functionality to do this. You might be able to put something together, however it wouldn't be reliable until 11.34.1 ships with the nobody user detection system.

    If it's something you really want, I'd recommend requesting it on features.cpanel.net.
     
  10. realmxofxnoise

    realmxofxnoise Registered

    Joined:
    Dec 7, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Hi Everyone,

    Any advice on a similar issue would be appreciated. I've enabled SMTP authentication to hopefully combat the stupid junk mailer daemons (returned mail) saying it's coming from me to someone else with a different reply-to. I never send these messages and somehow they are still coming in. How is someone still able to send email from my server if I have that on? Here's an example of what I get:
    ------------------------------------------------------------------------------------------------
    Code:
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
    sultantabassum@hotmail.com
    SMTP error from remote mail server after RCPT TO:<sultantabassum@hotmail.com>:
    host mx1.hotmail.com [65.55.92.152]: 550 Requested action not taken:
    mailbox unavailable
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <myemail@mydomain.com>
    Received: from [64.77.236.162] (port=1726 helo=dashboard.unipacla.com)
    by myserver-from-serverbeach.com with esmtpsa (TLSv1:RC4-MD5:128)
    (Exim 4.80)
    (envelope-from <myemail@mydomain.com>)
    id 1TTimp-0003db-Mw
    for sultantabassum@hotmail.com; Wed, 31 Oct 2012 20:37:08 -0400
    MIME-Version: 1.0
    Date: Wed, 31 Oct 2012 17:37:30 -0700
    X-Priority: 3 (Normal)
    X-Mailer: Sylpheed version 1.8.4 (GTK+ 2.9.87;
    i586-pc-tommie-gnu)
    Subject: Job offer: #0-83-2 position of Part-Time Coordinator wanted
    From: myemail@mydomain.com
    Reply-To: Claudiaqby296@hotmail.com
    To: sultantabassum@hotmail.com
    Content-Type: text/plain;
    charset="utf-8"
    Content-Transfer-Encoding: quoted-printable
    Message-ID: <OUTLOOK-IDM-60591c38-88dc-5613-2869-430e7c9db93b@dashboard.unipacla.com>
    ------------------------------------------------------------------------------------------------

    Sorry for the lengthy post, this is just getting really annoying, and any help would be greatly appreciated.

    Thank you,

    Nick
     
  11. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    What about the output of the following?

    Also if some scripts are sending emails & if detailed logging is enabled on server, you will be able to find the script location using the following command.

    Cheers!!!
     
  12. Sannin

    Sannin Active Member

    Joined:
    May 19, 2011
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I have detailed logging enabled but I only get:

    cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TzJFC-002igP-3i

    from the spam mails....
     
  13. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    What's the full log of the id "1TzJFC-002igP-3i"? Paste or attach it here. Normally it will contain the user/email account that's used to authenticate for sending emails.

    Cheers!!!
     
  14. Sannin

    Sannin Active Member

    Joined:
    May 19, 2011
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Indeed, it contains the account that is used, but that account has over 20 addon domains. I would like to pinpoint the location of the spam script.
     
  15. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    Could you please paste / attach the full log here?
     
  16. Sannin

    Sannin Active Member

    Joined:
    May 19, 2011
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Yes, sorry that I didn't post that in full from the start:

    Code:
     2013-01-29 18:33:05 [344251] 1U0E7N-001RYR-2H <= user@localhost U=user P=local S=2594 T="=?UTF-8?B?0J/QvtGB0LzQvtGCcNC40YLQtSANCtCxb9C70YzRiG/QuQ0K0YHRjtGA0L/RgNC40LcgDQrQvtGCIA0K0J5k0L/Qvm" from <user@localhost> for arabovkin@mail.ru
    2013-01-29 18:33:05 [344253] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U0E7N-001RYR-2H
    2013-01-29 18:33:05 [344253] 1U0E7N-001RYR-2H SMTP connection outbound 1359477185 1U0E7N-001RYR-2H domain arabovkin@mail.ru
    2013-01-29 18:33:05 [344253] 1U0E7N-001RYR-2H ** arabovkin@mail.ru F=<user@localhost> P=<user@localhost> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mxs.mail.ru [94.100.176.20]: 550 spam message rejected. Please visit http://mail.ru/notspam/abuse?c=cyOr2WVOdOKYEXfQAnatQ5q1K0BOVsPrFRo3nqUmE1ANAAAAzjgAAEsGdQo~ or report details to abuse@corp.mail.ru. Error code: D9AB2373E2744E65D077119843AD7602402BB59AEBC3564E9E371A15501326A5. ID: 0000000D000038CE0A75064B.
    2013-01-29 18:33:05 [344257] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1U0E7N-001RYR-2H
    2013-01-29 18:33:06 [344257] 1U0E7N-001RYX-VJ <= <> R=1U0E7N-001RYR-2H U=mailnull P=local S=3763 T="Mail delivery failed: returning message to sender" from <> for user@localhost
    2013-01-29 18:33:06 [344259] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U0E7N-001RYX-VJ
    2013-01-29 18:33:06 [344253] 1U0E7N-001RYR-2H Completed QT=1s
    2013-01-29 18:33:06 [344259] 1U0E7N-001RYX-VJ => user <user@localhost> F=<> P=<> R=localuser T=local_delivery S=3862 QT=1s DT=0s
    2013-01-29 18:33:06 [344259] 1U0E7N-001RYX-VJ Completed QT=1s
    2013-01-29 18:33:19 [233924] SMTP connection from [94.71.212.96]:4152 I=[176.9.84.71]:25 (TCP/IP connection count = 1)
    2013-01-29 18:33:19 [344281] cwd=/ 3 args: SENDMAIL -t -i
    2013-01-29 18:33:19 [344281] 1U0E7b-001RYv-Jt <= user@localhost U=user P=local S=2332 T="=?UTF-8?B?0KXQtdC70LvQvtGDLiANCtCU0LXQvNGH0LXQstCwDQog0KDQvtC30LANCiDQktGP0YfQtdGB0LvQsNCy0L7QstC90L" from <user@localhost> for efomina63@mail.ru
    2013-01-29 18:33:19 [344283] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U0E7b-001RYv-Jt
    2013-01-29 18:33:19 [344283] 1U0E7b-001RYv-Jt SMTP connection outbound 1359477199 1U0E7b-001RYv-Jt domain efomina63@mail.ru
    2013-01-29 18:33:20 [344283] 1U0E7b-001RYv-Jt ** efomina63@mail.ru F=<user@localhost> P=<user@localhost> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mxs.mail.ru [94.100.176.20]: 550 spam message rejected. Please visit http://mail.ru/notspam/abuse?c=R69GDf8YDVSI6PHsUm1Zq5q1K0BOVsPrPPwsvVficqoDAAAAvTgAAI3GwQ8~ or report details to abuse@corp.mail.ru. Error code: 0D46AF47540D18FFECF1E888AB596D52402BB59AEBC3564EBD2CFC3CAA72E257. ID: 00000003000038BD0FC1C68D.
    2013-01-29 18:33:20 [344289] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1U0E7b-001RYv-Jt
    2013-01-29 18:33:20 [344289] 1U0E7c-001RZ3-GV <= <> R=1U0E7b-001RYv-Jt U=mailnull P=local S=3501 T="Mail delivery failed: returning message to sender" from <> for user@localhost
    2013-01-29 18:33:20 [344291] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1U0E7c-001RZ3-GV

    Almost all of the spam mails are like that. I have hidden the real user and localhost but the rest is the same. Note that I have enabled mailheaders in EasyApache.
     
  17. ovisopa

    ovisopa Member

    Joined:
    Apr 12, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    I'm also interested in a solution to stop receiving emails with a spoofed FROM header. Lately I receive ~10 emails/day that have the same FROM and TO fields (my email address) but are sent from a different server. This is really annoying; there must be something that can stop those emails. Is there really no way to compare the ENVELOPE-FROM with the FROM header?

    Code:
    Received: from [181.54.130.52] (port=52727 helo=Dynamic-IP-18154013052.cable.net.co)
            by secure4.xtreme--.com with esmtp (Exim 4.80)
            (envelope-from <amphibiousvrh1@travidia.com>)   <- REAL SENDER
            id 1UKrBt-00087p-8G
            for ovis@domain.ro; Wed, 27 Mar 2013 16:19:03 +0200
    ....
    From: <ovis@domain.ro>   <- SPOOFED SENDER
    To: <ovis@domain.ro> 
    
     
    #17 ovisopa, Mar 28, 2013
    Last edited: Mar 28, 2013
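The check thevali asked about in #7 (drop mail whose From: is a local address when it arrives from outside without authentication) and the envelope-from vs. From: comparison ovisopa asks for in #17 are the same rule. The Python below is an added example, not code from cPanel or from anyone in this thread; it parses constructed headers modelled on the ones quoted above, reads the envelope sender from Return-path, the visible From:, and the inbound Received: line, and flags the spoof case while leaving authenticated submissions (Exim tags those esmtpa/esmtpsa) alone. LOCAL_DOMAINS, the host names and the IPs are assumptions.

```python
import email
import re
from email.utils import parseaddr

LOCAL_DOMAINS = {"domain.ro"}  # assumption: the domains this server hosts
# Constructed samples modelled on the Received/From lines quoted in this thread.
SPOOFED = """\
Return-path: <amphibiousvrh1@travidia.com>
Received: from [181.54.130.52] (port=52727 helo=Dynamic-IP-18154013052.cable.net.co)
\tby secure4.example.com with esmtp (Exim 4.80)
\t(envelope-from <amphibiousvrh1@travidia.com>)
From: <ovis@domain.ro>
To: <ovis@domain.ro>

"""
AUTHENTICATED = """\
Return-path: <ovis@domain.ro>
Received: from [198.51.100.7] (port=1726 helo=laptop)
\tby secure4.example.com with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.80)
\t(envelope-from <ovis@domain.ro>)
From: ovis@domain.ro
To: friend@example.net

"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def first_hop(msg):
    """Protocol and remote IP from the topmost Received: line (the hop into us)."""
    hop = " ".join((msg.get_all("Received") or [""])[0].split())  # unfold
    proto = re.search(r"\bwith (\w+)", hop)
    ip = re.search(r"from \[([\d.]+)\]", hop)
    return (proto.group(1) if proto else ""), (ip.group(1) if ip else "")

def classify(raw):
    msg = email.message_from_string(raw)
    env = parseaddr(msg.get("Return-path", ""))[1].lower()
    hdr = parseaddr(msg.get("From", ""))[1].lower()
    proto, ip = first_hop(msg)
    authenticated = proto in ("esmtpa", "esmtpsa")  # Exim's authenticated tags
    return {
        "envelope_from": env, "header_from": hdr, "remote_ip": ip,
        "authenticated": authenticated,
        # SPF looks at the envelope domain, not From:, hence the gap in the thread
        "spf_checked_domain": domain_of(env),
        # thevali's rule: local From: from outside without authentication = spoofed
        "spoofed_local_from": domain_of(hdr) in LOCAL_DOMAINS and not authenticated,
    }
```

The same rule would also catch legitimately forwarded mail and mailing-list copies that carry a local From:, so in production it needs an allow-list of known relays before it is used to reject rather than to tag.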
  18. NetVicious

    NetVicious Registered

    Joined:
    Feb 4, 2013
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    What about setting the SPF of your domain correctly with -all and enabling the SPF checks?

    When you receive one spoofed email it will check the SPF DNS entries and it should deny the sending of the email, because the email is sent from an IP address without authorisation.
     
  19. ovisopa

    ovisopa Member

    Joined:
    Apr 12, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    As far as I know SPF is correctly configured, here are my configs:

    Reject SPF failures [?] On

    [attached screenshot: spf_dkim.jpg]

    I also checked the logs, I can find a lot of mails rejected with this message:

    Code:
    2013-04-04 00:55:36 H=(28.51.130.46.in-addr.mts.am) [46.130.51.28]:2557 F=<descantedsjwm@rambler.ru> rejected RCPT <bogdanov@medimp---.ro>: SPF: 46.130.51.28 is not allowed to send mail from rambler.ru
    
    2013-04-04 01:17:28 H=12.81.221.87.dynamic.jazztel.es [87.221.81.12]:61549 F=<emmanuelag92@google.com> temporarily rejected RCPT <mihaelad@www.sib---.ro>: lowest numbered MX record points to local host
    but at the same time there are also a lot of messages passing over the SPF:

    Code:
    2013-04-03 03:34:47 1UNBf5-0004mG-B0 H=(240-155-189-190.cab.prima.net.ar) [190.189.155.240]:41760 Warning: "SpamAssassin as lu----pa detected message as NOT spam (4.7)"
    2013-04-03 03:34:47 1UNBf5-0004mG-B0 H=(240-155-189-190.cab.prima.net.ar) [190.189.155.240]:41760 Warning: Message has been scanned: no virus or other harmful content was found
    2013-04-03 03:34:47 1UNBf5-0004mG-B0 <= plastererhi8@google.com H=(240-155-189-190.cab.prima.net.ar) [190.189.155.240]:41760 P=esmtp S=3629 id=9611545440.Y0J77EWV457388@ijrsoaplxrlzxec.uwdcqyldatdmjd.info T="Munc\304\203 la domiciliu." for concurs@sib---.ro vsv@sib---.ro
    2013-04-03 03:34:47 1UNBf5-0004mG-B0 => concurs <concurs@sib---.ro> R=virtual_user T=virtual_userdelivery
    2013-04-03 03:34:47 1UNBf5-0004mG-B0 => vsv <vsv@sib---.ro> R=virtual_user T=virtual_userdelivery
    2013-04-03 03:34:47 1UNBf5-0004mG-B0 Completed
    
    Any ideas?
     
  20. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Alright, this thread has been hijacked by 3 different people. For some of you, sounds like you're receiving backscatter. If you're receiving messages saying an email has bounced, or is "undeliverable", and you're sure that the email could not have come from you (or malware on your computer/server), then you're receiving backscatter. If you're using Exim, you can make the following change to cut down the amount of backscatter you receive:

    1. Go to WHM »Service Configuration »Exim Configuration Manager
    2. Click on "Advanced Editor"
    3. Look for "custom_begin_rbl".
    4. Paste the following code in that box:
      Code:
      deny senders = : MAILER-DAEMON@* postmaster@*
      dnslists = ips.backscatterer.org
      log_message = $sender_host_address listed at $dnslist_domain
      message = Backscatter: $dnslist_text
      
    5. Save. I think this restarts Exim... if not, do it yourself.

    What this does is check the backscatterer.org blacklist, and blocks only the automated bounced messages that come from those domains.
     