Reject email (spam) when from address IP not match mail server IP

[Ashtor]

Hi Guys,

Problem: foreign SPAM devices sending a ton of e-mails from my e-mail address to my e-mail address. For example:

Sender User: example
Sender Domain: example.com
From Address: [email protected]
Sender: [email protected]
Sender Host: foreign.domain.name
Sender IP: 1.2.3.4 (foreign IP)
Authentication: forwarder
Recipient: [email protected]
Result: Accepted

Foreign sender does not have any DKIM-SPF-DMARC record. BUT I recieve email FULLY authenticated: SPF pass, DMARC pass, DKIM pass. Exim generating valid DKIM then forwards the original SPAM email.

I want to reject all email, when the sender domain is one of my added domain - and the sender IP does not match my mailserver's IP.

Thank you for your help: Ashtor

 

[cPRex]

Hey there! It's interesting that you say the messages are fully authenticated. Could you post the mail headers here, just removing any public details like domains or IPs?

 

[Ashtor]

Here it is:

Delivered-To: {{*privacy* MY_GMAIL}}
Received: by 2002:a17:90b:3601:0:0:0:0 with SMTP id ml1csp5302349pjb;
        Wed, 3 Mar 2021 10:36:46 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzQcytWGei8QrnPQAXYdBSVXEqlrb0wQeHKSzPAolUVRvqDc7CB03/uj23QZkhyCTe3DJnP
X-Received: by 2002:a17:906:fc1c:: with SMTP id ov28mr203083ejb.342.1614796606032;
        Wed, 03 Mar 2021 10:36:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614796606; cv=none;
        d=google.com; s=arc-20160816;
        b=iljbHVJrUTRhJJpe5B+5claRJh+zHeuJl5DrqVI6De5Dd0JPKrrJclRtS9JrzirL7e
         zZj+07VaTdLpUPycW7w4P8HcSgz8GXU3NV+1nixV9kfg2ZF9DFCetCC2b6Lh2mZHp5nq
         3ba5/5fQMs7ZsVPQCSsGDPCQiqc3kX8jUQHxgx2quPkkVdJSLJB+ZDJjLkB8jxekyadR
         4b+eetuXbZk0uEr0nOQtxhctIGyetX5fA2QwUtZ1Mb+vor8BKehAxEmLWJ3LjvmcE5nU
         H0YDXFtBUKzxwybSd5xEo6J3rKkzgxCPLlmDsRZXcAoU3pSt7QvMY+8dsKP2hE+qJ4/2
         ojDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:message-id:from:date:subject
         :to:dkim-signature;
        bh=1g/SB2vjVgVOydh3c6TA8OkGj1e24f9UOnnoTCBn65E=;
        b=f0HlNvwcT4HGuzrxJ9VqunKZiFWXl3FWjeoLTWI7WTpDQce/Hl82p1oh2FrMMiRmFc
         ynfc6179sM+HPs4waby83jyAXoCaOvxnrCV+88q6vxetJYdNsJXyF3SPoXlfFvlLTfyV
         B5IBIPKjg0k3hQySRgbtiyp3vy5FzDpvoioQHS0GFKYLYJciQdhgC0bdn32eH/16WFSi
         eTXZBx7ecxJ+gRuj6WPj5ExLo/mVS0GIV6DBnHs/O1LFz/tzbtCRwdcIthrAUKepzZ4w
         x/Zyfaz2kaacLTbrcpBlvKVKgwfvfA17hA0VkVyNhv6bmf7mbXPrm/SuWav6UH2Jp8LX
         WDqA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected]{{*privacy* MY_ADDON_DOMAIN}} header.s=default header.b="KjPKM0/5";
       spf=pass (google.com: domain of [email protected]{{*privacy* MY_ADDON_DOMAIN}} designates {{*privacy* MY_WHM_IP}} as permitted sender) [email protected]{{*privacy* MY_ADDON_DOMAIN}};
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from={{*privacy* MY_ADDON_DOMAIN}}
Return-Path: <[email protected]{{*privacy* MY_ADDON_DOMAIN}}>
Received: from {{*privacy* MY_WHM_HOST}} ({{*privacy* MY_WHM_HOST}}. [{{*privacy* MY_WHM_IP}}])
        by mx.google.com with ESMTPS id ly21si7285631ejb.128.2021.03.03.10.36.45
        for <{{*privacy* MY_GMAIL}}>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 03 Mar 2021 10:36:45 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected]{{*privacy* MY_ADDON_DOMAIN}} designates {{*privacy* MY_WHM_IP}} as permitted sender) client-ip={{*privacy* MY_WHM_IP}};
Authentication-Results: mx.google.com;
       dkim=pass [email protected]{{*privacy* MY_ADDON_DOMAIN}} header.s=default header.b="KjPKM0/5";
       spf=pass (google.com: domain of [email protected]{{*privacy* MY_ADDON_DOMAIN}} designates {{*privacy* MY_WHM_IP}} as permitted sender) [email protected]{{*privacy* MY_ADDON_DOMAIN}};
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from={{*privacy* MY_ADDON_DOMAIN}}
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d={{*privacy* MY_ADDON_DOMAIN}}; s=default; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-ID:From:Date:Subject:To:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=1g/SB2vjVgVOydh3c6TA8OkGj1e24f9UOnnoTCBn65E=; b=KjPKM0/5an1McrJH5IldcpWLcy 4S0ROX8V75MOlSgOpDskxkR8mNhoQ2E/H3M/aCU4DuZAnqhK1wqjgSXGpgAW2XdvjsLpEvLn+DETn chjuj6gPu6Pygw+rvSPo0V+GD1gvIpsJ9uSwsZLO+QYs86pePLS47ajEDpqj6urkLIe1wIs6WQAJr tMHPNwgsOffQxUwcNqAW7b0PIy0wrIssIg6Nsx+u2SYHzVqnZnNAYwHmA9+TXtyxh5vPVWpCt6BPz Knkhf6IIloj7ZZlvhv0M2HoGgFcm1ZN35scb1lN60fMSENJE9NqK+F3bsFg08rvv58KEMhFgttfq9 Dv5AK9zg==;
Received: from srv2.pixelstar.hu ([185.43.207.238]:42950 helo=pixelstar.hu) by {{privacy* MY_WHM_HOST}} with esmtp (Exim 4.94) (envelope-from <hello{{*privacy* MY_ADDON_DOMAIN}}>) id 1lHWMV-0002sI-P5 for [email protected]{{*privacy* MY_ADDON_DOMAIN}}; Wed, 03 Mar 2021 19:36:45 +0100
{{** Here is -> foreign hostname/IP **}}
Received: by pixelstar.hu (Postfix, from userid 33) id 8989023F98A; Wed,
  3 Mar 2021 19:36:03 +0100 (CET)
To: "[email protected]{{*privacy* MY_ADDON_DOMAIN}}" <[email protected]{{*privacy* MY_ADDON_DOMAIN}}>
Subject: DKIM teszt 4876
Date: Wed, 3 Mar 2021 19:36:03 +0100
From: "[email protected]{{*privacy* MY_ADDON_DOMAIN}}" <[email protected]{{*privacy* MY_ADDON_DOMAIN}}>
Message-ID: <[email protected]>
{{** E-mail sent from foreign domain name **}}
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_5b1265bd88dd11e72f08a64bd2b9f22d"
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=2.0
X-Spam-Score: 20
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "{{*privacy* MY_WHM_HOST}}", has NOT identified this incoming email as spam.
  The original message has been attached to this so you can view it or label similar future email.
  If you have any questions, see root\@localhost for details. Content preview:
  Kedves Címzett,Kérésére hamarosan válaszolunkFelado:
   [email protected]{{*privacy* MY_ADDON_DOMAIN}} Kedves Címzett, Kérésére hamarosan válaszolunk
     Content analysis details:
   (2.0 points, 5.0 required)
  pts rule name
              description ---- ---------------------- --------------------------------------------------
  1.5 SPF_SOFTFAIL
           SPF: sender does not match SPF record (softfail)
  0.0 HTML_MESSAGE
           BODY: HTML included in message
  0.5 KAM_NUMSUBJECT
         Subject ends in numbers excluding current years
X-Spam-Flag: NO
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - {{*privacy* MY_WHM_HOST}}
X-AntiAbuse: Original Domain - {{*privacy* MY_ADDON_DOMAIN}}
X-AntiAbuse: Originator/Caller UID/GID - [xx xx] / [xx xx]
X-AntiAbuse: Sender Address Domain - {{*privacy* MY_ADDON_DOMAIN}}
X-Get-Message-Sender-Via: {{*privacy* MY_WHM_HOST}}: redirect/forwarder owner [email protected]{{*privacy* MY_ADDON_DOMAIN}} -> {{*privacy* MY_GMAIL}}
X-Authenticated-Sender: {{*privacy* MY_WHM_HOST}}: [email protected]{{*privacy* MY_ADDON_DOMAIN}}

 

[cPRex]

Thanks for those details - this is the part that concerns me from those headers:

Received: from {{*privacy* MY_WHM_HOST}} ({{*privacy* MY_WHM_HOST}}. [{{*privacy* MY_WHM_IP}}])

Since the return path shows your WHM server's IP address, that seems to indicate the message was sent from your server. Do you see any evidence of this message coming outbound from your machine in the /var/log/exim_mainlog file?

 

[Ashtor]

Logs (new):

2021-03-04 00:27:35 1lHatx-0004JO-PI H=srv2.pixelstar.hu (pixelstar.hu) [185.43.207.238]:55996 Warning: "SpamAssassin as vj detected message as NOT spam (2.0)"
2021-03-04 00:27:35 1lHatx-0004JO-PI <= [email protected]{{*privacy* MY_WHM_HOST}} H=srv2.pixelstar.hu (pixelstar.hu) [185.43.207.238]:55996 P=esmtp S=2219 [email protected] T="DKIM teszt 9156" for [email protected]{{*privacy* MY_WHM_HOST}}
2021-03-04 00:27:35 SMTP connection from srv2.pixelstar.hu (pixelstar.hu) [185.43.207.238]:55996 closed by QUIT
2021-03-04 00:27:35 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lHatx-0004JO-PI
2021-03-04 00:27:35 1lHatx-0004JO-PI SMTP connection identification D={{*privacy* MY_WHM_HOST}} [email protected]{{*privacy* MY_WHM_HOST}} E={{*privacy* MY_GMAIL}} M=1lHatx-0004JO-PI U=XXX ID=XXXX B=redirect_resolver
2021-03-04 00:27:35 1lHatx-0004JO-PI Sender identification U=XXX D={{*privacy* MY_WHM_HOST}} [email protected]{{*privacy* MY_WHM_HOST}}
2021-03-04 00:27:35 1lHatx-0004JO-PI SMTP connection outbound 1614814055 1lHatx-0004JO-PI {{*privacy* MY_WHM_HOST}} {{*privacy* MY_GMAIL}}
2021-03-04 00:27:36 1lHatx-0004JO-PI => {{*privacy* MY_GMAIL}} ([email protected]{{*privacy* MY_WHM_HOST}}) <[email protected]{{*privacy* MY_WHM_HOST}}> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [108.177.127.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1614814056 p9si7439902edh.186 - gsmtp"
2021-03-04 00:27:36 1lHatx-0004JO-PI Completed

 

[cPRex]

Thanks for that information. It might be a good idea to work through the information on this page to see if you can get even more information:

How to find the source of spam emails

Introduction In this article, we will be exploring means to determine how spam emails were sent from your server. This is meant to guide you in the right direction in which a further, more in-dep...

support.cpanel.net

 

[Ashtor]

How to setup exim to reject this emails?

 

[cPRex]

If there was an easy way to block all spoofed messages, we would have included that directly in the product by default, but unfortunately there just isn't. Were you able to confirm if the message was indeed originating from your server as spam? If not, it would be good to confirm that first, and you're always welcome to open a support ticket with our team so we can examine the system directly.

 

[Ashtor]

Scrammer says: "I sent you an email from your account ... I hacked your system... pay me bitcoin... etc etc". Like those:

Bitcoin Abuse Database: 14GYvZHr5dCoVLK3jqW98zFeT5AVBpWsBG

www.bitcoinabuse.com

The blackmailer is right: DKIM, SPF pass. Wow, it's really scary. Change all of my passwords...

But scrammer don't know my password. My email server authenticating incoming spam messages than forwarding trustworthy :'(

Because of this, i bought a brand new expensive webserver and for security reasons, i bought WHM&Cpanel license. The same thing happens like my cheap own-configured webserver :'(

(ps.: sorry for my bad english, but this is really really scary.)

 

[Ashtor]

The solution sounds easy to me:

IF the sender address is one of my domains -> Check sender's IP address. -> IF it's different from my IP, THAN reject / stop forwarding.

 

[cPRex]

I still believe it would be best for you to open a ticket with our team. Since you have root access we could check the settings on the server for you and ensure things are secure.