Rewrite header to match actual sender for the incoming emails

Discussion in 'E-mail Discussion' started by amjad.q, Nov 27, 2017.

  1. amjad.q

    amjad.q Member

    Joined:
    Jul 2, 2016
    Messages:
    22
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I receive emails that show they are coming from my domain, but when I check the source of the email it shows me the real sender is different.
    In the example source below, the email shows as coming from email@mydomain.com, but the real sender is email@spam-domain.com.

    The source of the email is below:
    Code:
    -------------------------------------------------------------------
    Return-Path: <email@spam-domain.com>
    Delivered-To: email@mydomain.com
    Received: from myserver.com
       by myserver.com with LMTP id 2IGOA+zUEYEBBW63
       for <email@mydomain.com>;  20 Oct 2017 11:09:00 +0200
    Return-path: <email@spam-domain.com>
    Envelope-to: email@mydomain.com
    Delivery-date: xxxxxxxx
    Received: from xxxserver.net ([xx.xx.xx.xx]:43674 helo=xxxserver.net)
       by myserver.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
       (Exim 4.89)
       (envelope-from <email@spam-domain.com>)
       id 1e6aTZ-00083o-Nj
       for email@mydomain.com; 20 Oct 2017 11:09:00 +0200
    Received: from xxxserver.net ([xx.xx.xx.xx])
       by :WBEOUT: with SMTP
       id yieryeruye4983947ufgd; 20 Oct 2017 11:09:00 +0200
    X-SID: 6aJweOOkTRt1B
    Received: (qmail 144488 invoked by uid 99); 20 Oct 2017 11:09:00 +0200
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/html; charset="utf-8"
    X-Originating-IP: xx.xx.xx.xx
    User-Agent: Workspace Webmail 6.8.14
    Message-Id: <xxxxxxxx>
    From: "name" <email@mydomain.com>
    X-Sender: email@spam-domain.com
    Reply-To: "name" <email@spam-domain.com>
    To: email@mydomain.com
    Subject: RE: xxxxxxx
    Date: xxxxxxx
    Mime-Version: 1.0
    X-CMAE-Envelope:
    -------------------------------------------------------------------
    
    I would like to know how I can protect myself from these 'deceitful' emails.
     
    #1 amjad.q, Nov 27, 2017
    Last edited by a moderator: Nov 27, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Is SpamAssassin enabled for this account? If so, SpamAssassin includes SPF verification by default to help avoid spoofed emails. You could also enable the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you wanted to verify DKIM records:

    Allow DKIM verification for incoming messages
    Reject DKIM failures


    Thank you.
     
  3. amjad.q

    amjad.q Member

    Hello,

    Thanks for your reply. Yes, SpamAssassin, SPF and DKIM are enabled.
    The email passes the check as email@spam-domain.com, but the email shows it's from email@mydomain.com.


    Delivery details are below:
    -----------------------------------------------------
    Event: success success
    Sender User: myaccount
    Sender Domain: mydomain.com
    From Address: email@spam-domain.com
    Sender: email@mydomain.com
    Sent Time: xxxxxxxx
    Sender Host: spam-server.com
    Sender IP: xxxxx
    Authentication: forwarder
    Spam Score: 3.6
    Recipient: email@mydomain.com
    Delivered To: email@mydomain.com
    Delivery User: myaccount
    Delivery Domain: mydomain.com
    Router: virtual_user
    Transport: dovecot_virtual_delivery_no_batch
    Out Time: xxxxxxx
    ID: xxxxxxxxx
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 10.12 KB
    Result: Accepted
    -----------------------------------------------------
     
  4. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    729
    Likes Received:
    248
    Trophy Points:
    93
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
  5. amjad.q

    amjad.q Member

    Hello,

    I want to rewrite the "From" header to match the actual sender for any incoming email, not just for a specific domain.
    The email passes the check as email@spam-domain.com, so the email should show that it's from that address, not another one.

    In the source of the email, X-Sender is email@spam-domain.com and From is email@mydomain.com, but the user doesn't see X-Sender, which is the real sender, so we have to rewrite From to match the real sender.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    That's for outgoing email from your domain name. You'd need to enable SpamAssassin and the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you wanted to verify SPF and DKIM records for incoming email:

    Allow DKIM verification for incoming messages
    Reject DKIM failures

    Thank you.
     
  7. amjad.q

    amjad.q Member

    Hello,

    I'm using SPF and DKIM to check incoming emails too; the SpamAssassin option, "Allow DKIM verification for incoming messages" and "Reject DKIM failures" are enabled.

    The email passes the SPF and DKIM checks as email@spam-domain.com; you can check the details below.
    Code:
    -----------------------------------------------------
    Event: success success
    Sender User: myaccount
    Sender Domain: mydomain.com
    From Address: email@spam-domain.com
    Sender: email@mydomain.com
    Sent Time: xxxxxxxx
    Sender Host: spam-server.com
    Sender IP: xxxxx
    Authentication: forwarder
    Spam Score: 3.6
    Recipient: email@mydomain.com
    Delivered To: email@mydomain.com
    Delivery User: myaccount
    Delivery Domain: mydomain.com
    Router: virtual_user
    Transport: dovecot_virtual_delivery_no_batch
    Out Time: xxxxxxx
    ID: xxxxxxxxx
    Delivery Host: localhost
    Delivery IP: 127.0.0.1
    Size: 10.12 KB
    Result: Accepted
    -----------------------------------------------------
    
    So he passes the email through the check as email@spam-domain.com, but the header of the email shows it's from email@mydomain.com; you can check the source of the email shown above.
     
    #7 amjad.q, Dec 1, 2017
    Last edited by a moderator: Dec 5, 2017
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     
  9. amjad.q

    amjad.q Member

    Hello,

    Thanks for your reply. I have already opened a ticket (ticket number 9066107).

    They did not give a solution for this issue; they told me that (We are limited in how we can help you with spoofed emails like this except make suggestions. In this case, as a courtesy I have verified that all the major cPanel features for combating incoming unsolicited email are on and all the RBL blacklists are in use.)

    I hope you can add any help toward a solution for this issue.

    Thank you.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    If the sender is passing DKIM and SPF verification, then it suggests abuse of the domain name for SPAM purposes. In such cases, you may want to consider reporting the issue to the administrator of the remote mail server, or blocking email from the mail server IP address used for sending.

    Thank you.
     
  11. amjad.q

    amjad.q Member

    Hello,

    Thanks for your reply.
    Blocking his IP or his hosting isn't a solution; he will use a new server. I must have a solution to protect my server from fraud like this.

    What if we use a filter in SpamAssassin or a script for Exim to check "X-Sender", and if it doesn't match "From:", ignore the email?
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    To update, it looks like you may have found an alternate solution (using the HEADER_FROM_DIFFERENT_DOMAINS SpamAssassin option) per ticket number 9066107. Feel free to update this thread once the ticket is closed to let us know how it works.

    Thank you.
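
The check this thread converges on, comparing the visible From: domain with the envelope sender and the other sender-identifying headers, written in Python as an added example (not part of the original thread, and not cPanel, Exim or SpamAssassin code). The function names, the `local_domains` parameter and the subdomain-based alignment rule are assumptions; the sample is constructed from the headers quoted in the first post, and the message is assumed to be read after delivery, when Return-Path is present.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the first post, trimmed to the relevant ones.
SAMPLE = '''Return-Path: <email@spam-domain.com>
Delivered-To: email@mydomain.com
From: "name" <email@mydomain.com>
X-Sender: email@spam-domain.com
Reply-To: "name" <email@spam-domain.com>
To: email@mydomain.com
Subject: RE: xxxxxxx

(body omitted)
'''

def domain_of(value):
    """Lower-cased domain of the address in a header value, '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def aligned(a, b):
    """Relaxed match: same domain, or one is a subdomain of the other.
    Simplification (assumption): a stricter check compares organizational domains."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_from_alignment(raw, local_domains=()):
    """Compare the visible From domain with the sender-identifying headers."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    mismatches = []
    for hdr in ("Return-Path", "X-Sender", "Reply-To"):
        for value in msg.get_all(hdr, []):
            dom = domain_of(value)
            # An empty domain (e.g. the null Return-Path "<>" on bounces) is skipped.
            if dom and from_dom and not aligned(dom, from_dom) and (hdr, dom) not in mismatches:
                mismatches.append((hdr, dom))
    # Strongest signal in this thread: From claims a domain hosted here,
    # but the envelope sender (Return-Path) belongs to someone else.
    spoofs_local = from_dom in local_domains and any(h == "Return-Path" for h, _ in mismatches)
    return {"from_domain": from_dom, "mismatches": mismatches, "spoofs_local": spoofs_local}

if __name__ == "__main__":
    print(check_from_alignment(SAMPLE, local_domains={"mydomain.com"}))
```

Mailing lists and bulk-mail providers legitimately send with a Return-Path domain that differs from From:, so a plain mismatch is better used as a spam-score signal; the `spoofs_local` case (From: claims a locally hosted domain while the envelope sender is external) is the narrower one that matches the message in the first post.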
     