Rewrite header to match actual sender for the incoming emails

amjad.q

Member
Jul 2, 2016
22
2
3
India
cPanel Access Level
Root Administrator
Hello,

I receive emails that appear to come from my domain, but when I check the source of the email it shows me that the real sender is different.
In the example below, the source of the email shows that the email came from [email protected], but the real sender is [email protected]

The source of the email is as below:
Code:
-------------------------------------------------------------------
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from myserver.com
   by myserver.com with LMTP id 2IGOA+zUEYEBBW63
   for <[email protected]>;  20 Oct 2017 11:09:00 +0200
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: xxxxxxxx
Received: from xxxserver.net ([xx.xx.xx.xx]:43674 helo=xxxserver.net)
   by myserver.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
   (Exim 4.89)
   (envelope-from <[email protected]>)
   id 1e6aTZ-00083o-Nj
   for [email protected]; 20 Oct 2017 11:09:00 +0200
Received: from xxxserver.net ([xx.xx.xx.xx])
   by :WBEOUT: with SMTP
   id yieryeruye4983947ufgd; 20 Oct 2017 11:09:00 +0200
X-SID: 6aJweOOkTRt1B
Received: (qmail 144488 invoked by uid 99); 20 Oct 2017 11:09:00 +0200
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: xx.xx.xx.xx
User-Agent: Workspace Webmail 6.8.14
Message-Id: <xxxxxxxx>
From: "name" <[email protected]>
X-Sender: [email protected]
Reply-To: "name" <[email protected]>
To: [email protected]
Subject: RE: xxxxxxx
Date: xxxxxxx
Mime-Version: 1.0
X-CMAE-Envelope:
-------------------------------------------------------------------
I would like to know how I can protect myself from them 'deceitful'.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

Is SpamAssassin enabled for this account? If so, SpamAssassin includes SPF verification by default to help avoid spoofed emails. You could also enable the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you wanted to verify DKIM records:

Allow DKIM verification for incoming messages
Reject DKIM failures


Thank you.
 

amjad.q

Hello,

Thanks for your reply. Yes, SpamAssassin, SPF and DKIM are enabled.
The email passes the check as [email protected], but the email shows me it's from [email protected]


Delivery Details as below
-----------------------------------------------------
Event: success success
Sender User: myaccount
Sender Domain: mydomain.com
From Address: [email protected]
Sender: [email protected]
Sent Time: xxxxxxxx
Sender Host: spam-server.com
Sender IP: xxxxx
Authentication: forwarder
Spam Score: 3.6
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: myaccount
Delivery Domain: mydomain.com
Router: virtual_user
Transport: dovecot_virtual_delivery_no_batch
Out Time: xxxxxxx
ID: xxxxxxxxx
Delivery Host: localhost
Delivery IP: 127.0.0.1
Size: 10.12 KB
Result: Accepted
-----------------------------------------------------
 

amjad.q

Hello,

I want to rewrite the "From" header to match the actual sender for any incoming email, not just for a specific domain.
The email passes the check as [email protected], so it should show in the email that it's from that email, not another email.

In the source of the email, X-Sender is [email protected] and From is [email protected], but the user doesn't see the X-Sender, which is the real sender, so we have to rewrite From to match the real sender.
 

cPanelMichael

Thanks for your reply. Yes, SpamAssassin, SPF and DKIM are enabled.
The email passes the check as [email protected], but the email shows me it's from [email protected]
Hello,

That's for outgoing email from your domain name. You'd need to enable SpamAssassin and the following options under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor" if you wanted to verify SPF and DKIM records for incoming email:

Allow DKIM verification for incoming messages
Reject DKIM failures

Thank you.
 

amjad.q

Hello,

I'm using SPF and DKIM to check incoming emails too; the SpamAssassin, "Allow DKIM verification for incoming messages" and "Reject DKIM failures" options are enabled.

The email passes the SPF and DKIM check as [email protected]; you can check the details as below.
Code:
-----------------------------------------------------
Event: success success
Sender User: myaccount
Sender Domain: mydomain.com
From Address: [email protected]
Sender: [email protected]
Sent Time: xxxxxxxx
Sender Host: spam-server.com
Sender IP: xxxxx
Authentication: forwarder
Spam Score: 3.6
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: myaccount
Delivery Domain: mydomain.com
Router: virtual_user
Transport: dovecot_virtual_delivery_no_batch
Out Time: xxxxxxx
ID: xxxxxxxxx
Delivery Host: localhost
Delivery IP: 127.0.0.1
Size: 10.12 KB
Result: Accepted
-----------------------------------------------------
So he passes the check as [email protected], but the header of the email shows it's from [email protected]; you can check the source of the email shown above.
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.
 

amjad.q

Hello,

Thanks for your reply. I have already opened a ticket (ticket number 9066107).

They did not give a solution for this issue; they told me that (We are limited in how we can help you with spoofed emails like this except make suggestions. In this case, as a courtesy I have verified that all the major cPanel features for combating incoming unsolicited email are on and all the RBL blacklists are in use.)

I hope you can offer any additional help to find a solution for this issue.

Thank you.
 

cPanelMichael

Hello,

If the sender is passing DKIM and SPF verification, then it suggests abuse of the domain name for SPAM purposes. In such cases, you may want to consider reporting the issue to the administrator of the remote mail server, or blocking email from the mail server IP address used for sending.

Thank you.
 

amjad.q

Hello,

Thanks for your reply.
Blocking his IP or his hosting isn't a solution; he will use a new server. I must have a solution to protect my server from fraud like this.

What about using a filter in SpamAssassin or a script for Exim to check the "X-Sender", and if it doesn't match the "From:", ignore the email?
 

cPanelMichael

Hello,

To update, it looks like you may have found an alternate solution (using the HEADER_FROM_DIFFERENT_DOMAINS SpamAssassin option) per ticket number 9066107. Feel free to update this thread once the ticket is closed to let us know how it works.

Thank you.
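
The check discussed in this thread (flag a message whose visible From: domain differs from the envelope sender or X-Sender), as an added example that is not part of the original posts and is not cPanel, Exim or SpamAssassin code. SPF validates the envelope sender (Return-Path) rather than the From: header. The sample message, its example domains, the function names and the simplified subdomain comparison are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the headers posted in this thread; all
# addresses and domains are placeholders, not values from the thread.
SAMPLE = """\
Return-Path: <bulk@sender.example>
Received: from mail.sender.example by mx.victim.example with esmtps
X-Sender: bulk@sender.example
From: "Accounts" <ceo@victim.example>
Reply-To: "Accounts" <bulk@sender.example>
To: user@victim.example
Subject: RE: invoice

body
"""

def domains(msg, header):
    """Lower-cased domains of every address in all copies of `header`."""
    values = msg.get_all(header, [])
    return {addr.rsplit("@", 1)[1].lower().rstrip(".")
            for _, addr in getaddresses(values) if "@" in addr}

def related(a, b):
    """Same domain, or one is a subdomain of the other (simplified alignment,
    an assumption: no public-suffix lookup is done)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def from_mismatches(raw):
    """List findings where the visible From: disagrees with the envelope
    sender (Return-Path) or with X-Sender. Empty list means aligned."""
    msg = message_from_string(raw)
    from_domains = domains(msg, "From")
    if len(from_domains) != 1:
        # Missing From:, or several authors on different domains: report it.
        return [f"From: has {len(from_domains)} domains"]
    (from_domain,) = from_domains
    findings = []
    for header in ("Return-Path", "X-Sender"):
        for d in sorted(domains(msg, header)):
            if not related(from_domain, d):
                findings.append(f"From: {from_domain} != {header}: {d}")
    return findings

if __name__ == "__main__":
    for line in from_mismatches(SAMPLE) or ["aligned"]:
        print(line)
```

Mailing lists, forwarders and bulk-mail providers legitimately send with an envelope domain that differs from From:, so a mismatch is better used as a scoring signal than as a reason to discard mail.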