levelmeasure

I have a reseller account at a host with several client domains. One client has a number of email addresses that are getting email from themselves, containing spam.

From what I can tell, these emails are being passed as example from my parent host's servers (the company I buy my reseller account from).

Why don't these fail to authenticate when the fake sender sends, AND/OR when the real sender receives?

How do I keep other people from sending email through my client's account?

Example of Message Source in a fake email (names & numbers changed to protect privacy)
Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from rs2.parentserver.com
    by rs2.parentserver.com with LMTP id EiEiEi0
    for <[email protected]>; Wed, 08 Aug 2018 17:19:32 -0400
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 08 Aug 2018 17:19:32 -0400
Received: from adsl-001.001.001.001.bogus.gr ([002.002.002.002]:10500)
    by rs2.parentserver.com with esmtp (Exim 4.91)
    (envelope-from <[email protected]>)
    id 3c3c3c3c3c3c-OT
    for [email protected]; Wed, 08 Aug 2018 17:19:32 -0400
Message-ID: <[email protected]>
From: <[email protected]>
To: <[email protected]>
Subject: Welcome to our company
Date: 9 Aug 2018 02:05:48 +0200
MIME-Version: 1.0
Content-Type: text/plain;
    charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In Track Delivery, the acceptance looks like this (names & numbers changed):
Code:
Event:    success success
User:    -remote-
Domain:  
From Address:    [email protected]
Sender:  
Sent Time:    Aug 8, 2018, 4:19:16 PM
Sender Host:    adsl-001.001.001.001.bogus.gr
Sender IP:    002.002.002.002
Authentication:    localdelivery
Spam Score:  
Recipient:    [email protected]
Delivery User:    myclientrealusername
Delivery Domain:    example.com
Delivered To:    [email protected]
Router:    virtual_user
Transport:    dovecot_virtual_delivery
Out Time:    Aug 8, 2018, 4:19:16 PM
ID:    3c3c3c3c3c3c-OT
Delivery Host:    localhost
Delivery IP:    100.0.0.1
Size:    1.66 KB
Result:    Accepted
 
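As an added example (it is not from the original post and not cPanel's code), the script below pulls out of a message source the two facts this thread turns on: whether the From address equals the To address, and whether the hop that handed the message to our own MTA came from an outside host, which is what Exim exposes as $sender_host_address and which is empty when the message did not arrive over SMTP from outside. The first sample is constructed from the redacted header quoted above with placeholder addresses and a placeholder server hostname; the second is a constructed control case with the same From and To that originated on the server itself and therefore shows only the internal LMTP hop.

```python
import email
import re
from email.utils import parseaddr

# Hostname(s) of our own mail server. Constructed placeholder, matching the
# redacted "rs2.parentserver.com" in the header quoted above.
LOCAL_HOSTS = {"rs2.parentserver.com"}

# Protocols that mean "handed to us over SMTP"; LMTP is the internal hop to Dovecot.
SMTP_PROTOCOLS = {"smtp", "esmtp", "esmtps", "esmtpa", "esmtpsa"}

# Constructed sample modelled on the redacted header in the post above
# (placeholder addresses, hostnames and IPs; not a real message).
SPOOFED = """\
Return-Path: <user@example.com>
Delivered-To: user@example.com
Received: from rs2.parentserver.com
    by rs2.parentserver.com with LMTP id EiEiEi0
    for <user@example.com>; Wed, 08 Aug 2018 17:19:32 -0400
Received: from adsl-001.001.001.001.bogus.gr ([002.002.002.002]:10500)
    by rs2.parentserver.com with esmtp (Exim 4.91)
    (envelope-from <user@example.com>)
    id 3c3c3c3c3c3c-OT
    for user@example.com; Wed, 08 Aug 2018 17:19:32 -0400
From: <user@example.com>
To: <user@example.com>
Subject: Welcome to our company

Hello
"""

# Constructed control case: same From and To, but the message never came in
# over SMTP from outside, so only the internal LMTP hop is present.
LOCAL = """\
Return-Path: <user@example.com>
Delivered-To: user@example.com
Received: from rs2.parentserver.com
    by rs2.parentserver.com with LMTP id AaAaAa0
    for <user@example.com>; Wed, 08 Aug 2018 17:20:00 -0400
From: <user@example.com>
To: <user@example.com>
Subject: Note to self

Hello
"""

# "from <host> (<comment>) by <host> with <protocol>" as written by Exim and Dovecot.
RECEIVED_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)\s+with\s+(\S+)", re.I)
IP_LITERAL_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def received_hops(msg):
    """Yield (from_host, ip, by_host, protocol) per Received header, newest first."""
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        from_host, comment, by_host, proto = m.groups()
        ipm = IP_LITERAL_RE.search(f"{from_host} {comment or ''}")
        yield from_host.lower(), (ipm.group(1) if ipm else ""), by_host.lower(), proto.lower()


def sender_host_address(msg):
    """IP of the outside host that handed the message to our MTA over SMTP, or ""
    when no such hop exists (the case where Exim's $sender_host_address is empty)."""
    for from_host, ip, by_host, proto in received_hops(msg):
        if by_host in LOCAL_HOSTS and proto in SMTP_PROTOCOLS and from_host not in LOCAL_HOSTS:
            return ip or from_host
    return ""


def analyse(raw_message):
    """Return the facts a From-equals-To filter would need for this message."""
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    host = sender_host_address(msg)
    return {
        "from": from_addr,
        "to": to_addr,
        "from_equals_to": bool(from_addr) and from_addr == to_addr,
        "sender_host_address": host,
        # self-addressed mail that reached us from an outside host is the pattern in this thread
        "spoofed_self_mail": bool(from_addr) and from_addr == to_addr and host != "",
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("local", LOCAL)):
        print(label, analyse(sample))
```

The header From address is entirely under the sender's control, so on its own it proves nothing; the signal is the Received line that our own MTA wrote (the hop "by rs2.parentserver.com with esmtp"), which a remote sender cannot alter. Lines above it are the server's own LMTP delivery, and anything the sender prepends sits below it, so the function keys only on the hop our server recorded.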

levelmeasure

Hi @levelmeasure

Does your client have a valid SPF and DKIM? What you're describing sounds a bit like spoofing.


Thanks!
Yes, SPF and DKIM are configured. The email server does not recognize it as coming from an unauthorized sender. It gets passed through as really having come from the recipient's own email account. My concern is not knowing who else is getting email that appears to come from my client.

Thanks
 

cPanelLauren

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

ProDesignz

Hi, I'm facing the same issue and my client is very serious about this. The client had Zimbra before and now, on my recommendation, they switched to cPanel.
Please help me because this is very frequent now. We have changed passwords and only SSH connection is enabled on the server.
Below is the email header:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.example.com
    by mail.example.com with LMTP id 0BBZJZ5X0Vu0CQAAM3BfSA
    for <[email protected]>; Thu, 25 Oct 2018 11:11:50 +0530
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 25 Oct 2018 11:11:50 +0530
Received: from [103.x.x.x] (port=56315 helo=[90.161.20.38])
    by mail.example.com with esmtp (Exim 4.91)
    (envelope-from <[email protected]>)
    id 1gFYOy-0000lo-Ff
    for [email protected]; Thu, 25 Oct 2018 11:11:50 +0530
From: <[email protected]>
To: <[email protected]>
Subject: account [email protected] is compromised
Date: 25 Oct 2018 08:22:47 +0100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acjhjwjwwb06j869jhjwjwwb06j869==
Content-Language: en
x-cr-hashedpuzzle: 2D4= i2f4 r6sl qkom mci2 f4r6 slqk ommc i2f4 r6sl qkom mci2 f4r6 slqk ommc i2f4;1;r6slqkommci2f4r6slqkommci2f4r6slqkommci2f4r6slqk;Sosha1_v1;7;\{AD9937D4-1B03-7AF8-CC62-90A274F27046\};ZQB3AGUAZgi2f4r6slqkommci2f4r6slqkommci2f4r6slqk;25 Oct 2018 08:22:47 +0100;92aea0fbvpfmxk92
x-cr-puzzleid: \{AD9937D4-1B03-7AF8-CC62-90A274F27046\}
X-Spam-Status: No, score=1.2
X-Spam-Score: 12
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "mail.example.com",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: Hello! I'm a hacker who cracked your email and device a few
    months ago. You entered a password on one of the sites you visited, and I
    intercepted it. Of course you can will change it, or already change
    Content analysis details: (1.2 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    [URIs: example.com]
    2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
    0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
    0.2 FROM_IN_TO_AND_SUBJ From address is in To and Subject
X-Spam-Flag: NO

Please give some solution to this.
 

cPanelLauren

Hello @ProDesignz


Are either of these your IP address?

Code:
Received: from [103.x.x.x] (port=56315 helo=[90.161.xx.xx])
Also can you show me the output of the transaction in the exim logs? The command to do this would be:

Code:
exigrep 1gFYOy-0000lo-Ff /var/log/exim_mainlog
Thanks!
 

ProDesignz

Hello @ProDesignz


Are either of these your IP address?

Code:
Received: from [103.x.x.x] (port=56315 helo=[90.161.xx.xx])
Also can you show me the output of the transaction in the exim logs? The command to do this would be:

Code:
exigrep 1gFYOy-0000lo-Ff /var/log/exim_mainlog
Thanks!
103.x.x.x is our server's IP address, while 90.161.xx.xx is not our server IP; it is the spammer's IP address.

Here is the Exim log
Code:
2018-10-25 11:11:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gFYOy-0000lo-Ff

2018-10-25 11:11:48 1gFYOy-0000lo-Ff H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 Warning: Message has been scanned: no virus or other harmful content was found
2018-10-25 11:11:50 1gFYOy-0000lo-Ff H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 Warning: "SpamAssassin as example detected message as NOT spam (1.2)"
2018-10-25 11:11:50 1gFYOy-0000lo-Ff <= [email protected] H=([90.161.xx.xx]) [103.50.xxx.xx]:56315 P=esmtp S=4510 [email protected] T="account [email protected] is compromised" for [email protected]
2018-10-25 11:11:50 1gFYOy-0000lo-Ff SMTP connection identification D=example.com [email protected] [email protected] M=1gFYOy-0000lo-Ff U=example ID=1000 B=redirect_resolver
2018-10-25 11:11:50 1gFYOy-0000lo-Ff Sender identification U=example D=example.com [email protected]
2018-10-25 11:11:50 1gFYOy-0000lo-Ff SMTP connection outbound 1540446110 1gFYOy-0000lo-Ff example.com [email protected]
2018-10-25 11:11:50 1gFYOy-0000lo-Ff => someusr <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> 0BBZJZ5X0Vu0CQAAM3BfSA Saved"
2018-10-25 11:11:52 1gFYOy-0000lo-Ff => [email protected] ([email protected]) <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=aspmx.l.google.com [74.125.68.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1540446112 u10-v6si7275955pgg.180 - gsmtp"
2018-10-25 11:11:52 1gFYOy-0000lo-Ff Completed
 

ProDesignz

One more thing: the same thing is happening on another email server. Both servers are in different zones and have nothing to do with this client. So, please give some solution to stop this kind of spam.
 

ProDesignz

@cPanelLauren
These are all from different IP addresses. I can create a filter to limit them based on the subject or if from address = to address, but it is actually not a foolproof solution. It is kind of patchwork. I wonder, since we have enabled SMTP authentication, how they are still able to do such spamming. Is there anything else other than creating filters to prevent such kind of spam emails?
 

cPanelLauren

Hi @ProDesignz

Do you have SPF & DKIM implemented on the domain/s you're receiving this on? I am still concerned about the fact that it's not getting flagged as spam as it's not actually originating from your IP address.
 

rpvw

If you have correctly implemented DKIM and SPF records, and mail with spoofed headers is not being flagged as spam, you may need to adjust your SpamAssassin filters, or the user or global filters for the domain.

Spam and spoofing email headers like the from address has been around almost as long as email has existed, and everyone has been struggling to solve the problem by adding more and more layers to the protocol like RBL, SPF, DKIM and DMARC. This is far from being a complete solution, and what is really needed is a complete overhaul of the email systems and protocols.

cPanel do not write the email protocol or system, they use the existing industry standard tools and daemons and attempt to make your interaction with those tools easier by providing a graphical user interface (and for the most part, do an excellent job as well) so don't blame, or expect cPanel to be able to do very much about your problem of spoofed email headers.

Since the problem you are facing is a global one, the first mitigation can be by educating your users how to spot these obvious fraudulent emails.


As to filters; I should very much like to see an easy way of introducing some new Exim rules

e.g. If the from address matches the to address; test to establish and reject/flag as spam, if the sender user was 'remote' rather than a local or a known username within WHM.

I haven't had enough coffee yet to start writing a rule that might work for the above scenario, so if anyone wants to chip in, any contributions would be welcome :)

**EDIT**

Still not enough coffee but I have got
Code:
# Exim Filter
# Spoofed From
if first_delivery
$h_from: matches $h_to and
(sender user (need a variable for this) matches "remote")
then
seen finish
endif
DO NOT TRY AND RUN THIS CODE - IT IS ONLY A FLOW CONCEPT AND IS NOT FINISHED AND MAY BREAK YOUR EXIM

This is intended to try to explain the direction I wanted to move towards with an exim filter. Please contribute, or maybe a moderator would like to split this off into a new thread.
 

ProDesignz

Hi @rpvw

Thanks for the practical solution :)

Anyone like me who is facing this issue, please follow the given steps. This is not a permanent solution; it is a workaround.

Step 1: Create a custom filter file

Code:
if $header_from matches $header_to
        and ($sender_host_address does not match "134.xx.xx.xx")
        then
            save "/dev/null" 660
endif
Step 2: Upload it to
/usr/local/cpanel/etc/exim/sysfilter/options

Step 3: Then rebuild the Exim configuration:
execute /scripts/buildeximconf
 

rpvw

Thank you @ProDesignz for the code.

Based on the theory that the sender_host_address will be empty if the message originated on the local host (server), and populated with the IP of the remote host if originated by someone trying to spoof the address, I would like to think that some better rule without a specific IP would be possible by testing for an empty string.

It's making my head hurt :(
 

cPanelLauren

I'm glad that you were able to find a solution that worked for you @ProDesignz though I do want to point out that a rule like the one implemented here may not work for everyone. As indicated by @rpvw you may want to go with a solution that doesn't make use of a specific IP address.
 

ProDesignz

@cPanelLauren , no luck :(
Now he changed something from his end and is sending the same messages again. Even this time he is able to bypass the rule I set, as the Sender Host IP address is different, but he is still able to send email.

Please give some solid solution to prevent such kind of spam.

Following is the header of the email.

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.mydomain.com
    by mail.mydomain.com with LMTP id SBA8EaYL4FtcFQAAM3BfSA
    for <[email protected]>; Mon, 05 Nov 2018 14:51:42 +0530
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Mon, 05 Nov 2018 14:51:42 +0530
Received: from [xxx.xxx.xxx.xxx] (port=34552 helo=[181.75.107.32])
    by mail.mydomain.com with esmtp (Exim 4.91)
    (envelope-from <[email protected]>)
    id 1gJb4k-0001Pi-HN
    for [email protected]; Mon, 05 Nov 2018 14:51:42 +0530
Message-ID: <[email protected]>
From: <[email protected]>
To: <[email protected]>
Subject: Change your password immediately. Your account has been hacked.
Date: 6 Nov 2018 01:50:32 +0800
MIME-Version: 1.0
Content-type: text/plain;
    charset="ibm852"
Content-transfer-encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-Spam-Status: No, score=1.0
X-Spam-Score: 10
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "mail.mydomain.com",
    has NOT identified this incoming email as spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.
    Content preview: I greet you! I have bad news for you. 11/08/2018 - on this
    day I hacked your operating system and got full access to your account [email protected]
    It is useless to change the password, my m
    Content analysis details: (1.0 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    0.0 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    See
    http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    for more information.
    [URIs: mydomain.com]
    2.0 PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
    0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
X-Spam-Flag: NO
 

rpvw

We need a SOLID SOLUTION!
Indeed we do, but I am not sure that cPanel are in a position to provide it :(

I have been working on this Exim filter since this thread was opened, and have encountered the following issues, all caused by the way that Exim processes filter rules.

If we start from the premise that we need to compare the From address to the To address, and then check to see if the sender_host_address is empty or not, we can create some pseudo code like this:
Code:
# Exim Filter
# Spoofed From Address
if first_delivery
and ("$header_from:" matches "$header_to:")
and ("$sender_host_address:" is "")
then deliver
else
seen finish
endif
Now the problems as I see them are these (and I would love someone to tell me I am wrong, and that there is a better way of doing this):

1) Exim does not seem to be able to compare one variable against another; so it can compare e.g. "$header_from:" matches "[email protected]" but not "$header_from:" matches "$header_to:", as it expands the second variable literally and does not replace it with the content of the variable. This would limit one to having to make a filter per address rather than a global filter.

2) There is no clear way I have found of testing for an empty string. Exim can use "is/is not" or "contains/does not contain" or "matches/does not match" in the string comparison once both strings have been expanded. Since we ideally need to look for a string that is not empty in the $sender_host_address: variable (which is always empty if the from/to actually originates on the same server), and we have no idea what the string might be if it is a spoofed message, other than that it will contain an IP and probably other information, we need to either test for an empty string OR test (contains) for a regex that would encompass anything that might populate the variable. This should be a Perl compatible regex, but so far, I have been unable to write one that is 100% reliable.

So if anyone has any ideas, please add them to the thread. I should prefer to get rid of the "else" line in the code and keep it simple, but I am not sure this will be possible, even if we can overcome the comparison of one string variable to another in the first place.

Again, whilst I do recognise the need for some filter of this nature, I don't think it is necessarily up to cPanel to provide it. If they can help us, that would be fantastic, but I also note that such a fundamental filter should be available from dozens/hundreds of sources on the internet if it were possible to achieve using the current Exim filters - the very fact that there are NO references to any such filter does somewhat reinforce my belief that it won't be possible under the current Exim filter rules.

I wonder if we should be looking at creating a custom Spamassassin rule instead ?
 
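The rule shapes discussed in this post and in the filter ProDesignz posted earlier can be worked through outside Exim. Below is an added Python example, not from the thread and not cPanel's code, that models the three variables the filter sees ($header_from, $header_to, $sender_host_address) and runs three variants of the rule over four constructed cases: the self-addressed message from a remote host, the same with a different remote host, the same message created on the server itself, and ordinary inbound mail from someone else. It also carries a Perl-compatible regex for an IPv4 or IPv6 literal; Exim stores only the connecting address in $sender_host_address (the port is in $sender_host_port), so a regex for an address literal is enough to cover whatever might populate it. The server IP, addresses and case names are placeholders; the `matches` helper mirrors Exim's semantics, where the second string is a regex searched for in the first.

```python
import re

# Perl-compatible regex for the forms $sender_host_address can take: an IPv4
# or an IPv6 literal. It never matches the empty string.
HOST_ADDRESS_RE = re.compile(r"^(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]*:[0-9A-Fa-f:.]*)$")

# Constructed stand-in for the "134.xx.xx.xx" literal in the filter posted above.
SERVER_IP = "203.0.113.10"

# Constructed message variables, mirroring what the Exim filter would see.
CASES = {
    "remote host, first sample": {"header_from": "<user@example.com>",
                                  "header_to": "<user@example.com>",
                                  "sender_host_address": "002.002.002.002"},
    "remote host changed":       {"header_from": "<user@example.com>",
                                  "header_to": "<user@example.com>",
                                  "sender_host_address": "198.51.100.77"},
    "local origin":              {"header_from": "<user@example.com>",
                                  "header_to": "<user@example.com>",
                                  "sender_host_address": ""},
    "ordinary inbound mail":     {"header_from": "<someone@remote.example>",
                                  "header_to": "<user@example.com>",
                                  "sender_host_address": "198.51.100.5"},
}


def exim_matches(subject, pattern):
    """Exim's 'matches': the second string is a regex searched for in the first."""
    return re.search(pattern, subject) is not None


def self_addressed(v):
    """Shared first clause: $header_from matches $header_to."""
    return exim_matches(v["header_from"], v["header_to"])


def rule_fixed_ip(v):
    """Posted rule: discard when self-addressed and the host does not match one fixed IP."""
    return self_addressed(v) and not exim_matches(v["sender_host_address"], SERVER_IP)


def rule_empty_host(v):
    """Proposed direction: discard when self-addressed and $sender_host_address is not ''."""
    return self_addressed(v) and v["sender_host_address"] != ""


def rule_regex_host(v):
    """The same test written as a regex match, for a filter that prefers 'matches'."""
    return self_addressed(v) and HOST_ADDRESS_RE.search(v["sender_host_address"]) is not None


def evaluate(cases=CASES):
    """Map each case to (fixed_ip, empty_host, regex_host); True means 'discard'."""
    return {name: (rule_fixed_ip(v), rule_empty_host(v), rule_regex_host(v))
            for name, v in cases.items()}


if __name__ == "__main__":
    for name, (fixed, empty, regex) in evaluate().items():
        print(f"{name:28s} fixed_ip={fixed!s:5s} empty_host={empty!s:5s} regex_host={regex}")
```

Each rule here discards only when its condition holds and falls through otherwise, which is the `then seen finish ... endif` shape without an else branch. The fixed-IP variant is the one that also discards the locally generated self-addressed message, because an empty $sender_host_address does not match the listed IP either; the empty-string and regex variants agree with each other on all four cases.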

Spirogg

I am also getting this type of emails asking for ransom money ??

I ran this code: exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog

The IP is the spammer's.

Code:
[[email protected] ~]# exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog
2018-11-19 04:30:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gOgoe-0003pl-Cw

2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: "SpamAssassin as ok2 detected message as spam (19.6)"
2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: Message has been scanned: no virus or other harmful content was found
2018-11-19 04:30:05 1gOgoe-0003pl-Cw <= [email protected]*****.com H=([37.106.108.86]) [37.106.108.86]:25230 P=esmtp S=5060 [email protected] T="[email protected]*****.com - this account has been hacked! Change all your passwords!" for [email protected]*****.com
2018-11-19 04:30:05 1gOgoe-0003pl-Cw => spiro <[email protected]*****.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]*****.com> gJ8hHq2Q8lu7OQAAup1nGg Saved"
2018-11-19 04:30:05 1gOgoe-0003pl-Cw Completed
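The exigrep output above carries the same facts as the headers, in a form that is easy to scan across a whole log. As an added example (not from the original post), the script below parses Exim main-log lines of the layout shown above (the `<=` arrival line with its H=, P=, S=, id=, T= and `for` fields, and the SpamAssassin warning line), groups them by message id, and flags messages whose sender equals the recipient and that arrived from a remote host. The log excerpt is constructed from the one above with placeholder addresses and a documentation-range IP; a second, constructed message submitted locally (P=local, no H= field) is included as the case a filter must leave alone.

```python
import re

# Constructed Exim main-log excerpt modelled on the exigrep output above, with
# placeholder addresses and a documentation-range IP; the second message is a
# locally submitted note (P=local, no H= field) added as a control case.
LOG = """\
2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([198.51.100.23]) [198.51.100.23]:25230 Warning: "SpamAssassin as ok2 detected message as spam (19.6)"
2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([198.51.100.23]) [198.51.100.23]:25230 Warning: Message has been scanned: no virus or other harmful content was found
2018-11-19 04:30:05 1gOgoe-0003pl-Cw <= spiro@example.com H=([198.51.100.23]) [198.51.100.23]:25230 P=esmtp S=5060 id=abc123@example.com T="spiro@example.com - this account has been hacked! Change all your passwords!" for spiro@example.com
2018-11-19 04:30:05 1gOgoe-0003pl-Cw => spiro <spiro@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <spiro@example.com> gJ8hHq2Q8lu7OQAAup1nGg Saved"
2018-11-19 04:30:05 1gOgoe-0003pl-Cw Completed
2018-11-19 05:02:11 1gOhPq-0004Qc-Lz <= spiro@example.com U=spiro P=local S=812 id=note1@example.com T="note to self" for spiro@example.com
2018-11-19 05:02:11 1gOhPq-0004Qc-Lz => spiro <spiro@example.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <spiro@example.com> Saved"
2018-11-19 05:02:11 1gOhPq-0004Qc-Lz Completed
"""

# Arrival ("<=") line: sender, then either H=<rdns> (<helo>) [<ip>]:<port> for an SMTP
# arrival or U=<user> for a local submission, then P= S= id= T="subject" for <recipient>.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?: H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:(?P<port>\d+))?"
    r"(?: U=(?P<user>\S+))? P=(?P<proto>\S+) S=(?P<size>\d+)(?: id=(?P<msgid>\S+))?"
    r' T="(?P<subject>.*)" for (?P<rcpt>\S+)$'
)
# SpamAssassin verdict line written by the cPanel Exim configuration, as shown above.
SPAM_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) .*Warning: "SpamAssassin as \S+ detected message as '
    r'(?P<verdict>NOT spam|spam) \((?P<score>-?\d+(?:\.\d+)?)\)"$'
)


def summarise(log_text):
    """Group arrival and SpamAssassin lines by Exim message id and flag
    self-addressed messages that arrived from a remote host."""
    messages = {}
    for line in log_text.splitlines():
        a = ARRIVAL_RE.match(line)
        if a:
            rec = messages.setdefault(a["id"], {})
            rec.update(
                sender=a["sender"].lower(),
                recipient=a["rcpt"].lower(),
                ip=a["ip"] or "",          # empty for local submissions
                helo=a["helo"] or "",
                protocol=a["proto"],
                subject=a["subject"],
            )
            rec["self_addressed"] = rec["sender"] == rec["recipient"]
            rec["remote_origin"] = rec["ip"] != ""
            rec["suspect"] = rec["self_addressed"] and rec["remote_origin"]
            continue
        s = SPAM_RE.match(line)
        if s:
            messages.setdefault(s["id"], {})["spam_score"] = float(s["score"])
    return messages


def suspect_ids(log_text):
    """Message ids worth a closer look, in log order."""
    return [mid for mid, rec in summarise(log_text).items() if rec.get("suspect")]


if __name__ == "__main__":
    for mid, rec in summarise(LOG).items():
        print(mid, rec)
```

The H= field on the arrival line is Exim's own record of the connecting address, so unlike the header From it cannot be set by the sender; a local submission has no H= field at all, which is the log-side equivalent of an empty $sender_host_address. The same function can be run over a full /var/log/exim_mainlog to list every self-addressed message that came in from outside, together with the SpamAssassin score it received.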