Spam email from self

Discussion in 'E-mail Discussion' started by levelmeasure, Aug 9, 2018.

  1. rpvw

    rpvw Well-Known Member

    cPanel Access Level:
    Root Administrator
    We know what they are doing, and what is being sent!! There is little point in everyone posting more examples of the problem.

    What we need is constructive input towards how we are going to code a solution!
     
  2. Spirogg

    Spirogg Active Member

    cPanel Access Level:
    Root Administrator
    So for sure this is just spam, and no one has compromised the servers?

    @rpvw can we just block that port in CSF? Or is that needed for emails to function?

    I'm kind of a newbie when it comes to spam, spoofing, etc.
     
    #22 Spirogg, Nov 19, 2018
    Last edited: Nov 19, 2018
  3. rpvw

    rpvw Well-Known Member

    cPanel Access Level:
    Root Administrator
    Do NOT start blocking ports in CSF unless you know what you are doing! You could end up with all sorts of problems :)

    Look at the email's originating Received header; if it has an IP in it, it probably does not belong to any of your clients or your server. You can look up where it comes from using a tool like Robtex.

    If the mail was genuinely sent from your client to your client, this field would be empty, as the mail authenticated to the same server it was received on.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    cPanel Access Level:
    DataCenter Provider

    But this message is being flagged as spam?
    Warning: "SpamAssassin as ok2 detected message as spam (19.6)"

    cPanel can't stop you from getting spam sent to your server altogether; in this instance SpamAssassin is working for you.
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    cPanel Access Level:
    DataCenter Provider
    I am wondering if it could be looked at from a different angle as well; you might try a custom SpamAssassin rule with a heavy weight/point score. In the OP's instance, the issue was primarily that SpamAssassin wasn't actually seeing it as spam.

    WritingRules - Spamassassin Wiki

    Also there are some really amazing custom rules here as well.
     
  6. plague

    plague Well-Known Member

    cPanel Access Level:
    Root Administrator
    I have been facing this issue on a couple of servers in the last few months.
    I didn't bother to search the forums until today, when a new case happened; I found this thread and would like to share my thoughts on this.

    So, as I noticed the previous posts didn't figure out how this spam is being sent, here it is, and it's very simple: you don't need to authenticate to send local emails in the default Exim config used on cPanel.

    You can just open a telnet connection on port 25, set the "mail from" and "rcpt to" to the same email address, and Exim will deliver the email. Here is an example:

    Code:
    root@servidor [~]# telnet domain.com.br 25
    Trying 67.23.x.x...
    Connected to domain.com.br.
    Escape character is '^]'.
    220-server.x.com.br ESMTP Exim 4.91 #1 Tue, 29 Jan 2019 11:07:44 -0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    ehlo domain.com.br
    250-server.x.com.br Hello example.com [162.243.x.x]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    mail from: teste@domain.com.br
    250 OK
    rcpt to: teste@domain.com.br
    250 Accepted
    data
    354 Enter message, ending with "." on a line by itself
    teste
    .
    250 OK id=1goT8k-0000iR-4u
    And here is the delivery log on the destination server:

    Code:
    root@server [~]# grep 1goT8k-0000iR-4u /var/log/exim_mainlog
    2019-01-29 11:09:23 1goT8k-0000iR-4u H=example.com (domain.com.br) [162.243.x.x]:45757 I=[67.23.x.x]:25 Warning: "SpamAssassin as sorriaortorisoco detected message as spam (15.8)"
    2019-01-29 11:09:23 1goT8k-0000iR-4u <= teste@domain.com.br H=example.com (domain.com.br) [162.243.21.57]:45757 I=[67.23.238.2]:25 P=esmtp S=1744 from <teste@domain.com.br> for teste@domain.com.br
    2019-01-29 11:09:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1goT8k-0000iR-4u
    2019-01-29 11:09:23 1goT8k-0000iR-4u => teste <teste@domain.com.br> F=<teste@domain.com.br> R=virtual_user T=dovecot_virtual_delivery_no_batch S=1912 C="250 2.0.0 <teste@domain.com.br> KCt1D4NQUFzdegAAcWTs+w Saved"
    2019-01-29 11:09:23 1goT8k-0000iR-4u Completed
    As you can see, knowing an email address allows me to send emails to anyone on a cPanel server.
    SpamAssassin is filtering the message, and SPF and DKIM are being used in its filters, but still this message should never be able to reach the account.

    Interesting fact: if you try to telnet to port 587, the connection is dropped before you can send the message:

    Code:
    root@servidor [~]# telnet domain.com.br 587
    ......
    mail from: teste@domain.com.br
    250 OK
    rcpt to: teste@domain.com.br
    550 SMTP AUTH is required for message submission on port 587

    Ok, so, how do I block this on my servers?

    Using some lines that I took from a VestaCP installation:

    - Go to Exim Config Editor > Advanced Editor in WHM
    - Find "custom_begin_recipient_post"
    - Add these lines to that block:

    Code:
    # Recipient ACL: deny when the envelope sender claims one of our own
    # (relay) domains and the SMTP session has not authenticated.
    deny    message        = smtp auth required
            sender_domains = +relay_domains
            !authenticated = *
    This will force authentication on port 25, but check your logs after this change: I have had problems with some redirections to and from Gmail accounts asking for authentication while redirecting emails received on the server. The workaround for this was to add Gmail IPs to the "Trusted SMTP IP addresses" list.

    Edit: Forgot to add the test after those changes:

    Code:
    root@servidor [~]# telnet domain.com.br 25
    Trying 67.23.x.x...
    Connected to domain.com.br.
    Escape character is '^]'.
    220-server.x.com.br ESMTP Exim 4.91 #1 Tue, 29 Jan 2019 11:32:24 -0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    ehlo domain.com.br
    250-server.srv1eua.com.br Hello example.com [162.243.x.x]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    mail from: teste@domain.com.br
    250 OK
    rcpt to: teste@domain.com.br
    550 smtp auth required
     
    #26 plague, Jan 29, 2019
    Last edited by a moderator: Jan 31, 2019
  7. plague

    plague Well-Known Member

    cPanel Access Level:
    Root Administrator
    @cPanelLauren I think you guys should take a look at this.
    Not a big deal, but it's still some sort of security breach that can and should be closed in the default configuration.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hello @plague,

    The following section from our How To Prevent Email Abuse document offers a method for better identifying email sent from authenticated cPanel users using the method described in this thread:

    Additionally, I encourage you to vote and add feedback to the following feature request if you'd like to see a way to prevent this behavior:

    Prevent users from being implicitly authenticating to Exim on the local host

    Thank you.
     
    #28 cPanelMichael, Jan 31, 2019
    Last edited: Feb 1, 2019
  9. sparek-3

    sparek-3 Well-Known Member

    cPanel Access Level:
    Root Administrator
    What server are you on when you do this telnet command?

    If you're on the same server that is hosting domain.com.br, then at best this is trivial.

    By and large, regular (non-root) users should not be able to open any connections directly on port 25. That is what SMTP Block in CSF does, and I think cPanel has something (I'm not sure what it's called) that prevents this. So a non-root user won't be able to make this connection.

    If it's not the server hosting domain.com.br, then you're not going to have any control over this. The SMTP transaction you posted is just a normal SMTP transaction, if you start tampering with that, then you're going to affect real, regular SMTP transactions.

    The bottom line throughout all of this is that people are going to have to learn that MAIL FROM (both the envelope-sender and the header From) can be faked and it's trivial to do.

    If you REALLY want to combat this, then DKIM and SPF are going to have to take a larger role (or something similar that is like these technologies). But as it stands, too many people don't understand the DKIM signing process or what an SPF record means, so they don't set them properly. This means recipient servers can't be completely bullish on how they handle that authentication ... "this message doesn't pass DKIM... but that may just be because the sender's system doesn't understand how to use DKIM, so we'll allow it". And thus the perpetuation of spam continues on.

    This also has ramifications for how forwarders are used (the solution here... don't use forwarders).

    If every receiving mail server really scrutinized messages requiring hard DKIM checks, that would stop a lot of these fake messages. Legitimate messages that are sent would have to be properly signed with DKIM and recipient mail servers would only accept messages that are properly signed with DKIM.

    But how many billion email users are there in the world? How many millions of mail servers are there? If someone came out with a technology that ended spam completely right now... it would still take 10 years for all of that to filter down to the masses.
     
  10. vapetrov

    vapetrov Member

    I can confirm that SPF with a "-all" rule does not prevent sending such mails.

    It looks like a bug in implementation of SPF checking during SMTP time.

    I am absolutely sure that proper SPF should stop such letters.
     
  11. plague

    plague Well-Known Member

    cPanel Access Level:
    Root Administrator
    @cPanelMichael The server I used to telnet is another server, so the localhost rule does not apply.

    @sparek-3, with the adjustment I posted, I have control over this: just like you can't send that kind of message on port 587, I'm blocking it on port 25 too. After this fix I had one problem with one domain, out of about 20k domains hosted, in a very specific situation with forwarders and filters to Gmail. I didn't spend time to figure out why that error happened in that situation, to be honest.
    I'd rather have the Gmail IP range whitelisted in some of my SMTP checks than have clients arguing about my server security or why and how someone had access to their email account to send this message to itself.
    As I said, I took those lines from a VestaCP server, and I never had problems sending or receiving emails on that panel, even though it uses those lines to block unauthenticated senders, as I am using on my cPanel servers now.

    I agree with you that faked headers are trivial, but in those cases you can show the client that it is a fake message and explain to them where it came from.
    In this case the headers are not faked. It is a regular message from an account to itself that the default Exim config is allowing to be sent. All you can say is "well, yep, there's a hole in the server config allowing this guy to use your account to send these emails to you".
    Even if the spammer does not have access to the email data, this is not a good thing to hear from your web hosting support, right?

    I also agree with you that SPF and DKIM should block this, but SPF and DKIM are filters that the user can enable/disable at will on cPanel. In my opinion the best way to avoid that is to block it at SMTP time, like is already done on port 587, denying the spammer the ability to even send the message rather than filtering it after it was sent.

    With that said, how many cPanel clients are facing this issue, and how many of them have found this thread to understand how they can block this? Once a client faces this issue and you just can't prove that this is a "fake header" situation (because it is not), this guy won't trust your server's security level, and it doesn't matter that he could have blocked it himself by activating SPF and DKIM on his account.

    That's why I think cPanel devs should care more about this thread, even if I have already found a fix for it on my servers. Relying on DKIM and SPF to block these messages seems like just a weak workaround, not an actual fix for the issue.
     
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hello @plague,

    One additional option to consider is Require remote (domain) HELO found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. EX:

    Code:
     "REJECTED - Bad HELO - Host impersonating [testing.tld]"
    Thank you.
     
  13. plague

    plague Well-Known Member

    cPanel Access Level:
    Root Administrator
    Hello @cPanelMichael
    Thanks for your advice, but I am still able to send the message using some random domain in the HELO.
    These options are checked in the Exim config:

    Require HELO before MAIL
    Require remote (hostname/IP address) HELO
    Require remote (domain) HELO
    Require RFC-compliant HELO

    Code:
    root@servidor [~]# telnet server.x.com.br 25
    Connected to server.x.com.br.
    .......
    ehlo hotmail.com
    250-server.x.com.br Hello servidor.x.eti.br [x.x.x.x]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    mail from: user@x.com.br
    250 OK
    rcpt to: user@x.com.br
    250 Accepted
    data
    354 Enter message, ending with "." on a line by itself
    teste
    .
    250 OK id=1gr8HT-001CUN-LH
    
     
  14. Inner2019Peace

    Inner2019Peace Registered

    cPanel Access Level:
    Root Administrator
    Hello everyone
    This is the first post for me and I'm happy to be with this great cPanel community. Indeed, I love you, cPanel, because you have served my business for a while.

    Back to work:
    In "Mail Delivery Reports" I see a lot of delivered emails sent by a spammer from and to the same email address, for example:
    From 123@domain.tld To 123@domain.tld
    From jeorge@domain.tld To jeorge@domain.tld
    (where account 123 does not exist and account jeorge exists)

    The report from exim_mainlog returns this:
    Code:
    1- (Name_OfSpammerDomain) [His_IP]:Warning: "SpamAssassin as [user_account] detected message as spam (34.5)"
    2- malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): Connection refused
    3- (Name_OfSpammerDomain) [His_IP]: Warning: Message has been scanned: no virus or other harmful content was found
    4- 123@domain.tld H=(Name_OfSpammerDomain) [His_IP]: P=esmtp S= id=xxxxx@domain.tld T="Caution! Attack hackers to your account!" for 123@domain.tld
    5- discover_sender_information failed to set the from header rewrite for 123@domain.tld
    6- jeorge+spam (jeorge@domain.tld) <123@domain.tld> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <jeorge+spam@domain.tld> Saved"
    7- Completed
    This happened with many domains on my server and with many emails for each domain.
    Another domain shows the same report but with one difference in line 6:

    Code:
    5- .....rewrite for notExistEmail@anotherdomain.tld
    6- .....<cpanel_accnout_name@MyServer.tld> Saved"
    Completed
    All the messages say that this spammer has hacked the email and ask to transfer money.
    I know this kind of lie (I hope so :) ), but I'm asking about two things:

    1- Is this email account really hacked?
    2- Can the spammer use one of those accounts to send messages to an outside email like @gmail.com? In that case he will send to a lot of outside emails and get my server blocked.

    Thank you
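A way to triage exim_mainlog entries like the ones quoted in this post and in plague's post earlier in the thread, as an added example (not from the original posts or from cPanel): it parses the `<=` arrival lines and flags those where the envelope sender is in a locally hosted domain but the session carries no `A=` authenticator tag and did not originate on the local host. Exim logs an `A=` tag (and a protocol of esmtpa/esmtpsa) on the arrival line when SMTP AUTH succeeded, so its absence is what separates an unauthenticated spoof of the address from a message sent with the mailbox's real credentials. SAMPLE_LOG is constructed to resemble the lines shown in the thread, LOCAL_DOMAINS stands in for /etc/localdomains, and TRUSTED_IPS is where deliberately exempted forwarding hosts would go; all three are assumptions of this example.

```python
"""Flag unauthenticated arrivals that claim a local envelope sender in exim_mainlog.

Added example. The regular expressions follow the '<=' line layout shown in this
thread (H=rdns (helo) [ip]:port, P=protocol, A=authenticator, ... for recipients).
SAMPLE_LOG is constructed; LOCAL_DOMAINS stands in for /etc/localdomains.
"""
import re

LOCAL_DOMAINS = {"domain.com.br"}  # constructed; on cPanel read the list from /etc/localdomains
TRUSTED_IPS = set()  # constructed; hosts deliberately exempted, e.g. a forwarding relay you trust

# Constructed log lines: line 1 mirrors the self-addressed spam from the thread,
# the others are legitimate traffic that the check must leave alone.
SAMPLE_LOG = """\
2019-01-29 11:09:23 1goT8k-0000iR-4u <= teste@domain.com.br H=example.com (domain.com.br) [162.243.21.57]:45757 I=[67.23.238.2]:25 P=esmtp S=1744 from <teste@domain.com.br> for teste@domain.com.br
2019-01-29 11:12:40 1goTBv-0000jQ-2d <= user@domain.com.br H=(userpc) [198.51.100.7]:50123 I=[67.23.238.2]:587 P=esmtpsa A=dovecot_login:user@domain.com.br S=2100 from <user@domain.com.br> for friend@example.net
2019-01-29 11:15:02 1goTEE-0000kZ-7f <= sender@example.org H=mail.example.org [192.0.2.10]:33001 I=[67.23.238.2]:25 P=esmtps S=3020 from <sender@example.org> for user@domain.com.br
2019-01-29 11:16:30 1goTFg-0000lA-0b <= root@server.x.com.br U=root P=local S=512 from <root@server.x.com.br> for user@domain.com.br
2019-01-29 11:17:45 1goTGu-0000lM-3c => teste <teste@domain.com.br> F=<teste@domain.com.br> R=virtual_user T=dovecot_virtual_delivery_no_batch S=1912
"""

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST_RE = re.compile(r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")
PROTO_RE = re.compile(r"\bP=(?P<proto>\S+)")
AUTH_RE = re.compile(r"\bA=(?P<auth>\S+)")
RCPT_RE = re.compile(r" for (?P<rcpts>.+)$")


def parse_arrival(line):
    """Return the fields of a '<=' arrival line as a dict, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    host = HOST_RE.search(rest)
    proto = PROTO_RE.search(rest)
    rcpts = RCPT_RE.search(rest)
    sender = m.group("sender").strip("<>").lower()
    return {
        "id": m.group("id"),
        "sender": sender,
        "sender_domain": sender.rpartition("@")[2],
        "ip": host.group("ip") if host else None,       # None when Exim was fed locally (no H=)
        "helo": host.group("helo") if host else None,
        "proto": proto.group("proto") if proto else None,
        "authenticated": AUTH_RE.search(rest) is not None,  # A= is only logged after SMTP AUTH
        "recipients": rcpts.group("rcpts").split() if rcpts else [],
    }


def is_spoofed_local_sender(msg, local_domains=LOCAL_DOMAINS, trusted_ips=TRUSTED_IPS):
    """True when a remote, unauthenticated session used one of our domains as envelope sender."""
    if msg["sender_domain"] not in local_domains:
        return False
    if msg["authenticated"] or msg["proto"] == "local" or msg["ip"] is None:
        return False  # real credentials were used, or the message came from a local process
    if msg["ip"] in trusted_ips or msg["ip"].startswith("127."):
        return False
    return True


def scan(log_text, local_domains=LOCAL_DOMAINS, trusted_ips=TRUSTED_IPS):
    """Return the flagged arrivals, each marked with whether sender and recipient match."""
    flagged = []
    for line in log_text.splitlines():
        msg = parse_arrival(line)
        if msg and is_spoofed_local_sender(msg, local_domains, trusted_ips):
            msg["self_addressed"] = msg["sender"] in (r.lower() for r in msg["recipients"])
            flagged.append(msg)
    return flagged


if __name__ == "__main__":
    for msg in scan(SAMPLE_LOG):
        print(f"{msg['id']} {msg['sender']} from [{msg['ip']}] helo={msg['helo']} "
              f"proto={msg['proto']} self_addressed={msg['self_addressed']}")
```

Run it over a real log with `scan(open("/var/log/exim_mainlog").read(), local_domains=set(open("/etc/localdomains").read().split()))`. A flagged line with P=esmtp and no A= tag is the pattern from this thread: the connecting host named the address as sender without ever presenting a password, which is the answer to "was the account hacked?" for that particular message. Authenticated submissions from a compromised mailbox look different (P=esmtpsa plus A=dovecot_login:user@domain) and are not what this check reports.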
     
  15. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

  16. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hi @plague,

    The Require remote (domain) HELO option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. It won't prevent the use of remote domain names as the FROM address, or prevent the activity completely. It's simply an added measure you can take to help prevent the FROM address from mimicking a domain name that exists locally on the cPanel server.

    To block the activity altogether (other than through the workaround you noted), the following feature request would need to be implemented:

    Enable SMTP authentication on local delivery

    @Inner2019Peace, See my post here for information on how you can block this behavior (specifically the use of a local domain as the FROM address).

    No, delivery attempts to a remote mail server using this method will fail because SMTP authentication is required for non-local addresses.

    Thank you.
     
  17. Juanpi

    Juanpi Registered

    cPanel Access Level:
    Website Owner
    I was linked to the quoted post from a recent thread that I started because a simple telnet proved my mail server to be insecure (see linked post), and also the Anonymailer website bypasses my server checks.

    The emails are being sent with the following headers:

    FROM: me@mydomain.com
    TO: me@mydomain.com

    ... and are successfully delivered to my me@mydomain.com inbox.

    My server is configured as follows:

    (screenshot attachment: upload_2019-2-16_11-49-46.png)

    We are getting massive amounts of spam with spoofed email addresses, and trying to see whether fixing this hole could help control the spam issue.

    Thanks in advance!
     
    #37 Juanpi, Feb 16, 2019
    Last edited by a moderator: Feb 18, 2019
  18. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hello @Juanpi,

    Can you confirm if the incoming SPAM has continued since making the adjustments to the options in the screenshot you attached?

    Thank you.
     
  19. jbourque

    jbourque Member

    I have an issue where I have a number of emails that are being spoofed, saying the email has been hacked. It appears an old database was compromised and the emails began coming in. How can I stop them? My MailScanner is NOT scanning them because they appear to be from my server.
    Code:
    Hi!
    As you may have noticed, I sent you an email from your account.
    This means that I have full access to your account.
    I've been watching you for a few months now.
    The fact is that you were infected with malware through an adult site that you visited.
    If you are not familiar with this, I will explain.
    Trojan Virus gives me full access and control over a computer or other device.
    This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
    I also have access to all your contacts and all your correspondence.
    Why your antivirus did not detect malware?
    Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
    I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you
     
    #39 jbourque, Feb 27, 2019
    Last edited by a moderator: Feb 27, 2019
  20. zefie

    zefie Member

    cPanel Access Level:
    Root Administrator
    Usually spam filters (either GMail's or cPanel's) will filter out most trash.

    However, this new string of emails being sent by hackers claiming to have my password (but really the SMTP headers show it's still from their server) has been making it past the filters, and not only that, it is being made worse by Gmail rejecting any emails from my server, causing a mailer-daemon error and bringing the email from the scammer straight to my inbox every time (I blame both my config and Google for this).

    For some reason, despite having set the option to only deliver from local addresses if authorized, as well as SPF, it still seems to come through. The message is actually from Google, rejecting the forwarded email from the cPanel server.

    While this mostly mentions Gmail, the question I suppose is:

    How do I reject emails that pretend to be from any account on the server's domains, and NOT have the mailer daemon bounce them back to itself?
     