rpvw (Well-Known Member, cPanel Access Level: Root Administrator)

We know what they are doing, and what is being sent! There is little point in everyone posting more examples of the problem.

What we need is constructive input towards how we are going to code a solution!
 

Spirogg (Well-Known Member, cPanel Access Level: Root Administrator)

So for sure this is just spam, and no one has compromised the servers?

@rpvw can we just block that port in CSF? Or is that needed for email to function?

I'm kind of a newbie when it comes to spam, spoofing, etc.
 

rpvw (Well-Known Member, cPanel Access Level: Root Administrator)

Do NOT start blocking ports in CSF unless you know what you are doing! You could end up with all sorts of problems :)

Look at the email's originating Received header; if it has an IP in it, it probably does not belong to any of your clients or your server. You can look up where it comes from using a tool like Robtex.

If the mail was genuinely sent from your client to your client, this field would be empty, as the mail authenticated to the same server it was received on.
 

cPanelLauren (Forums Analyst II, Staff member, cPanel Access Level: DataCenter Provider)

I am also getting this type of email asking for ransom money??

I ran this command: exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog

The IP is the spammer's

Code:
[root[email protected] ~]# exigrep 1gOgoe-0003pl-Cw /var/log/exim_mainlog
2018-11-19 04:30:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gOgoe-0003pl-Cw

2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: "SpamAssassin as ok2 detected message as spam (19.6)"
2018-11-19 04:30:05 1gOgoe-0003pl-Cw H=([37.106.108.86]) [37.106.108.86]:25230 Warning: Message has been scanned: no virus or other harmful content was found
2018-11-19 04:30:05 1gOgoe-0003pl-Cw <= [email protected]*****.com H=([37.106.108.86]) [37.106.108.86]:25230 P=esmtp S=5060 [email protected] T="[email protected]*****.com - this account has been hacked! Change all your passwords!" for [email protected]*****.com
2018-11-19 04:30:05 1gOgoe-0003pl-Cw => spiro <[email protected]*****.com> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]*****.com> gJ8hHq2Q8lu7OQAAup1nGg Saved"
2018-11-19 04:30:05 1gOgoe-0003pl-Cw Completed

But this message is being flagged as spam?
Warning: "SpamAssassin as ok2 detected message as spam (19.6)"

cPanel can't stop you from getting spam sent to your server altogether; in this instance SpamAssassin is working for you.
 

cPanelLauren (Forums Analyst II, Staff member, cPanel Access Level: DataCenter Provider)

Again, whilst I do recognise the need for some filter of this nature, I don't think it is necessarily up to cPanel to provide it. If they can help us, that would be fantastic, but I also note that such a fundamental filter should be available from dozens/hundreds of sources on the internet if it were possible to achieve using the current Exim filters - the very fact that there are NO references to any such filter does somewhat reinforce my belief that it won't be possible under the current Exim filter rules.
I am wondering if it could be looked at from a different angle as well; you might try a custom SpamAssassin rule with a heavy weight/point score. In the OP's instance, the issue was primarily that SpamAssassin wasn't actually seeing it as spam.

WritingRules - Spamassassin Wiki

Also there are some really amazing custom rules here as well.
 

plague (Well-Known Member, cPanel Access Level: Root Administrator)

I have been facing this issue on a couple of servers in the last few months.
I didn't bother to search the forums until today, when a new case happened; I found this thread and would like to share my thoughts on it.

So, as I noticed the previous posts didn't figure out how this spam is being sent, and it's very simple: you don't need to authenticate to send local emails in the default Exim config used on cPanel.

You can just open a telnet connection on port 25, set the "mail from" and "rcpt to" to the same email address and Exim will deliver the email. Here is an example:

Code:
[email protected] [~]# telnet domain.com.br 25
Trying 67.23.x.x...
Connected to domain.com.br.
Escape character is '^]'.
220-server.x.com.br ESMTP Exim 4.91 #1 Tue, 29 Jan 2019 11:07:44 -0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
ehlo domain.com.br
250-server.x.com.br Hello example.com [162.243.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
data
teste
.
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1goT8k-0000iR-4u
And here is the delivery log on the destination server:

Code:
[email protected] [~]# grep 1goT8k-0000iR-4u /var/log/exim_mainlog
2019-01-29 11:09:23 1goT8k-0000iR-4u H=example.com (domain.com.br) [162.243.x.x]:45757 I=[67.23.x.x]:25 Warning: "SpamAssassin as sorriaortorisoco detected message as spam (15.8)"
2019-01-29 11:09:23 1goT8k-0000iR-4u <= [email protected] H=example.com (domain.com.br) [162.243.21.57]:45757 I=[67.23.238.2]:25 P=esmtp S=1744 from <[email protected]> for [email protected]
2019-01-29 11:09:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1goT8k-0000iR-4u
2019-01-29 11:09:23 1goT8k-0000iR-4u => teste <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_virtual_delivery_no_batch S=1912 C="250 2.0.0 <[email protected]> KCt1D4NQUFzdegAAcWTs+w Saved"
2019-01-29 11:09:23 1goT8k-0000iR-4u Completed
As you can see, knowing an email address allows me to send emails to anyone on a cPanel server.
SpamAssassin is filtering the message, and SPF and DKIM are being used in its filters, but still this message should never be able to reach the account.

Interesting fact: if you try to telnet on port 587, the connection is dropped before you can send the message:

Code:
[email protected] [~]# telnet domain.com.br 587
......
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 SMTP AUTH is required for message submission on port 587

Ok, so, how do I block this on my servers?

Using some lines that I took from a VestaCP installation:

- Go to Exim Config Editor > Advanced Editor on WHM
- Find "custom_begin_recipient_post"
- add these lines in that block:

Code:
deny    message       = smtp auth required
      sender_domains = +relay_domains
      !authenticated = *
This will force authentication on port 25, but check your logs after this change. I have had problems with some redirections to and from Gmail accounts asking for authentication while redirecting emails received on the server. The workaround for this was to add the Gmail IPs to the "Trusted SMTP IP addresses" list.

Edit: Forgot to add the test after those changes:

Code:
[email protected] [~]# telnet domain.com.br 25
Trying 67.23.x.x...
Connected to domain.com.br.
Escape character is '^]'.
220-server.x.com.br ESMTP Exim 4.91 #1 Tue, 29 Jan 2019 11:32:24 -0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
ehlo domain.com.br
250-server.srv1eua.com.br Hello example.com [162.243.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 smtp auth requried
 

cPanelMichael (Technical Support Community Manager, Staff member, cPanel Access Level: DataCenter Provider)

Hello @plague,

So, as I noticed the previous posts didn't figure out how this spam is being sent, and it's very simple: you don't need to authenticate to send local emails in the default Exim config used on cPanel.
The following section from our How To Prevent Email Abuse document offers a method for better identifying email sent from authenticated cPanel users using the method described in this thread:

Experimental: Rewrite From: header to match actual sender
Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email.

To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (WHM >> Home >> Exim Service Configuration >> Exim Configuration Manager).

After you enable this feature, you will see output that is similar to the following in the /var/log/exim_mainlog file:

2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]


The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.
Additionally, I encourage you to vote and add feedback to the following feature request if you'd like to see a way to prevent this behavior:

Prevent users from being implicitly authenticating to Exim on the local host

Thank you.
 

sparek-3 (Well-Known Member, cPanel Access Level: Root Administrator)

[email protected] [~]# telnet domain.com.br 25
What server are you on when you do this telnet command?

If you're on the same server that is hosting domain.com.br then at best, this is trivial.

By and large, regular (non-root) users should not be able to open any connections directly on port 25. That is what SMTP Block in CSF does, and I think cPanel has something (I'm not sure what it's called) that prevents this. So a non-root user won't be able to make this connection.

If it's not the server hosting domain.com.br, then you're not going to have any control over this. The SMTP transaction you posted is just a normal SMTP transaction, if you start tampering with that, then you're going to affect real, regular SMTP transactions.

The bottom line throughout all of this is that people are going to have to learn that MAIL FROM (both the envelope-sender and the header From) can be faked and it's trivial to do.

If you REALLY want to combat this, then DKIM and SPF are going to have to take a larger role (or something similar that is like these technologies). But as it stands, too many people don't understand the DKIM signing process or what an SPF record means, so they don't set them properly. This means recipient servers can't be completely bullish on how they handle that authentication ... "this message doesn't pass DKIM... but that may just be because the sender's system doesn't understand how to use DKIM, so we'll allow it". And thus the perpetuation of spam continues on.

This also has ramifications for how forwarders are used (the solution here... don't use forwarders).

If every receiving mail server really scrutinized messages requiring hard DKIM checks, that would stop a lot of these fake messages. Legitimate messages that are sent would have to be properly signed with DKIM and recipient mail servers would only accept messages that are properly signed with DKIM.

But how many billion email users are there in the world? How many millions of mail servers are there? If someone came out with a technology that ended spam completely right now... it would still take 10 years for all of that to filter down to the masses.
 

vapetrov (Member)

Does your client have a valid SPF and DKIM? What you're describing sounds a bit like spoofing.
I can confirm that SPF with a "-all" rule does not prevent sending such mails.

It looks like a bug in implementation of SPF checking during SMTP time.

I am absolutely sure that proper SPF should stop such letters.
 

plague (Well-Known Member, cPanel Access Level: Root Administrator)

@cPanelMichael The server I used to telnet is another server, so the localhost rule does not apply.

@sparek-3 with the adjustment I posted, I have control over this; just like you can't send that kind of message on port 587, I'm blocking it on port 25 too. After this fix I had one problem with one domain, out of about 20k domains hosted, in a very specific situation with forwarders and filters to Gmail. I didn't spend time figuring out why that error happened in that situation, to be honest.
I'd rather have the Gmail IP range whitelisted in some of my SMTP checks than have clients arguing about my server security or why and how someone had access to his email account to send this message to itself.
As I said, I took those lines from a VestaCP server, and I never had problems sending or receiving emails on that panel, even though it uses those lines to block unauthenticated senders, as I am using on my cPanel servers now.

I agree with you that faked headers are trivial, but in those cases you can show the client that it is a fake message and explain to them where it came from.
In this case the headers are not faked. It is a regular message from an account to itself that the default Exim config is allowing to be sent. All you can say is "well, yep, there's a hole in the server config allowing this guy to use your account to send these emails to you".
Even if the spammer does not have access to the email data, this is not a good thing to hear from your webhosting support, right?

I also agree with you that SPF and DKIM should block this, but SPF and DKIM are filters that the user can enable/disable at will on cPanel. In my opinion the best way to avoid that is to block it at SMTP time, like it is already done on port 587, denying the spammer the ability to even send the message rather than filtering it after it was sent.

With that said, how many cPanel clients are facing this issue, and how many of them have found this thread to understand how they can block it? Once a client faces this issue and you just can't prove that this is a "fake header" situation (because it is not), this guy won't trust your server's security level, and it doesn't matter that he could have blocked it himself by activating SPF and DKIM on his account.

That's why I think cPanel devs should care more about this thread, even if I have already found a fix for it on my servers. Relying on DKIM and SPF to block these messages seems just a weak workaround, not an actual fix for the issue.
 

cPanelMichael (Technical Support Community Manager, Staff member, cPanel Access Level: DataCenter Provider)

Hello @plague,

One additional option to consider is Require remote (domain) HELO found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. EX:

Code:
 "REJECTED - Bad HELO - Host impersonating [testing.tld]"
Thank you.
 

plague (Well-Known Member, cPanel Access Level: Root Administrator)

Hello @cPanelMichael
Thanks for your advice, but I am still able to send the message using some random domain in the HELO.
These options are checked in the Exim config:

Require HELO before MAIL
Require remote (hostname/IP address) HELO
Require remote (domain) HELO
Require RFC-compliant HELO

Code:
[email protected] [~]# telnet server.x.com.br 25
Connected to server.x.com.br.
.......
ehlo hotmail.com
250-server.x.com.br Hello servidor.x.eti.br [x.x.x.x]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
teste
.
250 OK id=1gr8HT-001CUN-LH
 

Inner2019Peace (Registered, cPanel Access Level: Root Administrator)

Hello everyone
This is the first post for me and I'm happy to be with this great cPanel community. Indeed, I love you cPanel, because you have served my business for a while.

Back to work:
In "Mail Delivery Reports" I see a lot of delivered emails sent by a spammer from and to the same email address, for example:
From [email protected] To [email protected]
From [email protected] To [email protected]
(Where account 123 does not exist and account jeorge exists)

The report from exim_mainlog returns this:
Code:
1- (Name_OfSpammerDomain) [His_IP]:Warning: "SpamAssassin as [user_account] detected message as spam (34.5)"
2- malware acl condition: clamd /var/clamd : unable to connect to UNIX socket (/var/clamd): Connection refused
3- (Name_OfSpammerDomain) [His_IP]: Warning: Message has been scanned: no virus or other harmful content was found
4- [email protected] H=(Name_OfSpammerDomain) [His_IP]: P=esmtp S= [email protected] T="Caution! Attack hackers to your account!" for [email protected]
5- discover_sender_information failed to set the from header rewrite for [email protected]
6- jeorge+spam ([email protected]) <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> Saved"
7- Completed
This happened with many domains on my server and for many emails for each domain.
Another domain shows the same report but with one difference, in line 6:

Code:
5- .....rewrite for [email protected]
6- .....<[email protected]> Saved"
Completed
All the messages say that this spammer has hacked the email account and ask for money to be transferred.
I know this kind of lie (I hope so :) ), but I'm asking about two things:

1- Is this email account really hacked?
2- Can the spammer use one of those accounts to send messages to an outside email like @gmail.com? In this case he would send to a lot of outside emails and get my server blocked.

Thank you
 

cPanelMichael (Technical Support Community Manager, Staff member, cPanel Access Level: DataCenter Provider)

Hi @plague,

The Require remote (domain) HELO option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. It won't prevent the use of remote domain names as the FROM address, or prevent the activity completely. It's simply an added measure you can take to help prevent the FROM address from mimicking a domain name that exists locally on the cPanel server.

To block the activity altogether (other than through the workaround you noted), the following feature request would need to be implemented:

Enable SMTP authentication on local delivery

@Inner2019Peace, See my post here for information on how you can block this behavior (specifically the use of a local domain as the FROM address).

Can the spammer use one of those accounts to send messages to an outside email like @gmail.com? In this case he would send to a lot of outside emails and get my server blocked.
No, delivery attempts to a remote mail server using this method will fail because SMTP authentication is required for non-local addresses.

Thank you.
 

Juanpi (Registered, cPanel Access Level: Website Owner)

[Quoting cPanelMichael's reply to @plague above]
I was linked to the quoted post from a recent thread that I started because a simple telnet proved my mail server to be insecure (see linked post), and also the Anonymailer website bypasses my server checks.

The emails are being sent with the following headers:

FROM: [email protected]
TO: [email protected]

... and are successfully delivered to my [email protected] inbox.

My server is configured as follows:

(screenshot of the server's Exim configuration options, image not reproduced)

We are getting massive amounts of spam with spoofed email addresses, and trying to see whether fixing this hole could help control the spam issue.

Thanks in advance!
 

cPanelMichael (Technical Support Community Manager, Staff member, cPanel Access Level: DataCenter Provider)

We are getting massive amounts of spam with spoofed email addresses, and trying to see whether fixing this hole could help control the spam issue.
Hello @Juanpi,

Can you confirm if the incoming SPAM has continued since making the adjustments to the options in the screenshot you attached?

Thank you.
 

jbourque (Member)

I have an issue where a number of emails are being spoofed, saying the email account has been hacked. It appears an old database was compromised and the emails began coming in. How can I stop them? My mailscanner is NOT scanning them because they appear to be from my server.
Code:
Hi!
As you may have noticed, I sent you an email from your account.
This means that I have full access to your account.
I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you
 

zefie (Member, cPanel Access Level: Root Administrator)

Usually spam filters (either GMail's or cPanel's) will filter out most trash.

However, this new string of emails being sent by hackers claiming to have my password (but really the SMTP headers show it's still from their server) has been making it past the filters, and not only that, it is being enhanced by Gmail rejecting any emails from my server, causing a Mailer Daemon error and completely bringing the email from the scammer to my inbox every time (I blame both my config and Google for this).

For some reason, despite having set the option to only deliver from local addresses if authorized, as well as SPF, it still seems to come through. The message is actually from Google, rejecting the forwarded email from the cPanel server.

While this mostly mentions gmail, the question I suppose is:

How do I reject emails that pretend to be from any account on the server's domains, and NOT have the mailer daemon bounce them back to itself?