[email protected]

Well-Known Member
Hello,

Recently I have seen that, from a particular domain (example: mydomain.com), someone (remote) sends email to a mydomain.com email address.

Example: I have an email account [email protected]

The spammer sends me an email as: [email protected]

The headers:

Code:
From: <[email protected]>
To: <[email protected]>
Subject: Something

Delivered-To: [email protected]

Envelope-to: [email protected]
Message-ID: <[email protected]>

.....

Return-Path: <[email protected]>
Return-Path: <[email protected]>

X-Mailer: Microsoft Outlook 14.0

X-Spam-Flag: YES
...
...
...
1.5 SPF_SOFTFAIL     SPF: sender does not match SPF record (softfail)

I think it is a spoofed email, but the strange thing in all this is that the Message-ID at the end has mydomain.com!!

How is it possible?

Also, I have SpamAssassin, which marks that message as spam, but how can this remote user send a message like that?

Any advice is highly appreciated!!
 

MrCanada

Member
1.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)

The SPF is not passing. When SPF doesn't pass there is a good chance the email will go to spam/junk because it can't verify the sender. Have you set up SPF?
 

[email protected]

Well-Known Member
Thanks for the reply!
Yes, the message is marked as a SPAM message.
But I can't understand how someone can make the Message-ID have mydomain.com at the end!

I see that this email was delivered from -remote- and not local. That, I think, means that the account is not hacked. But I can't understand, first, why the server delivers that message (I have SPF configured) and, second, how the -remote- sender makes the Message-ID seem to be from mydomain.com!!
 

cPanelMichael

Administrator
Staff member
Hello,

One option to consider is Sender Verification Callouts, found under the "Mail" tab in "WHM >> Exim Configuration Manager >> Basic Editor". Per its description:

Use callouts to verify the existence of email senders. Exim will connect to the mail exchanger for a given address to verify it exists before accepting mail from it.

However, generally the better approach is to implement a technology such as S/MIME or PGP to sign individual messages. It's not a feature offered in cPanel & WHM directly, and thus would require your email users to set up their email clients to use the technology. Once configured, the user's email client could indicate that a message was not signed (and thus is forged).

Thank you.
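
Added example, not part of the original thread and not cPanel code: a Python check that separates the headers a sender writes itself (From, Message-ID, which are not authenticated and can carry any domain) from what the receiving server records (Return-Path, the topmost Received line, the SpamAssassin SPF rule in X-Spam-Status). The sample message, its addresses, the host mail.example.net and the function names are constructed for illustration.

```python
import re
from email import message_from_string

LOCAL_DOMAIN = "mydomain.com"  # placeholder domain, as in the thread

# Constructed sample message (invented addresses, documentation IP range).
SAMPLE = (
    "Return-Path: <info@mydomain.com>\n"
    "Received: from mail.example.net ([203.0.113.25])\n"
    "\tby mx.mydomain.com with esmtp; Mon, 01 Jan 2018 10:00:00 +0000\n"
    "From: <info@mydomain.com>\n"
    "To: <info@mydomain.com>\n"
    "Subject: Something\n"
    "Message-ID: <000a01d3$1c2b3a40$@mydomain.com>\n"
    "X-Spam-Status: Yes, score=6.1 required=5.0 tests=SPF_SOFTFAIL\n"
    "\n"
    "body\n"
)

def domain_of(value):
    """Domain after the last '@' in a header value, lowercased ('' if none)."""
    found = re.findall(r"@([A-Za-z0-9.-]+)", value or "")
    return found[-1].lower() if found else ""

def analyze(raw, local_domain=LOCAL_DOMAIN):
    msg = message_from_string(raw)
    # Sender-written headers: any client can put any domain in these.
    claimed = {h: domain_of(msg.get(h)) for h in ("From", "Message-ID")}
    # Envelope sender recorded at delivery; this is the identity SPF evaluates.
    envelope = domain_of(msg.get("Return-Path"))
    # The topmost Received line is added by the receiving server itself.
    received = msg.get_all("Received") or [""]
    peer = re.search(r"from\s+(\S+)", received[0])
    tests = re.search(r"tests=(\S+)", msg.get("X-Spam-Status", ""))
    rules = set(tests.group(1).split(",")) if tests else set()
    spf_failed = bool(rules & {"SPF_SOFTFAIL", "SPF_FAIL"})
    claims_local = [h for h, d in claimed.items() if d == local_domain]
    return {
        "claims_local": claims_local,
        "envelope_domain": envelope,
        "handed_over_by": peer.group(1) if peer else "",
        "spf_failed": spf_failed,
        # Local-looking headers plus a failed SPF check: treat as suspect.
        "suspect_local_sender": bool(claims_local) and spf_failed,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```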
 