May 29, 2017
15
1
3
South Africa
cPanel Access Level
Root Administrator
Hello,
I hope you are well.

Is it possible to force an account on my server to only accept mail if it complies with the SPF policy?

I have a client that is being spoofed from her own domain which seems to be causing her (and by extension me) untold distress (though it is more an annoyance than anything).

The MX records are pointed to SpamExperts, but I have been told that the mail was delivered "Directly" to my server and did not pass through their filter.

I have enabled the SPF record as well as all the necessary DMARC and DKIM records but this email is still getting through.

Any advice?
 

Infopro

Well-Known Member
May 20, 2003
17,113
509
613
Pennsylvania
cPanel Access Level
Root Administrator
I have a client that is being spoofed from her own domain which seems to be causing her (and by extension me) untold distress (though it is more an annoyance than anything).
There is a similar thread with some suggestions you might try, located here:
Spam email from self

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,917
2,248
363
The MX records are pointed to SpamExperts, but I have been told that the mail was delivered "Directly" to my server and did not pass through their filter.
Hello @Wade John Beckett,

Can you share the specific log entry from /var/log/exim_mainlog for one of the spoofed emails? You can find the log entry by using the exigrep utility as root via the command line. EX:

Code:
exigrep MSGSUBJECT /var/log/exim_mainlog
Replace "MSGSUBJECT" with the subject of the email with the spoofed sender.

Thank you.
 
May 29, 2017
15
1
3
South Africa
cPanel Access Level
Root Administrator
Hello,
Thanks for the reply.

Here is the output from the exim_mainlog for the specific message:

2019-04-02 08:11:25.343 [2489446] 1hBCdo-00ARcM-UL H=([5.76.71.62]) [5.76.71.62]:11180 I=[**.***.***.***]:25 Warning: Message has been scanned: no virus or other harmful content was found
2019-04-02 08:11:25.345 [2489446] 1hBCdo-00ARcM-UL <= [email protected] H=([5.76.71.62]) [5.76.71.62]:11180 I=[**.***.***.***]:25 P=esmtp S=2955 M8S=0 RT=0.358s [email protected] T="Frauders known your old passwords. Access data must be changed." from <[email protected]> for [email protected]
2019-04-02 08:11:25.367 [2489817] 1hBCdo-00ARcM-UL => user <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_virtual_delivery S=3149 C="250 2.0.0 <[email protected]> oNRwFQ39olxq9yUAMIJW9Q Saved" QT=0.427s DT=0.009s
2019-04-02 08:11:25.367 [2489817] 1hBCdo-00ARcM-UL Completed QT=0.427s

I have replaced my server IP with **.***.***.*** and the users email address with [email protected] for security reasons.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,917
2,248
363
Hello @Wade John Beckett,

Here's a response from the link referenced earlier in this thread:

One additional option to consider is Require remote (domain) HELO found under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor. This option will prevent someone from using local domains hosted on the cPanel server as the FROM address during the SMTP transaction. EX:

Code:
"REJECTED - Bad HELO - Host impersonating [testing.tld]"
Thank you.
This should be useful in your case because the emails are sent to an email account hosted locally on the cPanel server.

Thank you.
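As an added example (not code from the thread or from cPanel), the following Python checker applies the two signals discussed above to lines in the exim_mainlog format posted earlier: a HELO that is a bare IP literal or a locally hosted domain (the case the "Require remote (domain) HELO" option rejects), and a local-domain envelope sender that arrived directly rather than through the filtering MX or an authenticated session. LOCAL_DOMAINS, FILTER_RELAYS and the sample log lines are constructed assumptions, not values from the thread.

```python
import re
from ipaddress import ip_address, ip_network
# Matches the exim_mainlog "<=" (message received) line in the format posted above:
#   <id> <= <sender> H=[rdns ](<helo>) [<ip>]:<port> I=[<local ip>]:<port> P=<protocol> ...
RECEIVED = re.compile(
    r"(?P<id>\S+) <= (?P<sender>\S+) H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\]:\d+ I=\[[^\]]+\]:\d+ P=(?P<proto>\S+)"
)

# Hypothetical configuration (constructed): locally hosted domains and the ranges the inbound filter delivers from.
LOCAL_DOMAINS = {"example.com"}
FILTER_RELAYS = [ip_network("198.51.100.0/24")]

def check_line(line):
    """Return findings for one '<=' line; an empty list means nothing suspicious."""
    m = RECEIVED.search(line)
    if not m:
        return []
    ip = ip_address(m["ip"])
    helo = m["helo"].strip("[]").lower()             # "[1.2.3.4]" -> "1.2.3.4"
    from_domain = m["sender"].rpartition("@")[2].lower()
    via_filter = any(ip in net for net in FILTER_RELAYS)
    authenticated = m["proto"].endswith("a")          # esmtpa / esmtpsa = SMTP AUTH session
    findings = []
    if helo in LOCAL_DOMAINS:                         # remote host claiming a local domain in HELO
        findings.append(f"HELO impersonates local domain {helo}")
    if helo == str(ip):                               # bare IP literal instead of a hostname
        findings.append("HELO is a bare IP literal")
    if from_domain in LOCAL_DOMAINS and not (via_filter or authenticated):
        findings.append(f"local sender {from_domain} delivered directly from {ip}, bypassing the MX filter")
    return findings

def scan(log_text):
    """Map message id -> findings for every flagged '<=' line in log_text."""
    out = {}
    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        findings = check_line(line) if m else []
        if findings:
            out[m["id"]] = findings
    return out

# Constructed sample lines (RFC 5737 addresses, made-up ids): a spoof with a bare-IP HELO, a normal delivery via the filter, an authenticated submission by the real user, and a remote host claiming the local domain in HELO.
SAMPLE_LOG = """\
2019-04-02 08:11:25.345 [2489446] 1hBCdo-00ARcM-UL <= alice@example.com H=([192.0.2.10]) [192.0.2.10]:11180 I=[203.0.113.5]:25 P=esmtp S=2955 T="Access data must be changed." from <alice@example.com> for alice@example.com
2019-04-02 08:15:01.001 [2489500] 1hBChI-00ARdQ-AB <= bob@partner.test H=mx1.filter.test (mx1.filter.test) [198.51.100.7]:45012 I=[203.0.113.5]:25 P=esmtps S=4100 T="Invoice" from <bob@partner.test> for alice@example.com
2019-04-02 08:20:44.120 [2489611] 1hBCmo-00AReZ-Cd <= alice@example.com H=(laptop) [203.0.113.77]:50233 I=[203.0.113.5]:587 P=esmtpsa A=dovecot_login:alice@example.com S=1200 T="Hi" from <alice@example.com> for bob@partner.test
2019-04-02 08:31:09.500 [2489702] 1hBCwv-00ARfK-Ef <= news@other.test H=(example.com) [192.0.2.55]:2201 I=[203.0.113.5]:25 P=esmtp S=900 T="Offer" from <news@other.test> for alice@example.com
"""
```

Running `scan(SAMPLE_LOG)` flags only the first and last lines; the filtered delivery and the authenticated submission pass cleanly.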