spoofed sender, ransom email

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Is there any way of stopping this happening?
A ransom email supposedly from self to self, stating words along the lines of 'I'm a hacker, and I've taken control of your email, pay me now' etc etc

I checked the headers and can see where it really came from, but my end user wouldn't know how to do this, so really assumed it was true.
Even with SPF and DKIM configured on the account, this ransom email still made it through to one of my users.

Code:
To: [email protected]
Content-Type: multipart/related;
 boundary="6778796521411084-84DCB270D24"
MIME-Version: 1.0
From: <[email protected]>
Would 'Allow DKIM verification for incoming messages' fix this?
 

backhousemedia

Registered
Nov 26, 2017
Los Angeles
cPanel Access Level
Root Administrator
Ya, it's really annoying. A bunch of our clients have received this same "ransom" email over the past few days and they're blowing up our support. Any way to fix this globally?

It's from/to their own email addresses.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
In my case, it didn't actually come from self to self, it did in fact come from an email address with a Turkish TLD.
But as the sender address was spoofed, to my end user, it looked like it came from his own mailbox.

Reading at least all the way through the first thread, it seems there is no solid solution.

Searching MailScanner, I've seen a few instances of this, and one thing I notice is that the actual ransom is not text, but is in fact a jpg image.

Maybe in the short term I could create a simple rule to combat this.
 
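A simple rule of the kind mentioned above, as an added example that is not from this thread, cPanel or MailScanner: it does in code what keat63 did by hand, comparing the From: domain against the envelope sender and the SPF/DKIM verdicts in Authentication-Results, so a "self to self" message that nothing authenticates gets flagged. The domains, addresses and headers are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample headers (assumed, not from the thread): the first claims
# to be self-to-self, but its envelope sender and Authentication-Results disagree.
SPOOFED = b"""Return-Path: <bounce@spoofer.example.tld>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=spoofer.example.tld; dkim=none
From: <user@example.com>
To: <user@example.com>
Subject: I'm a hacker and I've taken control of your email

(constructed body)
"""

LEGIT = b"""Return-Path: <user@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: <user@example.com>
To: <user@example.com>

reminder
"""

def _domain(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Parse Authentication-Results into e.g. {'spf': 'fail', 'dkim': 'none', 'dkim_d': ''}."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            found.setdefault(mech, result.lower())
        m = re.search(r"header\.d=([\w.-]+)", str(hdr))
        found.setdefault("dkim_d", m.group(1).lower() if m else "")
    return found

def is_spoofed_self_mail(raw, local_domains):
    """True when From: claims one of our domains but neither an SPF pass on a
    matching envelope sender nor a DKIM pass for that domain backs it up."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(msg["From"])
    if from_dom not in local_domains:
        return False  # not claiming to be local; outside this check's scope
    res = auth_results(msg)
    spf_ok = res.get("spf") == "pass" and _domain(msg["Return-Path"]) == from_dom
    dkim_ok = res.get("dkim") == "pass" and res.get("dkim_d") == from_dom
    return not (spf_ok or dkim_ok)
```

The check relies on the MX stamping a trustworthy Authentication-Results header; strip any such header arriving from outside before trusting it.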

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
In my case, it didn't actually come from self to self, it did, in fact, come from an email address with a Turkish TLD.
That's exactly what spoofing is! It can look different but essentially it's when someone modifies the headers to make it appear that your domain or you (or another party entirely) is sending the offending mail.

SpamAssassin should be able to flag this behavior as spam, though I did note that you indicated you're using MailScanner. I believe MailScanner should have settings for this as well.
 

walt

Member
Oct 30, 2015
Houston, Tx
cPanel Access Level
Website Owner
Hello, I was catching up with some old emails, and came across a ransom one from March.
It appears to be very similar to this case (same from and to address, and same time period):
An extra detail is that the email's 'to' address was one that I only use for this forum.

On August 7 I received another email, however this was addressed to my outlook.live account. The content of the email was word for word almost the same, however the subject line now contained the password that I was using for this forum.
 