Temporarily Disabling Email Account Question

basshook

Active Member
Jul 27, 2006
25
0
151
Hi all, I've read through a number of threads regarding the disabling of email accounts but none that I've found so far really answer my question so I will try to elaborate here.

I have a valuable client with an imap (squirrelmail) email account that some spammer is spoofing on a regular basis for the last three months and has done in the past also. Usually he/she stops after a month and I ignore it. But now I want to somehow disable the email account without losing all the data (no migrating feature in squirrelmail) and create a forwarder to another email address with the idea that my client will still receive legitimate email from his hundreds of clients, but the spammer will not be able to use it. I know that it will probably work if I delete the account but was hoping to avoid that. Also he refuses to change his email address because of the length of time he's had it and the painstaking effort to notify all his clients.

After about two months, I thought I'd re-enable the account with all his data again (hopefully) to see if that stops the spoofing. Is this possible or is there another way to stop the spoofing as I receive hundreds of failure messages each day from it? Sooner or later I imagine I will be dealing with RBLs which I hope to avoid.

Sorry for the long-winded post.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Deleting the email account will not prevent spoofing attempts. They can occur even when the email account does not exist. One method to avoid this type of behavior is to ensure the domain name uses an SPF record. You can add an SPF record for the account under the "Email Authentication" option in cPanel. Then, remote mail servers that check for SPF records can verify if the email is legitimate.

Thank you.
 

basshook

Thanks for your reply. I have SPF and DKIM enabled but it isn't stopping the spoofing. I get hundreds of failed messages a day related to this spoofer. It only seems to occur with the one account. I guess there is nothing I can do about it except to let mailwatch continue to flag them as spam so the client doesn't see them. What are your thoughts regarding possibly getting blacklisted because of this spammer?
 

cPanelMichael

Have you confirmed the email is coming from a remote server and not locally? If it's a spammer on your own server, then the following document may be helpful:

Prevent Email Abuse

Otherwise, you may want to determine the source through the headers and report this to their email administrator.

Thank you.
 

basshook

I have paid a tech to look at my server and he assures me that it isn't originating from my server. Here are the headers from one of the failure messages for you to peruse and provide feedback if you will. These headers don't show the original email that was sent however. I replaced my client's email address with username/website.com and my server name with myserver.com. Thanks for the link, I'll be doing some of those if not all recommendations for sure.

Received: from mailgw.hakodate-ct.ac.jp ([202.25.71.17]:46042)
    by myserver.com with esmtp (Exim 4.80.1)
    id 1VDpVY-0007j6-L1
    for [email protected]; Sun, 25 Aug 2013 22:38:33 -0700
Received: by mailgw.hakodate-ct.ac.jp (Postfix)
    id 4F3F8C0EBD; Mon, 26 Aug 2013 14:38:23 +0900 (JST)
Date: Mon, 26 Aug 2013 14:38:23 +0900 (JST)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="34A0CC0EA6.1377495503/mailgw.hakodate-ct.ac.jp"
Message-Id: <[email protected]>
 
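The header fields in the post above are enough to separate backscatter bounces from ordinary mail and to see which remote host handed each bounce to the server. The following is an added example, not part of the original thread: the sample messages are constructed from the post's headers, the addresses and the `client.example` / `remote.example` names are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample modelled on the post's headers; addresses are placeholders.
BOUNCE = (
    "Received: from mailgw.hakodate-ct.ac.jp ([202.25.71.17]:46042)\n"
    "\tby myserver.com with esmtp (Exim 4.80.1)\n"
    "\tfor username@website.com; Sun, 25 Aug 2013 22:38:33 -0700\n"
    "From: MAILER-DAEMON@remote.example (Mail Delivery System)\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "Auto-Submitted: auto-replied\n"
    "Content-Type: multipart/report; report-type=delivery-status;\n"
    "\tboundary=\"34A0CC0EA6.1377495503/mailgw.hakodate-ct.ac.jp\"\n\n"
)
# Constructed ordinary message from a hypothetical customer.
NORMAL = (
    "Received: from mail.client.example ([192.0.2.10]:52100)\n"
    "\tby myserver.com with esmtps (Exim 4.80.1)\n"
    "From: customer@client.example\n"
    "Subject: Invoice question\n"
    "Content-Type: text/plain\n\nHello\n"
)

# Matches the "from host ([ip]:port)" form seen in the post's Exim Received line.
RELAY_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]")

def is_dsn(msg):
    """True for a delivery status notification (multipart/report, RFC 3464)."""
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")

def handing_relay(msg):
    """(host, ip) from the topmost Received header, the one our own server wrote."""
    received = msg.get_all("Received") or []
    m = RELAY_RE.search(" ".join(received[0].split())) if received else None
    return (m.group(1), m.group(2)) if m else None

def tally_backscatter(raw_messages):
    """Count bounces per relaying host, for abuse reports or filter rules."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if is_dsn(msg):
            counts[handing_relay(msg) or ("unknown", "unknown")] += 1
    return counts

if __name__ == "__main__":
    print(tally_backscatter([BOUNCE, NORMAL, BOUNCE]))
```

The relay reported here is the server that generated the bounce, not the spammer's origin; the spoofed message itself is only visible in the returned-message part of the bounce body, when the remote server includes it.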

cPanelMichael

In "WHM Home » Service Configuration » Exim Configuration Manager", under "ACL Options", you can enable the following option:

"Reject SPF failures"

This should help prevent spoofing for domain names with valid SPF records. However, it will only block emails sent to your server that do not have valid SPF records. If someone sends an email from a remote server to another remote server, it's up to the remote mail server to implement anti-spoofing techniques.

Thank you.
 

basshook

cPanelMichael, thanks for all your help. It is a spammer/spoofer that is sending emails from a remote server to a bunch of other remote servers so I guess there is nothing I can do about it. Why he chose this email address is beyond me but it is what it is. I guess if my server IP gets blacklisted by an RBL I will deal with it at that time. Again thanks for all your help and links.