The Community Forums

Too many phishing emails with MY email address: Exim question

Discussion in 'E-mail Discussions' started by erick_paper, Jun 16, 2009.

  1. erick_paper

    erick_paper Well-Known Member

    Joined:
    Apr 19, 2005
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Hi. I am getting a lot of emails from my own email address. If I look at the headers, it's clear it's not being sent from my server, but the "From" is falsely specified as mine.

    Which rule in Exim's given cPanel config should I use to block this junk? I remember having an ACL in my older Exim file, but had to recently reset all the config to default after an update. Ideally I'd like to leave the ACL as it is, but I am hoping that there is some rule I can enable.

    I tried "Sender Verification Callout" but that doesn't help, because it would connect to my server and find the right email address, because the fake "from" is in fact a valid sender on my server.

    I also thought about "Require incoming SMTP connections to send a HELO that does not match this server's local domains." but this wouldn't work either, because the SMTP connection to this phisher's actual server would return a HELO that is different from mine.

    Anything I'm missing?

    Thanks!
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Setting up SPF verification should help with that
     
  3. erick_paper

    erick_paper Well-Known Member

    Joined:
    Apr 19, 2005
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Thanks, but isn't SPF checking a bit dicey given that many domains may not have set SPFs yet?
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    This is Backscatter: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
     
  5. mattdmin

    mattdmin Member

    Joined:
    Nov 28, 2008
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    SPF

    Unfortunately, if you're not using SPF checking, you're going to have this type of open relay. Utilize SPF checking; otherwise eventually you will be blacklisted too, so either way your mail won't go through. Been there, done that: add SPF and Domain Keys to each domain. It's simple and you can add it right through your user-level cPanel, under Mail -> Email Authentication.

    I'd also suggest firewalling up, that way you can take care of these nasty mail relayers.
     
  6. erick_paper

    erick_paper Well-Known Member

    Joined:
    Apr 19, 2005
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    SPF is already enabled for all my domains.

    I have now enabled SPF checking in WHM as well.

    Still no help. Still getting crap emails with fake headers.

    I used to have some ACL rule from years ago which took care of this, I think. Recently I had to "Reset all ACLs" in Exim in WHM before cPanel's update could go through. So of course I have lost my older ACL. So what's the improvement from cPanel? Where can I enable the blocking of fake FROM headers?
     
  7. erick_paper

    erick_paper Well-Known Member

    Joined:
    Apr 19, 2005
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    More specifically, I would like to enable some of the ACL rules from this old Chirpy thread:

    http://forums.cpanel.net/f21/how-sp...ng-exiscan-clamav-rbl-spamassassin-31530.html

    But I'm worried that the new Exim 4 won't croak under these rules? The section in the config file now does say something like:

    Code:
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    #
    # cPanel Default ACL Template Version: 5.9
    # Template: mailman2.exiscan.dist
    #
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    
    Thanks for any thoughts!
     
  8. erick_paper

    erick_paper Well-Known Member

    Joined:
    Apr 19, 2005
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Anyone? Any thoughts?

    Could I put this block in Exim 4's ACL rules:

    Code:
      #---------------------------------------------------------------------
      # BE POLITE AND SAY HELO. REJECT ANYTHING FROM HOSTS THAT HAVEN'T GIVEN
      # A VALID HELO/EHLO TO US.
      #---------------------------------------------------------------------
      deny
        message   = Bad HELO: Empty HELO, Polite hosts say HELO first. Please see RFC 2821 section 4.1.1.1.
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}

      #---------------------------------------------------------------------
      # FORGED HOSTNAME - HELOS AS ONE OF MY OWN IPS
      # FORGED HELO (OUR IP/HOSTNAME)
      #---------------------------------------------------------------------
      # Exempt our own interface addresses, hosts permitted to relay, and
      # authenticated clients; the named list used with "hosts" must be a
      # hostlist (not a domainlist) in your exim.conf.
      deny message = Forged HELO: You are not $sender_helo_name as you claim. You are not allowed to use it in HELO/EHLO as per RFC Standards.
        !hosts         = @[]
        !hosts         = +relay_domains
        !authenticated = *
        condition      = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
    
    
     
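An Exim ACL fragment that does what this thread is asking for: reject mail whose sender claims one of this server's own domains but arrives from an outside, unauthenticated host. This is an added example, not code from the thread or from cPanel; it assumes the named lists local_domains and relay_hosts exist in exim.conf as they do in cPanel-style configurations.

```exim
# Added example (not from the thread or from cPanel).  Assumes exim.conf
# defines "domainlist local_domains" and "hostlist relay_hosts"; rename to
# match your configuration.

# --- envelope sender: put this in the ACL run for MAIL FROM / RCPT TO ---
# Reject if the MAIL FROM domain is one of ours and the client is neither
# one of our own interfaces, nor a trusted relay host, nor authenticated.
  deny message        = Envelope sender domain $sender_address_domain is local to \
                        this server, but you are not authenticated or a trusted host
       !authenticated = *
       !hosts         = @[] : +relay_hosts
       sender_domains = +local_domains

# --- header From: (what the phisher actually forged): put this in the DATA ACL
# The header is only available after DATA, so this check cannot run earlier.
# ${address:...} extracts the address from "Display Name <user@domain>",
# ${domain:...} then takes its domain; match_domain tests it against the list.
  deny message        = Header From: domain ${domain:${address:$h_from:}} is local \
                        to this server, but you are not authenticated or a trusted host
       !authenticated = *
       !hosts         = @[] : +relay_hosts
       condition      = ${if match_domain{${domain:${address:$h_from:}}}{+local_domains}}

# Caveat: mail your own users send through a third-party relay (ISP SMTP
# server, mailing list, forwarding service) carries your domain too and will
# be rejected by these rules; add such sources to relay_hosts or exempt them
# with an additional "!hosts" line.
```

Neither rule replaces SPF checking; SPF lets remote servers judge mail claiming your domain, while these rules protect only your own inbound edge.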