Bobcares

Blocking spoofed mails going out from your cPanel/WHM server to protect it from blacklists

by | Feb 16, 2017

Outgoing spam is a major headache for many web hosts. Spammers use compromised websites or mail accounts to send thousands of spam mails within a few minutes.

By the time the web host comes to know about it, the server IP would be blacklisted (eg. SpamHaus SBL), and legitimate mails would be bouncing left and right.

As part of our Server Support services, our engineers help small and large web hosts recover from spamming incidents, and keep their servers spam free.


What is email spoofing? Why should you prevent it?

76% of spamming in web hosting servers happens mainly due to email spoofing. In spoofing, mails are sent using a fake ‘From’ address, which can be a valid email account on the server.

As a result, email bounces or failure messages for these mails would come back to your server’s mail queue and fill it up. So, cutting down spoofed mail is always a priority for us, in cPanel server management.

Similarly, a spammer can use a compromised mail account on your server (say user@server.com) and set the spam mail’s “From” address to a different address like “obama@whitehouse.gov”.

Such spoofed mails can cause your mail server to be blacklisted, which would affect the server reputation and prevent further email delivery.

In our experience fixing outbound spamming in web hosting servers, Bobcares engineers have noticed spoofed mails originating from the following three sources:

  1. Spammers exploiting vulnerable mail scripts in the server to send out spoofed mails.
  2. Using compromised mail account details to send spoofed mails after authentication.
  3. Misusing the vulnerabilities in mail server configuration.

We use several methods to keep web hosting servers spam-free. Setting up custom security rules for mail servers is one of them. Today we’ll take a look at how we cut down spam that used fake (aka spoofed) “From” address.


 

1. Block outgoing spam in cPanel due to unauthenticated spoofing

Unauthenticated spoofing involves spammers exploiting any vulnerable forms in your server and sending out outgoing spam from it using your local mail server, but with a fake ‘From’ address.

To block outgoing spam from cPanel servers, we configure custom ACL rules in the Exim mail server. These rules check the email headers of outbound mails and extract the domain name from the ‘From’ address.

The domains in a cPanel server can be categorized into two lists, based on their choice of mail server:

  1. Local domains – those that use the local mail server.
  2. Remote domains – those that use an external mail server.

If the domain name in ‘From’ address does not match with the domain names in any of these two lists, the ACL filter would deny that mail from being delivered using the mail server, thus protecting it from spoofing.

But editing the Exim configuration file should be done with utmost caution, as even a minor mistake can break the mail server and stop mail from flowing.

At Bobcares, our Server Support Specialists block outgoing spam in cPanel servers with their expertise in configuring custom ACL rules while ensuring smooth Exim mail server functioning.
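To make the rule concrete, here is an added example of such a configuration written for this post (it is not the article's own or cPanel's shipped configuration). It assumes cPanel's standard local_domains list, that remote_domains is not yet defined in your exim.conf, the optional bypass list /etc/allowdomains and its list name allow_domains, and that the ACL part is pasted into the custom_begin_outgoing_notsmtp_checkall box of the WHM Advanced Editor.

```exim
# Added example, not the article's own configuration.
# Part 1: WHM >> Exim Configuration Manager >> Advanced Editor >>
# "Add additional configuration setting" (main section, before any ACL).
# cPanel already defines local_domains from /etc/localdomains. Add the
# remote_domains line only if "grep remote_domains /etc/exim.conf" shows it
# is missing; defining a named list twice is a configuration error.
# allow_domains is an assumption: one domain per line in /etc/allowdomains
# (owner root:mail); the list is simply empty when the file does not exist.
domainlist remote_domains = lsearch;/etc/remotedomains
domainlist allow_domains  = ${if exists{/etc/allowdomains}{lsearch;/etc/allowdomains}{}}

# Part 2: the "custom_begin_outgoing_notsmtp_checkall" box, i.e. inside
# acl_not_smtp, which runs for mail injected locally (PHP mail(), sendmail
# pipes) rather than over SMTP. Every continued line must end in a
# backslash; a bare line break inside "condition" or "message" is the usual
# cause of an "unknown ACL condition/modifier" or "main option unknown" error.
deny
  condition   = ${if !match_domain{${lc:${domain:${address:$h_From:}}}}\
                   {+local_domains : +remote_domains : +allow_domains}}
  log_message = rejected local submission: From domain \
                ${lc:${domain:${address:$h_From:}}} is not hosted here
  message     = Sorry, you don't have permission to send email from this \
                server with a header that states the email is from \
                ${lc:${domain:${address:$h_From:}}}.
# No "accept" here: falling through lets cPanel's later checks in the same
# ACL (virus and spam scanning) still run on mail that passed this rule.
```

After saving, `exim -bV` re-reads the configuration and reports syntax errors without restarting the service, and `exim -bP domainlist allow_domains` shows how the list was parsed.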


Up next: Prevent authenticated spoofing

2. Block outgoing spam in cPanel due to authenticated spoofing

Outgoing spam due to authenticated spoofing happens when the spammers get hold of the details of any email account in your server and use it to send mails with fake ‘From’ addresses.

End user mail accounts can get hacked due to a lack of proper care in keeping the login details secure. Viruses or other vulnerabilities in the user’s PC or mail client can also make them vulnerable to hijacks.

While it is not possible for server owners to have control over their customers’ mail devices, our expert support engineers help web hosts protect their servers from these threats and prevent email spoofing and IP blacklisting.

We configure custom ACL rules for the Exim server to check if the authenticated mail user account matches the ‘From’ address of the email that is sent. If there is a mismatch in these addresses, the mail would be rejected.
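As an added example (written for this post, not the article's own configuration), the authenticated-sender check can be expressed like this. It goes a little beyond the paragraph by adding an exception list for addresses whose SMTP login is not an email address, such as a cPanel account's default address, which would otherwise always fail the comparison. Assumptions: the list name whitelist_senders, the file /etc/emailaccounts (full addresses, one per line, owner root:mail), and the custom_begin_outgoing_smtp_checkall box under acl_smtp_data as the place for the ACL part.

```exim
# Added example, not the article's own configuration.
# Part 1: "Add additional configuration setting" (main section).
# whitelist_senders is an assumption: From addresses that may be used even
# when they differ from the SMTP login (e.g. a cPanel account's default
# address, whose login is the bare cPanel username). Empty if no file.
addresslist whitelist_senders = ${if exists{/etc/emailaccounts}{lsearch;/etc/emailaccounts}{}}

# Part 2: the "custom_begin_outgoing_smtp_checkall" box (acl_smtp_data),
# which runs after the whole message, headers included, has been received.
# Only authenticated sessions are tested; the ACL in the previous section
# covers unauthenticated local submissions.
deny
  authenticated = *
  # skip the test for whitelisted From addresses (case-insensitive)
  condition     = ${if !match_address{${lc:${address:$h_From:}}}{+whitelist_senders}}
  # deny when the login matches neither the envelope sender nor the header From
  condition     = ${if or{ \
                     {!eqi{$authenticated_id}{$sender_address}} \
                     {!eqi{$authenticated_id}{${address:$h_From:}}} \
                   }}
  log_message   = authenticated spoof: $authenticated_id sent as \
                  $sender_address / ${address:$h_From:}
  message       = Your FROM address ($sender_address, $h_From:) must match \
                  your authenticated email user ($authenticated_id). \
                  Treating this as a spoofed email.
# Again no "accept": the rest of acl_smtp_data (SpamAssassin etc.) must run.
```

The log_message line is what you would grep for in the Exim main log to see which accounts are being abused, which is usually the first sign of a compromised mailbox.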


 

3. Fixing server vulnerabilities

Every server software or application carries a risk of vulnerabilities. Hackers are on the prowl for server vulnerabilities that can be exploited for their purposes.

It is not uncommon for spammers to exploit server vulnerabilities to send out spam. We’ve seen cases where server owners inadvertently configure their server as an open relay.

Though the default configuration of cPanel keeps Exim as an authenticated relay, adding custom rules or other third-party settings may leave open gaps that allow malicious actors to send out spam.

Bobcares’ cPanel server specialists perform security audits on servers periodically and whenever a change is made to the server settings, to detect any open vulnerabilities and fix them promptly before an attacker finds them.

Mail service is perhaps the most important online service that aids day-to-day business transactions. If you’d like to know how you can better support your mail users, we’d be happy to talk to you.

 


33 Comments

  1. Tom

    When I add the code above in the box: custom_begin_outgoing_notsmtp_checkall I get an error:

    error in ACL: unknown ACL condition/modifier in +local_domains : +remote_domains

    Reply
    • Visakh S

      Hi Tom,

      Thanks for the comment.

      I see that you have entered the details in the right place. The issue may be due to any of the following:

      1. Unwanted space in code. That is, there shouldn’t be any space before +local_domains in the code.

      Please try using the following:

      deny
      condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains}}
      message = Sorry, you don't have \
      permission to send email from this server with a header that \
      states the email is from ${lc:${domain:${address:$h_from:}}}.
      accept
      

      2. The below entry might be missing:

      domainlist remote_domains = lsearch;/etc/remotedomains
      

      If the error is still not resolved, please let me know the output to the following:

      grep remote_domains /etc/exim.conf
      
      Reply
  2. Kaushal Kishor Mahato

    If I want to bypass one or two domains, then how can I do that?

    Reply
    • Visakh S

      Hi Kaushal,

      Thanks for the comment.

      Create a file /etc/allowdomains with ownership root:mail. Add the domains that you want to bypass to this file. Then add the below line in the Exim advanced editor using the Add additional configuration setting feature:

      domainlist allow_domains = lsearch;/etc/allowdomains

      Then use the below ACLs:

      1. Blocking all un-authenticated spoofed outbound emails

      Add the following code under acl_not_smtp :

      deny
      condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
      message = Sorry, you don't have \
      permission to send email from this server with a header that \
      states the email is from ${lc:${domain:${address:$h_from:}}}.
      accept
      

      2. Blocking all authenticated spoofed outbound emails

      deny
      authenticated = *
      condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
      message = sorry, you don't have \
      permission to send email from this server with a header that \
      states the email is from ${lc:${domain:${address:$h_from:}}}.
      accept
      
      Reply
      • Sergio

        Hi Visakh,
        thanks for sharing this.

        I have a doubt, you said:
        “Add the following code under acl_not_smtp :”

        But where under “acl not smtp”?
        There are a few boxes like:
        – custom_begin_outgoing_notsmtp_checkall
        – custom_begin_not_smtp
        Where I should write your code for the Authenticated Spoofed?

        Reply
        • Prajith

          Sergio,

          It should be added under “custom_begin_outgoing_notsmtp_checkall”.

          Reply
  3. Tilak

    I have followed the above steps successfully, but when I add the “domainlist remote_domains = lsearch;/etc/remotedomains”
    line I am getting an error.
    I ran the “grep remote_domains /etc/exim.conf” command and the command output is below:
    ===============================
    # grep remote_domains /etc/exim.conf
    fail_remote_domains:
    ===============================
    Please guide me how to resolve the issue.

    Reply
    • Prajith Kumar

      Hi Tilak,

      We attached the screenshots in the article so that you can configure it easily. Please check those.

      Reply
  4. Joshua

    Hello Visakh
    I have tried configuring with your instructions, but have run into an issue. I have set the domainlist under additional configuration setting; when I go to configure acl_not_smtp (ensuring there are no spaces) I get an error for acl_smtp_mail and all variables below this up until untrusted_set_Sender. The error message is:
    main option “message” unknown
    What am I doing wrong?

    Cheers,
    Joshua

    Reply
    • Prajith Kumar

      Hi Joshua,

      I infer that you are adding the code in the wrong place. Please see the attached screenshot and try to configure it again in the correct place. If you are getting any errors, please paste them here so that I can assist you.

      Reply
  5. Michael

    Hi there,
    Trying to implement your “Blocking all authenticated spoofed outbound emails” option but after putting your code under “acl_smtp_data:” > “custom_begin_exiscanall” I get the error:

    error in ACL: unknown ACL condition/modifier in “{ !eqi{$authenticated_id} {${address:$header_From:}} }”

    Is it just me or is there something wrong with your if statement?

    Reply
    • Prajith Kumar

      Hi Michael,

      There should be some space in between the code, which is causing the issue. Please copy and paste the above code from the article and ensure you add it in the correct place. Refer to the screenshots in the article.

      Reply
  6. Hugo

    Hi Joshua,

    How can I add a mail whitelist for the part I? For example, I need that all outgoing mails authenticated, except if it comes from a specific email (root@hostname).

    Reply
  7. Prabhat Kumar

    Dear Vikas ji

    I have done as described in this link (https://bobcares.com/blog/blocking-spoofed-mails-going-out-of-your-cpanel-whm-web-hosting-server/) suggested by you, but it failed, giving the error below. Please help..

    vim /etc/exim.conf (added the below line at the top)

    domainlist remote_domains = lsearch;/etc/remotedomains

    I have added the below code under this line: (acl_not_smtp = acl_not_smtp)

    vim /etc/exim.conf

    deny
    condition = ${if ! match_domain{${domain:${address:$h_From:}}}\
                {+local_domains : +remote_domains}}
    message = Sorry, you don't have \
    permission to send email from this server with a header that \
    states the email is from ${lc:${domain:${address:$h_from:}}}.
    accept

    :wq (save and exit)

    On service exim restart I got the below error. Please look into this.

    service exim restart
    Shutting down exim: [ OK ]
    Shutting down spamd: [ OK ]
    Starting exim: 2015-10-28 12:30:51 Exim configuration error in line 56 of /etc/exim.conf:
    main option “deny” unknown
    [FAILED]
    0 processes (antirelayd) sent signal 9

    Reply
    • Prajith Kumar

      Hi Prabhat,

      You are editing the /etc/exim.conf directly. The steps given are for editing Exim conf from WHM.

      You need to go to WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EDITOR , and find the ACLs section that starts with “acl_not_smtp:”

      To avoid this confusion, I’ve added screen shots in the article.

      Hope it helps. 🙂

      Reply
    • Prajith Kumar

      Also note that the ACL rule is only 4 lines, that starts with the following strings:

      deny
      condition =
      message =
      accept

      So, if there is more than one line in the condition or message directives, you should put a backslash (\) at the end of the lines to avoid errors.

      Reply
  8. DJPRMF

    Should the “accept” be removed from those rules?

    That way it doesn’t prevent the other rules from taking action (like the malware scanning)…

    Reply
    • Prajith Kumar

      Hi Pedro,

      Yes, if you have malware scanning rules already present in your acl_not_smtp or acl_smtp_data ACL block, you should defer the accept to the last line, so that all rules applicable to reject the mail will be run before it reaches accept.

      Reply
      • Josua

        Hey Prajith

        We recently encountered issues with this part:

        custom_begin_outgoing_smtp_checkall
        deny
        authenticated = *
        condition = ${if or { \
        { !eqi{$authenticated_id} {$sender_address} } \
        { !eqi{$authenticated_id} {${address:$header_From:}} } \
        } }
        message = Your FROM address ( $sender_address , $header_From ) must \
        match your authenticated email user ( $authenticated_id ). \
        Treating this as a spoofed email.
        accept

        It seems to break the SpamAssassin rules that come with cPanel.

        You do mention that the “accept” part has to be deferred – could you be a bit more specific?

        Would you simply delete it from this segment or?

        Reply
        • AV

          Any answer?

          I also have the same issue: SpamAssassin doesn’t filter any incoming spam for any hosted account.

          Should I simply remove the “accept” word in both ACL rules?

          Reply
  9. Prabhat Kumar

    Hi,

    I have done it successfully, thank you so much. Another question: how can I bypass some domains?
    I have tried what you mentioned in your reply, but it is not working. Kindly suggest.

    Reply
    • Prajith Kumar

      Hi Prabhat,

      The idea is to create one more list called allow_domains and add it to the ACL along with local_domains and remote_domains.

      Can you let me know what all steps you have already taken, and what error (if any) you are getting?

      Reply
  10. Prabhat Kumar

    Dear Prajith ji,
    I have done as below and no error is coming, but allowdomains is not working.

    domainlist remote_domains = lsearch;/etc/remotedomains
    domainlist allow_domains = lsearch;/etc/allowdomains

    I have added the below under (custom_begin_outgoing_notsmtp_checkall)

    deny
    condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
    message = Sorry, you don't have \
    permission to send email from this server with a header that \
    states the email is from ${lc:${domain:${address:$h_from:}}}.
    accept

    And now i have added below under (custom_begin_outgoing_smtp_checkall)

    deny
    authenticated = *
    condition = ${if ! match_domain{${domain:${address:$h_From:}}}{+local_domains : +remote_domains : +allow_domains}}
    message = sorry, you don't have \
    permission to send email from this server with a header that \
    states the email is from ${lc:${domain:${address:$h_from:}}}.

    Reply
    • Prajith Kumar

      Hi Prabhat,

      Can you please confirm the below:

      Did you create the file /etc/allowdomains and add the domain to be whitelisted to it? Please note that the file should have root:mail ownership.
      I just tested this and it is working fine from my end.

      If you have still issue can you please provide the output of following:

      grep allow_domains /etc/exim.conf
      cat /etc/allowdomains

      Reply
  11. Prabhat Kumar

    Dear Prajith ji,

    I have another issue with exim. Anyone can connect to my server through telnet and send email from the same account. How can we protect against that? See the example below.

    nishant@nishant-Lenovo-B40-80 ~ $ telnet kvit.in 25
    Trying 43.252.91.161…
    Connected to kvit.in.
    Escape character is ‘^]’.
    220-ns1.linux-hosting.in ESMTP Exim 4.86 #2 Fri, 30 Oct 2015 12:04:18 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    helo kvit.in
    250 ns1.linux-hosting.in Hello mail1.kvit.in [122.176.40.9]
    mail from: zimbra@kvit.in
    250 OK
    rcpt to: zimbra@kvit.in
    250 Accepted
    data
    354 Enter message, ending with “.” on a line by itself
    hi this is spoffed email.
    .
    250 OK id=1Zs3HR-0005JX-KU

    Reply
    • Visakh S

      Hi Prabhat,

      Isn’t that expected? I just now tried telnet on your server, and looks like zimbra@kvit.in is a valid email account. So, it will accept a mail irrespective of what the FROM ID is.

      mail from:spammer@gmail.com
      250 OK
      rcpt to:prabhatk@kvit.in
      550 No such person at this address
      rcpt to:bibuiudsybf@kvit.in
      550 No such person at this address
      rcpt to:zimbra@kvit.in
      250 Accepted

      Wonder how this behavior is related to spoofing. Do you think this could be connected to outbound mail spoofing?

      Reply
  12. Prabhat Kumar

    Hi, Vikas ji,

    If anyone knows my email account, they can send email to my boss on behalf of me. You know it is very easy to find anyone’s email id in an organization. See the example below.

    nishant@nishant-Lenovo-B40-80 ~ $ telnet kvit.in 25
    Trying 43.252.91.161…
    Connected to kvit.in.
    Escape character is ‘^]’.

    220-ns1.linux-hosting.in ESMTP Exim 4.86 #2 Mon, 02 Nov 2015 12:25:13 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    500 unrecognized command
    helo kvit.in
    250 ns1.linux-hosting.in Hello mail1.kvit.in [122.176.40.9]
    mail from: prabhat@kvit.in
    250 OK
    rcpt to: vikas@kvit.in

    250 Accepted
    data
    354 Enter message, ending with “.” on a line by itself
    hi, I am going to resgine your company
    .
    250 OK id=1Zt92L-0005wm-Sq

    Reply
  13. Prabhat Kumar

    Dear Vikas ji,

    Thanks for your reply. These days most mail servers don’t care about SPF records and DKIM. So we can set this policy. If there is any other solution, kindly tell us.

    Reply
    • Visakh S

      Hi Prabhat,

      If your Exim server is enabled with SPF checking, that’s all you need. The filtering happens at your server’s end.

      Reply
  14. Kaydet.NET

    Hi,

    Great post. I applied it all and am hoping to get a breather from spammers 🙂

    Everything works fine. However, I found something missing in the rule:

    if a user uses the email id that is the same as the cPanel username (created when the cPanel account was created), he’s still treated as a spammer and receives the notification from the below code:

    deny
    authenticated = *
    condition = ${if or { \
    { !eqi{$authenticated_id} {$sender_address} } \
    { !eqi{$authenticated_id} {${address:$header_From:}} } \
    } }
    message = Your FROM address ( $sender_address , $header_From ) must \
    match your authenticated email user ( $authenticated_id ). \
    Treating this as a spoofed email.
    accept

    Is it possible you can share with us what more to add in order to resolve this problem?

    I got this error when the cPanel user accesses via webmail; I didn’t try an Outlook setup.

    Reply
  15. Prajith

    IMPORTANT points to keep in mind:

    1. POP before SMTP won’t work with this setting. You will have to ask your customers to use the option “My Server Requires Authentication” in the SMTP settings of their email client.
    2. Usernames in the format user+domain.com will not work. They have to use user@domain.com instead.
    3. Email sent from the default email account won’t work.

    You can override the above problems by using the following entry in ACL under acl_smtp_data instead of the above one:

    deny
    authenticated = *
    condition = ${if !match_address{${address:$h_From:}}{+whitelist_senders}}
    condition = ${if !match_domain{${domain:${address:$h_from:}}}{+local_domains : +remote_domains}}
    log_message = Seems like a spoofing attempt. Please check now.
    message = sorry, you don't have the permission to send email from this server with a header that \
    states the email is from ${lc:${address:$h_from:}}.

    accept

    You may add the user@hostname accounts to a file /etc/emailaccounts or so (create any file). And you need to add the following entry using the Add additional configuration setting feature:

    addresslist whitelist_senders = ${if exists{/etc/emailaccounts} {lsearch;/etc/emailaccounts} fail}

    You can set up a script and run it as cron to populate the file automatically.

    Reply
  16. Rhumjhum

    Hello,

    What about compromised email accounts? Many, many times a user account gets compromised and the hacker sends 1000+ spam mails from there.

    Reply
