Can malicious email be managed more aggressively?

Twitchin Kitten

New Member
I'm getting A LOT of malicious emails from all my @blahblahblah.com accounts through the server.
What's upsetting is that they are spoofing actual email accounts set up on the mail server on my VPS for several domains. They are sending fake invoices in zip file format demanding monies for unpaid accounts. OBVIOUSLY I don't open them, they are normally marked as ***SPAM*** in front of the title of the subject, but some get past the spam filter.

Is there any way to block these from reaching the server at all? I had a creep stalking me IRL and used my sites via proxies to gain access and through the htaccess file we were able to block him, his TOR browser / network and other myriad of ways to keep just him out. I also have a whole list of "bad bots" blocked and specific countries blocked.

So, knowing this can be done at the server level through htaccess for domains, is it at all possible to start bouncing those malicious emails? I'm getting bombarded with them by the dozens on a daily basis. Looking at the full headers it looks like they're coming from my own server, my own email address and more but I know it's "spoofing" to alarm me. My big question is HOW do they send from my own email address? Don't they have to have that address to send it from? I'm not sure how this kind of email stuff works, so I ask.
Some of them are also "verifying the security of the email through Symantec systems" and I called them to report this and ask how to send them this info because I figured that using someone who is in the security 'business' would have a concern, but they seemed not to care ( no wonder I gave them up 10 years ago).

These spammers are coming from places like Indonesia, Bangaledesh, Germany, Pakistan etc. The 'usual' suspects.
I have a very knowledgeable person handling the server and it's maintenance and he assures me that the spam filters are all set up correctly. I trust him. He just keeps telling me there is nothing we can do about this and I'm here hoping we can.

Any help would be appreciated!
 

phpAddict

Active Member
Well first off there's certainly things you can do about this. Sounds like Mr./Mrs. Very Knowledgeable is getting lazy and needs you to light a fire under his/her butt.

...they are normally marked as ***SPAM***...Is there any way to block these from reaching the server at all?
That's your answer right there. You can add an account wide filter to delete these emails marked as ***SPAM***. The SpamAssasin service on your server is what's marking those as spam, and there's different settings within SpamAssasin that will allow you to handle these Spam emails how you see fit. By default, it just marks them as spam like you're seeing now, but you could just set SpamAssasin to delete these, or you could pipe them all into a special SPAM@yourdomain.com account. Personally, I have them put into a junk folder on my server (roundcube or squirrelmail) that I now safely ignore unless someone tells me "did you get my email?". Combine that with BoxTrapper and I maybe get 1 spam email a month, from someone that actually took the time to click on the BoxTrapper verification link.

The problem with BoxTrapper (at least at first) and where I've had issues educating my clients to use this wonderful program, is they're lazy and can't take the time to regularly check the queue online, especially if they use a local email client like Outlook, then forget it. If you have tech savvy customers, this will reduce their spam to nearly nil. It can be a pain at first because you're starting with a blank whitelist and blacklist but over time as this builds it basically automates itself. I give my customers a jump start with their whitelist by downloading all of their sent emails, gather all the email addresses they've ever sent emails to, and upload them to their BoxTrapper whitelist. Some of my more important clients that are lazy to use this, I manage it for them. The couple minutes it takes to go through the queue, is far less of a headache for my client sifting through junk, and me having to hear about it.

My big question is HOW do they send from my own email address? Don't they have to have that address to send it from?
Clients ask me that a lot. Sadly email is very insecure by default. I can literally program a single line of code that would send you an email from the President of the United States (not that I would of course, that's probably up there with national treason), but hopefully your filters are not so bad that it would accept that email. Emails for the most part are just plain text that anyone can edit, and your server will process them accordingly. The FROM field in the header is part of that easily editable text so spammers regularly take advantage of that.

Looking at the full headers it looks like they're coming from my own server
I hope that's not true. Your server puts header information in every email, so if the header says it's coming from your server, you have a huge problem and best case scenario is only your email account has been hacked, but possibly your website or your hosting account(s) have been hacked. The reason that is, is even if that from IP information is spoofed, your server also adds where it's coming from. So for example, I could programatically put any IP in the header, but then your server would add more "From server/IP" data in the header that I couldn't stop from happening.

Finally, check your servers settings and make sure your own email records look good from the outside.
  • Go into WHM, and go into Exim Configuration Editor...
    • Make sure Require HELO before MAIL is set to On
    • Also, consider the Reject SPF failures option. By default it's set to off, but if you turn it on it'll almost certainly put a stop to these spoofed emails (assuming they're not really coming from your own server).
  • And, do the internet a favor and make sure your email server looks good from the outside by checking your domain on MXToolbox.com (great tool, I use it often). Fix any major issues you find or ask what they mean here if you're not sure.
A note about SPF Records for you: If you enable this option (which I personally recommend you do) you may very well begin to get people trying to send you/your customers an email that will get bounced back to them. The issue is really on their side because they've not properly set up their own SPF records, but the blame will likely be placed on you like I frequently hear "we're not having this issue sending to other people", yea because they aren't checking SPF records like they should be. In this case, just whitelist the sending server's IP within that same Exim Configuration Manager under Trusted SMTP IP addresses.

Hope this helps! Cheers! :D
 

Twitchin Kitten

New Member
Thank you for the info. I'm going to show my server tech this because some of it might as well be written in Chinese to me! He'll be able to explain it better.
Anything marked with that ***SPAM*** does go into the junk folder. I should have been more clear on that. The ones that slip past are the ones not marked as such.

I do port my email to my personal client on my machine because i just hate going to a browser to check mail. I have a couple of people who are hosting with me that really are incapable of setting anything up for themselves and are even worse at going to Squirrelmail or anything like it and I have set up a forward to them from the server. I know it's not a good idea but sadly this is how it has to be, at least for now.

As for the headers - I could very well be reading them wrong. Would it be OK to copy one of them and put it in quote tags or something or would that be too insecure for me to do?
 

phpAddict

Active Member
You can set it up so those emails marked with ***SPAM*** never even get to your junk box.

Not insecure in my opinion, it's the same information you're emailing to everyone in your own emails headers, but posting your domains and IPs on forums tends to leave a sour taste in most web host's mouths, so go ahead and P.M. it to me (click on my name to the left and click Start a Conversation) so at least it's hidden.
 

phpAddict

Active Member
I was having a look at MailScanner in hopes of using it, but I'm not finding anything that's not already available in WHM/cPanel, just in different places. Like blocking based on spam scores that's in SpamAssassin already, black/white listing through BoxTrapper, RBLs in Exim settings, etc.

Assuming you are using it, what features do you find useful?
Did it put a stop to a majority of spam for you?
I did see that there's an account wide white/black list feature which is great, if it functions properly I'd basically be handling account wide BoxTrappers since users are too lazy to manage their own. Does the black/white list feature in cPanel automate the whitelist based on your user's sent emails?
 

Dave G

Member
Hi Josh

I apologize for not getting back to you sooner between our move to a new/used house and visiting my folks out of state time has been short.
Yes I am using MailScanner, Mail Manage and Mail Queues and done so for years.
As I am not well versed on using all the various mail stuff in WHM/cPanel MS is a one stop shop for me.

Did it put a stop to a majority of spam for you?
After MS was trained it is now blocking almost all spam.

I did see that there's an account wide white/black list feature which is great, if it functions properly
It works wonderful I can block IP's, IP ranges and those pesky new top domains like *@*.work*@*.top*@*.xyz*@*.audio*@*.click*@*.info*@*.rocks who's only use is, from what I have seen is to send spam

Does the black/white list feature in cPanel automate the whitelist based on your user's sent emails
No

I also like the ability to see incoming and out going email in real time to spot spam trends and from there train MS as to spam or ham. All manner of adjustments to user accounts can be adjusted from one place.
ClamAV can be updated with a click if you have it installed, as I do and set to scan incoming mail and attachments.
Screen shots can be seen here(bottom of the page)
Code:
http://www.configserver.com/cp/msfe.html
 
Top